Cyber security governance, risk and compliance adviser
Who might be attracted to this role?
Individuals with a strategic mindset who excel at navigating complex policy landscapes, possess a strong understanding of risk management principles, and can communicate complex matters to a range of stakeholders.
Entry points
- Digital roles: Cyber security consultant, Security analyst, Cyber security researcher, Incident management, Incident response, IT risk manager, Records manager, Data analytics and governance.
- Non-digital roles: Auditor, Program manager, Enterprise risk management, Protective security, Portfolio and project support roles, Policy roles, Military veterans.
SFIA behaviours
- Security, privacy and ethics: this is fundamental to support this role in ensuring the organisation’s cyber security practices comply with governance and legal frameworks.
- Communication: to explain complex risks, controls and governance strategies to a range of stakeholders across a range of communication methods.
- Problem solving: ability to identify risks and identify options to mitigate them whilst ensuring compliance.
- Decision making: ability to provide guidance on the most appropriate course of action to be taken within an organisation's context.
Transition points
Possible next steps include:
- Cyber security consultant
- Cyber security leader
- Cyber security project manager
- Program management
- Roles with an emphasis on stakeholder management
- Enterprise risk manager
Proficiency level
Mapping
- Public service levels: AO3-4
- SFIA: 1-2
- Leadership competencies for Queensland – Individual contributor
SFIA professional skills
- Audit AUDT
- Customer service management CSMG
- Information assurance INAS
- Information security SCTY
- Risk management BURM
Competencies
- Understands audit and assessment activities, documentation and standards and can keep records.
- Understands the objectives of information security and relevant controls and assists with the coordination, implementation and monitoring of security policies.
- Assists with basic cyber risk management activities including maintenance of risk documentation.
- Responds to stakeholder requests using established procedures, provides information and escalates unresolved matters as needed.
70:20:10 examples
70: Suggested experiential learning
- Review cyber security policies.
- Provide ISMS committee secretariat support.
- Report on risk and maintain risk register documentation.
- Provide routine advice and support on cyber risk management policies and procedures.
20: Suggested professional development
- Find a mentor.
- Shadow other practitioners.
- Join a cyber security professional association and participate in events such as table top exercises.
- Develop situational awareness of cyber security / GRC trends e.g. podcasts, case studies, white papers, news sites, forums.
- Develop writing skills e.g. review or draft GRC documentation and receive feedback.
10: Example formal learning
- Bachelor degree or postgraduate degree in cyber security or a related field (e.g. communications).
- Certificate IV, Diploma or Advanced Diploma in cyber security or related field (e.g. IT, communications).
Others:
- AusCERT Cyber Security Risk Management
- Certified in Cyber Security (CC)
- CompTIA Security+
- Cyber Security Foundation + Practitioner
- Foundation and Implementing an ISMS ISO/IEC 27001:2022
- ITIL
- SANS SEC301: Introduction to Cyber Security
Mapping
- Public service levels: AO5-8
- SFIA: 3-5
- Leadership competencies for Queensland – Individual contributor; Program leader
SFIA professional skills
- Audit AUDT
- Continuity management COPL
- Data analytics DAAN
- Information and data compliance PEDP
- Information assurance INAS
- Information security SCTY
- Risk management BURM
- Stakeholder relationship management RLMT
Competencies
- How to support cyber security policy implementation and monitor internal cyber controls, report on compliance and recommend actions in the context of the organisation and its regulatory environment.
- How to conduct security classification of information assets and understand controls required commensurate with this.
- How to conduct business impact assessments of high-risk systems, including identifying mitigations, keeping records, and contributing to the planning and enhancement of broader information assurance practices including continuity and disaster recovery.
- How to undertake threat and risk assessments to manage cyber threats and vulnerabilities, including risk identification, assessment and formulating controls along with reporting to the business as required.
- How to analyse, interpret and present data from a range of sources to support governance, risk and compliance functions.
- How to foster and maintain relationships with a wide range of technical and business stakeholders including senior executives to support the cyber security governance, risk and compliance function.
- How to draft clear briefs and reports for executive action or consideration.
70:20:10 examples
70: Suggested experiential learning
- Create and review cyber security policy.
- Coordinate and support information security management system and/or governance, risk and cyber security committees.
- Understand the context of information and be able to navigate and analyse a vast range of sources.
- Analyse and present data to different stakeholders via different mechanisms e.g. dashboards, presentations.
- Support responses to audits.
- Monitor threats and conduct risk assessments and recommend mitigation.
- Provide advice to a range of stakeholders on cyber governance, risk and compliance matters.
- Deliver programs and monitor performance.
20: Suggested professional development
- Mentor and coach team members and peers.
- Volunteer at industry events.
- Develop skills in areas of interest to become a subject matter expert – e.g. governance vs risk vs compliance or a particular framework/s or emerging practice area such as third-party risk.
- Support or deliver cyber awareness sessions.
- Participate in and present at government cyber security communities of practice.
- Continue to develop writing skills e.g. review or draft GRC documentation and receive feedback.
10: Example formal learning
- Auditing an ISMS ISO/IEC 27001:2022
- ISO/IEC 27701 Privacy Information Management (PIMS) Foundation Course
- Certified Governance Risk and Compliance (CGRC)
- Certified in Risk and Information Systems Control (CRISC)
- Certified Information Systems Auditor (CISA)
- Essential 8 Assessment Course
- Government writing courses
- ITIL
- Legislative/regulatory training where available (e.g. statutory interpretation, privacy legislation)
- Vendor risk visualisation tool training
Mapping
- Public service levels: AO8-SES
- SFIA: 6-7
- Leadership competencies for Queensland – Program leader; Executive; Chief executive
SFIA professional skills
- Audit AUDT
- Continuity management COPL
- Data analytics DAAN
- Governance GOVN
- Information and data compliance PEDP
- Information assurance INAS
- Information security SCTY
- Investment appraisal INVA
- Risk management BURM
- Stakeholder relationship management RLMT
Competencies
- How to set, direct and review a strategy and governance framework for cyber security that aligns with organisational direction.
- How to support executives to define the cyber security risk tolerance of the organisation and manage this as an enterprise risk.
- How to liaise with regulatory authorities to run the organisation’s governance, risk and compliance function and maintain relationships with key internal and external stakeholders.
- How to assure the organisation that its cyber security controls align with the business and comply with regulations, policy and procedure.
- How to develop business cases and/or appraise investments that can assist with managing the organisation’s cyber security resilience.
- How to lead and secure the resources to deliver the cyber security governance, risk and compliance function.
- How to lead and implement business impact analyses (BIA) for continuity strategies and plans.
70:20:10 examples
70: Suggested experiential learning
- Set or review overarching cyber security governance arrangements.
- Define the governance, risk and compliance function in the organisation’s context.
- Support and deliver board level (or similar) presentations and visibility of risk.
- Collaborate with corporate teams (e.g. finance, portfolio management) to develop cyber related business cases.
- Set cyber security strategy and policy.
- Lead annual IS18 return.
- Address emerging areas of risk or practices (e.g. third-party supply chain, artificial intelligence, quantum).
20: Suggested professional development
- Make contributions to the industry e.g. keynotes, board representation, conference attendance, working groups, boards.
- Deliver presentations to business executives.
- Mentor emerging leaders.
- Contribute to the development of related national, international and industry standards.
10: Example formal learning
- Certified in the Governance of Enterprise IT (CGEIT)
- CISM – Certified Information Security Manager
- LDR514: Security strategic planning, policy and leadership
- Lead Auditor ISMS ISO/IEC 27001:2022 & ISO 19011:2018
Also see related Cyber security governance, risk and compliance role profile.
Career stories
GRC Adviser: Higher
Andrew, Department of Corrective Services
Tell me about your career journey up to your current role. How did you get started in your role?
My career journey has been anything but conventional. I began as a prison officer in corrective services, a role I held until the early 1990s. During my time there, I realised I wanted to pursue a different path, so I left with a redundancy package and enrolled in university as a mature-age student in Information Technology. My studies focused on software engineering, programming, and artificial intelligence, with a strong foundation in technical and engineering disciplines.
After university, I managed a large restaurant for a year before transitioning into IT. I started as a graduate in the Department of Education, where I gained experience in helpdesk support, server administration, and enterprise-level systems management. Over time, I moved into internal audit, where my technical expertise proved invaluable. I later transitioned to roles in governance, risk, and compliance (GRC), eventually specialising in business continuity and disaster recovery (BCP/DR). My current role as Manager of Resilience and Assurance at Queensland Corrective Services (QCS) is a culmination of these experiences, blending technical knowledge, audit expertise, and strategic oversight.
What attracted you to your current role?
This role aligns perfectly with my background in resilience, governance, and continuity planning. It also offered the opportunity to step up to a higher level of responsibility, allowing me to contribute strategically and tactically rather than focusing solely on operational tasks. Additionally, I was already familiar with many of the team members, which made the transition seamless.
What were the key skills and job experiences from your previous career or role that helped you transition to your current role?
My technical background in IT systems administration and enterprise-level infrastructure provided a solid foundation for understanding high-availability systems and disaster recovery. My experience in internal audit honed my ability to assess efficiency, effectiveness (i.e. audit speak for ‘is it value for money?’ and ‘does it work as it should?’), as well as my understanding of governance and risk management. These skills have been instrumental in my current role. My hospitality background has been invaluable for the soft skills side of my role.
Were there any specific learning and development courses or certifications that were helpful for you to make the switch or enter this role?
Yes, several certifications and courses have been pivotal. My Certified Information Systems Auditor (CISA) certification from ISACA was very valuable, as it combined my technical knowledge with audit principles. I also completed ISMS lead auditor training, which deepened my understanding of implementing and auditing information security management systems. Additionally, I am PRINCE2 Practitioner certified, which has been invaluable in understanding project management frameworks and advising on cybersecurity integration within project lifecycles. Beyond formal certifications, I regularly attend conferences, professional development sessions, and read white papers to stay current.
What key behavioural skills are most important for this role profile?
Soft skills are critical in my role. Communication and diplomacy are essential, especially when dealing with sensitive topics and providing advice with caveats. Discretion and confidentiality are equally important, as much of my work as an auditor and as a manager involves sensitive information. Adaptability is another key attribute, given the dynamic nature of the role and the need to respond to unexpected challenges.
What key professional skills are most important?
A strong understanding of governance, risk management, and continuity planning is vital. My technical career background and knowledge allow me to ask the right questions and probe deeper into issues. Familiarity with frameworks like ISMS and PRINCE2, as well as experience in audit and compliance, are also crucial.
Can you walk me through a typical day or week in your current role?
There’s no such thing as a typical day in my role, which is one of the things I enjoy most (and sometimes hate). My mornings often start early, reviewing emails and planning my day. I may address urgent issues, consult on internal projects, or review policies and frameworks. Collaboration is a significant part of my role—I work closely with the GRC team, other departments, and external stakeholders. Meetings are a constant, as are ad-hoc tasks that arise due to the dynamic nature of resilience and continuity planning and being a manager. While the workload can be challenging, the opportunity to mentor others and contribute strategically is incredibly rewarding.
What advice would you give to someone wanting to get started in or transition to a role that you are in?
Keep an open mind and don’t lock yourself into a single career path. My journey has been anything but linear, and I’ve found that adaptability and a willingness to learn are invaluable. Take opportunities to cross-skill and gain experience in related areas, whether it’s information management, procurement, or helpdesk support. Certifications like CISA or PRINCE2 can provide a strong foundation, but practical experience and networking (a key soft skill) are equally important. Lastly, be prepared to pivot if you find that your initial path isn’t the right fit—there are many ways to build a fulfilling career in resilience, GRC and security.
Matthew, Queensland Government
Tell me about your career journey up to your current role. How did you get started in your role?
I spent more than a decade working/consulting in security risk management, crisis management, and physical/protective security roles and was advocating for many years for more seamless integration of physical and cyber security experts to help protect organisations from security threats. I got myself educated on cyber security and started to hunt down any opportunities in GRC.
What attracted you to your current role?
The opportunity to apply strategic security risk and governance skills to contemporary and growing challenges!
What were the key skills and job experiences from your previous career or role that helped you transition to your current role?
Strategic policy, program management, physical security risk management, crisis management, intelligence, major event coordination, exercise management.
Were there any specific learning and development courses or certifications that were helpful for you to make the switch or enter this role?
Yes! Cert IV in Cyber Security. Project/Program Management is great for any domain, including cyber. ISO27001 auditing is very handy, and even better if supplemented with anything covering information security risk frameworks like NIST or OWASP OCTAVE Allegro. A Graduate Certificate in Public Sector Management is very handy for GRC to help connect the interface between executive public sector governance and technical cyber security. And a Diploma in Government Security also has made a useful contribution to my GRC skillset. I am sure there are dozens of other courses I haven’t got that will do just as well, as it is really just any balance of good governance with some technical cyber security awareness. You can start on either side of that ledger, so long as you balance out the other side at some point.
What key behavioural skills are most important for this role profile?
Collaborative; creative; analytic; ethical and patient!
What key professional skills are most important?
Governance and decision support; project management; risk analysis; planning; communications and the ability to both verbally and in-writing turn complex (at times technical) information into consumable and actionable language.
Can you walk me through a typical day or week in your current role?
Today looks like this: Met with supervisors to go through forward program (multiple procurement activities and industry briefings to prepare for next week plus discussion on project resources and status updates). Met with SOC Cyber Threat Intelligence experts to discuss future executive briefing requirements. Met with Project teams to ensure a SaaS GRC solution meets stakeholder objectives. Briefed Senior Executive on supply chain risk management initiatives. Had lunch. Drafted a presentation for guiding an analysis of cyber threats and critical assets to organisation – this included research into cyber incidents overseas and in Australia targeting the industry, and the capabilities and objectives of threat actors. And finally ... I finished up by writing this cyber careers case study(!).
What advice would you give to someone wanting to get started in or transition to a role that you are in?
Try and find a way to balance what you already know and have to do to get the job done day-to-day, with the time to research and analyse new stuff. And make sure you are good at working with other people and harnessing their strengths: GRC (and cyber more broadly) is such a wide field that there are wonderful pockets of expertise all over the place and no ‘perfect’ skillset to emulate. Then go find a job to make a start in, and work through changes in the career as you learn and experience new things. Badabing!
GRC Adviser: Practitioner
Aillah, Queensland Government
Tell me about your career journey up to your current role. How did you get started in your role?
I started my career in technical support, working with printer and internet service provider companies, which gave me a strong foundation in IT. While pursuing my Master of Information Technology at Central Queensland University, I worked as a Service Desk Officer at Energy Queensland, gaining further experience in IT operations. During my internship at Central Queensland Hospital and Health Service (CQHHS), I was involved in Governance, Risk and Compliance-related tasks, which developed my interest in this area. After completing my degree, I was offered a temporary IT Governance, Risk and Compliance Officer position – a great opportunity to apply what I had learned both academically and practically.
What attracted you to your current role?
What attracted me to the IT GRC role was the balance it offers between technical understanding and strategic oversight. During my internship at CQHHS, I was involved in GRC-related tasks and found the work meaningful, especially in how it helps protect systems, ensures compliance and supports informed decision-making. It allowed me to apply my technical background in a broader context, and I was drawn to the role’s focus on risk management, policy and aligning IT practices with organisational goals.
What were the key skills and job experiences from your previous career or role that helped you transition to your current role?
The key skills and experiences from my previous roles that helped me transition to IT GRC include my strong technical foundation, problem-solving abilities and understanding of IT systems. Working in technical support and as a Service Desk Officer, I developed a deep understanding of IT infrastructure and troubleshooting. This technical knowledge was invaluable when I transitioned to GRC, as it allowed me to assess risks, understand system vulnerabilities and ensure compliance effectively. Additionally, my internship at CQHHS gave me hands-on experience with GRC tasks, such as risk assessments and policy/guidelines/procedures development, which helped me further build the skills needed for the IT GRC Officer role.
Were there any specific learning and development courses or certifications that were helpful for you to make the switch or enter this role?
Yes, my Master of IT with a major in Networks and Information Security and a minor in Project Management provided me with a strong technical foundation and a broader understanding of the IT landscape.
Additionally, the certification in Implementing an ISMS ISO/IEC 27001:2022 gave me a deep understanding of information security management systems, which is essential in the GRC field, and the Cyber Security Risk Management training further strengthened my ability to assess, manage and mitigate cybersecurity risks. These courses and certifications were instrumental in equipping me with both the technical knowledge and the risk management skills needed to transition into the IT GRC role.
What key behavioural skills are most important for this role profile?
In the IT GRC role, key behavioural skills are attention to detail, strong communication and problem-solving. Attention to detail ensures compliance and identifies potential risks in complex systems. Strong communication skills are critical for effectively conveying technical information to non-technical stakeholders and working across departments to implement security policies and risk management strategies. Critical thinking and analytical skills are also vital for assessing risks and developing mitigation strategies. Adapting to change and staying updated on evolving regulations and threats is also crucial in the fast-paced world of IT GRC.
What key professional skills are most important?
The following skills provide a foundation for successfully executing IT GRC responsibilities, from risk assessment to compliance monitoring:
- Risk Management (BURM) – The ability to assess, analyse and manage risks is crucial in GRC, ensuring that organisations effectively understand and mitigate security risks.
- Information Security (SCTY) – A deep understanding of information security principles, frameworks and best practices, such as ISO/IEC 27001 and NIST, is essential for designing and implementing security controls within an organisation.
- Governance, Risk and Compliance (GRC) – Familiarity with GRC frameworks and methodologies and experience in policy development, compliance monitoring and internal auditing are vital to the role.
- Stakeholder Relationship Management (RLMT) – Effective collaboration and communication with stakeholders across various departments to align IT practices with business goals and regulatory requirements are key components of this role.
- Problem Solving and Analytical Thinking – The ability to identify issues, propose solutions and ensure that the organisation’s IT systems align with compliance and security standards critically and analytically.
Can you walk me through a typical day or week in your current role?
I juggle routine tasks and project-based work in a typical week as an IT Governance, Risk and Compliance Officer. I usually start by reviewing emails and SNOW Tasks and updating key registers like the asset register and the Information Security Risk Assessment (ISRA) register. I also support internal audits by gathering evidence, coordinating with stakeholders and helping close out any findings.
Throughout the week, I might review or update IT policies, procedures and guidelines, conduct ISRA assessments for new systems or vendors, or contribute to security awareness activities. This includes keeping documentation current and ensuring it aligns with regulatory and organisational standards.
I work closely with teams across eHealth, IT Operations, Project Management and Legal/Compliance – depending on what’s needed. One of the ongoing challenges is staying on top of changing standards and ensuring security and compliance are built into projects from the start. I’m also focused on promoting a security-aware culture where cybersecurity becomes part of everyday practice, not just a compliance checkbox.
No two days are the same, which keeps things interesting. The role is structured and collaborative and it’s rewarding to know that what I do directly supports reducing risk and strengthening the organisation’s overall security posture.
What advice would you give to someone wanting to get started in or transition to a role that you are in?
If you're looking to get started or transition into an IT GRC role, my advice would be to build a solid understanding of both IT fundamentals and risk/compliance frameworks. A background in technical support or service desk roles, like I had, can really help you understand how systems work in practice, which is valuable when assessing risks or reviewing controls.
Pursue relevant certifications or training such as ISO/IEC 27001, cybersecurity risk management or ITIL, and try to get hands-on experience wherever possible – even during internships or secondments.
If you already work in IT, express interest in tasks like policy/guidelines reviews, audits or risk assessments. These small steps can lead to bigger opportunities.
Also, focus on developing soft skills, especially communication and attention to detail. In GRC, you often work with non-technical individuals or teams, so it's important to communicate in clear, accessible language that everyone can understand.
Lastly, stay curious. The standards, threats and technologies are constantly evolving and a willingness to keep learning goes a long way in this field.
Bianca, Department of Customer Services, Open Data and Small and Family Business
Tell me about your career journey up to your current role. How did you get started in your role?
I started out in the private sector working various jobs and trying to decide the direction I wanted to choose. When I joined the public sector in 2012, I knew this is where I wanted to be.
My career in the public sector has been varied and exciting, with roles in customer service, ministerial support and innovation and strategy. During a secondment within an internal area of a department, I found myself needing to know more about government policy. This is when I decided to embark on a graduate certificate in policy and governance to help me in my role at the time and explore a future in policy.
My love of cyber began early in my career, and without me even knowing what cybersecurity really was! I just knew that keeping customer data safe was essential to delivering trusted government services. I became passionate about data privacy and was exposed to customers who had been scammed – almost daily. This prompted me to undertake study in the cyber space and pursue my dream.
I also think my journey has something to do with having children and the major life changes we go through after having children. It’s like something shifts and our motivation really kicks in. I felt motivated to show my children that you can do hard things and that having a rewarding career is something to strive for.
What attracted you to your current role?
When I saw the job description – I knew immediately that this was my dream job. It was the perfect mix of policy and cybersecurity! I had almost finished my Certificate IV in Cyber Security when the role came up. I knew that it was a role where I could help set the direction for cyber for Queensland.
What were the key skills and job experiences from your previous career or role that helped you transition to your current role?
There were lots of transferable skills and experiences that helped me transition to my role as a policy adviser. I think having experience in a range of roles is what has helped me the most.
Some days I step into my customer service persona when I’m trying to solve a problem, and other days I step into my ministerial support persona to help remind me of the bigger picture and how to understand what is expected from the top down.
I do think the best skill is to be teachable – it’s something that is useful in any situation.
Were there any specific learning and development courses or certifications that were helpful for you to make the switch or enter this role?
Graduate Certificate in Policy and Governance (QUT), Certificate IV in Cyber Security (TAFE).
What key behavioural skills are most important for this role profile?
Communication, learning and development, problem solving, adaptability, ethics. Some softer skills like listening and showing empathy are important in any workplace. Relationships are key to success in my role, and for me, it’s about keeping the relationships strong and authentic.
What key professional skills are most important?
Stakeholder relationship management, project management (both from SFIA). I also think that being teachable (I mentioned this above also) is very important in a professional setting.
Can you walk me through a typical day or week in your current role?
A typical week involves a lot of different things! I could be working on a major strategy document, sending out a survey as part of an engagement piece or proofreading a document from a technical specialist – all in one day.
I would say my main responsibility is to be the governance lead for our team and also to ensure that the schedule of policies and artefacts is reviewed and updated in a timely manner.
I provide policy advice internally and externally and hope to be co-authoring a policy in the near future.
The challenge for me is that my role is a big career change and it’s hard being out of my comfort zone. I’d also say that this is a reward too! It’s rewarding to be out of my comfort zone and do things I didn’t think I could do previously.
My biggest reward is working in an amazing team with some great support and the many informal mentors I have. It’s the people in my life who are really the biggest reward.
What advice would you give to someone wanting to get started in or transition to a role that you are in?
Think about your transferable skills and back yourself. You are your biggest critic! I would advise doing strategic study and talking to people who have done the courses you are interested in. I would also say – it’s never too late!
Gabriela, Queensland Fire Department
Tell me about your career journey up to your current role. How did you get started in your role?
I took the scenic route into cyber.
- Maritime security roots: A decade in cruise-ship operations sharpened my skills in crisis management and safety drills, and taught me the cost of even one weak link.
- Turning point: A personal cyber-fraud incident at sea sparked my passion for cyber hygiene, leading me to dive deep into security education and community work.
- Pandemic pivot: While the world locked down, I levelled up. Certificate IV in Cyber Security (Incident Response & Forensics) at TAFE, Certificate IV Physical Security Management, plus every ISO 27001/GRC workshop I could squeeze in after hours.
- Government pivot: Leveraged my skills into a cyber consultancy role, later joining QFD to build and embed a fit-for-purpose ISMS aligned with IS18, converting risk assessments into executive-ready action.
- Community anchor: Began volunteering everywhere I could - TAFE labs, Australian Women in Security Network (AWSN). In early 2021 I founded Cyber Security Champions of Tomorrow (CSCoT), a not-for-profit cyber security community of practice, now 2,200+ members strong across 19 countries, proving grassroots talent pipelines work.
QFD recognised my unique mix of crisis-tested composure and GRC skills and I've quickly moved into principal-level GRC strategy, steering ISMS uplift, risk governance, and incident readiness.
What attracted you to your current role?
- Mission fit: protecting first-responder data so firefighters can safely protect Queenslanders.
- Puzzle factor: translating ISO 27001, IS18, PSPF and the Essential Eight into practical, frontline realities.
- Impact at scale: closing one control gap at headquarters strengthens 240+ fire stations overnight.
- Platform to lift others: QFD supports community engagement, aligning perfectly with CSCoT's diversity and inclusion mission.
What were the key skills and job experiences from your previous career or role that helped you transition to your current role?
- Incident & crisis coordination: maritime drills mean I can script and run cyber-incident exercises end-to-end, and step in seamlessly during live events (earned the CIO Award 2023 & 2024).
- Root-cause mindset & audit discipline (BBA + Managerial Economics): My academic background in economics instilled a root-cause mindset - I break down complex issues, trace impacts, and embed clear control assessments into ISMS processes.
- Multicultural communication: managing a crew of 100+ nationalities during at-sea drills was my first stakeholder matrix, teaching me to simplify tech risk into clear narratives for operational teams and executives.
- Logistics & safety planning: expertise in passenger and large-group safety logistics now shapes asset criticality mapping, control ownership, and stress-testing of business continuity plans.
- Storytelling under pressure: from calming passengers to briefing boards with clarity, brevity, impact.
Were there any specific learning and development courses or certifications that were helpful for you to make the switch or enter this role?
- Cert IV in Cyber Security (TAFE Queensland) - incident response & forensics foundations.
- Certificate IV Physical Security Management - links PSPF/ISO 27001 Annex A to real-world site controls.
- ISO 27001 Lead Implementer - my playbook for every ISMS gap analysis and control design.
- Agile Methodology | Scrum - Keeping ISMS uplift agile, accountable, and aligned to scope.
- Continuous bite-sized learning via QLD Gov – Cyber Security Unit – mainly Risk Management, ISACA, and AWSN – BCMS, ISO31000, OSINT, NIST CSF, etc., expanding my horizons and skills.
- Privacy legislation training (OIC) – Ensuring compliance and privacy-by-design are baked into every project I lead.
- SSCP → CISSP coursework: Training completed; exams pending... the imposter syndrome hits everyone!
What key behavioural skills are most important for this role profile?
- Adaptive leadership: read the room, adjust the strategy swiftly.
- Story-driven communication: translate complex control gaps into relatable narratives.
- Collaboration under pressure: Led multi-team incident response exercises and three-lines-of-defence workshops.
- Improvement mindset: Rejecting "good enough" as a red flag; every audit finding becomes a sprint backlog.
- Ethical compass: protect privacy and trust above all.
- Leadership: Coaching, mentoring and multiplying talent.
- My Motto: “None of us is as smart as all of us”
What key professional skills are most important?
- Governance, Risk, Security Management: (GOVN, BURM, SCTY)
- Consultancy, specialist advice: (CNSL, TECH)
- Internal Audit & Assurance, Information and Data Compliance, Quality Management, Information Assurance: (AUDT, PEDP, QUMG, INAS)
- Information & Data Compliance: (PEDP)
- Information Security Management: (SCTY)
- Stakeholder Relationship Management: (RLMT)
- Strategic Planning, Information Security, Demand Management, Stakeholder Management: (ITSP, SCTY, DEMM, RLMT)
- Project & Portfolio Management: (PRMG, PPMO)
- Data Classification & Protective Security Alignment: PSPF & IS18 frameworks.
- Sourcing, Contract and Supplier Management: (SORC, ITCM, SUPP)
Can you walk me through a typical day or week in your current role?
- Morning: Prioritise audit findings, conduct root-cause analysis, hold ISMS gap-analysis stand-ups.
- Mid-day: Update policies and directives aligned with PSPF; prepare steering committee briefings; plan incident-management exercises to test readiness.
- Rewards: Seeing firefighters confidently trust that their data and systems will be reliable during critical moments.
- Challenges: Translating abstract risk appetite into realistic and actionable timelines amid resource constraints.
- Key Partnerships: ICT Operations, Infrastructure, Legal, HR, Audit & Risk, Communications, Fire Communication Specialist Unit, and external auditors.
What advice would you give to someone wanting to get started in or transition to a role that you are in?
- Build breadth first: learn foundational networking, risk, and regulatory principles - everything connects.
- Form your “coalition of the willing”: Effective change happens when operations, finance, and security teams co-own solutions.
- Volunteer smartly: join incident drills, policy reviews; pressure teaches faster than theory alone.
- Find three mentors: a tech deep diver, a strategic storyteller, and a wellbeing guardian.
- Invest in soft skills early: the bigger the title, the fewer keystrokes you make. Influence becomes your toolset.
- Stay curious: Approach breach reports like mystery novels - every incident is a free lesson.
- Give back: Mentor actively - because nurturing talent pipelines benefits everyone.
Katie, Queensland Government
Tell me about your career journey up to your current role. How did you get started in your role?
My career journey has been anything but linear, but I think that’s what makes it interesting. I actually started with a nursing degree at university, but I quickly realised that I was too emotionally invested to thrive in that field. After university, I took a job in the mailroom at a consulting firm, delivering mail across seven floors. From there, I moved into a legal secretary role at a law firm, where I eventually worked as a conveyancing clerk.
My career took a significant turn when I joined an electronics manufacturing company in an admin role. During my interview, the owner asked if I knew what ISO 9001 was. I didn’t, but he saw potential in me and mentored me through implementing a quality management system for the business. That experience introduced me to ISO standards and governance, which became the foundation of my career.
Eventually, I transitioned into government, starting with two different public safety agencies. Over 14 years, I worked in various governance roles, which gave me a deep understanding of government processes. I also spent a lot of time in the community engagement and education space. My introduction to cybersecurity came when I was seconded to help implement an Information Security Management System (ISMS) at the agency I was working in. My experience with ISO standards made me a natural fit for the role, and that’s how I found my way into the cyber field.
What attracted you to your current role?
To be honest, I didn’t initially set out to work in cybersecurity—it kind of found me. But what’s kept me here is how dynamic and varied the field is. Unlike some of my earlier roles, where the work could become repetitive, cybersecurity is constantly evolving. There’s always something new to learn, and I love the variety of people I get to work with. The cyber community, especially within government, is incredibly supportive and collaborative, which makes it a great space to work in.
What were the key skills and job experiences from your previous career or role that helped you transition to your current role?
A lot of the skills I’ve picked up over the years have been invaluable in my current role. My time in conveyancing taught me how to stay calm under pressure and manage high-stakes situations, which is crucial in cybersecurity. My experience with ISO standards gave me a strong foundation in governance and risk management, and my time in community engagement helped me develop the ability to communicate complex ideas to diverse audiences. That’s been particularly important in my role, where I often need to translate technical concepts into something non-technical stakeholders can understand.
Were there any specific learning and development courses or certifications that were helpful for you to make the switch or enter this role?
The Certificate IV in Cybersecurity was a game-changer for me. It was one of the hardest things I’ve ever done—harder than my university degree—but it was absolutely worth it. It gave me the technical knowledge I needed to communicate effectively with technical teams and understand the concepts they were discussing. I’ve also attended conferences like AusCERT, which have been fantastic for learning and networking.
What key behavioural skills are most important for this role profile?
Adaptability is absolutely critical in this field. Things can change quickly, and you need to be able to pivot and respond to new challenges. An improvement mindset is also important because there’s always room to do things better. And communication is key—you need to be able to engage with a wide range of stakeholders, from technical teams to executives, and tailor your message to suit your audience.
What key professional skills are most important?
Risk management, information assurance, and audit preparation are some of the most important professional skills in my role. Having a solid understanding of governance and how to present to boards has also been incredibly helpful.
Can you walk me through a typical day or week in your current role?
No two days are ever the same, but my main responsibilities include managing our Information Security Policy Framework, running phishing simulations, and overseeing mandatory cybersecurity training for the department. I also handle cybersecurity messaging, whether it’s through newsletters, our intranet, or awareness campaigns.
My team and I manage governance boards, support business areas in uplifting their cyber maturity, and work with system owners on classifying their information and conducting threat and risk assessments. We also ensure cybersecurity conditions are included in contracts and help interpret the results of penetration tests. On top of that, we handle exceptions to policies, for example, requests to access the agency's information and systems from overseas locations. It's a diverse role, and while it can be challenging, it's also incredibly rewarding.
What advice would you give to someone wanting to get started in or transition to a role that you are in?
You don’t need to be a technical IT person to work in GRC, but having a basic understanding of technical concepts definitely helps. The Certificate IV in Cybersecurity is a great way to build that foundation. What’s more important is the ability to communicate technical information in a way that non-technical people can understand.
I’d also say don’t be discouraged if you feel out of your depth at first. Resilience is key—there will be times when you don’t know the technical jargon, and that’s okay. Remember that you bring a different skill set to the table, and that’s just as valuable. Finally, take advantage of any opportunities to gain hands-on experience, whether it’s through mentorship, secondments, or mobility programs.
Cybersecurity is such a broad and exciting field, and there’s room for people with all kinds of backgrounds. If you’re curious and willing to learn, there’s a place for you here.
GRC Adviser: Foundation
Kassom, Department of Customer Services, Open Data and Small and Family Business
Tell me about your career journey up to your current role. How did you get started in your role?
Prior to this job I had done an internship at a federal organisation where I was largely working on understanding different roles within an organisation more than completing a specific job. I also worked as an administration officer in a private company. This is my first job within my ‘field’. I graduated with a Bachelor of Commerce and immediately commenced a graduate certificate in Cyber Security. When I finished my undergrad I applied to a bunch of grad programs, largely government ones. When it came to adding my preferences, I always put cyber as one of my top ones (if possible) even though it was only really aligned with my post grad studies, not my undergrad. From there I did online exams and online and in-person interviews for different graduate programs. I got a few separate offers for different graduate roles but chose to go with cyber because I felt it was the most interesting field. All my other options were more in the finance and economics space which didn’t seem as dynamic to me.
What attracted you to your current role?
I was interested in the holistic view that areas such as strategy and policy provide you. Both streams cover a broad range of activities and, as someone starting a career in cyber, I thought it would be a good way to learn all the different aspects of cyber in QLD Government. I also liked the collaborative nature of the work, as no (effective) strategy or policy can be written/published by one person or in a siloed working environment.
What were the key skills and job experiences from your previous career or role that helped you transition to your current role?
Working in strategy and policy (or in any governance space) means that you actively work with a huge range of stakeholders and have to follow very specific processes. I think that both my internship and time working as administration were very useful in understanding business processes and effective communication. Having past experience working with more senior stakeholders whilst in an administration role helped inform how I can interact with senior stakeholders in the policy space, making the transition far easier. It also gave me a leg up as I had more tactile experience outside of just technical knowledge, which was very valuable to interviewers.
Were there any specific learning and development courses or certifications that were helpful for you to make the switch or enter this role?
My graduate certificate in cyber security was essential in me getting my role. Whilst I will always believe that cyber can be taught 'on the job', having formal education provided me with the knowledge to 'hit the ground running'. Most other candidates for my role understood cyber on a broad, technical level but had no detailed knowledge or experience in discussing the real-world implications of cyber security.
What key behavioural skills are most important for this role profile?
Collaboration, communication, problem solving, adaptability (not ordered)
What key professional skills are most important?
Change control, information management, governance, research
Can you walk me through a typical day or week in your current role?
My daily/weekly schedule changes a lot depending on what is going on in the broader cyber teams. Generally, I will be communicating with other teams/document authors about how their work is going, what I can do to support them and next steps. This takes up a huge chunk of my day, as one of the key responsibilities of my team is to enable the delivery of policies, guidelines, standards, etc. to support cyber security governance. I also do a lot of presentations/reporting about research or updates on the status of work. This again takes a large amount of time because I work in an extremely collaborative space, so I often have to take many different people's work into account for one presentation. I also work on ad hoc tasks such as questions from the sector or updating outdated documents/websites.
What advice would you give to someone wanting to get started in or transition to a role that you are in?
I would say to learn about some of the governing principles of cyber – especially for risk management. This is as simple as googling Australian Government cybersecurity recommendations. Having the initial knowledge base makes it much easier to extend your knowledge in the policy and strategy space. I would also recommend keeping up to date on the cyber security landscape globally, as that greatly influences strategy and policy. Last but not least, I would really suggest learning how to effectively work with different types of people to ensure that you A) have a positive working environment and B) deliver the best work possible.