Glaukos Corporation

Sr. Cybersecurity Specialist II - Aliso Viejo, CA

Glaukos Corporation  •  Aliso Viejo, CA (Onsite)

Job Description

What You’ll Do:

The Senior Cybersecurity Engineer is a broad-scope, hands-on technical role responsible for engineering, operating, and maturing cybersecurity capabilities across the enterprise. Glaukos manages cybersecurity across several distinct security domains; this role will own primary accountability for several of these domains based on organizational need, team structure, and the candidate's areas of expertise.

Candidates are not expected to be specialists in all areas. Rather, Glaukos seeks engineers who bring deep proficiency in one or more domains, a working knowledge of adjacent areas, and the intellectual curiosity to grow. Domain ownership may evolve over time as the program matures and team needs shift.

This position partners closely with IT, Quality, Legal, and Privacy to protect Glaukos products, systems, and data while enabling innovation in a highly regulated medical device environment. The Senior Cybersecurity Engineer is expected to work independently within their domain(s), contribute to cross-domain initiatives, and help mentor junior team members.

Based on domain assignment, the Senior Cybersecurity Engineer will own the following responsibilities. Engineers assigned to multiple domains will be supported with appropriate resourcing and prioritization guidance from leadership.

Supply Chain Security

  • Lead third-party and supplier cybersecurity assessments integrated into the procurement lifecycle.
  • Govern Software Bill of Materials (SBOM) accuracy, update cadence, and traceability from component to product.
  • Track and remediate supply chain vulnerabilities through coordinated processes with Engineering and suppliers.
  • Develop and maintain supply chain security standards, questionnaires, and contractual security requirements.
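As an added illustration of the SBOM traceability and supply chain vulnerability tracking named above (example code written for this page, not Glaukos tooling), the script below indexes minimal CycloneDX JSON documents by package URL, matches them against an advisory list, and reports which product ships an affected version. Every product, package, version and advisory identifier is constructed for the example and describes no real software or vulnerability; the SBOMs are embedded inline so it runs offline.

```python
"""Trace vulnerable components to the products that ship them, from CycloneDX SBOMs.

Added example; not part of the Glaukos posting. The SBOM documents, the
advisory list, and every product, package and version below are constructed
for illustration and do not describe real software or real vulnerabilities.
"""
import json
from collections import defaultdict

# Constructed minimal CycloneDX 1.5 JSON documents, one per fictional product.
SBOMS = {
    "ProductA 2.3": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "components": [
            {"type": "library", "name": "libwidget", "version": "1.4.2",
             "purl": "pkg:generic/libwidget@1.4.2"},
            {"type": "library", "name": "netparse", "version": "0.9.0",
             "purl": "pkg:generic/netparse@0.9.0"},
        ],
    }),
    "ProductB 5.1": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "components": [
            {"type": "library", "name": "libwidget", "version": "1.5.0",
             "purl": "pkg:generic/libwidget@1.5.0"},
            {"type": "library", "name": "parserkit", "version": "2.13.4",
             "purl": "pkg:maven/com.example/parserkit@2.13.4"},
            {"type": "library", "name": "mystery", "version": "3.1"},  # no purl: untraceable
        ],
    }),
}

# Constructed advisory feed: identifiers are placeholders, not real CVE/GHSA IDs.
ADVISORIES = [
    {"id": "ADV-0001", "purl": "pkg:generic/libwidget", "fixed": "1.4.3", "severity": "high"},
    {"id": "ADV-0002", "purl": "pkg:generic/netparse", "fixed": "0.9.1", "severity": "medium"},
    {"id": "ADV-0003", "purl": "pkg:maven/com.example/parserkit", "fixed": "2.13.4", "severity": "high"},
]


def version_key(version: str) -> tuple:
    """Sort key for dotted versions; numeric parts compare numerically, others lexically after them."""
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in version.split("."))


def split_purl(purl: str) -> tuple:
    """Split 'pkg:type/ns/name@version' into (versionless purl, version).

    Simplification: purl qualifiers ('?...') and subpaths ('#...') are not handled.
    """
    base, sep, version = purl.rpartition("@")
    return (base, version) if sep else (purl, "")


def index_components(sboms: dict) -> tuple:
    """Build versionless-purl -> [(product, version)] and list components lacking a purl."""
    index = defaultdict(list)
    untraceable = []
    for product, document in sboms.items():
        bom = json.loads(document)
        if bom.get("bomFormat") != "CycloneDX":
            raise ValueError(f"{product}: not a CycloneDX document")
        for comp in bom.get("components", []):
            base, version = split_purl(comp.get("purl", ""))
            if not base:
                # A component without a purl cannot be matched to advisories: an SBOM quality gap.
                untraceable.append((product, comp.get("name", "?")))
                continue
            index[base].append((product, version or comp.get("version", "")))
    return index, untraceable


def match_advisories(sboms: dict, advisories: list) -> dict:
    """Return advisory id -> [(product, installed version)] for versions below the fix."""
    index, _ = index_components(sboms)
    affected = defaultdict(list)
    for adv in advisories:
        for product, version in index.get(adv["purl"], []):
            if version_key(version) < version_key(adv["fixed"]):
                affected[adv["id"]].append((product, version))
    return dict(affected)


if __name__ == "__main__":
    for adv_id, hits in sorted(match_advisories(SBOMS, ADVISORIES).items()):
        for product, version in hits:
            print(f"{adv_id}: {product} ships {version}")
    _, gaps = index_components(SBOMS)
    for product, name in gaps:
        print(f"SBOM gap: {product} component '{name}' has no purl")
```

The untraceable list is the point a governance owner cares about: a component that carries no purl cannot be matched to any advisory, so the SBOM accuracy review should treat it as a finding rather than silently skipping it.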

Vulnerability Management

  • Own and operate the enterprise vulnerability management program, including scanning cadence, triage, prioritization, and SLA tracking.
  • Manage patch tracking and exception handling processes, including compensating controls and escalation of overdue items.
  • Coordinate vulnerability disclosure (CVD) processes and customer notification workflows in partnership with product security and regulatory teams.
  • Maintain dashboards and metrics to communicate vulnerability posture to leadership.

Network Security

  • Play a key role in the design of network security architecture including firewalls, segmentation, zero trust principles, and secure remote access.
  • Conduct network traffic analysis and manage intrusion detection/prevention systems (IDS/IPS).
  • Confirm and audit the hardening of network infrastructure supporting both corporate IT and device-connected environments.
  • Partner with IT and engineering on secure network design for manufacturing-support and product-connected systems.

Cloud Security

  • Audit cloud security controls across IaaS, PaaS, and SaaS platforms (AWS, Azure, GCP, and applicable SaaS tools).
  • Perform cloud security posture management (CSPM), identity hygiene reviews, and misconfiguration remediation.
  • Develop and enforce cloud security standards, guardrails, and architecture review processes.
  • Ensure cloud-hosted workloads supporting medical devices and manufacturing meet applicable regulatory and security requirements.

Security Operations

  • Support and mature Security Operations Center (SOC) capabilities, including alert triage, use case development, and SIEM/SOAR tuning.
  • Manage security monitoring for device-supporting environments, including backup, restore, and attestation activities.
  • Manage a third-party MSSP/MXDR provider that supplies detection logic, playbooks, and runbooks to improve response fidelity and speed.
  • Provide KPIs and operational reporting for security operations activities to the CISO and stakeholders.

Incident Response

  • Lead and coordinate cybersecurity incident response activities, including containment, eradication, recovery, and post-incident reviews.
  • Maintain and test the incident response plan (IRP), including tabletop exercises and scenario-based drills.
  • Serve as a technical escalation point for security incidents impacting corporate, OT, and product environments.
  • Coordinate with Legal, Regulatory Affairs, and Communications teams on disclosure obligations and customer notification.

Identity & Access Management

  • Own and mature IAM controls including role-based access control (RBAC), privileged access management (PAM), and multi-factor authentication (MFA) enforcement.
  • Execute and govern periodic user and privileged access reviews for applications, cloud portals, and manufacturing-support systems.
  • Manage identity lifecycle processes (joiner/mover/leaver) in coordination with HR and IT.
  • Implement and maintain least-privilege principles across enterprise and product-connected systems.

Data Security

  • Design and implement data classification frameworks, DLP controls, and encryption standards for data at rest and in transit.
  • Identify, inventory, and protect sensitive data assets including regulated data (PII, PHI) across corporate and cloud environments.
  • Support data security requirements for medical device connectivity and patient data flows.
  • Conduct periodic data security assessments and drive remediation of identified gaps.

Privacy & Compliance

  • Partner with Legal and Privacy teams to implement technical controls supporting HIPAA, GDPR, CCPA, and other applicable privacy regulations.
  • Conduct, or manage third-party firms conducting, Privacy Impact Assessments (PIAs) and Data Protection Impact Assessments (DPIAs) for new products, systems, and processes.
  • Ensure data handling practices for medical device products meet applicable privacy and security standards.
  • Track and document privacy-related security controls for audit and regulatory inspection readiness.

Collaboration Suite Security

  • Secure collaboration platforms (Microsoft 365, Teams, SharePoint, email, video conferencing) through policy, configuration hardening, and ongoing monitoring.
  • Manage email security controls including anti-phishing, anti-spoofing (SPF/DKIM/DMARC), and secure email gateway policies.
  • Govern data sharing and external collaboration settings to prevent unauthorized exfiltration.
  • Conduct periodic configuration reviews and implement security benchmarks for collaboration tools.
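As an added illustration of the SPF/DKIM/DMARC anti-spoofing controls named above (example code written for this page, not Glaukos tooling), the script below evaluates SPF and DMARC TXT record strings for the settings a configuration review typically flags: a permissive "+all", too many DNS-lookup mechanisms, a monitor-only "p=none" policy, partial "pct" enforcement, unprotected subdomains, and missing aggregate reporting. The records are constructed sample strings for a fictional domain, not real DNS data, so no lookups are performed.

```python
"""Flag weak SPF and DMARC settings in DNS TXT record strings.

Added example; not part of the Glaukos posting. The records below are
constructed sample strings, not real DNS data for any domain.
"""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    record: str      # "SPF" or "DMARC"
    severity: str    # "high", "medium" or "low"
    message: str


# Mechanisms that cost a DNS lookup; RFC 7208 section 4.6.4 caps these at 10.
_LOOKUP_MECH = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists)(:|/|$)")


def parse_dmarc_tags(record: str) -> dict:
    """Turn 'v=DMARC1; p=none; rua=...' into a lowercase tag -> value dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(record: str) -> list:
    """Return findings for an SPF record; an empty list means no weak setting found."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return [Finding("SPF", "high", "record does not start with v=spf1")]
    findings = []
    all_terms = [t for t in terms[1:] if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        findings.append(Finding("SPF", "medium", "no 'all' mechanism; unlisted senders are treated as neutral"))
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"  # '+' is the default
        if qualifier == "+":
            findings.append(Finding("SPF", "high", "'+all' authorizes any sender to use the domain"))
        elif qualifier == "?":
            findings.append(Finding("SPF", "medium", "'?all' is neutral; no enforcement"))
        elif qualifier == "~":
            findings.append(Finding("SPF", "low", "'~all' softfail; move to '-all' once senders are inventoried"))
    lookups = sum(1 for t in terms[1:] if _LOOKUP_MECH.match(t.lower()) or t.lower().startswith("redirect="))
    if lookups > 10:
        findings.append(Finding("SPF", "high", f"{lookups} lookup terms exceed the limit of 10; receivers return permerror"))
    return findings


def check_dmarc(record: str) -> list:
    """Return findings for a DMARC record; an empty list means no weak setting found."""
    tags = parse_dmarc_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return [Finding("DMARC", "high", "missing or invalid v=DMARC1 tag")]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append(Finding("DMARC", "high", "missing or invalid p= policy tag"))
    elif policy == "none":
        findings.append(Finding("DMARC", "high", "p=none only monitors; spoofed mail is still delivered"))
    elif policy == "quarantine":
        findings.append(Finding("DMARC", "low", "p=quarantine; move to p=reject once aggregate reports are clean"))
    pct = tags.get("pct", "100")
    if policy in ("quarantine", "reject") and pct.isdigit() and int(pct) < 100:
        findings.append(Finding("DMARC", "medium", f"pct={pct} applies the policy to only part of the mail stream"))
    if tags.get("sp", policy).lower() == "none" and policy in ("quarantine", "reject"):
        findings.append(Finding("DMARC", "medium", "sp=none leaves subdomains unprotected"))
    if "rua" not in tags:
        findings.append(Finding("DMARC", "medium", "no rua= address; aggregate reports are not collected"))
    return findings


def worst_severity(findings: list) -> str:
    """Highest severity among the findings, or 'none' when there are no findings."""
    rank = {"high": 3, "medium": 2, "low": 1}
    return max((f.severity for f in findings), key=rank.get, default="none")


# Constructed sample records for the fictional domain example.com: weak beside hardened.
WEAK_SPF = "v=spf1 include:_spf.example.net a mx +all"
HARDENED_SPF = "v=spf1 include:_spf.example.net mx -all"
WEAK_DMARC = "v=DMARC1; p=none"
HARDENED_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc-reports@example.com"

if __name__ == "__main__":
    for label, record, check in (("weak SPF", WEAK_SPF, check_spf),
                                 ("hardened SPF", HARDENED_SPF, check_spf),
                                 ("weak DMARC", WEAK_DMARC, check_dmarc),
                                 ("hardened DMARC", HARDENED_DMARC, check_dmarc)):
        findings = check(record)
        print(f"{label}: {worst_severity(findings)}")
        for f in findings:
            print(f"  [{f.severity}] {f.message}")
```

In a real review the record strings would come from DNS TXT queries for the apex domain and `_dmarc.<domain>`, and DKIM would be checked separately per selector; the checks here only cover what can be judged from the record text itself.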

Third-Party & Vendor Risk

  • Conduct security assessments of third-party vendors, cloud providers, and technology partners integrated into the Glaukos supply chain or infrastructure.
  • Maintain the vendor cybersecurity risk register and track remediation commitments.
  • Lead and coordinate responses to customer cybersecurity questionnaires, risk assessments, and security audits.
  • Define and enforce minimum security requirements in vendor contracts and SLAs.

Security Awareness

  • Design and deliver security awareness training programs tailored to technical, clinical, and executive audiences.
  • Manage phishing simulation campaigns and track metrics on program effectiveness.
  • Develop targeted training materials for high-risk roles including developers, administrators, and manufacturing staff.
  • Foster a security-conscious culture through communication, champions programs, and ongoing education.

Enterprise Application Security

  • Conduct security assessments and architecture reviews for enterprise applications including ERP, QMS, MES, CRM, and other business-critical platforms.
  • Partner with IT and application owners to ensure secure configuration, access control, and patch management for enterprise software.
  • Perform application security testing coordination (SAST, DAST, penetration testing) for internally developed and procured software.
  • Maintain an inventory of enterprise applications, their risk classifications, and associated security controls.

OT / ICS Security

  • Design, implement, and maintain security controls for operational technology (OT) and industrial control systems (ICS) environments supporting medical device manufacturing and operations.
  • Conduct OT-specific risk assessments, network segmentation reviews, and asset inventory management.
  • Apply IEC 62443 principles to secure manufacturing and production systems.
  • Monitor OT environments for anomalous behavior and coordinate incident response with engineering and operations teams.

How You’ll Get There:

  • 8+ years of experience in cybersecurity engineering, with demonstrated depth in one or more of the domains outlined above; broader familiarity across additional domains is a strong differentiator.
  • Direct experience in a regulated industry — medical devices, life sciences, healthcare technology, or a similarly regulated environment — strongly preferred.
  • Proven ability to engineer, operate, and mature cybersecurity controls within your domain(s) of ownership, including metrics, documentation, and audit-readiness.
  • Working knowledge of applicable frameworks and standards including NIST CSF, IEC 62443, IEC 62304, FDA cybersecurity guidance, HIPAA, SOC 2, and ISO 27001; deep fluency in the frameworks most relevant to your domain(s) is expected.
  • Experience supporting regulatory inspections, internal audits, or customer security assessments as a credible technical representative.
  • Demonstrated ability to work cross-functionally and collaborate effectively with Engineering, Quality, Regulatory, and IT stakeholders.
  • Track record of delivering sustained results through scalable processes, clear metrics, and well-maintained documentation.
  • Relevant certifications preferred, aligned to your domain(s): CISSP, CISM, GICSP, GCIH, CCSP, CIPP, or equivalent.
  • Bachelor's degree in Cybersecurity, Computer Science, Engineering, Biomedical Engineering, or a related field; equivalent experience considered.

#GKOSUS
