Warsaw, POL
3 days ago
Principal Exposure Management
At Johnson & Johnson, we believe health is everything. Our strength in healthcare innovation empowers us to build a world where complex diseases are prevented, treated, and cured, where treatments are smarter and less invasive, and solutions are personal. Through our expertise in Innovative Medicine and MedTech, we are uniquely positioned to innovate across the full spectrum of healthcare solutions today to deliver the breakthroughs of tomorrow, and profoundly impact health for humanity. Learn more at https://www.jnj.com

**Job Function:** Technology Enterprise Strategy & Security

**Job Sub Function:** Security & Controls

**Job Category:** Scientific/Technology

**All Job Posting Locations:** São José dos Campos, São Paulo, Brazil; Warsaw, Masovian, Poland

**Job Description:**

Johnson & Johnson is currently recruiting for a Principal Attack Surface Management within the Information Security and Risk Management (ISRM) organization. This position is based out of **Warsaw, Poland** or **São José dos Campos, Brazil**.

As a member of the Attack Surface Management (ASM) team, you will lead J&J's Exposure Management: continuously discover, quantify, and reduce the internal and external attack surface. You will turn findings into prioritized action, lead adversarial validation, and collaborate across security and technology teams to deliver measurable risk reduction. Driving remediation across on-prem and cloud environments - consistently and with measurable impact!

**Key Responsibilities:**

+ Support Exposure and Attack Surface Management platform configuration, scalability, upgrades, policy enforcement, and overall health.
+ Partner with the ASM vendor to coordinate platform issues, upgrades, maintenance, roadmaps, and feature requests.
+ Drive detection and prioritization: tune and automate detection rules, enrichment, and correlation logic to reduce false positives and accelerate response.
+ Support ingestion and delivery of exposure and incident data into enterprise risk tools to support incident response, containment, and post-incident review.
+ Ensure exposure management practices align with CIS, NIST, and applicable compliance requirements.
+ Produce actionable reporting and indicators (heat maps, MTTR, exploitable exposure reduction, observability coverage) to guide prioritization and executive decision-making.
+ Plan, authorize, and coordinate adversarial exposure programs (pen tests, Red Team, Purple Team), defining scope, rules of engagement, success criteria, and approvals.
+ Perform or coordinate authorized exploit validation and proof-of-concept development in isolated labs; operationalize findings into CTEM/ASM workflows to adjust scoring, tune detection, and trigger remediation/ticketing.
+ Collaborate multi-functionally with Technology teams, Cloud Security, Application Security, Identity, the Cyber Defense Center, and business owners to coordinate fixes and risk acceptance.

**Experience and Skills:**

**Required:**

+ 8+ years in security engineering, exposure/attack surface management, vulnerability management, or similar roles.
+ Hands-on experience with CTEM/ASM platforms and asset discovery tools, and integrating them into enterprise tooling.
+ Strong scripting and automation skills (Python, PowerShell, or equivalent) for integrations, enrichment, and remediation orchestration via APIs.
+ Demonstrable experience conducting or coordinating authorized exploit validation and PoC testing, and working with Pen Test/Red Team/Purple Team engagements.
+ Solid knowledge of exposure and risk prioritization methodologies, threat intelligence ingestion, and exploitability scoring.
+ Demonstrated ability to build remediation playbooks, automate ticketing/workflows, and drive multi-functional remediation at scale.
+ Ability to translate technical vulnerabilities into business risk language for executive and business-owner reporting.
+ Proven track record of producing measurable outcomes (reduced exploitable exposures, improved MTTR, increased observability coverage).

**Preferred:**

+ Certifications: CISSP, GPEN, GWAPT, CRISC, OSCP/OSWE, or equivalent; cloud security certs (AWS/Azure/GCP) a plus.
+ Prior experience in large, hybrid enterprises or compliance-focused environments adhering to security frameworks such as CIS and NIST.
+ Vendor management experience, including platform evaluation, roadmap alignment, and procurement support.
+ Strong data-analytics approach: experience building dashboards and executive-level key risk metrics.

For more information on how we support the whole health of our employees throughout their wellness, career and life journey, please visit www.careers.jnj.com.

**Required Skills:**

**Preferred Skills:** Business Process Design, Crisis Management, Critical Thinking, Information Security Auditing, Information Security Management System (ISMS), Information Technology (IT) Security Assessments, Information Technology Strategies, Mentorship, Organizing, Presentation Design, Process Optimization, Root Cause Analysis (RCA), Security Architecture Design, Security Policies, Technical Credibility, Vulnerability Management