Vacancy Product Manager Security Expertise Center/SURFaudit

Do you want to make education and research defensible against cyber threats? Do you know all about risk management? Are you enthusiastic about the practical implementation of policies made for this purpose? Do you think that cyber safety and information security do not have to be abracadabra and can you translate that into clear communication?

  • Level of education: WO
  • Location: Utrecht
  • Number of hours: 32-40 hours
  • Closing date:


About the Security Expertise Centre and SURFaudit

An important strategic objective of SURF and its members is to make the Dutch education and research sector resilient in the area of cyber security, so that everyone in that sector can work openly, safely and without worry. The institutions want to grow to at least maturity level 3, and SURF will help them do this. A risk-based approach is central to this. SURF will also provide awareness and training programmes.

In order to help institutions increase their level of cyber resilience, SURF is setting up a Security Expertise Centre. Within the expertise centre, SURF will work with the institutions to develop and share knowledge, ranging from policy documents to practical technical guides and best practices.

The SURFaudit service focuses on assessing the information security of the institutions. SURFaudit works with the institutions to develop and maintain standards, assessment models, and other frameworks (privacy, business continuity) to help them improve and know where they stand in relation to the rest. We work with the information security maturity model of the Netherlands Institute of Chartered Accountants (NBA). SURFaudit will also be expanded with methods for making risk management at the institutions more professional.

In this position, you will work in close cooperation with educational and research institutions on one of  

their biggest challenges, namely to be cyber resilient.  

What does the job entail?

You will help set up and organise the Security Expertise Centre in consultation with the product owner, customers (educational and research institutions), and colleagues within and outside SURF. With your broad knowledge of security, you will help estimate the risks and assess possible measures to reduce them, whether those measures are technical, organisational, or otherwise. You will be familiar with relevant standards, frameworks, and assessment frameworks such as ISO, NIST, and others, and be able to interpret and explain these documents in understandable language and translate them into both processes and practical operational security.

Together with the Product Owner Security Expertise Centre, you are responsible for organising the collaboration around the new Security Expertise Centre, coordinating with the various target groups and developing, delivering and maintaining products and tools. Cooperation with SURFaudit is important in this regard.

You also share responsibility for SURFaudit's services, which help institutions measure their maturity level and gain insight into the risks they run in relation to information security. You support institutions in further developing their risk-based approach.                                            

What exactly are you going to do?

  • Based on priorities from the target group, threat images and maturity scores, you will work to develop practical knowledge, tools and support to help institutions increase their level of cyber resilience.
  • You keep information and products of the Security Expertise Centre up to date.
  • You maintain relationships with the customers of the Security Expertise Centre, and gather input and feedback from them.
  • You propagate the results of the Security Expertise Centre within the target group and are an ambassador for cyber security within education and research.
  • You are co-responsible for SURFaudit, in which you maintain and further develop methodologies and tools for measuring maturity and stimulating risk-based work.

We ask

  • WO working and thinking level;
  • Minimum 3 years relevant work experience;
  • Experience with communication on technically complex subjects and information security, experience with (communication on) cyber security is an important advantage;
  • Experience with cybersecurity risk management and risk-based working;
  • Experience in communicating and maintaining (project) results;
  • You are able to work independently as well as in a team;
  • You can enthuse and motivate, also in a non-hierarchical setting;
  • You can work for different target groups and have a good sense of political relationships.

We offer

  • A varied and challenging job for 32-40 hours (0.8 - 1 fte) in an informal and collegial atmosphere with a high level of ambition;
  • SURF offers extensive training opportunities and excellent fringe benefits;
  • This position has a salary range of EUR 4,224 to EUR 6,034 gross based on a full-time appointment;
  • 8.33% holiday allowance, a fixed end-of-year bonus of 8.33%;
  • 36 holidays per year (based on a 40-hour work week);
  • An NS Business Card 1st class;
  • Our Utrecht office is located at walking distance from Utrecht CS.


Please send your motivation and CV to for the attention of Albert Hankel.

Acquisition in response to this vacancy is not appreciated.

More information


  • Who is responsible for the content of the job? Albert Hankel
  • Who is the committed HR advisor? Romanda Lebbink