Senior Information Security GRC Officer

Sydney NSW, Australia Req #361
Thursday, 17 October 2024

About Avant
 
Avant is Australia’s leading medical defence organisation with a proud heritage of protecting Australian medical professionals for over 130 years.
 
Avant now represents 85,000 health practitioners and medical students across every state and territory, delivering market-leading products and services to meet their professional, personal and practice needs. Building on this heritage, our vision is to be the most trusted professional partner in supporting doctors throughout their lives and careers.
 
As a mutual organisation, owned by members and run purely for their benefit, our members are at the centre of all we do. As well as providing products and services to our members, we play a broader community role by advocating for improvements in the healthcare system and in quality, safety and professionalism in medicine, through delivering education and research activities.

About the role:

Working directly with the CISO, our approved security uplift program will offer you varied and interesting work as part of an innovative, collaborative and growing team.

The Senior Information Security GRC (Governance, Risk, and Compliance) Officer plays a crucial role in developing, implementing, and managing the information security governance framework. This role supports compliance with regulatory requirements, mitigates risks, and aligns security practices with industry standards, enabling a secure and resilient insurance business.

Key responsibilities:

Governance

  • Support development, implementation and operationalisation of the information security governance framework, policies, and procedures in line with regulatory standards, including APRA CPS 234, NIST, Essential 8, and ISO 27001.
  • Support alignment of information security objectives with broader business goals and strategies.
  • Support development of security metrics, KPIs and regular reporting to senior leadership and board committees.

Risk Management

  • Conduct risk assessments to identify, evaluate, and prioritise information security risks, providing recommendations for mitigating measures.
  • Monitor the risk landscape, including emerging threats, vulnerabilities, and technological changes.
  • Collaborate with various business units to embed a risk-aware culture and drive a proactive information security approach.
  • Collaborate with the three lines of defence to manage information security risks, issues, actions, and incidents.

Compliance

  • Support compliance with relevant regulations, including APRA CPS 234, CPS 230, Australian Privacy Principles, and other regulations and standards where applicable.
  • Lead the audit process for information security and track findings and remediations to closure including evidence collection, documentation and reporting.
  • Maintain documentation and evidence to demonstrate adherence to security standards and regulatory requirements.

Incident Management

  • Support incident reporting processes to document, risk assess and report incidents to internal and external stakeholders.
  • Contribute to post-incident reviews and recommend improvements to reduce future risk exposure.

Training and Awareness

  • Support information security awareness training programs for employees to promote best practices.
  • Support regular updates to staff on the evolving information security landscape and regulatory changes.

To be successful you will have:

  • Bachelor’s degree in Information Security, Cybersecurity, IT, Risk Management, or a related field.
  • Certifications: CISM, CISA, CRISC, or ISO 27001 Lead Implementer/Lead Auditor preferred.
  • 3-5 years of experience in cybersecurity governance, risk management, or compliance roles, preferably in the insurance or financial services industry.
  • Strong knowledge of APRA CPS 234 (essential), ISO 27001/27035, NIST, Essential 8, and other relevant cybersecurity frameworks.
  • Proven experience managing regulatory audits and risk assessments.

Key skills & Competencies

  • Regulatory Knowledge: Deep understanding of Australian financial regulations, including APRA requirements.
  • Risk Management: Experience in identifying and managing security risks across multiple business functions.
  • Technical Understanding: Familiarity with IT infrastructure, cloud services, and cybersecurity technologies.
  • Communication: Strong ability to articulate complex cybersecurity topics to non-technical audiences and senior management.
  • Problem-Solving: Ability to proactively identify issues, propose solutions, and drive change.
  • Leadership: Demonstrated ability to work with cross-functional teams and influence organisational change.

Why work at Avant?
 
At Avant, our people are the centre of everything we do for our members. We offer a range of benefits and opportunities to enable you to make a difference, learn, and grow in your career.
 
We value our people by offering an inclusive workplace with a diverse range of benefits, flexible working options, career development, and internal mobility opportunities. Our flexible working arrangements are designed to enable genuine work-life balance.
 
Your development is our priority and we have a variety of learning and development programs that will support you in your career.
 
We offer support to our people via an Employee Assistance Program (EAP), Health and Wellbeing programs, and Tertiary Education Sponsorship and Support.
 
We have a diverse and connected work environment where your contribution and ideas will be valued and respected and make a real difference to the lives of others.
 
Please note: Avant Mutual is a vaccinated employer. Prior to the commencement of your employment by Avant, you are required to be fully vaccinated against the Covid-19 virus or have a medical certificate stating that you cannot receive a Covid-19 vaccination for valid medical reasons.

Other details

  • Pay type: Salary
  • Location: Sydney NSW, Australia