This role is part of the D&T department of HEINEKEN International and is located in Heineken Global Shared Service. D&T is proud to bring cutting-edge innovation, strong technology, and advanced analytics to HEINEKEN. With speed and agility, we ensure HEINEKEN has the technological competitive advantages it needs to deliver on its ambition.

The Toolkit Security Specialist is part of the Toolkit portfolio and several Product teams within it (Toolchain, Digital integration, Robotics&Automation, Digital Enablemet and is one of the professionals who do the work of delivering a potentially releasable increment of the product at the end of each sprint. Product Teams are structured and empowered by the organization to organize and manage their own work. The resulting synergy optimizes the Product Team’s overall efficiency and effectiveness.

The strategy for all Toolkit products is to continue to evolve the technology platforms in their scope and to actively grow adoption of the platform. To a large extent, this will be done by means of a federated operating model, allowing other regional/local teams to develop on the platforms. To avoid this is introducing security risks special focus from the security specialist is required.

Your responsibilities would include:

• The Security technical specialist will assist with the design, development and implementation of security measures for solutions deployed into various cloud, hybrid, and on-premise systems in HEINEKEN environment.
• Ensure security by design principles are upheld in the implemented products
• Ensure embedding of joint security responsibility models definition related to federated governance systems
• Thoroughly document security decisions and implementations,
• Provide input and feedback on security architectures/setup/configuration
• Perform risk assessments on any new resource/application/functionality implemented in the cloud platforms
• Participate in the Security and Quality assurance chapter and help embed security by design mindset into the HEINEKEN organization
• Ensure performance and automation of compliance and security controls
• Support product teams in security decisions related to the product platforms
• Support in automating continuous security testing for the product platforms
• Support in resolving any security related audit or compliancy issues

You are a good Candidate if:

• 1-3 years working experience in security operations and advanced level of understanding regarding systems security at both technical and procedural level

• Operational experience in securing one or more of the following solutions;
  • low /no-code platforms
  • Robotics process automation (e.g. UiPath)
  • Integration and middleware platforms (Boomi, API Connect, SAP PO)
  • SLDC Tools (E.g. AzureDevOps, Confluence, Zephyr, SonarQube)
  • Microsoft Powerplatforms

• Possess a solid understanding and have experience with systems automation platforms and technologies.
• Certifications such as CEH, CIR, CISM, CISA, CGEDIT, any of the OWASP or similar are a plus
• Knowledge of industry standard security frameworks for information systems (NIST, ISO 27001/2, CSA, COBIT), the Cyber Kill Chain & MITRE ATT&CK framework
• Being able to translate technical language into a story that can be understood, and cohesively present it back to different stakeholders with a clear message
• Bachelor’s degree or equivalent experience
• Have a passion for security and enjoys solving problems
• You understand the Agile mindset and have basic knowledge on working in a Scrum Team. You show end-to-end ownership on work that you do.
• Excellent knowledge of English, written and verbal
• You have experience with outsourced managed services
• You look for structural solutions over one-time quick fixes.
• Experience representing technical viewpoints to diverse audiences and in making timely and prudent technical risk decisions.

Content/Technical experience:

• Knowledge of industry-standard security frameworks for information systems (CVSS, CIS Benchmarking, OWASP, NIST, ISO 27001/2, CSA, COBIT)

• Relevant technical knowledge on securing platforms/solutions such as robotics automation platforms, low/no-code platforms, integration and middleware (for a complete list see section above).
• Basic knowledge of:
  • Working knowledge of common and industry standard cloud-native/cloud-friendly authentication mechanisms (OAuth, OpenID, etc.).
  • Identity and access management
  • Securing other infrastructure. E.g.: Active Directory, Azure AD)
  • System security (operating systems, applications), networking, and web applications
  • Enabling services (e.g. NTP, SMTP, patching, Antivirus)
  • Server infrastructure (VMWare ESXi, storage, Azure, AWS)
  • basic cryptography knowledge (basic algorithm knowledge)
  • DB security knowledge
  • authentication protocol knowledge
  • Key storage solutions, security monitoring solutions (e.g. Splunk), SSO, security solutions (SSL, Remote Access, IPSEC, Reverse Proxy, IDS/IPS, Firewall)