At Johnson & Johnson, we believe health is everything. Our strength in healthcare innovation empowers us to build a world where complex diseases are prevented, treated, and cured, where treatments are smarter and less invasive, and solutions are personal. Through our expertise in Innovative Medicine and MedTech, we are uniquely positioned to innovate across the full spectrum of healthcare solutions today to deliver the breakthroughs of tomorrow, and profoundly impact health for humanity. Learn more at
Job Function: Technology Enterprise Strategy & Security
Job Sub Function: Security & Controls
Job Category: Scientific/Technology
All Job Posting Locations: Santa Clara, California, United States of America
Job Description: Johnson & Johnson is hiring for a Sr. Cybersecurity Analyst to join our team located in Santa Clara, CA.
Fueled by innovation at the intersection of biology and technology, we're developing the next generation of smarter, less invasive, more personalized treatments. Ready to join a team that's pioneering the development and commercialization of Intravascular Lithotripsy (IVL) to treat complex calcified cardiovascular disease? Our Shockwave Medical portfolio aims to establish a new standard of care for medical device treatment of atherosclerotic cardiovascular disease through its differentiated and proprietary local delivery of sonic pressure waves for the treatment of calcified plaque.
Position Overview
We are seeking an experienced, detail-oriented, and forward-thinking cybersecurity professional to join our Governance, Risk, and Compliance (GRC) team as the Common Controls Framework (CCF) Lead. In this critical role, you will be responsible for designing, implementing, and continuously optimizing a comprehensive, enterprise-wide Common Controls Framework that serves as the foundation for our security, privacy, and compliance programs.
This framework will enable the organization to consolidate overlapping controls, reduce audit fatigue, streamline compliance efforts, and enhance our ability to scale securely across business lines, geographies, and regulatory requirements. The Sr. Cybersecurity Analyst will play a pivotal role in ensuring alignment across a complex landscape of frameworks and standards, including NIST CSF, NIST 800-53, ISO/IEC 27001, SOC 2, HIPAA, PCI DSS, SOX, and GDPR.
The Sr. Cybersecurity Analyst will collaborate with a broad set of internal stakeholders including IT, Legal, Privacy, Engineering, IT Operations, HR, and Business Units to ensure controls are well-designed, clearly understood, efficiently implemented, and effectively monitored. Leveraging GRC tools and modern compliance automation techniques, you'll lead initiatives that enhance visibility into control health, reduce manual effort, and build a culture of continuous compliance and security by design.
This is a strategic and hands-on role, ideal for someone with strong technical acumen, a deep understanding of regulatory frameworks, and a passion for building scalable, resilient governance programs that support innovation and control.
Essential Job Functions
CCF Strategy & Design
- Develop and continuously improve a scalable and risk-based Common Controls Framework that maps and consolidates requirements across multiple frameworks and regulatory obligations.
- Lead the design and standardization of control definitions, supporting documentation, and testing methodologies.
Framework Management & Alignment
- Maintain a real-time inventory of all applicable compliance requirements, ensuring full traceability between regulatory controls and internal policies and standards.
- Align the CCF with the organization's enterprise risk management, privacy, and information security programs to ensure full coverage and business relevance.
Collaboration & Stakeholder Engagement
- Partner with business units, IT Security, Cloud Engineering, DevOps, Data Privacy, and Legal to validate control applicability, design, and operational ownership.
Automation & Enablement
- Leverage GRC platforms (e.g., ServiceNow GRC, Archer, OneTrust, Vanta, Drata) to streamline control lifecycle management, reporting, and compliance monitoring.
Audit & Assurance Support
- Prepare and support internal and third-party audits by providing control evidence, mapping, and documentation aligned to the CCF.
- Conduct gap assessments and control reviews, and work with control owners to remediate identified deficiencies.
Metrics & Reporting
- Define and maintain key performance indicators (KPIs) and key risk indicators (KRIs) for control coverage.
- Produce regular reports and dashboards to communicate compliance status and risk exposure to leadership and executive stakeholders.
Requirements
- Bachelor's degree preferred in Cybersecurity, Information Systems, Risk Management, Computer Science, or a related field.
- 5+ years of experience in cybersecurity, IT risk, or compliance, with at least 3 years in a role focused on frameworks, GRC, or control integration.
- Deep understanding of regulatory and industry security frameworks, including but not limited to NIST CSF, NIST 800-53, ISO/IEC 27001, SOC 2, HIPAA, PCI DSS, SOX, and GDPR.
- Proven experience with GRC platforms (e.g., ServiceNow, Archer, OneTrust, Vanta, Drata) and compliance tracking methodologies.
- Strong understanding of risk-based security principles and control design, implementation, and validation.
- Excellent analytical, project management, and communication skills with the ability to translate complex requirements into actionable outcomes.
- Ability to work cross-functionally and influence without authority in a matrixed, fast-paced environment.
- Security certifications (CISA, CISM, CRISC, CISSP, ISO/IEC 27001 Lead Implementer or Auditor) or the willingness to obtain certifications desirable.
NOTE: This job description is not intended to be all-inclusive. Employee may perform other related duties as assigned or negotiated to meet the ongoing needs of the organization.
Additional Information:
- The anticipated base pay for this position is $89,000-$142,600 annually.
- The Company maintains highly competitive, performance-based compensation programs. Under current guidelines, this position is eligible for an annual performance bonus in accordance with the terms of the applicable plan. The annual performance bonus is a cash bonus intended to provide an incentive to achieve annual targeted results by rewarding for individual and the corporation's performance over a calendar/performance year. Bonuses are awarded at the Company's discretion on an individual basis.
- Employees and/or eligible dependents may be eligible to participate in the following Company sponsored employee benefit programs: medical, dental, vision, life insurance, short- and long-term disability, business accident insurance, and group legal insurance.
- Employees may be eligible to participate in the Company's consolidated retirement plan (pension) and savings plan (401(k)).
- Employees are eligible for the following time off benefits:
- Vacation - up to 120 hours per calendar year
- Sick time - up to 40 hours per calendar year; for employees who reside in the State of Washington - up to 56 hours per calendar year
- Holiday pay, including Floating Holidays - up to 13 days per calendar year
- Work, Personal and Family Time - up to 40 hours per calendar year
- Additional information can be found through the link below.
Johnson & Johnson is an Equal Opportunity Employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, age, national origin, disability, protected veteran status or other characteristics protected by federal, state or local law. We actively seek qualified candidates who are protected veterans and individuals with disabilities as defined under VEVRAA and Section 503 of the Rehabilitation Act.
Johnson and Johnson is committed to providing an interview process that is inclusive of our applicants' needs. If you are an individual with a disability and would like to request an accommodation, please email the Employee Health Support Center or contact AskGS to be directed to your accommodation resource.