Product Owner Cybersecurity Testing & Exposure Management
As Product Owner Cybersecurity Testing & Exposure Management, you are responsible for building, managing, and further developing the services related to security testing and vulnerability management within the organization. You translate the needs of internal stakeholders into a clear product vision and roadmap, and you direct the realization through external partners and internal teams. You ensure structured, high-quality execution of the services (scope, planning, reporting, follow-up, and quality assurance) and make sure that stakeholders are served in a timely and accurate manner.
Penetration Testing
You plan, coordinate, and execute penetration tests on applications, systems, and infrastructure — both independently and in collaboration with external specialized parties. You support internal stakeholders in determining scope and objectives, and you monitor the quality of each project: from initial request and scope definition to test execution, reporting, and vulnerability follow-up. You have a clear quality role: you review and validate the delivered reports (consistency, completeness, reproducibility of findings, clear risk assessment, and concrete remediation advice) and make adjustments where necessary so that stakeholders can rely on usable and actionable results.
Ethical hacking
You take an active role in the development and follow-up of ethical hacking initiatives, including vulnerability disclosure and bug bounty programs. You organize structured and secure handling of reported vulnerabilities and work together with both internal teams and external researchers to properly analyze, prioritize, and follow up on vulnerabilities.
Exposure management
You manage and further develop the exposure management services, including the management and optimization of solutions such as vulnerability scanners and attack surface management (ASM). You ensure proper configuration, integration, reporting, and follow-up of findings, and you align prioritization and remediation with the involved product and platform teams. You define KPIs/SLAs and monitor the quality of the service delivered by suppliers and/or internal executors.
Continuous improvement
You actively keep track of developments in the field and investigate new approaches, methodologies, and technologies — such as hybrid test forms and emerging test techniques — to make the cybersecurity testing services more efficient and future-proof.
Requirements and experience
- Demonstrable experience as a Security Consultant within one of the following environments: data, infrastructure, applications, ...
- Demonstrable expertise in a specific knowledge domain of information security (e.g., implementing information security management processes, performing vulnerability analyses and pentests, optimizing application security through cost-effective means, implementing Privileged Access Management, implementing encryption solutions)
- Demonstrable experience in analyzing, optimizing, and documenting security processes and governance
- Demonstrable experience with security management techniques and/or frameworks (e.g.: ISO27000 series, COBIT for Security, NIST, OWASP, CIS Critical Security Controls for Effective Cyber Defense)
- Demonstrable knowledge and experience through certifications depending on domain of expertise (e.g. CISM, CISSP, CEH)
- Language requirement: Dutch at European CEFR level C2
Context / Requirements
Digitaal Vlaanderen’s mission is to build a coherent, government-wide information policy and to support and help realize the transition of the Flemish government toward a data-driven government. The agency’s products and services are organized into programs in order to maximize synergies through this programmatic approach and to provide optimal service to our VO partners. Digitaal Vlaanderen is a digitization agency of the Flemish government that is committed to the digital transformation of services and cooperation between governments, citizens, and businesses. We support and guide Flemish and local governments in their digital transformation and their search for the government of tomorrow.
Business Context
You will work within the Flemish Center for Digital Security (VCDV), part of Digitaal Vlaanderen. The VCDV acts as the central expertise center for digital security within the Flemish government and supports both Flemish entities and local authorities with expertise, services, and coordination regarding cybersecurity.
Within this context, a structural service is being developed around vulnerability management, including penetration testing and ethical hacking. The purpose of this service is to identify vulnerabilities in a timely manner and to support organizations within the Flemish government and local authorities in strengthening their digital security.
Technical context
Within this role, it is expected that the Product Owner will help build, operationalize, and monitor the services related to cybersecurity testing and exposure management. The position combines substantive knowledge of offensive security with explicit product ownership: gathering needs from stakeholders, prioritizing, developing a roadmap, managing suppliers, and monitoring the quality of services.
The technical environment in which these services are offered is very diverse and includes various technologies, platforms, and architectures that are used within the Flemish government and by local authorities. This means that cybersecurity testing must be applicable to diverse applications, infrastructures, and digital platforms.
The main tasks and responsibilities include:
- Identifying the needs of internal stakeholders (Flemish entities and local authorities) and translating them into a clear product vision, backlog, and roadmap for cybersecurity testing and exposure management.
- Organizing, executing, and coordinating penetration tests on applications, APIs, platforms, and infrastructure, including scope definition and test strategy in collaboration with involved stakeholders.
- Managing external service providers (including pentest suppliers) and monitoring quality and consistency: setting up a clear review and acceptance flow for deliverables, substantive quality control of pentest reports (scope coverage, clarity of findings, reproducibility, risk/rating, impact, evidence, and remediation proposals), and follow-up of agreements regarding lead times and communication.
- Managing exposure management solutions such as vulnerability scanners and attack surface management (ASM): configuration, integrations, reporting, tuning (false positives/coverage), and lifecycle management.
- Developing and managing ethical hacking initiatives, such as vulnerability disclosure programs and bug bounty programs, including triage, analysis, prioritization, and follow-up of reports.
- Preparing and executing sourcing processes (including RFI/RFP): establishing requirements and evaluation criteria, assessing quotations, substantiating selection, and helping to develop contract/SLA agreements.
- Managing supplier relationships and service delivery: monitoring SLAs/KPIs, organizing service reviews, handling escalations, and continuous improvement based on data and feedback.
- Ensuring end-to-end quality assurance: clear intake, transparent planning, uniform reporting, follow-up of remediations, and periodic communication to stakeholders.
- Overseeing the use of recognized methodologies and standards for cybersecurity testing, such as OWASP Testing Guide, PTES, or similar reference frameworks.
- Keeping track of developments within the field of cybersecurity testing and exposure management and contributing to the further development and improvement of services (processes, metrics, tooling, and approach).
This job is posted by Connecting Expertise, a staffing partner. The original job poster may differ.