Cybersecurity Analyst - Privileged Access Management

Petaling Jaya | Posted 3 days ago
Full-time | onsite

Job Description

At Roche you can show up as yourself, embraced for the unique qualities you bring. Our culture encourages personal expression, open dialogue, and genuine connections, where you are valued, accepted and respected for who you are, allowing you to thrive both personally and professionally. This is how we aim to prevent, stop and cure diseases and ensure everyone has access to healthcare today and for generations to come. Join Roche, where every voice matters.

The Position

In a world where every application, pipeline, and cloud workload depends on secure access, the people who build and manage that trust layer are critical. At Roche, our Enterprise Privileged Access Management team is responsible for exactly that — ensuring the right systems and people have the right access, at the right time, with the right controls in place. If you enjoy working on platforms that matter, thrive in a complex global environment, and want to deepen your expertise in one of the most in-demand areas of enterprise security — this is the role for you.

Your Opportunity


As a Cybersecurity Analyst specialising in PAM, HashiCorp Vault, and PKI, you will be a core member of a global security team working at the intersection of platform engineering and cybersecurity. You will own meaningful workstreams, partner with product owners and application teams, and serve as the Tier 3 expert when complex PAM and Vault issues need to be resolved. This is not a monitoring-and-ticket role — you will be expected to design, build, and continuously improve.

In this role, you will:

  • Drive HashiCorp Vault platform delivery in partnership with the product owner — leading initiatives to upgrade and automate privileged access controls across the enterprise

  • Design and deploy automation scripts and integrations (PowerShell, Python, Ansible) to streamline Vault operations and reduce manual effort

  • Build self-service portals and APIs that make secret usage effortless for application teams, embedding DevSecOps principles into access processes

  • Integrate secrets management into CI/CD pipelines and IaC toolchains across major cloud platforms (AWS, Azure, GCP)

  • Monitor, maintain, and evolve PKI infrastructure including certificate lifecycle management via platforms such as Keyfactor and RedHat IDM

  • Implement certificate automation standards such as ACME for internal issuance and integrate PKI workflows into deployment pipelines

  • Secure containerised environments (Docker, Kubernetes) through mutual TLS implementation

  • Act as the Tier 3 escalation point for complex PAM and HashiCorp Vault issues — providing advanced troubleshooting, guidance, and architectural direction

Who you are

You hold a Bachelor's Degree in Computer Science, Engineering, or a related discipline — or bring equivalent experience that demonstrates the same depth of knowledge.

You have 3–5 years of hands-on experience in cybersecurity or identity and access management, ideally within a large, global, or regulated organisation. You work well independently, take ownership of your deliverables, and have a track record of not just maintaining security systems — but actively improving them.

Your technical background includes:

  • HashiCorp Vault — you have configured and administered Vault in a team environment, with practical experience across secrets engines (KV, PKI, Database, cloud), auth methods (AppRole, Kubernetes, LDAP, JWT/OIDC), and policy management; experience with Vault Agent or Kubernetes sidecar injection is a plus

  • PKI and certificate lifecycle management — you understand CA hierarchy, certificate issuance and renewal, and have worked with platforms such as Keyfactor, RedHat IDM, or Microsoft ADCS; familiarity with ACME-based automation for internal certificate issuance is advantageous

  • Secrets management automation — you have written scripts and integrations using Python, PowerShell, or Ansible to streamline security operations and reduce manual effort

  • CI/CD and Infrastructure-as-Code — you are comfortable working within DevOps toolchains (Terraform, Jenkins, GitLab CI/CD, or GitHub Actions) and have experience integrating secrets management or PKI workflows into deployment pipelines across AWS, Azure, or GCP

  • Network and protocol fundamentals — you have a solid working knowledge of SSL/TLS, cryptography, key exchanges, cipher suites, and trust validation, and can apply this when troubleshooting complex security workflows

  • CyberArk — working knowledge of CyberArk alongside HashiCorp Vault is an advantage, as the team operates across both platforms

Beyond the technical skills, you bring:

  • A clear, confident communication style — you can explain a complex security concept to a developer, a cloud engineer, and a business stakeholder in three different ways without losing accuracy

  • A continuous improvement mindset — you proactively spot gaps, inefficiencies, and risks rather than waiting to be asked

  • Comfort with ambiguity and change in a large, matrixed organisation

  • Familiarity with ITIL principles (Incident, Problem, Change, Request Management) is a plus, particularly for those with experience in validated or regulated environments

Who we are

A healthier future drives us to innovate. Together, more than 100’000 employees across the globe are dedicated to advancing science, ensuring everyone has access to healthcare today and for generations to come. Our efforts result in more than 26 million people treated with our medicines and over 30 billion tests conducted using our Diagnostics products. We empower each other to explore new possibilities, foster creativity, and keep our ambitions high, so we can deliver life-changing healthcare solutions that make a global impact.


Let’s build a healthier future, together.

Roche is an Equal Opportunity Employer.
