Quality & Risk Advisor (Security & AI)

SURF is looking for a pragmatic and well-rounded advisor to join the Quality & Risk (Q&R) team. This team consists of experts in the fields of privacy, security, AI, CSR, and risk management. Together, they are responsible for SURF’s quality and compliance standards. We are looking for someone who can bridge the gap between the central guidelines developed by Q&R and the day-to-day practices of our staff. Is that you? Then this position is perfect for you.

Where you will work

SURF is the ICT cooperative for Dutch education and research institutions. Together with them, we work on digital services and complex innovation challenges to improve the quality of education and research.

In doing so, SURF faces the challenge: how can we continue to professionalize without becoming rigid, while maintaining our agility? How do we combine central accountability with appropriate measures for our dozens of different services? This is precisely the area where you, as a Q&R advisor, can make an impact.

The team you will join

You will be working within the Quality & Risk team: For us, quality is the positive embodiment of compliance. At SURF, we do things the right way because we want to (quality), not because we have to (compliance). Within the Quality & Risk team, we have four disciplines: security, privacy, AI, and CSR. Risk management is an integral part of these four disciplines, and our team therefore consists of second-line officers for these five areas.

The Q&R team serves as a single point of contact for the organization: Business Support. Business Support is a subteam within Q&R and handles all incoming questions and requests regarding our four disciplines.

SURF has grown rapidly in recent years, but processes have not always kept pace. While processes have been significantly improved and strengthened within each discipline (e.g., security and privacy), a more integrated approach to quality and compliance is needed. Colleagues also need practical guidance, explanations, and support.

What you will do

Your role is to bridge the gap between the central frameworks, systems, and policy documents that we develop as a team and the day-to-day practices of service owners and other employees.

In recent years, we have adopted a more risk-based approach across all disciplines. In security, this is based on the ISO 27001 framework; privacy has shifted from a “comply or explain” approach to risk-based decisions; and our implementation of the AI Act follows the same methodology. Risk-based working and continuous improvement are central to our approach.

The next step is to further develop and put into practice the frameworks of the four disciplines across the various teams and support departments. We aim to move from compliance to true resilience throughout the chain, and to do so through an integrated approach, coordinated across all four disciplines.

For 2026, our focus is on security and AI, but this may change annually, depending on internal challenges, external threats, and laws and regulations. That is why security and AI knowledge are currently the most important, but sufficient affinity with privacy and CSR is also important.

Furthermore, you will support Business Support by pragmatically and naturally bridging the gap between the Quality & Risk mindset and the working methods of the various target groups. For example, you can put yourself in the shoes of a service owner, an HR employee, and a developer. Naturally, you will also work closely with your colleague who is responsible for

What else you’ll be doing

Together with your colleagues, your core responsibilities will include the following:

• As part of Business Support, you’ll handle incoming questions and requests related to our four disciplines.
• You translate generic documentation into practical tools, clear explanations, and usable templates for colleagues within SURF.
• You contribute ideas and provide advice on practical and workable (security and AI) implementations to operational colleagues such as administrators, (technical) product managers, project leaders, procurement staff, and software developers who are responsible for SURF’s services.
• You communicate internally and with your colleagues via channels such as the intranet, email newsletters, blogs, or SURFtalks, and coordinate content and communication during serious (security) incidents.
• You support the organization in conducting risk analyses, security designs, and solutions. In doing so, you collaborate and coordinate with the rest of the team.
• You assist in the further development, management, and updating of the information security and AI policies for SURF.

Your skills and experience

• You have proven work experience and knowledge in the fields of security and AI. An interest in privacy and CSR is a plus.
• You have at least 2 years of work experience in one or more of our fields, such as security, AI, privacy, compliance, or risk management.
• You preferably have experience implementing security management and measures, privacy, risk and crisis management, compliance, and audit activities, as well as
• knowledge of the ISO 27001 information security standard or comparable quality systems.
• You have experience with the practical implementation of communication, training, and awareness initiatives for IT professionals. This includes organizing and conducting meetings, workshops, or training sessions, setting up and maintaining the intranet, and designing awareness campaigns.
• You have a flair for language and express yourself fluently in both spoken and written Dutch and English.
• You are always eager to learn, flexible, and creative, and can quickly familiarize yourself with new domains and organizations.
• You work independently within a small team of professionals. In addition, you are results-oriented, pragmatic, and sensitive to organizational dynamics, and you know how to effectively connect people and interests.

SURF takes pleasure in doing its recruitment itself; acquisition is therefore not appreciated.