Gravisrobotics

Cybersecurity Engineer

Role

Cybersecurity Engineer

Location

CH

Job type

Full-time

Found on Mokaru

Yesterday

Salary

Not disclosed by employer

Job description

What You Will Do

Regulatory & Compliance

  • Lead CRA readiness for Gravis products with digital elements: scoping, product classification, gap assessments against essential requirements, risk analysis, control design, and remediation roadmaps
  • Translate CRA, NIS2, and Machinery Regulation requirements into actionable control frameworks and policies; map to ISO 27001/27002/27036, NIST CSF, NIST SP 800-161, NIST SSDF, CIS Controls, and OWASP
  • Maintain comprehensive technical documentation to support conformity assessments, CE marking, and engagement with Notified Bodies
  • Stay current on emerging threats, regulatory changes, and best practices in product security, supply chain security, and GRC

Product Security

  • Establish and mature product security capabilities: secure development lifecycle, secure update processes, vulnerability handling, coordinated vulnerability disclosure (CVD), PSIRT setup and operations, SBOM generation, management, and vulnerability triage
  • Conduct risk assessments and threat modelling for products and suppliers; define mitigation strategies, metrics, and KPIs
  • Participate in incident and alert response reviews; propose and implement improvement actions
  • Assess and improve the security hardening of enterprise and embedded solutions

Secure Engineering

  • Write secure code for critical system components in C, C++, Python, and/or Rust
  • Conduct manual and automated code reviews with a strict focus on security vulnerabilities (OWASP Top 10, CWE)
  • Define and enforce secure coding guidelines and SAST/DAST tooling across engineering teams
  • Mentor and upskill engineers on secure development best practices

Collaboration & Communication

  • Collaborate cross-functionally with security, engineering, product, operations, legal, and compliance teams; facilitate workshops and drive change
  • Produce clear, high-quality deliverables: assessment reports, control designs, implementation plans, policies, process maps, and training materials
  • Regularly monitor and report on security metrics, security posture, and compliance status to management
  • Explain complex security topics clearly to both technical and non-technical stakeholders

Required Qualifications

  • 3+ years of security experience with direct focus on EU regulatory compliance (CRA, NIS2, Machinery Regulation) and GRC
  • Strong familiarity with industrial or embedded cybersecurity standards, particularly IEC 62443
  • Broad knowledge of security frameworks — ISO 27001, NIST CSF, NIST SP 800-161, NIST SSDF, CIS Controls, OWASP — including control mapping and tailored implementation
  • Demonstrable experience establishing product security capabilities (PSIRT, CVD, SBOM, secure development/update pipelines) in a product or software organisation
  • Proficiency writing secure code in one or more of: C, C++, Python, Rust
  • Experience conducting manual and automated code reviews focused on identifying security vulnerabilities
  • Deep understanding of common vulnerability classes (OWASP Top 10, CWE) and proven mitigation strategies
  • Strong written and verbal communication skills; comfortable engaging both engineers and executives

Nice To Have

  • Relevant cybersecurity certifications: CISSP, CISM, CISA, CRISC, ISO 27001 Lead Implementer/Auditor, CCSK, or CCSP
  • Practical experience with conformity assessments, technical documentation, and CE marking processes
  • Experience with penetration testing and vulnerability assessments
  • Hands-on experience with SAST and DAST tooling
  • Experience engaging with Notified Bodies through the conformity assessment process
  • Knowledge of cryptography, secure boot processes, and secure over-the-air (OTA) update mechanisms
  • Background in industrial automation, robotics, or embedded systems environments