JustJoin.IT Remote work Senior New

Cyber Security Engineering Consultant (Digital Solutions)

ITMAGINATION

⚲ Warszawa, Kraków, Wrocław, Poznań, Gdańsk

34 100 - 43 400 PLN net (B2B)

Requirements

  • Security
  • CI/CD
  • STRIDE
  • Azure
  • Kubernetes
  • Cybersecurity

Job description

This is a remote position. The Cyber Security Engineering Consultant is responsible for delivering end-to-end product security engineering capabilities across digital products, aligned with regulatory requirements and secure SDLC practices. The role is outcome-based, requiring independent execution and delivery of structured cybersecurity artifacts across product lifecycle stages. Travel to Germany is required once a month.

Responsibilities

Threat Modeling & Secure Architecture
  • Conduct STRIDE-based threat modeling for applications, cloud-native platforms, AI/ML systems, and CI/CD pipelines
  • Create and analyze Data Flow Diagrams (DFDs)
  • Identify trust boundaries, attack surfaces, and potential security risks
  • Develop and maintain threat registers including risk likelihood, impact assessments, and mitigation strategies
  • Design secure architectures for:
    • Cloud-native systems
    • APIs and microservices
    • AI/ML-enabled platforms
  • Assess risks related to:
    • Model poisoning
    • Data leakage
    • Pipeline compromise

Security Requirements & Secure Design
  • Develop Product Security Requirements Specifications (PSRS)
  • Translate regulatory and compliance requirements into actionable technical security controls
  • Perform secure architecture reviews and design validations
  • Define security controls across:
    • Identity & Access Management (IAM)
    • Cryptography
    • Logging & monitoring
    • System resilience
  • Perform SBOM (Software Bill of Materials) analysis and risk evaluation

Risk Management & Regulatory Compliance
  • Conduct security risk assessments using frameworks such as ISO 14971 and NIST
  • Perform CVSS-based vulnerability scoring
  • Maintain and manage risk registers
  • Support risk-benefit analysis activities
  • Prepare and maintain cybersecurity documentation for audits and regulatory reviews

Vulnerability Management & Post-Market Security
  • Monitor threat intelligence and emerging vulnerabilities
  • Conduct vulnerability impact analysis
  • Support PSIRT processes and incident response activities
  • Contribute to post-market cybersecurity surveillance activities
  • Provide cybersecurity advisory support to engineering and product teams

DevSecOps & Secure SDLC
  • Integrate security controls into CI/CD pipelines (Azure DevOps, GitLab)
  • Implement and govern security tooling including:
    • SAST
    • DAST
    • SCA
    • IaC scanning
  • Define policies-as-code and automated security gates
  • Support Kubernetes and container security initiatives
  • Drive secure SDLC maturity improvements across teams

Stakeholder Collaboration & Enablement
  • Collaborate with engineering, product, regulatory, and leadership stakeholders
  • Deliver security awareness workshops and enablement sessions
  • Prepare executive-level reporting and security metrics
  • Support development of long-term cybersecurity roadmaps and strategic initiatives

Requirements
  • 5+ years of experience in:
    • Product Security
    • Application Security
    • Cloud Security Architecture
    • DevSecOps
  • Strong hands-on experience with:
    • STRIDE threat modeling
    • Secure architecture reviews
    • Cloud security on Azure
    • Kubernetes and container security
    • CI/CD security integration
  • Experience implementing secure SDLC practices in enterprise environments
  • Strong understanding of:
    • OWASP Top 10 / ASVS
    • ISO 27001
    • NIST Cybersecurity Framework
    • Secure software engineering principles
  • Experience working in regulated industries, preferably medical devices or healthcare
  • Excellent documentation and communication skills
  • Ability to work independently in an advisory and consulting capacity

Technical Stack

Cloud & Infrastructure
  • Azure (mandatory)
  • AWS / GCP (nice to have)
  • Docker
  • Kubernetes

CI/CD & DevSecOps
  • Azure DevOps
  • GitLab

Security Tooling
  • SAST: Fortify or similar
  • DAST: Seeker, Burp Suite
  • SCA: Black Duck or equivalent
  • IaC scanning: Checkov
  • Threat modeling tools

Regulatory & Security Standards

Experience with the following is highly desirable:
  • ISO/IEC 27001
  • ISO 14971
  • FDA cybersecurity guidance
  • MDR
  • EU CRA
  • NIS2

Nice to have:
  • Degree in Cybersecurity, Computer Science, Engineering, or related field
  • Certifications such as:
    • CISSP
    • CSSLP
    • OSCP
    • DevSecOps certifications
    • ISO 27001 / Risk Management certifications
