Principal - Security Governance

3 days ago


Brisbane, Australia Queensland Treasury Corporation Full time

Purpose of Role

The Principal, Security Governance role is integral to maintaining the organization’s cyber health and resilience against cyber threats. This role is responsible for developing and maintaining robust information security processes, ensuring disaster recovery (DR) readiness, contributing to the cyber security strategy, and managing cyber risk in alignment with business objectives. Additionally, it encompasses enforcing compliance with standards like the ACSC Essential 8 and ISO27001, evolving cyber reporting for management, and supporting security operations. The role also entails assessing third-party vendor risks, updating security training to reflect the current threat landscape, and coordinating audit and penetration testing activities to address vulnerabilities promptly.

Responsibilities & Accountabilities

**Strategy, Policies and Procedures**
- Develop and maintain Information Security processes and operational procedures.
- Ensure technical DR processes are maintained across all services, including those delivered by QTC’s key vendors.
- Provide input into the development and maintenance of QTC’s Cyber Security Strategy.
- Develop and manage Cyber Security Risk Management processes with an understanding of business requirements, aligning the cyber strategy with business objectives.

**Standards, Reporting and Compliance**
- Ensure compliance with agreed targets and cyber security standards (e.g. ACSC Essential 8, ISO27001).
- Develop, maintain, and evolve QTC’s cyber reporting for all levels of management.
- Support the broader security operations team in the implementation and management of security controls across QTC’s technology environment.

**Third Party Vendor Risk**
- Work with procurement, legal and business stakeholders across the organization to assess and manage third-party vendor risk.
- Review and assess vendor security certifications to ensure validity and applicability to the service being delivered.

**Cyber Awareness and Training**
- Support the delivery of security awareness campaigns.
- Update security training content to ensure it remains relevant to the evolving threat landscape.

**Audit, Vulnerabilities and Penetration Findings**
- Co-ordinate and support the successful completion of cyber audit and penetration testing activities across QTC.
- Support the remediation of all findings to ensure they are addressed in the agreed timeline.

Competencies

Technical Competencies
- Understanding of Operating Systems: Proficiency in various operating systems like Windows, UNIX, and Linux is crucial for managing security across different platforms.
- Networking Knowledge: A solid grasp of networking concepts, protocols, and security measures is essential for protecting an organization’s network infrastructure.
- Risk Assessment: Understanding of risk assessment activities to identify vulnerabilities and potential threats to the organization’s cyber environment.
- Compliance: Experience in ensuring adherence to relevant cyber security laws, regulations, and standards.
- Threat Modelling: Knowledge of threat modelling tools and techniques to anticipate and mitigate potential attacks.
- Intrusion Detection: Expertise in using intrusion detection systems (IDS) and understanding attack signatures and anomalies that may indicate a security breach.
- Virtualization and Cloud Security: Understanding of virtualization technologies and cloud security principles to secure virtual environments and cloud-based services.
- Cyber Security Frameworks: Familiarity with cyber security frameworks like the NIST Cybersecurity Framework or the ISO/IEC 27001 standard to guide the organization’s security strategy.
- Incident Response Planning: Ability to develop and implement cyber incident response plans to quickly and effectively address security breaches.
- Disaster Recovery: Aligning disaster recovery processes with broader business continuity processes and requirements.
- Input into design processes to ensure alignment with existing security standards and policies.

Behavioural Competencies
- Integrity, including upholding strong professional and ethical standards.
- Has developed a deep understanding of what drives each stakeholder (their needs, desires and motivations). Speaks up early and often and takes initiative regarding opportunities for improvement.
- Actively tries to improve knowledge management systems and processes within their team.
- Establishes a positive environment by always acting with positive intent, and assuming positive intent from others.

Leadership Competencies
- Builds trust and confidence with the team by communicating clearly, following through on commitments, and valuing diverse perspectives.
- Holds themselves to a standard of excellence and takes pride in their work.
- Strong communication skills to effectively convey complex technical information to non-technical stakeholders and to collaborate with other departments.
- Ability to lead and


