What you'd actually do

Perform and lead third-party risk assessments, risk rankings, and collaboration on remediation strategies as needed.

Perform deep technical reviews of third‑party security controls, evidence artifacts, attestations, and independent reports to assess control design, implementation, and operating effectiveness.

Evaluate complex risk scenarios involving sensitive data types, regulatory obligations, complex architectures, and cross‑border data flows.

Identify, document, and risk‑rate third‑party cyber issues, ensuring consistent severity determination and alignment to ISRM standards.

Drive automation and process improvements as identified and through relevant projects and/or operations.

At Johnson & Johnson, we believe health is everything. Our strength in healthcare innovation empowers us to build a world where complex diseases are prevented, treated, and cured, where treatments are smarter and less invasive, and solutions are personal. Through our expertise in Innovative Medicine and MedTech, we are uniquely positioned to innovate across the full spectrum of healthcare solutions today to deliver the breakthroughs of tomorrow, and profoundly impact health for humanity. Learn more at jnj.com.

As guided by Our Credo, Johnson & Johnson is responsible to our employees who work with us throughout the world. We provide an inclusive work environment where each person is considered as an individual. At Johnson & Johnson, we respect the diversity and dignity of our employees and recognize their merit.

**Job Function: **

Technology Enterprise Strategy & Security

**Job Sub Function: **

Security & Controls

Job Category:

Scientific/Technology

All Job Posting Locations:

Warsaw, Masovian, Poland

Job Description:

Johnson & Johnson is recruiting for a Principal – Third Party Cyber Risk Assessment to join the Information Security & Risk Management (ISRM) Risk Assessment Center of Excellence (CoE). This role is based in the United States with the Raritan, NJ location preferred, but also available internally to our ISRM Service Centers in São José dos Campos, São Paulo, Brasil and Warsaw, Poland.

Please note that this role is available across multiple countries and may be posted under different requisition numbers to comply with local requirements. While you are welcome to apply to any or all of the postings, we recommend focusing on the specific country(s) that align with your preferred location(s): Raritan NJ, São José dos Campos, São Paulo, Brasil and Warsaw, Poland.

São José dos Campos, Brazil- Requisition Number: R-073330

Raritan, NJ- Requisition Number: R-072604

Remember, whether you apply to one or all of these requisition numbers, your applications will be considered as a single submission.

This role serves as a senior technical authority and thought leader for third‑party cyber risk assessments across Johnson & Johnson’s global ecosystem of vendors, SaaS providers, and strategic partners.

Are you ready to use your technical knowledge to change the trajectory of health for humanity? We have a position for you!

Caring for the world, one person at a time inspired and united the people of Johnson & Johnson for over 130 years. We embrace research and science -- bringing innovative ideas, products, and services to advance the health and well-being of people.

At Johnson & Johnson, we believe good health is the foundation of vibrant lives, thriving communities and forward progress. That’s why for more than 130 years, we have aimed to keep people well at every age and every stage of life. Today, as the world’s largest and most broadly-based healthcare company, we are committed to using our reach and size for good. We strive to improve access and affordability, create healthier communities, and put a healthy mind, body and environment within reach of everyone, everywhere. Every day, our more than 130,000 employees across the world are blending heart, science and ingenuity to profoundly change the trajectory of health for humanity.

Thriving on a diverse company culture, celebrating the uniqueness of our employees, and committed to inclusion. Proud to be an equal opportunity employer!

As an integral member of the ISRM Risk Assessment Center of Excellence team, you will identify and assess cyber risks within the Third-Party Risk Assessment (TPRA) service. In this role, you will work with a diverse, global team of skilled cyber security professionals.

Key Responsibilities:

Perform and lead third-party risk assessments, risk rankings, and collaboration on remediation strategies as needed.
Perform deep technical reviews of third‑party security controls, evidence artifacts, attestations, and independent reports to assess control design, implementation, and operating effectiveness.
Evaluate complex risk scenarios involving sensitive data types, regulatory obligations, complex architectures, and cross‑border data flows.
Identify, document, and risk‑rate third‑party cyber issues, ensuring consistent severity determination and alignment to ISRM standards.
Drive automation and process improvements as identified and through relevant projects and/or operations.
Communicate cybersecurity third-party risk assessment results to senior leaders and provide input on remediation plans.
Enhance third-party cyber risk assessment processes by defining and implementing process improvements.
Offer consulting support to the larger cybersecurity team on third-party risk assessment understanding and remediation.
Lead and mentor junior members of the team, ensure ongoing learning, and support special projects as needed.

Qualifications

Education:

A bachelor’s degree in Computer Science, Engineering or Information Security/Cybersecurity or equivalent degree is required.
Security certifications such as CISSP, CCSP, CISA, CRISC etc. are preferred.
An advanced degree is preferred.

Experience and Skills:

Required:

5+ years of direct third-party cybersecurity risk assessment experience, including application of third-party risk assessment concepts and internal controls.
5+ years using ServiceNow GRC tool to support security risk objectives.
Proficiency in conducting and leading third-party risk assessments, including data classification, risk scoring, and mitigation planning.
Ability to translate technical findings into business impact for key partners.
Strong analytical and problem-solving skills.
Strong interpersonal skills to build and maintain relationships with internal partners.

Preferred:

Foundational knowledge of regulatory requirements (e.g., SOX404, Privacy, HIPAA, GxP, cyber regulations).
Experience assessing third-party risk in a large, dynamic, multinational organization.
Experience in identifying key security risks, security controls, and providing consulting services to customers throughout the third-party vendor lifecycle.
Experience with security standards and control frameworks (e.g. FAIR, HITRUST, ISO27001, NIST, SOC 2, etc.).
Demonstrable record of effectively collaborating with virtual, global teams, including diverse groups of people with varied backgrounds and cultural experiences.

Johnson & Johnson is an Equal Opportunity Employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, age, national origin, disability, protected veteran status or other characteristics protected by federal, state or local law. We actively seek qualified candidates who are protected veterans and individuals with disabilities as defined under VEVRAA and Section 503 of the Rehabilitation Act.

Johnson & Johnson is committed to providing an interview process that is inclusive of our applicants’ needs. If you are an individual with a disability and would like to request an accommodation, please contact us via https://www.jnj.com/contact-us/careers or contact AskGS to be directed to your accommodation resource.

**Required Skills: **

Preferred Skills:

Business Process Design, Crisis Management, Critical Thinking, Information Security Auditing, Information Security Management System (ISMS), Information Technology (IT) Security Assessments, Information Technology Strategies, Mentorship, Organizing, Presentation Design, Process Optimization, Root Cause Analysis (RCA), Security Architecture Design, Security Policies, Technical Credibility, Vulnerability Management

The anticipated base pay range for this position is:

zł251,000.00 - zł483,000.00

Benefits:

In addition to base pay, we offer the following benefits*: an annual bonus with set target (% of pay) depending on pay grade / location, where the actual amount is based on the employees’ and companies’ performance of the previous calendar year, or sales commissions. Moreover, we offer vacation days, parental leave for a minimum of 12 weeks, bereavement leave, caregiver leave, volunteer leave, well-being reimbursement, programs for financial, physical and mental health. We also offer service anniversary and recognition awards, and subject to the terms of their respective plans, employees - and in some location’s eligible dependents - can participate in several insurance plans. For more information, visit Employee benefits | Supporting well-being & career growth | Johnson & Johnson Careers.

*This is for informative purposes only. Amounts and actual benefits may vary by location and are subject to change.