Roche

Cybersecurity Engineer for Internal Network Defense

Madrid Full time

At Roche you can show up as yourself, embraced for the unique qualities you bring. Our culture encourages personal expression, open dialogue, and genuine connections, where you are valued, accepted and respected for who you are, allowing you to thrive both personally and professionally. This is how we aim to prevent, stop and cure diseases and ensure everyone has access to healthcare today and for generations to come. Join Roche, where every voice matters.

The Position

The Network & Perimeter Security product makes Roche’s connectivity accessible and secure through actionable, policy-driven processes. The capabilities we provide enable Roche to identify, inspect, and mitigate network-based risks, manage regulatory compliance, and oversee egress/ingress traffic across all layers. Our solutions are primarily instantiated through leading-edge security platforms and automated orchestration. We work closely with Cloud, Infrastructure, and Incident Response teams to provide enterprise visibility into Roche’s network security posture.

You’ll be working within the Network Security Product area. This area is accountable for the end-to-end delivery of solutions—designing, building, and maintaining the technologies that protect Roche networks and the Internet, whether on-prem or cloud-based. This includes continuous improvement of capabilities like Internet Security Stack, DDoS Protection, Site-to-Site Connectivity (VPN), Network Access Control and Deep Packet Inspection to stay ahead of an ever-evolving threat landscape.

Job description 

As a Senior Cybersecurity Engineer for Internal Network Defense, you will be the primary guardian of our internal environment, protecting our most sensitive segments—from manufacturing plants and research labs to warehouses and corporate offices. Your mission is to architect and enforce robust "East-West" segmentation, preventing lateral movement and securing the diverse environments that drive our core business. This is a technical "implementer" role where you will architect, design, build, and operate high-performance security boundaries using a dual-vendor strategy (Palo Alto and Fortinet). Beyond traditional enforcement, you will champion the adoption of AI-driven insights to identify latent risks and define the safe boundaries for automated security workflows, ensuring our internal network is resilient, compliant, and prepared for machine-speed threats.

Job responsibilities

Architecture, Design & AI Ambition

  • Segmentation Strategy: Design, develop and document robust network segmentation architectures leveraging Fortinet and Palo Alto firewalls to meet complex business and security requirements.

  • AI-Driven Risk Discovery: Actively explore and integrate AI opportunities to analyze internal traffic patterns and identify emerging security risks within complex Manufacturing and Lab environments.

  • Automated Guardrails: Define and establish clear boundaries and governance for automated workflows, ensuring that machine-driven policy changes remain within safe, predictable parameters.

  • Solution Blueprints: Create detailed network diagrams, technical design documents, and implementation plans for new segmentation environments (Labs, Manufacturing, Research).

Implementation & Deployment

  • Firewall Engineering: Configure, deploy, and manage Palo Alto Networks (PA-Series, VM-Series) and Fortinet FortiGate firewalls at scale.

  • Centralized Management: Utilize Panorama and FortiManager to enforce consistent security policies, NAT rules, VPNs (IPSec/SSL), and advanced routing features.

  • Infrastructure Evolution: Lead the migration and upgrade of existing internal firewall infrastructure, ensuring zero-downtime transitions in critical environments.

Operational Excellence & Visibility

  • Technical Subject Matter Expertise: Serve as the lead engineer for complex network security escalations, performing deep-packet analysis and root-cause investigations to implement long-term architectural fixes.

  • Validated Environments: Apply security best practices within validated (GxP) environments, ensuring compliance with manufacturing and healthcare regulations.

  • Continuous Improvement: Stay current with emerging threats, vulnerabilities, and security technologies to proactively refine internal defenses.

  • Automation & Orchestration: Manage security policies as code while continuously improving automation workflows and cross-platform orchestration to eliminate manual friction, reduce operational overhead, and ensure consistent, high-speed security enforcement.

  • On-Call Readiness: Available for on-call support on a rotating schedule to ensure the continuous availability and integrity of global edge security services.

Qualifications

Education / Experience

  • Educational Background: Bachelor’s degree in Computer Science, Software Engineering, Information Security, or a related technical field.

  • Professional Experience: 3+ years of experience in designing, deploying, and supporting Next-Generation Firewalls (NGFW) in large enterprise environments.

  • Automation Engineering: Proven experience using Ansible, Terraform, or Python to manage network security infrastructure at scale.

  • Large-Scale Infrastructure: Experience managing security controls in complex, global environments involving thousands of diverse device profiles (IoT, Medical, Corporate).

  • Regulated Industry: Experience working in highly regulated environments (e.g., Pharmaceuticals, Healthcare, or Finance) is highly preferred.

Technical Skills

  • Palo Alto Mastery: Deep knowledge of PA-Series, Panorama, App-ID, User-ID, WildFire, and Threat Prevention.

  • Fortinet Expertise: Extensive hands-on experience with FortiGate, FortiManager, FortiAnalyzer, and the Fortinet Security Fabric.

  • Security Foundations: Solid understanding of security concepts, trends, and best practices, specifically for "Defense in Depth" within internal networks.

  • Networking Depth: Strong foundation in core routing/switching, VPN architectures, and network protocols.

Skills below will be considered a plus:

  • Vendor certifications: Fortinet NSE 4-8 or Palo Alto Networks PCNSA, PCNSE; Cisco CCNP

  • Cybersecurity certification: CISSP

  • Infrastructure as Code (IaC): Proficiency in Terraform and GitHub to maintain version-controlled, reproducible security configurations.

  • Scripting & Integration: Strong skills in Python or Go to build custom API integrations between security platforms and internal orchestration tools.

  • Governance Frameworks: Familiarity with NIST, IEC 62443, ISO 27001, and FAIR data principles.

Leadership Skills

  • Communication: Strong ability to build trust with network and infrastructure experts and explain complex security policy concepts to non-technical stakeholders.

  • Innovation & Curiosity: A relentless passion for staying ahead of threat actors by researching emerging network security trends and automated enforcement techniques.

  • Thriving in Ambiguity: Ability to navigate global complexity and drive clarity when translating high-level security requirements into functional network policies.

  • Self-Starter: Proven ability to manage technical workstreams from concept to production with minimal supervision, taking full ownership of the Edge Defense product lifecycle.

Additional Qualifications

  • Demonstrated ability to mentor colleagues with less experience and provide guidance on cybersecurity best practices and analysis techniques

  • Strong facilitation, communication, and conflict resolution skills to ensure alignment across multiple product squads and complex stakeholder networks

  • Demonstrated interpersonal and collaborative skills and a commitment to operational excellence.

Who we are

A healthier future drives us to innovate. Together, more than 100’000 employees across the globe are dedicated to advancing science, ensuring everyone has access to healthcare today and for generations to come. Our efforts result in more than 26 million people treated with our medicines and over 30 billion tests conducted using our Diagnostics products. We empower each other to explore new possibilities, foster creativity, and keep our ambitions high, so we can deliver life-changing healthcare solutions that make a global impact.


Let’s build a healthier future, together.

Roche is an Equal Opportunity Employer.