
Principal Attack Surface Management

Johnson & Johnson

São Paulo

On-site

BRL 435.000 - 654.000

Full-time

Today

Job summary

A global healthcare leader in São Paulo is seeking a Senior ASM Vulnerability Management Specialist with over 7 years of experience. The role focuses on identifying, prioritizing, and remediating vulnerabilities in web applications and infrastructure across both cloud and on-prem environments. The ideal candidate will have expertise in designing scanning controls and delivering compliance reports, while collaborating with various teams to enhance security posture and risk reduction strategies. Join a company dedicated to innovative healthcare solutions.

Qualifications

  • 7+ years in vulnerability management/secure configurations.
  • Solid experience with CIS Benchmarks and cloud security tooling.
  • Excellent stakeholder communication and executive reporting skills.

Responsibilities

  • Define and implement secure baseline configurations aligned with CIS Benchmarks.
  • Develop remediation playbooks and policy-as-code.
  • Conduct regular vulnerability assessments and drive prioritized actions.
  • Lead remediation planning and track progress in ITSM systems.
  • Maintain continuous compliance monitoring and gap analysis.
  • Plan and implement targeted testing using automated tools.
  • Validate findings and collaborate with engineering.
  • Integrate vulnerability findings into SIEM and automate workflows.

Skills

Business Process Design
Crisis Management
Critical Thinking
Information Security Auditing
Information Security Management System (ISMS)
Information Technology (IT) Security Assessments
Information Technology Strategies
Mentorship
Organizing
Presentation Design
Process Optimization
Root Cause Analysis (RCA)
Security Architecture Design
Security Policies
Technical Credibility
Vulnerability Management

Education

Relevant certifications (CISSP, GIAC, OSCP) preferred

Job description

Job Function

Technology Enterprise Strategy & Security

Job Sub Function

Security & Controls

Job Category

Scientific/Technology

All Job Posting Locations

São Paulo, Brazil; Warsaw, Masovian, Poland

Job Description

At Johnson & Johnson, we believe health is everything. Our strength in healthcare innovation empowers us to build a world where complex diseases are prevented, treated, and cured, where treatments are smarter and less invasive, and solutions are personal. Through our expertise in Innovative Medicine and MedTech, we are uniquely positioned to innovate across the full spectrum of healthcare solutions today to deliver the breakthroughs of tomorrow, and profoundly impact health for humanity. Learn more at https://www.jnj.com

Role Objective

Senior ASM vulnerability management specialist (7+ years) responsible for identifying, prioritizing, and remediating vulnerabilities across web apps and infrastructure in on-prem and cloud environments. Authority in designing, configuring, and maintaining scanning controls and programs. Leads exploitation simulations, exposure management, and meticulous analysis to drive risk reduction across a global enterprise. Collaborates with security, operations, and development teams; accelerates detection and remediation through automation; strengthens security posture and regulatory compliance.

Responsibilities
  • Define and implement secure baseline configurations aligned with CIS Benchmarks across OS, apps, and cloud resources.
  • Develop remediation playbooks and policy-as-code to ensure consistent secure configurations.
  • Conduct regular vulnerability assessments (Windows, Linux, network devices); map findings to controls and business risk; drive prioritized actions.
  • Lead remediation planning; track progress in ITSM systems; deliver executive-ready compliance reports.
  • Oversee onboarding, maintenance, and support of vulnerability assessment controls and other tools used by the ASM team.
  • Maintain continuous compliance monitoring and gap analysis for audit readiness.
  • Plan, coordinate, and implement targeted testing (web apps, APIs, infrastructure, cloud) using automated tools and skilled manual testing.
  • Validate findings with evidence; collaborate with engineering to verify remediation effectiveness; re-test as needed.
  • Integrate vulnerability findings into SIEM, ITSM, CMDB, and DevSecOps tooling; automate ticketing and remediation workflows.
  • Leverage threat intel and threat modeling to prioritize tests and remediation efforts.
  • Coordinate platform support and cloud security posture management (AWS/Azure) to scale and strengthen security posture.
  • Create clear, concise documentation to support colleagues and stakeholders.
Qualifications
  • 7+ years in vulnerability management/secure configurations; relevant certifications (e.g., CISSP, GIAC, OSCP) preferred.
  • Solid experience with CIS Benchmarks, cloud security tooling, SIEM/ITSM integrations, and threat modeling.
  • Excellent stakeholder communication and executive reporting skills.
Nice-to-haves
  • Experience with regulatory frameworks (NIST CSF, 800‑53, ISO 27001, PCI‑DSS, HIPAA).
  • Prior experience conducting controlled exploitation simulations or red‑team/blue‑team exercises.
Required Skills
  • Business Process Design
  • Crisis Management
  • Critical Thinking
  • Information Security Auditing
  • Information Security Management System (ISMS)
  • Information Technology (IT) Security Assessments
  • Information Technology Strategies
  • Mentorship
  • Organizing
  • Presentation Design
  • Process Optimization
  • Root Cause Analysis (RCA)
  • Security Architecture Design
  • Security Policies
  • Technical Credibility
  • Vulnerability Management
Preferred Skills
  • Business Process Design
  • Crisis Management
  • Critical Thinking
  • Information Security Auditing
  • Information Security Management System (ISMS)
  • Information Technology (IT) Security Assessments
  • Information Technology Strategies
  • Mentorship
  • Organizing
  • Presentation Design
  • Process Optimization
  • Root Cause Analysis (RCA)
  • Security Architecture Design
  • Security Policies
  • Technical Credibility
  • Vulnerability Management

Johnson & Johnson Family of Companies are equal opportunity employers, and all qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, genetic information, national origin, protected veteran status, disability status, or any other characteristic protected by law.
