Cyber Governance, Risk, and Compliance Lead
Superloop.com
Office
Colombo, Sri Lanka
Full Time
Company Overview
Founded in 2014, and listed on the ASX since 2015, Superloop’s purpose is to enable better internet for Australian homes and businesses, by enabling challenger retail brands to take a larger share of the market, leveraging Superloop’s Infrastructure-on-Demand platform.
Superloop operates in three segments of the market: consumer connectivity, business network and security solutions, and wholesale connectivity, all of which leverage Superloop’s investments in physical infrastructure assets including fibre, subsea cables and fixed wireless, as well as Superloop’s software platforms. Hundreds of thousands of homes and businesses rely on Superloop every day for their connectivity needs.
Visit www.superloop.com to learn more.
Business Unit Overview
The Security team reports through to our Operations unit, which is the engine room of Superloop - responsible for maintaining and supporting all of our products and internal technical infrastructure to ensure the best possible service to both our customers and our very own business. Our Operations unit is responsible for ensuring that the business has the technical capability and capacity to deliver services to all Superloop customers, ranging from Home Broadband to International Wholesale.
Our Security team has the broad responsibility for securing both the corporate network and the externally customer-facing networks and portals. The role can be based in Brisbane or Sydney and is a flexible hybrid arrangement: 3 days in the office, 2 days from home.
Role Purpose
As the Cyber GRC Lead, you will be responsible for overseeing Superloop’s cybersecurity governance, risk management, and compliance obligations. This is a key role within the Cyber team, ensuring compliance and continuous improvement of security frameworks, controls, policies, and regulatory compliance programs. You’ll work cross-functionally with IT, legal, and business stakeholders to maintain our ISO 27001 and PCI-DSS certifications, ensure compliance with applicable standards and legislation such as SOCI, and manage cyber risk across the organisation.
Key Responsibilities
- Maintain and drive alignment with regulatory and compliance requirements including ISO 27001, SOCI, CPS 234/230, Essential Eight, and other relevant standards.
- Maintain the Information Security Management System (ISMS) and ensure the organisation’s control environment supports certification and audit readiness.
- In conjunction with management, develop and maintain security policies, standards, procedures, and guidelines; ensure they are current, communicated, and embedded within the business.
- Own and maintain the risk register for cyber security; facilitate risk assessments, control gap analyses, and treatment plans.
- Coordinate internal and external audits, including evidence collection, stakeholder engagement, and remediation tracking.
- Monitor emerging regulations, industry threats, and compliance trends; ensure timely updates to the risk and control environment.
- Support security incident response by advising on reporting obligations and working with technical teams to document root cause analyses and lessons learned.
- Build strong working relationships with business units to embed a cyber aware culture.
- Maintain records of security exceptions, risk acceptances, and policy deviations, ensuring appropriate sign-off and review processes are followed.
- Work closely with technology and operational teams to ensure security controls are embedded in system designs and change processes.
- Track and report on key GRC metrics and maturity improvements to Cyber leadership and senior management.
- Run third-party risk assessments, vendor due diligence, and contractual security obligations.
- Complete third-party cyber questionnaires from our customers.
Qualifications And Experience
- Certified ISO 27001:2022 Lead Implementer or Auditor required.
- Proven experience in a cybersecurity governance, risk, and compliance role, ideally within regulated industries.
- Strong working knowledge of PCI-DSS, CPS 234 and related frameworks.
- Experience managing security audits, certifications, and risk programs in a mid-to-large enterprise environment.
- Understanding of IT and cyber risk management principles, controls, and threat landscapes.
- Exceptional stakeholder engagement skills with the ability to influence at all levels of the organisation.
- Strong analytical and documentation skills, including the ability to articulate risk in business terms.
- Familiarity with GRC tools (e.g. Risk Registers, Policy Management Platforms) is desirable.
- Familiarity with Australia’s Security of Critical Infrastructure Act 2018 (SOCI Act) is desirable.
- Relevant certifications such as CISM, CRISC, ISO 27001 Lead Implementer/Auditor, or CISSP are advantageous.
- A strong sense of ownership, attention to detail, and a proactive approach to problem-solving.
Key Deliverables
- Ensure we maintain our ISO 27001 certification.
- Maintain and uplift the organisation’s cybersecurity governance and risk frameworks to meet internal and external expectations.
- Drive security compliance across Superloop and ensure we maintain relevant certifications and regulatory obligations.
- Build a robust cyber risk register with clear ownership, mitigation actions, and executive visibility.
- Ensure security policies are current, enforced, and aligned with operational reality.
- Ensure all SaaS vendors are risk assessed before onboarding and every 2 years thereafter.
- Proactively identify and remediate control gaps, audit findings, and areas of non-compliance.
- Embed a culture of security awareness and shared responsibility through ongoing engagement and guidance.
- Ensure that phishing simulations are run and repeat clickers are educated.
October 9, 2025