We are seeking a Consultant – Product Security & Regulatory Compliance to strengthen our advisory practice for industrial OT and AI-embedded product development. In this role, you will guide clients through complex regulatory landscapes, embed security into engineering delivery and translate compliance obligations into actionable technical specifications for federated product portfolios.
Responsibilities
- Design and maintain product security requirements frameworks for large federated product portfolios, including central control libraries, deviation governance workflows, risk acceptance procedures and change-propagation models across product lines
- Translation of Cyber Resilience Act essential requirements (Annex I Parts I & II) into actionable engineering specifications, covering SBOM governance, secure-by-default configurations, vulnerability handling procedures, secure update mechanisms and CE marking documentation
- Performance of OT/ICS security level assessments (SL-T vs SL-A gap analysis), zone/conduit modeling and component requirement mapping, with evidence packages for client conformity verification
- Lead threat modeling workshops with engineering teams using STRIDE, PASTA or MITRE ATT&CK for ICS, delivering prioritized risk registers and control recommendations at component and system levels
- Definition and implementation of SDL/SSDLC programs, including OWASP ASVS compliance matrices, SAST/DAST/SCA toolchain integration, vulnerability triage procedures and secure coding standards for embedded and industrial software
- Support for Notified Body engagement and technical documentation preparation for CRA Class I and Class II products, authoring security architecture documents and risk assessment evidence for regulatory submissions
- Design and execution of threat models for industrial products integrating AI/ML or LLM capabilities such as predictive maintenance, anomaly detection and agentic automation, applying OWASP LLM Top 10 mitigations
- Integration of AI security controls into DevSecOps pipelines, including model provenance, AI SBOM, MLOps security gates, CI/CD compliance checks and automated vulnerability scanning for AI components
- Support for EU AI Act conformity obligations for high-risk AI systems, covering technical documentation, human oversight mechanism design, audit trail architecture and AI incident response planning
- Conduct engineering-level regulatory gap assessments across CRA, NIS2, EU AI Act and DORA, delivering remediation roadmaps with specific control requirements
- Presentation of compliance posture, security architecture findings and roadmaps to senior client stakeholders including CISOs, engineering VPs, product heads and regulatory affairs teams, and facilitation of cross-functional alignment workshops
- Contribution to external publications, white papers and industry forums, supporting proposal development and practice capability-building
Requirements
- 5+ years of experience in product security, regulatory compliance or OT/ICS security within industrial product development
- Knowledge of Cyber Resilience Act essential requirements, CE marking documentation and Notified Body engagement
- Expertise in IEC 62443 security level assessments, zone/conduit modeling and component requirement mapping
- Proficiency in threat modeling methodologies including STRIDE, PASTA and MITRE ATT&CK for ICS
- Background in SDL/SSDLC programs, OWASP ASVS and secure coding standards for embedded and industrial software
- Skills in SAST/DAST/SCA toolchain integration and vulnerability triage procedures
- Understanding of AI/ML and LLM security, including OWASP LLM Top 10 mitigations
- Competency in DevSecOps pipelines, model provenance, AI SBOM and MLOps security gates
- Familiarity with EU AI Act, NIS2 and DORA regulatory frameworks
- Capability to present security findings and roadmaps to senior stakeholders such as CISOs, engineering VPs and regulatory affairs teams
- Advanced proficiency in English (C1+)