Setting the scene… You'll probably know this business. ASX-listed enterprise, multiple brands, customer-facing operations right across Australia. I've worked with their security leadership since 2022, good people, deliberate about who they hire. This is a genuine need. The GRC workload has outgrown what the technical team can absorb alongside their day jobs, and the mandate coming down is increasingly GDPR-focused. There's real appetite for someone to support that work, with room to grow into more of it over time. Vanta and UpGuard are both live. The QSA relationship exists. What's missing is someone to properly own the platforms and get stuck into the detail alongside leadership.
What’s in it for you? This is a rare one. You get a live PCI cycle that's genuinely manageable (scope has been kept tight and verification current, so it's about documentation and working through the QSA process division by division, not firefighting). You get real exposure to GDPR work already underway, registers, PIAs, policy alignment, and the chance to grow that into a bigger part of your remit as you find your feet. And you get full ownership of Vanta and UpGuard, with a mandate to actually maximise what they offer rather than tick the login box. You won't be fighting for airtime or justifying why compliance matters. Leadership is bought in, the tooling is in place, and the team is ready for you.
Salary: ~$140,000 – $150,000 base + super.
Location: Sydney. Officially 3 days in office, practically remote-first.
Perks: A corporate discounts package with some very, very attractive things in there.
Team: A security team of 7, geographically spread, technically strong.
What will you be doing? You'll be the dedicated GRC resource this team has needed for a while. On PCI, you'll work with the QSA through various processes and keep documentation tight, support rather than heavy lifting. On GDPR, you'll play a supporting role alongside security leadership, helping with registers, PIAs, and policy alignment, with scope to take on more as you bed into the environment. You'll own Vanta and UpGuard, driving adoption and pulling real value out of both, quantifying risk, and helping define how the business understands people risk and compliance risk against best practice. You'll also keep the third-party risk program moving in the right direction.
You'll report directly to the person who leads the cyber function (a bit of a legend), with visibility to the CTO given the GDPR work. No direct reports. This is an individual contributor role, hands-on and varied, not a management gig.
What you’ll bring
- A GRC or technology risk background, comfortable with the fundamentals like ISO 27001 and NIST CSF
- Happy to learn GDPR if you don't already know it, this is a mucking-in role, not a plug-and-play specialist one
- Comfortable supporting registers and documentation, and genuinely happy getting face time with stakeholders to gather what you need
- At ease with GRC tooling, Vanta or UpGuard experience a real plus, but not essential, it's learnable with the right support around you
- Confidence rubbing shoulders with technical teams and business stakeholders alike
- Australian PR at a minimum, no sponsorship available for this role
To be upfront: we're not after a PCI / GDPR specialist with a decade under their belt. We need someone clever, cluey, and capable, with demonstrable cyber GRC experience who can pick things up fast, support what's already in motion, and grow into owning more of it.
How to apply
Applications are treated with absolute confidentiality. Click APPLY or contact Michael at mpearman@decipherbureau.com for an informal chat about what you want next in your career. Equal opportunity and diversity are a priority. We encourage applicants from all backgrounds.