Cyber Security GRC Specialist
VicTrack
VicTrack is the custodial owner of Victoria's rail transport land, assets and infrastructure. We work to protect and grow the value of the portfolio, to support a thriving transport system and make travel and living better for all Victorians. With much of our asset portfolio dedicated to rail transport - our land, infrastructure, trams, trains and telecommunication networks - our focus is on strategic asset management and supporting the delivery of better transport solutions.
When you join VicTrack, you'll become part of an organisation that celebrates the diverse backgrounds, perspectives, and life experiences of our people. We are committed to fostering a workplace that mirrors the diverse communities we serve. Everyone is welcome to apply for a role at VicTrack and we encourage open discussions about any adjustments you might need during the recruitment process or within the role. If you have a disability or specific access requirements, please let us know how we can offer you additional support.
Benefits
- Free travel on all public transport - Trains | Trams | V/Line
- 17.5% leave loading
- 1 x Extra day off (EDO) per month
- Flexible work environment | hybrid work - 2 x days in office, 3 x days WFH
- Flexible public holidays - swap any public holiday for another day that better suits your lifestyle, culture, or personal commitments
- Stable work environment - Victorian Government state-owned enterprise
- 16 weeks paid parental leave (36 unpaid)
- Comprehensive health & wellness programs
- Additional 5 days of reproductive health and wellbeing leave to support your reproductive health, wellbeing, and related life events
- Free access to on-site gym and end of trip facilities
- Training and development opportunities to help you grow and develop your career
The challenges of our fast-growing sector put our people at the front of some of Victoria's most exciting projects in telecommunications, property development and project delivery - with job opportunities as diverse as our organisation.
The Role
The Cyber Security Governance, Risk and Compliance (GRC) Specialist is responsible for overseeing and managing the cyber security governance, risk and compliance functions within VicTrack. The role ensures the organisation's cybersecurity policies, standards, procedures and controls are aligned with best practices and VicTrack's regulatory compliance requirements.
This position involves identifying, evaluating, mitigating, and monitoring the organisation's cyber security risks. The position also coordinates and facilitates operational functions such as cyber security audits, risk assessments, reporting activities, providing guidance and support to the Manager Enterprise Architecture & Security, the Security team and other VicTrack stakeholders.
- Developing and maintaining the cybersecurity governance framework, including the cybersecurity policies, standards, procedures and guidelines
- Facilitates the creation of suitable awareness training to guarantee that the cybersecurity governance framework, policies and standards are effectively communicated throughout the organisation
- Manages an exception review and approval process, and assures exceptions are documented and periodically reviewed
- Assists with the evaluation of the effectiveness of the information security program by developing, monitoring, gathering, and analysing information security and compliance metrics for management
- Prepare and present cybersecurity reports and dashboards to the management and relevant committees providing insights and recommendations on the cybersecurity performance and improvement opportunities
- Support the continuous improvement of the cyber security framework and processes and identify and implement opportunities for enhancing the cyber security maturity and resilience of the organisation
- Performs third-party supplier risk assessments to ensure supply chain risk is managed throughout the supplier's lifecycle
- Maintains inventory of relevant suppliers/vendors, controls, and risks for ongoing vendor risk management activities
- Identifying and advising on the technical, physical, personnel and procedural risks associated with third party relationships, particularly vendors, contractors and suppliers
- Ensuring the third-party cyber and information security capabilities/services delivered by external parties operate as defined and deliver on contractual obligations
- Review of information security sections within supplier contracts, identifies gaps, and recommends security requirements to close gaps
- Identifies, analyses, evaluates, and documents information security risks and controls based on established risk criteria
- Conducting and analysing risk assessments to identify potential cyber security threats and vulnerabilities within the organisation's IT and Telecommunications infrastructure, systems, and applications
- Develops and implements security risk management plans and mitigation strategies based on the findings and recommendations of the risk assessments and audits
- Assessing and validating information on current and potential cyber and information security threats to the business, analysing trends and highlighting information security issues
- Predicts and prioritises threats to VicTrack telecommunications services and their methods of attack
Assurance: Audit, Compliance and Testing:
- Lead and manage the Cyber Security Compliance Assurance program, scope of which includes meeting cyber security related obligations, internal assessments, and facilitating audits and assurance of cyber security activities and objectives
- Conducting control assurance testing of the information and cyber security controls in line with regulatory requirements and advises on corrective measures
- A bachelor's degree or diploma in information technology (IT), computer science, software engineering, information systems, cybersecurity, data science or related technology field (mandatory)
- Must have one or more industry-recognised Governance, Risk and Compliance certifications (mandatory)
Knowledge & Experience:
- Experience working in a cyber security role, including technical hands-on roles or a similar GRC role
- Experience managing governance, compliance and risk related activities
- Significant working knowledge of the laws, policies, and standards applicable to cyber security, privacy, cyber risk management, and cyber security aspects of protecting critical infrastructure with demonstrable experience interpreting obligations into cyber security practices and delivery within an organisation or enterprise
- Experience developing and maintaining Information Security Management Systems using recognised formal Cyber Security Frameworks in the context of large complex organisations (e.g., VPDSF, NIST, ISM, Essential 8, ISO 27000 etc)
- Experience managing business and enterprise risk, including identification, analysis, mitigation, escalation and resolution
- Experience with the administration of the Cyber Security Third Party Risk Management
- Knowledge of various IT domains, such as infrastructure, software, data, security, cloud, etc, obtained through previous technical hands-on roles or project experience
- Experience engaging and managing government departments and agencies
To Apply
*PLEASE ONLY SUBMIT YOUR RESUME AND/OR COVER LETTER IN PDF FORMAT
If you are interested in this exciting opportunity with us, please click apply and submit your resume in PDF format only. All applications are strictly confidential.
We are proud to be recognized by WORK180 as an employer of choice for women. Explore the WORK180 website to learn about our benefits and policies. Research shows that 60% of women and underrepresented groups may decide not to proceed, even after drafting an application. We believe diversity strengthens every team, so even if you don't meet every qualification, we still encourage you to apply!
Offer of employment is strictly subject to successful background (pre-employment screening) and criminal history check. VicTrack is an equal opportunity and human rights employer.
Applications will be reviewed and processed as they are received, so please don't wait until the deadline to apply.
Closing Date: 30/07/2026
*PLEASE ONLY SUBMIT YOUR RESUME AND/OR COVER LETTER IN PDF FORMAT