Setting the scene… You'll probably know this business. ASX-listed enterprise, multiple brands, customer-facing operations right across Australia. Chances are you've interacted with them before. I've worked with their security leadership since 2022 - good people, deliberate about who they hire, and not in the habit of creating roles unless there's a genuine need.
This is a genuine need. The business has grown, the compliance obligations have grown with it, and it's time to bring in someone dedicated to the GRC piece. Vanta is live, the QSA relationship exists, and the foundations are there. What's missing is someone to get in and drive it forward. First dedicated hire of this kind.
What’s in it for you? This is an opportunity inside an established, well-resourced business with a genuinely good culture – fun, collaborative, technically sharp. The tooling is in place. Leadership is bought in. And the technical team is actively looking forward to having someone take the GRC workload off their plate so they can focus on what they do best. You won't be fighting for airtime or justifying why compliance matters. You'll be walking into a team that's ready for you.
Salary: ~$140,000 – $150,000 base + super.
Location: Sydney preferred, other locations considered. Officially 3 days in office, practically remote-first.
Perks: A corporate discounts package with some very, very attractive things in there.
Team: A security team of 7, geographically spread, technically strong.
What will you be doing? As the enterprise’s Cyber Risk & Compliance Analyst, you'll be the dedicated GRC resource this team has needed for a while. Working alongside the broader security team, you'll keep the PCI-DSS annual cycle on track, support the insurance compliance program, accelerate adoption of Vanta as the central hub for GRC activity, and get the third-party risk program into better shape using UpGuard.
Day-to-day, that means tracking and reporting on cyber risk KPIs, uplifting processes to identify legal, regulatory and cyber obligations, maintaining documentation and registers, chasing approvals, and keeping the compliance engine running. It's hands-on, tool-heavy work and that's exactly the point.
You'll report directly to the person who leads the cyber function (a bit of a legend) and work closely with the broader technical cyber team. No direct reports. This is an individual contributor role where you'll be rubbing shoulders with a team that knows its stuff.
What your first few months might look like… There's no set 30-60-90-day plan. The reality is more fluid than that. You'll land in the middle of a live PCI cycle, which means getting up to speed fast, supporting the QSA relationship, and making sure the annual assessment doesn't become a last-minute scramble. Beyond that, you'll be getting across the vendor landscape, finding your feet in Vanta and UpGuard, and starting to put some structure around third-party risk. It's a genuine hit-the-ground-running situation and that's exactly what the right person will love about it.
What you’ll bring
- Solid GRC or technology risk background: NIST CSF, PCI-DSS, and ideally ISO 27001 are familiar territory.
- Happy working across compliance, risk registers, documentation, and vendor risk, and happy to get into the detail.
- Comfortable with third-party and vendor risk, and keen to build the function out properly.
- At ease with GRC tooling. Vanta experience a real plus, UpGuard a bonus.
- Confidence rubbing shoulders with technical teams and business stakeholders alike.
- Full Australian work rights. No sponsorship is available for this role.
- Demonstrable cyber GRC experience, whether internally or in a consulting environment.
How to apply
Applications are treated with absolute confidentiality. Click APPLY or contact Michael at mpearman@decipherbureau.com for an informal chat about what you want next in your career. Equal opportunity and diversity are a priority. We encourage applicants from all backgrounds.