Information Security Analyst

Challenger Limited is an ASX-listed investment management firm managing $123.9 billion in assets (as at 30 June Life with us is fast moving and always exciting. Together we're driving to deliver our vision to provide our customers with financial security for a better retirement.

We achieve this goal by providing a work environment where people from diverse backgrounds, with a range of skills and experiences can contribute and succeed.

Information Security Analyst – Third Party Risk & Controls Testing

Location: Sydney CBD (Hybrid)
Team: IT Risk & Security
Reports to: Manager, IT Risk & Compliance

• We're looking for a proactive, curious, and driven Information Security Analyst to join our IT Risk & Security team.

• This is a great opportunity for someone with a strong audit or Big 4 background — or someone already in a similar role — who's ready to move in-house and broaden their skillset in a dynamic, fast-paced environment.

• We work flexibly from our Sydney CBD office, typically 3 days in-office and 2 days from home.

About the Role

This role is all about managing and mitigating the information security risks that come with working across a complex third-party ecosystem. You'll help ensure our external partners meet Challenger's standards, support regulatory compliance, and contribute to stronger governance and operational resilience across the business.

What you'll be doing

• Third-party risk management: Assess vendor security practices, conduct gap analyses, and drive governance improvements using frameworks like ISO27001, NIST, and CIS.

• Controls testing: Help build maturity in our internal controls testing program, linking findings to risks and supporting the rollout of our new GRC system, Archer.

• Due diligence & assurance: Respond to inbound and outbound due diligence requests, review certifications and audit reports, and support APRA queries (CPS230, CPS234).

• Incident response & compliance: Contribute to incident investigations involving third parties and ensure compliance with internal policies and external regulations.

What's exciting right now

• Archer (our new GRC System) is going live, and you'll help set up automated third-party risk processes and assessments.

• You'll be involved in major workstreams including the Copilot & agents automation project and the BCP module rollout.

• The role offers visibility across the entire security division and the chance to shape how we manage cyber and operational risk.

What we're looking for

We're looking for a thoughtful and curious professional with a solid foundation in information security and third-party risk management, who's ready to take ownership, grow their expertise, and contribute across a broad security and governance landscape.

As well as

• Experience in information security and IT risk, ideally within financial services

• Understanding of third-party risk management (TPRM) principles and practices

• Familiarity with control standards and frameworks such as ISO27001, NIST CSF, SOC 1 & 2, and ASAE3402

• Exposure to APRA regulations, particularly CPS230 and CPS234, and how they apply to third-party risk and cyber resilience

• Experience or interest in conducting due diligence and assurance activities, including reviewing certifications, audit reports, and penetration test results

• Ability to support a controls testing program, including assessing design and operating effectiveness, and reporting on control maturity

• Good grasp of general IT principles and technologies, and how they intersect with risk and compliance

• Strong communication and stakeholder engagement skills — working closely with internal teams and external vendors to ensure alignment and accountability

• Initiative to take ownership of tasks and contribute to process improvement

• A growth mindset — this role offers exposure across the entire security division and a pathway into broader information security and governance programs

Why this role matters

• Manages third-party risk: Ensures our external partners meet Challenger's security and compliance standards.

• Supports regulatory compliance: Helps us meet obligations under CPS230, CPS234, and other relevant frameworks.

• Strengthens operational resilience: Minimises disruptions from third-party incidents and improves visibility of risk across the supply chain.

• Drives governance and assurance: Contributes to better decision-making through structured controls testing and risk reporting.

Why Challenger?

At Challenger, we're small enough to be agile, but big enough to accelerate bold ideas. We support your growth and development, offering flexibility and a culture that values your unique contributions.

• Discretionary bonus scheme

• 18 weeks paid parental leave for all new parents

• Challenger Day – one extra day off every year in recognition of the effort our people make. 

• Additional support leave (fertility, gender affirmation)

• Extra superannuation contributions

• Employee share plan

• Employee Assistance Programme

• Subsidised on-site café and central location near Martin Place Metro

• Access to free onsite yoga, mindfulness and Pilates classes.

• Access to annual free flu shots.

Explore our benefits further:

#LI-KM1

#LI-Challenger

#LI-Hybrid

Challenger's employee value proposition guides how we work: Grow and realise your potential, supporting each other, stronger together and making things happen. Our culture encourages curiosity, considered thinking and meaningful contribution, with opportunities to build a broad and rewarding career.

We are committed to fostering a safe, inclusive and respectful workplace where people of all backgrounds, identities and ways of thinking can thrive, and promoting flexible working to support work-life balance. 

Challenger is proud to be a Workplace Gender Equality Agency (WGEA) Employer of Choice for Gender Equality, a Family Friendly Workplace and recognised as a Bronze Employer in the Australian Workplace Equality Index (AWEI), the national benchmark for LGBTQ+ workplace inclusion.

Job type:

Posting Close Date :