Principal Consultant, Internal Governance, Risk and Compliance

As Head of Governance, Risk and Compliance, you will be the most senior specialist in Nexon's Cyber Compliance and Strategy team and the primary owner of our enterprise-wide Governance, Risk and Compliance (GRC) programme. You will form a key part of the Cybersecurity Centre of Excellence, under the CISO. This is a strategic, individual-contributor leadership position that carries significant influence across the organisation. You will drive the continual maturation of Nexon's internal GRC capabilities, translating complex regulatory obligations into operational excellence and measurable business value. The role is 100% internally focused - there are no client-facing consulting, delivery, or sales-support responsibilities.

Key Responsibilities
Lead and Deliver Internal GRC Initiatives

• Conduct comprehensive risk assessments, maturity and gap analyses, and develop practical, prioritised roadmaps and policies aligned with Australian regulations (including the SOCI Act, Privacy Act, APRA CPS 234, and ASD Essential Eight) and international standards (NIST CSF, ISO
• Facilitate internal control and compliance audits, driving sustained regulatory compliance, operational resilience, and continuous improvement of our security posture, liasing with compliance, penetration testing, and external partners to validate our posture.
• Perform rigorous security control and technical architecture reviews, benchmarking against recognised frameworks.
• Deliver clear, business-focused recommendations to remediate identified gaps and elevate Nexon's overall security posture.
• Translate complex technical risks into straightforward business impacts for senior stakeholders and the executive team.

Chair the Governance, Risk and Compliance Committee (GRC-C)

• Operationalise the cyber security strategy by translating executive direction into actionable policies, standards, controls, and risk treatment plans.
• Prepare and present high-quality reporting to the Cyber Executive Steering Committee and other governance bodies.

Develop and Manage Internal GRC Programmes

• Continuously build, refine, and mature Nexon's internal GRC frameworks, incorporating proactive risk management, policy enforcement, regulatory compliance monitoring, and improvement activities.
• Ensure operational processes remain fully aligned with legislative requirements and industry-leading practices, reinforcing Nexon's position as a trusted managed service provider.
• Provide expert guidance and reusable patterns to operational and technical teams responsible for implementing and monitoring controls.
• Serve as a standing member or chair of relevant security and risk committees.

Mentorship and Organisational Leadership

• Mentor and coach junior members of the cyber risk and compliance team, fostering a culture of high performance, knowledge sharing, and continuous learning.
• Design and deliver internal training and upskilling programmes that support our goal of maintaining Australia's strongest cybersecurity capability.
• Exercise enterprise-wide leadership by advising teams and steering the organisation toward high-quality, risk-aligned solutions.

Internal Enablement and Thought Leadership

• Design and facilitate internal workshops, compliance briefings, and executive advisory sessions that strengthen security awareness, advance GRC maturity, and embed a risk-first, human-centric security culture.
• Contribute internal thought leadership through published content, strategic roadmaps, and executive-level briefings.

Strategic Planning and Continuous Evolution

• Develop and maintain cybersecurity strategies and governance frameworks that align with business objectives and regulatory requirements.
• Create, review, and enforce cybersecurity policies and standards, ensuring they are clearly communicated and understood across the organisation.
• Support technical owners in developing detailed technical standards that enable policy compliance.
• Monitor the effectiveness of security controls, identify enhancement opportunities, and drive changes in response to emerging threats and regulatory developments.

Our Ideal Candidate

• At least five years of demonstrated success leading complex security and compliance programmes across diverse industry sectors.
• Deep expertise in Australian regulatory environments (SOCI Act, Privacy Act, APRA CPS 234, Essential Eight, etc.), risk management practices, and recognised security frameworks (ISO 27001, NIST CSF, ISM, CIS Controls).
• Proven ability to build trusted relationships with senior executives and translate technical risk into clear business impact.
• Strong leadership and mentoring skills with a genuine passion for developing people and organisational capability.
• Experience designing scalable security architectures, processes, and governance models in a managed-service or enterprise environment.
• Excellent analytical, problem-solving, and communication skills, with the ability to convey complex concepts to both technical and non-technical audiences.
• Industry-recognised certifications such as CISSP, CISM, CRISC, SABSA, GIAC, or equivalent are highly regarded.