Decipher Bureau

Cyber GRC Specialist

Accounting

Posted 09/06/2026
Closes 23/06/2026

East Melbourne, 3002, Melbourne, Victoria

Full time

Not specified

Well-known Aussie digital enterprise. Fast-moving, tech-led, operating at serious scale, and in the middle of a major multi-year platform modernisation program. New architecture, growing risk surface. Cyber GRC is embedded in that work, not watching from the sidelines.

These guys have been on a deliberate maturity journey for several years now. Controls assurance, NIST alignment, ISO 27001, PCI-DSS, vendor risk, security awareness. They've done the hard work of acknowledging where the gaps were and actually doing something about it. AI is in the mix, the program is accelerating, and they need someone to help run the assurance engine properly.

What Can You Expect?
  • Hybrid WFH / in-office setup, Melbourne CBD.
  • Start ASAP, role's approved and ready to go.

What You'll Be Doing:

You’ll be executing a risk-based controls assurance plan aligned to NIST CSF v2, assessing control design and operating effectiveness across systems, applications, processes and IT General Controls. Deficiency management end-to-end: log it, assess the risk, drive remediation, close it out or get to a risk acceptance.

You’ll also be collaborating with geographically diverse teams on cyber security reviews for new vendors, contributing to security awareness activity, and supporting external certifications. The team is leaning into automated assurance tooling to lift coverage and reduce manual effort. This is an environment thinking ahead, not just maintaining what exists.

What Will Land You an Interview?
  • 4+ years in cyber GRC, controls assurance, or a related advisory or audit role.
  • Big 4, advisory, or internal audit background. You’ll know how to assess controls and document evidence properly.
  • Solid working knowledge of NIST CSF. ISO 27001, COBIT or PCI-DSS exposure is a bonus.
  • You can tell the difference between a well-designed control and one that's actually operating effectively. You've had to make that call and defend it.
  • Clear communicator across technical and non-technical audiences.
  • Aussie PR or citizenship. No exceptions.

Want to throw your hat in the ring?
  • You’ve worked inside a structured assurance or risk program, not just helped design one on paper.
  • You can manage multiple workstreams without dropping the ball.
  • You don’t wait to be told what the risk is. You go find it.
  • You can hold a room with senior stakeholders and bring non-technical people on the journey.

How to apply…

Your application is completely confidential. Only you and I will know. Want to chat about what you’re looking for? Reach out anytime.

Click APPLY or email me directly at for an informal, 100% confidential conversation.

We’re committed to diversity and inclusion. All qualified applicants will be considered fairly, regardless of race, colour, religion, sex, sexual orientation, gender identity, national origin, veteran, or disability status.
