About this role
Regulatory & Compliance
• Lead CRA readiness for Gravis products with digital elements: scoping, product classification, gap assessments against essential requirements, risk analysis, control design, and remediation roadmaps
• Translate CRA, NIS2, and Machinery Regulation requirements into actionable control frameworks and policies; map to ISO 27001/27002/27036, NIST CSF, NIST SP 800-161, NIST SSDF, CIS Controls, and OWASP
• Maintain comprehensive technical documentation to support conformity assessments, CE marking, and engagement with Notified Bodies
• Stay current on emerging threats, regulatory changes, and best practices in product security, supply chain security, and GRC

Product Security
• Establish and mature product security capabilities: secure development lifecycle, secure update processes, vulnerability handling, coordinated vulnerability disclosure (CVD), PSIRT setup and operations, SBOM generation, management, and vulnerability triage
• Conduct risk assessments and threat modelling for products and suppliers; define mitigation strategies, metrics, and KPIs
• Participate in incident and alert response reviews; propose and implement improvement actions
• Assess and improve the security hardening of enterprise and embedded solutions

Secure Engineering
• Write secure code for critical system components in C, C++, Python, and/or Rust
• Conduct manual and automated code reviews with a strict focus on security vulnerabilities (OWASP Top 10, CWE)
• Define and enforce secure coding guidelines and SAST/DAST tooling across engineering teams
• Mentor and upskill engineers on secure development best practices

Collaboration & Communication
• Collaborate cross-functionally with security, engineering, product, operations, legal, and compliance teams; facilitate workshops and drive change
• Produce clear, high-quality deliverables: assessment reports, control designs, implementation plans, policies, process maps, and training materials
• Regularly monitor and report on security metrics, security posture, and compliance status to management
• Explain complex security topics clearly to both technical and non-technical stakeholders
• 3+ years of security experience with direct focus on EU regulatory compliance (CRA, NIS2, Machinery Regulation) and GRC
• Strong familiarity with industrial or embedded cybersecurity standards, particularly IEC 62443
• Broad knowledge of security frameworks (ISO 27001, NIST CSF, NIST SP 800-161, NIST SSDF, CIS Controls, OWASP), including control mapping and tailored implementation
• Demonstrable experience establishing product security capabilities (PSIRT, CVD, SBOM, secure development/update pipelines) in a product or software organisation
• Proficiency writing secure code in one or more of: C, C++, Python, Rust
• Experience conducting manual and automated code reviews focused on identifying security vulnerabilities
• Deep understanding of common vulnerability classes (OWASP Top 10, CWE) and proven mitigation strategies
• Strong written and verbal communication skills; comfortable engaging both engineers and executives

• Relevant cybersecurity certifications: CISSP, CISM, CISA, CRISC, ISO 27001 Lead Implementer/Auditor, CCSK, or CCSP
• Practical experience with conformity assessments, technical documentation, and CE marking processes
• Experience with penetration testing and vulnerability assessments
• Hands-on experience with SAST and DAST tooling
• Experience engaging with Notified Bodies through the conformity assessment process
• Knowledge of cryptography, secure boot processes, and secure over-the-air (OTA) update mechanisms
• Background in industrial automation, robotics, or embedded systems environments
Tech stack
Python, Rust, C++
About Gravis Robotics
Gravis Robotics is hiring for the cybersecurity engineer role. NewJob aggregates active openings directly from Gravis Robotics's applicant tracking system, so this listing is current.