UNIQA Insurance Group AG
Christoph Gruber, Head of IT Security at UNIQA
Description
In this interview, Christoph Gruber of UNIQA gives insights into how the IT teams are organized, the basic principles behind the choice of technologies, and how recruiting and onboarding are structured.
Video Summary
In "Christoph Gruber, Head of IT Security at UNIQA," Christoph Gruber describes a dynamic, ~40-person security team organized into three groups and expertise fields led by Subject Matter Experts across areas like vulnerability management, software development, infrastructure, and network, who also co-develop juniors. Hiring is often internal: curious colleagues from IT Operations or Software Development move horizontally into security and get a buddy to transfer the security mindset, processes, and team know-how; cultural diversity is embraced while expertise and a shared purpose—protecting UNIQA’s and customers’ data and infrastructure—stay central. The team defines its own security technologies and processes (malware protection, log analysis, firewall control, reporting), consults and guides other teams, manages data center providers, and tailors reports to prove security beyond gut feeling.
Christoph Gruber, Head of IT Security at UNIQA: Purpose-Led Security, Subject-Matter Experts, and a Culture That Puts Expertise First
What stood out from the session
In our session “Christoph Gruber, Head of IT Security at UNIQA,” we got an unfiltered look at how security is led, organized, and lived at UNIQA Insurance Group AG. Gruber describes a dynamic team of roughly 40 people, structured across three groups and, within those, organized by “expertise fields.” The central figures in those fields are Subject Matter Experts (SMEs) who shape their domains not only technically, but also procedurally and content-wise—delivering a security service to the whole of UNIQA.
At the core is “Leading by Purpose.” The mission is clear: protecting UNIQA’s and its customers’ data and infrastructure. What struck us most is how security is positioned as a company-wide service—owning its technology stack while also consulting infrastructure, software development, testing, and IT operations. This blend of ownership, enablement, and measurable outcomes (“reports tailored to the consumer”) makes the work tangible, impact-focused, and visible across the organization.
“My team is very dynamic. I currently have around 40 employees.”
“We have these Subject Matter Experts … every expert is called upon to shape their field themselves.”
“We have a buddy concept … to convey the mindset, our specific processes, and to make it easier to find your way around the team.”
“For me it’s Leading by Purpose … to protect the data and infrastructure …”
Team design: Three groups, expertise fields, and real ownership
Gruber describes a three-layered setup:
- Three groups make up the structural baseline.
- Within those groups, teams organize around expertise fields (Subject Matter Experts).
- SMEs carry end-to-end responsibility for their domains—shaping content, processes, and technology—and deliver a service to the entire company.
He mentions several specific fields:
- Vulnerability Management (with “one and a half” experts—one FTE plus part capacity)
- Software Development (in the sense of security-related competencies)
- Infrastructure
- Network
The key sentence here—“every expert is called upon to shape their field”—sets the tone. This isn’t a model built on mere execution; it’s about authorship. SMEs set standards, define processes, choose tools, and establish service quality—with an explicit mandate to create value for “the whole UNIQA.” That responsibility doubles as a growth path: if you shape a field, you grow in impact and seniority.
SMEs plus juniors: mentorship baked into the model
Alongside SME roles sits a clear mechanism for developing talent. A Subject Matter Expert can have a junior alongside them—or two SMEs can jointly mentor a shared junior. The goal is to transfer expertise, replenish skills, and make knowledge spreadable across the team. Mentorship isn’t a “nice to have” here; it’s structural.
Hiring, internal mobility, and the transfer of perspectives
“I care a lot about the recruiting process,” Gruber says—and notes he relies on colleagues in People Management to search internally. Many join from other teams horizontally, moving into security out of curiosity and the realization that it’s a compelling field.
This internal mobility is more than a sourcing tactic. It’s a two-way knowledge and culture exchange:
- New colleagues bring rich operational or development experience.
- The security team passes on the specific “security view” of topics.
Gruber emphasizes the immediate value: expertise flows into the security organization and is put to use right away. At the same time, the security mindset is instilled in the new joiners—and with that, spread throughout the wider company. For talent, that’s a meaningful proposition: come from development or operations, apply your existing skills, and grow professionally in security.
Onboarding as culture: the buddy concept
Gruber deliberately avoids calling it a “process” and instead frames it as culture: every new hire gets a buddy—usually a more senior teammate with longer tenure in the team or in security. The goals are straightforward:
- Mindset transfer: what the UNIQA security perspective means in practice.
- Process orientation: which internal workflows matter and why.
- Social navigation: how to find your way around the team.
It’s a pragmatic and human approach. As Gruber notes:
“Security specialists are a bit idiosyncratic.”
The buddy model builds connection, reduces friction in the first weeks, and accelerates productive impact. For candidates, it’s a strong signal: your start is supported, the team takes your learning curve seriously, and seniority expresses itself by enabling others.
A “culturally agnostic” engineering culture
Few lines land as memorably as this one:
“I’m culturally agnostic. I have everything from tie wearers to messy buns, shorts, and Birkenstocks … I tolerate it all because expertise is at the center, not cultural aspects.”
This is more than a lighthearted aside; it’s a performance contract. People are measured by expertise and contribution to purpose—not by style or etiquette. In practice, that means:
- Heterogeneity is normal—in appearance and personality.
- Unity comes from the purpose: protecting data and infrastructure.
- Different backgrounds are welcome so long as they compound into security impact.
For engineers, this matters. It signals an environment where you can be yourself—so long as the work delivers and the shared focus is maintained.
Leading by Purpose: a clear and measurable mandate
Gruber articulates the mission succinctly:
“To protect UNIQA’s and its customers’ data and infrastructure.”
That’s both compass and yardstick. The team works with a focus on Austria while assuming responsibility for international services operated out of Vienna. The result is a compelling mix for security professionals: local anchoring with international scope.
Purpose meets measurability
Security at UNIQA isn’t just intent. Gruber stresses the importance of reporting—tailored to each consumer—so “we can prove that we are secure and not just rely on gut feeling.” For engineering, that translates into:
- Standards and measures are evidenced with data.
- Results are packaged for whoever needs to consume them.
- Security isn’t only effective behind the scenes; it’s visible and demonstrable.
Technology and responsibility: define, enable, harden, report
The security team defines its own technology for security purposes. Gruber names several building blocks:
- Protection against malware
- Logfile analysis “in a CM”
- Managing and steering firewalls
- Generating reports
This ownership extends across infrastructure, process, and tooling—designed to provide a dependable security service. At the same time, the team acts as consultants and enablers to the wider IT organization:
- Infrastructure colleagues are supported and guided to make their work more secure.
- The security perspective is infused into software development, testing, and IT operations.
- Data center providers are managed and integrated into a coherent reporting framework.
The picture is clear: UNIQA Security operates end-to-end—from technical implementation to process consulting to communicating results to internal and external stakeholders. If you want to not only “build security,” but also “explain it” and “prove it,” this is the right arena.
Collaboration as a service: security for the entire UNIQA
Gruber explicitly speaks of “a service to the whole UNIQA.” That choice of words defines how collaboration works:
- Security is part of the value creation of all IT functions.
- The work is both proactive (setting standards, defining tools) and supportive (advising, enabling, steering providers).
- Results are reported in the right channels for the right audience—so they get understood and used.
Crucially, this service posture makes security approachable. Rather than policing, the team partners with others. For talent who want their impact felt beyond their immediate scope, this is compelling: shape the security landscape and enable others to contribute visibly and efficiently.
Development paths: from lateral move to field shaper
From SMEs, juniors, and internal mobility emerges a clear growth path:
- Enter with an existing skillset (e.g., from IT operations or development), and acquire the security mindset through onboarding.
- Deepen in an expertise field, supported by a buddy and close collaboration with SMEs.
- Expand ownership: co-shape processes, tooling, and service quality in your area.
There’s no rigid track. Those who take responsibility, set standards, and share knowledge can significantly shape their field. That’s especially attractive for experienced engineers seeking room to lead without relying solely on formal hierarchy.
What Gruber looks for—and what UNIQA offers in return
The session offers clear signals without overinterpreting:
- Curiosity and appetite for learning: many move horizontally into security because they discover it’s an exciting field.
- A sense of ownership: SMEs are expected to “shape their field”—that requires initiative.
- Service and consulting mindset: security’s impact is delivered through development, testing, and operations—those who can explain and persuade move the needle.
- Team orientation: mentoring (juniors/SMEs) and the buddy approach require sharing and absorbing knowledge.
What UNIQA Security offers in return is equally clear:
- Ownership: define and run your own technology, processes, and reporting—with impact across the company.
- Variety: from engineering (malware protection, logfile analysis in a “CM,” firewall management) to consulting and provider management.
- Visibility: reports tailored for different consumers make outcomes demonstrable.
- Cultural fit through diversity: “culturally agnostic,” expertise-centered—from suits to shorts and Birkenstocks.
- Supported growth: buddy onboarding, SME mentorship, and internal knowledge transfer provide a deliberate path into security.
- International context: a focus on Austria paired with responsibility for international services operated from Vienna.
How the work feels: effective, collaborative, and provable
The session’s elements combine into a clear picture of day-to-day security work at UNIQA:
- Effective: define, implement, and improve measures—from firewalls to logfile analysis—with real influence on the company’s security posture.
- Collaborative: enable colleagues in development, testing, and operations to meet security expectations; steer data center providers.
- Provable: report outcomes so they’re understood, consumable, and actionable—“to prove that we are secure and not just rely on gut feeling.”
This trio highlights what makes the role appealing: it blends engineering, consulting, and communication—taking security out of the engine room and into organization-wide accountability.
Concrete reasons why tech talent should take a closer look
From the perspective of developers, ops professionals, and aspiring security specialists, several points stand out:
- You want to create, not just comply: as an SME, you shape content, processes, and tooling—and deliver a tangible service to the whole of UNIQA.
- You prefer learning with people over paperwork: the buddy concept and mentorship are built-in.
- You value diversity: expertise is what counts—not etiquette. Culture is “agnostic,” impact is the focus.
- You seek visibility: security outcomes are reported to the right audiences—impact is seen, not hidden.
- You want to bridge security and engineering: from malware protection to logfile analysis in a “CM” to firewall management.
- You want to enable others: bring the security perspective into development, testing, and operations—and make others better.
- You want international exposure without losing local roots: international services are operated out of Vienna with security responsibility in the team.
Quotes that stick
- “My team is very dynamic. I currently have around 40 employees.”
- “We have these Subject Matter Experts … every expert is called upon to shape their field themselves.”
- “… delivering a service to the whole UNIQA.”
- “We have a buddy concept … to convey the mindset … and to make it easier to find your way around the team.”
- “Security specialists are a bit idiosyncratic.”
- “I’m culturally agnostic … expertise is at the center, not cultural aspects.”
- “Leading by Purpose … to protect the data and infrastructure …”
- “We define the technology … how we analyze logfiles in a CM, how we steer and manage firewalls.”
- “… reporting into the right channels depending on the consumer … to prove that we are secure and not just rely on gut feeling.”
Closing: Security as a service—anchored in purpose, ownership, and diversity
Our conversation with “Christoph Gruber, Head of IT Security at UNIQA” reveals a security organization structured around expertise fields, with real responsibility placed in the hands of Subject Matter Experts and a buddy/mentoring culture that intentionally develops new talent. The unifying thread is purpose: protecting data and infrastructure—with a focus on Austria and internationally operated services in Vienna.
For tech talent, this is compelling because it combines engineering, enablement, and verifiable outcomes. You shape technology and process, empower colleagues in development, testing, and operations—and make the impact of your work visible through reporting. If you see security as a service to the whole organization, UNIQA offers a place where expertise counts and diversity is welcomed.