Information Security Engineer

Location: Leiden (NL) | Hours: 36-40 per week

As an Information Security Engineer, reporting to the IT Director, you play a key role in protecting the organization's information assets while delivering cybersecurity initiatives aligned with business goals. You own the IT risk register and translate risk assessments into actionable security improvements. You turn security policies and compliance requirements into concrete technical solutions and project plans.

This on-site, hands-on role involves regular interaction with IT teams, business stakeholders, and partners. You will manage daily security operations and coordinate improvement initiatives with both internal and external cybersecurity groups.

• Manage the infrastructure security in a hybrid IT environment, with a strong focus on cloud services (Microsoft Azure) and on-premises infrastructure, including servers, networks with micro-segmentation, in close cooperation with external cybersecurity partners.

• Manage and optimize security technologies, including Identity & Access Management (IAM), MFA, passwordless, access reviews, data security, endpoint protection, and security monitoring.

• Coordinate security compliance activities including NIS2 incident reporting obligations, third-party assessments, and regulatory audits; work closely with collegues, Quality Assurance, and external partners.

• Develop, implement, and maintain information security policies, standards, and procedures aligned with NIS2, and GxP requirements; ensure access controls and audit trails meet computerized systems validation requirements.

• Coordinate and manage small to mid-sized IT and cybersecurity projects, including planning, execution, progress tracking, reporting, and maintaining security documentation, dashboards, and KPIs.

• Develop and maintain the IT risk register and security asset inventory. Use the IT risk register to prioritize security initiatives and remediation efforts; ensure risk treatment plans are tracked to completion. Conduct risk assessments and report security posture on a regular basis.

• Manage vulnerability scans, audits, penetration tests, and timely patching. Ensure remediation and identify opportunities for continuous improvement.

• Implement security controls within IT projects, embedding security-by-design and privacy-by-design principles.

• Drive security awareness initiatives and advise the IT team and business users on security matters.

• Liaise with external Security Operations Center (SOC) provider on threat detection, log analysis, incident escalation, and service performance.

• Support the development of incident response plans and playbooks, and security incident handling, including detection, containment, technical analysis, communication, regulatory reporting, and documentation.

• Ensure security controls support GxP compliance requirements, including access management, audit trails, and electronic signature controls.

• Prepare, maintain, and support testing of Disaster Recovery and Business Continuity plans, including communication plans.

• Bachelor's degree in IT, Computer Science, or a related discipline.
• Security certifications such as Security+, AZ-500, SC-200, or equivalent; candidates working toward CISSP, CISM, or ISO 27001 Lead Implementer are encouraged to apply.
• At least 6 years of experience in information security, with demonstrated experience coordinating security initiatives, working with governance/compliance frameworks.
• Strong hands-on experience with Microsoft Azure, on-premises infrastructure, firewalls, and network security.
• Experience coordinating IT or security-related projects is a strong advantage.
• Working knowledge of NIS2, ISO 27001, and GDPR required. Understanding of pharmaceutical regulations (EU Annex 11, 21 CFR Part 11, GxP) strongly preferred; willingness to develop deep expertise in GxP security requirements.
• Experience with regulatory incident reporting or willingness to develop this expertise.
• Experience with IT risk management, including maintaining and operationalizing a risk register, is required.
• Excellent command of the English language, both spoken and written; proficiency in Dutch is highly preferred.

You are a proactive and hands-on security professional who enjoys working at the intersection of technology, risk, and business operations. You take ownership of your work, think analytically, and approach security challenges in a structured and pragmatic way.

You are comfortable operating at the intersection of security, compliance, and business operations, understanding that in a pharmaceutical environment, security controls must also satisfy regulatory requirements for data integrity and system validation.

You communicate clearly with both technical and non-technical stakeholders and are comfortable collaborating with IT operations, engineers, and business users. You are calm under pressure, reliable, and someone the business can trust. You are a self-starter who takes initiative, enjoys continuously improving security, and is looking to grow your career in a pharmaceutical environment.