Head of Information Security

Reporting to the Chief Operating Officer (COO), the Head of Information Security leads ARPC’s enterprise approach to cyber security covering strategy, implementation, compliance, and incident response.

A core accountability of the role is to advise, write for, and present to the ARPC Board and its Committees supporting the COO, ensuring the Board has clear, timely, and risk-informed visibility of ARPC’s cyber security posture.

The position provides strategic direction and practical leadership to protect ARPC’s information assets and maintain compliance with Government and organisational standards. The role also carries responsibility as ARPC’s Information Security Adviser under the Protective Security Policy Framework (PSPF) for Government.

Key responsibilities

Board Reporting and Advisory

- Prepare, write, and present high-quality cyber security papers and reports to the ARPC Board and Risk Committee supporting the COO, providing clear, risk-informed insights into ARPC’s cyber posture, key risks, and investment priorities.

- Advise the Board and Committees supporting the COO on emerging threats, compliance obligations, and strategic priorities to support effective oversight and decision-making.

- Ensure Board reporting is integrated with executive risk management processes and aligned to ARPC’s enterprise governance frameworks.

Leadership and Management

- Team Leadership: Provide clear direction, coaching, and support to internal team members, fostering a high-performance culture and continuous capability uplift in cybersecurity awareness and technical proficiency.

- Partner Management: Oversee relationships with external cybersecurity partners, including managed service providers, ensuring service delivery meets agreed standards, contractual obligations, and ARPC’s security requirements.

- Role model ARPC’s Values and Code of Conduct and Capabilities set out in ARPC’s Capability Framework.

Strategic Oversight

- Lead and continuously evolve ARPC’s Information Security Strategy, ensuring alignment between strategic intent and operational execution.

- Own ARPC’s Information Security Policy and Strategy, providing direction and oversight for their effective implementation across the enterprise in partnership with the Technology Team.

- Ensure ongoing compliance with the PSPF, Information Security Manual (ISM), Essential Eight, Privacy Act, and other applicable legislative and policy frameworks.

- Oversee governance and management of emerging security risks including those related to artificial intelligence, cloud services, and third-party environments ensuring alignment with government and industry best practice standards.

- Prepare and present high-quality papers and reports to the Board and Risk Committee, delivering clear insights on ARPC’s cyber posture, key risks, and investment priorities.

- Maintain and continuously improve the Information and Cyber Security Risk and Control Library, ensuring accuracy, traceability, and alignment with ARPC’s enterprise risk management framework.

- Lead cyber risk management, assurance, logging and incident response activities to maintain cyber exposure within approved risk appetite.

- Define, implement, and monitor data loss prevention and protection controls in close partnership with the Technology Team.

- Establish, govern, and monitor Zero Trust Network Access (ZTNA) and Security Platform (e.g. EDR/XDR) policies, ensuring compliance, operational effectiveness, and continuous improvement

Organisational Awareness & Training

- Lead the design and delivery of ARPC’s enterprise-wide security awareness and training program, building a strong security culture across all levels of the organisation.

- Oversee implementation of ongoing education initiatives — including phishing simulations, targeted learning campaigns, and behavioural reinforcement — to strengthen cyber resilience.

- Ensure all employees understand and fulfil their security responsibilities, particularly regarding safe use of AI tools, information classification, and secure data handling practices.

- Embed security awareness into onboarding, learning programs, and continuous capability development

- Rationalise and optimise security tools, platforms, and licensing to reduce duplication and maximise value.

- Ensure all security investments are proportionate to ARPC’s risk profile, deliver measurable risk reduction, and support business outcomes

Reporting & Visibility

- Maintain clear, data-driven dashboards and reports for executive and Board assurance, covering cyber risk, control effectiveness, and compliance status.

- Provide visibility into emerging areas such as AI-related security metrics, third-party risks, and Zero Trust maturity.

Owns vendor governance for security-specific providers, including:

- Own governance of all security-specific vendors and service providers, ensuring performance, compliance, and value-for-money outcomes.

- Oversee Managed SOC/SIEM services for 24/7 monitoring, detection, and escalation.

- Manage penetration testing, vulnerability management, and threat intelligence partners.

- Coordinate with providers of security awareness and training to ensure alignment with ARPC’s learning and resilience objectives.

#J-18808-Ljbffr