Cyber Business Analyst

Let's get this out of the way early: while the role is titled "Cyber Business Analyst", it's much more than that. Think a balanced mix of traditional BA work, cyber GRC, and a touch of the technical.
It's also a newly created role, so you won't be inheriting someone else's chaos.

Now, this won't be the right fit for everyone. But for someone? It'll definitely get their cogs turning.

Anyway, you want to know what's in for you, so below are some of the things you'll receive, and can expect, in this permanent role in Western Melbourne.

• You'll earn a base salary between $100k – $112k (super atop this), aligned w. your experience.
• You'll work a 9-day fortnight, with a regular RDO each and every 2-weeks.
• You'll enjoy a hybrid working model, currently 2 days in office each week.
• You'll receive free on-site parking. For some, this'll be a life saver
• You'll cop wellbeing days to spend however you like. Massage? Pilates? Sleep in? Long weekend? You do you.
• You're going to be working with an excellent Manager. This is purely subjective, we get it, but if you get along with warm people with senses of humour, and the drive to genuinely do good work, you'll probably like who you'll report to.
• You'll be joining an organisation who genuinely encourage better ways of working. Got an idea? Do it. Did it succeed? Great Did it fail? No worries, dust yourself off and try again.

So, what will you be stepping into, and what will you be doing in this brand-new role?

You'll be working in a lean, mean and very capable security team of 3 (you'll be the 4th). There's an overarching functional Manager, a Cyber Team Lead, and a Security Analyst you'll be rubbing shoulders with. They're all great people – warm, personable, humorous, caring.

Why does this role exist? Simply put, the function's workload has outgrown what the current team can reasonably manage. Nice, organic growth, which this role will provide much-needed capacity across, allowing the Team Lead to focus on more strategic priorities and roadmap delivery.

A key gap is the lack of IDAM maturity and a formalised role-based access approach – something this role will help address. Your work will support and maintain these critical pieces of the organisation's security posture.

Given the blended nature of the role, here are the main pillars you'll be involved with, and what you'll be tackling within each:

Business Analyst:
You'll be engaging stakeholders, drawing out insights, teasing out the right information, and asking smart, targeted questions. Core BA skills, applied in a cyber context.

Governance, Risk & Compliance:
There's plenty to dig into here, from aligning with multiple frameworks, to assessing risks, supporting audits, and managing controls. It's hands-on, meaningful work that helps strengthen the organisation's cyber posture.

Technical touchpoints:
You're not expected to be in the deep weeds technically, but some fluency helps. You'll need to get comfortable navigating tools (it's a Microsoft environment – think Defender, Sentinel, etc.), and some other stuff. The good news? You'll have plenty of support to get up to speed if it's new territory for you.

Your split? 70% GRC and BA work, and 30% technical.

A deeper dive?

You'll be conducting cyber risk assessments across frameworks like Essential 8, VPDSF, NIST, and giving well-informed advice to ensure alignment therein. You'll support internal and external audits, and create a culture where risk is everyone's responsibility across the org.

You'll also be backing up the Security Analyst and filling gaps on the tools when needed, but you won't be on the tools every day. At times, you'll have things to do outside business hours. Sometimes planned, sometimes unplanned, but please rest assured that it's not regular. An on-call roster will apply and acts as a mechanism to determine who responds to things like incidents if they occur, which we all know can be a reality in the cyber landscape. That said, you'll cop an on-call allowance of $175 / week if that happens.

You'll also get involved with establishing and managing a role-based access control (RBAC) program across all business applications. This will include designing and maintaining the processes that govern how access rights are assigned, modified, and revoked, ensuring users have the appropriate level of access based on their role, and nothing more. You'll work closely with application owners, IT, and security stakeholders to implement a consistent, auditable approach to access management across the organisation (cue your BA skills).

You'll be engaging with business stakeholders across various teams and functions, translating complex technical risks into clear business implications, and delivering actionable cybersecurity guidance. Playing nice with others is a must.

To succeed in a role like this, what will you need?

Let's start by saying that this is something of a Goldilocks zone role. It probably won't suit someone at the very, very start of their career as demonstrable experience is certainly required, and it's probably not at the level that would suit an individual who's been there and done that for many, many years. It's likely somewhere in the middle.

So, can you point to some GRC chops with some technical nous? Are you able to ask good questions, listen intently to the answers, and translate business objectives? This might be for you.

The team currently work 2-days per week in the office, which is located in Melbourne's western suburbs, +/- a 30 min drive from the CBD. We understand driving to Melbourne's west isn't everyone's cup of tea so you'll need to be happy with that arrangement but hey, you will have free parking.

It's worth clarifying that you don't need to be an Australian citizen for this role (being on a visa is fine), but you will need unlimited Aussie work rights. No sponsorship is available and those outside Australia can't be considered, unfortunately.

So, let's recap. If you can point to experience in the following, this could well be an excellent role to sink your teeth into and make your mark.

• Cyber compliance / GRC experience (VPDSS, NIST, ISO27k, E8, PCI-DSS or other frameworks could transfer to this role).
• Technical experience playing with different security tools and systems (experience with the Microsoft stack would be great).
• BA skills across things like stakeholder management, information gathering, translating business goals into actionable insights, etc.

If any of this has piqued your interest, please consider applying. There's much more information – technical and contextual – that can be shared with you on a confidential basis which may help you decide if this is the job for you.

HOW TO APPLY

Please know that any application you make is treated with utter confidentiality. The only people who will know you've applied are you & me. Reach out, and let's chat about what you want.

Click APPLY and/or contact Michael directly on [email protected] for a 100% confidential, informal conversation where your privacy will absolutely be respected.

Decipher Bureau and the clients we partner with are committed to creating a diverse environment and are proud to be equal opportunity employers. All qualified applicants will be considered for employment without attention to race, colour, religion, sex, sexual orientation, gender identity, national origin, veteran, or disability status.

---