Principal Cyber Risk & Assurance Specialist (GRC)

Decipher Bureau

Principal Cyber Risk & Assurance Specialist

New GRC Leadership Role. Growing GRC Team.

Permanent | Melbourne | Hybrid Flexibility

The Company

We're partnering with a major Australian critical infrastructure organisation that has a significant cyber uplift underway and strong executive backing. The business is investing heavily in maturing its cyber risk, assurance, and resilience capability across both IT and OT environments.

This is a rare opportunity to join a highly visible cyber function during a genuine transformation phase - helping shape the future state of cyber governance within a complex, operationally critical environment.

The Role

This is not a traditional GRC role - and that distinction matters. We're looking for a technical security professional who has evolved into cyber risk and assurance.

You'll operate as the 2IC to the GRC Manager, working as a principal-level individual contributor with the autonomy to lead workstreams, challenge stakeholders, and build mature cyber risk capability across the organisation. The expectation is that you can walk into a conversation with a security engineer or architect, challenge their control assessment with technical credibility, and then translate that into a clear risk position for executive leadership.

Key Responsibilities

  • Lead the design, development, and execution of the cyber risk management practice aligned to AESCSF, NIST CSF, NIST 800-82, Essential Eight, and the enterprise risk framework.
  • Conduct threat-informed risk assessments across IT and OT environments - applying technical knowledge of control effectiveness to derive accurate risk ratings, not just compliance scores.
  • Own and continuously uplift the cyber risk register, including aggregation from operational risk (L3) through to enterprise level (L1/L2).
  • Build and own the control assurance function from the ground up - design the testing methodology, assess design and operating effectiveness, validate evidence with technical teams, and manage remediation tracking.
  • Drive policy uplift across IT and OT - not just document authorship, but stakeholder engagement, governance process, and genuine adoption across the organisation.
  • Produce and publish data-driven cyber governance dashboards, KPIs, and KRIs for executive and board decision-making.
  • Provide trusted cyber risk advisory to GMs, infrastructure leads, digital architects, and the enterprise risk function.
  • Mentor junior analysts and lift the quality and consistency of GRC outputs across the team.

Experience Required

  • 10+ years in cyber security, including 5+ years in GRC, cyber risk, or assurance.
  • Previous experience in technical security operations, engineering, or architecture before evolving into GRC. This background is essential - pure GRC, audit, or compliance backgrounds from the start of a career will not meet the technical depth requirements.
  • Demonstrable ability to explain, assess, and challenge the following at a technical level - not a governance level: endpoint protection, network segmentation and microsegmentation, MFA maturity tiers, PAM, risk-based vulnerability prioritisation, and OT controls.
  • Proven ability to independently plan and execute risk assessments, including how risk ratings are derived - not just documented.
  • Experience building and owning a control assurance program from the ground up - control objectives, testing methodology, evidence requirements, and metrics.
  • Working knowledge of AESCSF, NIST CSF, NIST 800-53, NIST 800-82, Essential Eight, ISO 27001, and SOCI.
  • Experience in energy, utilities, water, transport, or critical infrastructure is strongly preferred, including an understanding of OT operational constraints and legacy systems.

Why Join?

  • Competitive Salary Package + Bonus.
  • Genuine capability-build role - not BAU maintenance.
  • Principal-level IC opportunity with real leadership scope and autonomy.
  • Direct executive and board visibility from day one.
  • Complex IT/OT environment you won't find in many Australian organisations.
  • Long-term GRC maturity journey with sustained investment and board sponsorship.

How to apply: Click apply or submit your CV to ***email_hidden*** or [email protected] for a 100% confidential, informal conversation where your privacy will absolutely be respected.

Decipher Bureau and the clients we partner with are committed to creating a diverse environment and are proud to be equal-opportunity employers. All qualified applicants will be considered for employment without attention to race, colour, religion, sex, sexual orientation, gender identity, national origin, veteran, or disability status.