If you've built software and then became obsessed with breaking it — or if you've spent years finding vulnerabilities and now want to prevent them by design — this role was written for you
You'll join the security team of a global pharmaceutical leader to define how applications are built securely from the ground up. This is not a compliance checkbox role. This is about real ownership, real impact, and building a security culture that developers actually embrace.
What you'll do
* Define and implement secure architecture patterns for enterprise applications — from design through deployment.
* Lead threat modeling sessions and security reviews (architecture, code, APIs) across development teams.
* Be the go-to reference for authentication, certificate management, and cryptographic standards.
* Champion secure coding practices — OWASP, SAST/DAST, secure CI/CD — and make developers want to follow them.
* Translate complex security risks into language that resonates with business stakeholders.
* Mentor developers and software architects; turn security-aware engineers into security advocates.
* Contribute to enterprise-wide security frameworks covering IAM, network security, and application interfaces.
What we're looking for
Must-haves:
* 5+ years in cybersecurity with a clear focus on application security.
* Background as a software developer or penetration tester — you understand how things break because you've built or broken them.
* Solid knowledge of authentication protocols, digital certificates, and cryptographic standards.
* Hands-on experience with security architecture reviews and code analysis.
* Fluency in secure coding standards: OWASP Top 10, CWE, and friends.
* Ability to communicate technical risk clearly to non-technical audiences.
* Advanced English and Spanish (working proficiency in both).
Great to have (but not blockers):
* Experience in regulated environments: MDR, HIPAA, GxP, or similar.
* Familiarity with pharma or healthcare sector dynamics.
* Hands-on with tools like Burp Suite, ZAP, SonarQube, or Snyk.
* Knowledge of DevSecOps and secure pipeline design.
* 1+ year in a formal Security Architect or equivalent role.
What we offer
Hybrid model: Meaningful flexibility — most of the team commutes from Barcelona without issue.
Continuous learning: Access to certifications, conferences, and training budget.
Culture: Security-first mindset, low bureaucracy in the security team, and a company that genuinely values this function.
We know this profile is rare. We're not looking for someone who checks every single box — we're looking for someone with the right foundation and the drive to grow into the full scope of this role.
If you came from development and have been shifting toward security, or if you've been doing pentesting and want to move into architecture — let's talk. The 'nice to have' items are genuinely nice to have, not hidden requirements.