IT Risk & Security Analyst

Full-Time | £50,000 - £60,000 / year (est.) | No working from home possible
NAB

At a Glance

  • Tasks: Manage IT risk and security, ensuring effective governance across international technology teams.
  • Company: Join NAB, a diverse and inclusive workplace focused on growth and innovation.
  • Benefits: Enjoy competitive pay, career development, and a supportive work environment.
  • Other info: Opportunities for professional growth and a culture that values your contributions.
  • Why this job: Make a real impact in technology risk management while collaborating globally.
  • Qualifications: Experience in IT risk and security, with strong communication skills.

The predicted salary is between £50,000 and £60,000 per year.

The IT Risk & Security Analyst provides first line risk, control and governance oversight across Technology, supporting the effective management of Technology risk in accordance with NAB’s operational risk, compliance and governance frameworks. The role acts as a key first line risk partner to Technology, providing insight, challenge, guidance and assurance to support effective risk-based decision making. The role partners with Technology teams and Divisional Controls stakeholders to identify, assess and manage risks, ensure effective control design and performance, and provide advisory support on Technology processes and controls across International offices (UK, US, Europe and Asia). The role is critical in supporting audit and regulatory obligations, facilitating risk governance forums, and ensuring that Technology risk positions, emerging risks, achievements and progress against enterprise KPIs are accurately represented to stakeholders at all levels of the organisation.

Essential capabilities (core)

  • Strong understanding of Technology risk management, operational risk frameworks, and control environments within a regulated financial services context.
  • Proven ability to interpret and apply Group Information Risk Policies and standards into practical control implementation.
  • Demonstrable experience identifying control gaps and driving remediation to achieve sustainable outcomes.
  • Strong experience supporting Internal and External Technology Audits, including evidence management and remediation tracking.
  • Working knowledge of risk management systems (e.g. Archer or equivalent) with accurate maintenance of risks, controls and issues.
  • Ability to support and contribute to risk governance forums, delivering clear and structured reporting to stakeholders.
  • Ability to challenge stakeholders constructively to drive improved risk and control outcomes.
  • Strong communication and interpersonal skills, with the ability to engage, influence and build relationships across Technology and Business Units.
  • Ability to translate complex risk and control concepts into clear, actionable insights for both technical and non-technical stakeholders.
  • Experience working across international teams (UK, US, Europe, Asia) with flexibility to support global engagement, including Australia.
  • Proactively identifies emerging risks, control weaknesses and improvement opportunities.
  • Takes ownership of issues through to resolution, ensuring remediation is timely, effective and audit-defensible.
  • Promotes a strong risk culture, demonstrating accountability, attention to detail and a continuous improvement mindset.

Other capabilities (technical)

  • Working knowledge of risk management systems (e.g. Archer or equivalent) for maintaining risks, controls, events and remediation activities.
  • Understanding of Technology control frameworks and regulatory requirements (e.g. CPS 230, CPS 234 or similar).
  • Experience supporting audit processes, including evidence collation, remediation tracking and reporting.
  • Familiarity with risk and control methodologies, including risk profiling, control design and effectiveness assessment.
  • Knowledge of Identity and Access Management frameworks, vulnerability management practices and directory services (e.g. Active Directory).
  • Ability to provide practical guidance and advisory support to stakeholders on Technology risk, controls and processes, with limited hands-on support where necessary.

Qualification Requirements

  • Preference for relevant tertiary/post-graduate qualifications - Degree in Computer Science / Information Systems or equivalent technical qualification.
  • Relevant industry certifications desirable (e.g. CISA, CISM, CRISC or similar risk, audit or security certifications).
  • Understanding of industry risk and security frameworks (e.g. ISO 27001, NIST, COBIT) desirable.
  • Ongoing commitment to professional development and maintaining knowledge of emerging risk, regulatory and control practices.

Experience

  • Typically, 3–6 years’ experience in IT Risk, Technology Risk or Information Security within a regulated, ideally financial services environment.
  • Experience implementing and supporting Technology policies and control requirements across International environments (e.g. SDLC, Access Management, Vulnerability Management), aligned to Group risk frameworks.
  • Experience in first line risk and control activities, including risk profiling, control design and effectiveness assessment.
  • Experience supporting Internal and External Technology Audits, including coordination, evidence provision and remediation tracking.
  • Proven ability to identify control gaps and implement sustainable remediation with Technology teams.
  • Experience facilitating or contributing to risk governance forums and preparing reporting for senior stakeholders.
  • Strong stakeholder collaboration across Technology, Business and Divisional Controls functions.
  • Experience working across international teams and time zones, supporting global stakeholder engagement.

Key Decisions

  • Prioritise Technology risks based on impact, likelihood and risk appetite.
  • Assess control gaps and define remediation or mitigation actions.
  • Determine audit responses and remediation approach.
  • Decide when risks or issues require escalation.
  • Determine how risks are represented in governance reporting.
  • Interpret and apply Group Information Risk Policies.
  • Classify risk events and determine response actions.
  • Determine level of challenge and support required.

Key Accountabilities

  • Champion strong risk management behaviours and promote a consistent risk culture across International Technology teams.
  • Support identification, assessment and monitoring of Technology risks and control effectiveness across International offices.
  • Act as key contact for Internal and External Technology Audits, ensuring timely closure and sustainable remediation of findings and agreed management actions.
  • Coordinate and manage Technology Risk Forums, ensuring clear oversight, actions and escalation.
  • Deliver accurate, concise reporting on risk position, emerging risks and progress against enterprise KPIs.
  • Prepare and contribute to Risk Management Committee packs, ensuring accurate representation of Technology risk position, emerging risks and progress to regional Executive Committees.
  • Partner with Divisional Controls teams to support risk profiling, control assurance and maintain framework alignment.
  • Interpret and apply Group Information Risk Policies, ensuring compliance and identification of control gaps.
  • Support management of risk events, including root cause analysis and driving control improvements.
  • Engage with Technology, Risk and Business stakeholders across UK, US, Europe and Asia, supporting effective international collaboration.

Key Interfaces

  • Technology (Application & Infrastructure Teams).
  • Business Unit Stakeholders (Front Office / Operations / Markets).
  • Divisional Controls Office (DCO).
  • Technology & Operational Risk Teams.
  • Internal Audit.
  • External Audit / Regulators.
  • International Offices (UK, US, Europe, Asia).
  • Australia-based Technology & Risk Teams.

Key Performance Indicators

  • Delivery of key accountabilities within agreed timelines and quality standards.
  • Achievement of performance objectives across risk, audit and governance activities.
  • Adherence to NAB values and behaviours.
  • Effective management of Technology risk in line with policies and compliance obligations.
  • Timely escalation and remediation of risks, issues and audit findings.
  • Positive stakeholder feedback across Technology, Business and Risk functions.
  • Timely and accurate delivery of Risk Management Committee packs to regional Executive Committees.

A diverse and inclusive workplace works better for everyone. At NAB, we’re intent on building a culture we can all be proud of. One based on trust and respect. An uplifting environment where every single one of us feels appreciated and empowered to be our true, authentic selves. A diverse and inclusive workplace where our differences are celebrated, and our contributions are valued. It’s a huge part of what makes NAB such a special place to be.

If you think this role is the right fit for you, we invite you to apply. To be eligible to apply, you must have UK citizenship or UK working rights. Please note candidate screening and interviews may be conducted prior to the closing date of the job advert. Please note unsolicited CVs from agencies will not be accepted.

IT Risk & Security Analyst employer: NAB

At NAB, we pride ourselves on being an exceptional employer, offering a dynamic work culture that fosters collaboration and innovation across our international teams. As an IT Risk & Security Analyst, you'll benefit from ongoing professional development opportunities, a commitment to diversity and inclusion, and the chance to make a meaningful impact in a supportive environment. Join us in a role where your contributions are valued, and you can grow your career while helping to shape the future of technology risk management.

Contact Details:

NAB Recruitment Team

StudySmarter Expert Advice🤫

We think this is how you could land IT Risk & Security Analyst

Tip Number 1

Network like a pro! Reach out to folks in the industry, especially those already at NAB. A friendly chat can open doors and give you insider info on the role.

Tip Number 2

Prepare for interviews by brushing up on your knowledge of risk management frameworks and control environments. Be ready to discuss how you've tackled similar challenges in the past.

Tip Number 3

Showcase your communication skills! Practice explaining complex risk concepts in simple terms. This will help you connect with both technical and non-technical stakeholders during interviews.

Tip Number 4

Don’t forget to apply through our website! It’s the best way to ensure your application gets seen by the right people. Plus, it shows you’re serious about joining NAB.

We think you need these skills to ace IT Risk & Security Analyst

Technology Risk Management
Operational Risk Frameworks
Control Environments
Group Information Risk Policies
Internal and External Technology Audits
Risk Management Systems (e.g. Archer)
Risk Governance Forums

Some tips for your application 🫡

Tailor Your Application: Make sure to customise your CV and cover letter to highlight your experience in IT risk management and security. Use keywords from the job description to show that you understand what we're looking for.

Showcase Your Skills: Don’t just list your qualifications; demonstrate how your skills align with the role. Share specific examples of how you've identified control gaps or supported audits in previous positions.

Be Clear and Concise: When writing your application, keep it straightforward. Use clear language and structure your thoughts logically. We appreciate a well-organised application that’s easy to read!

Apply Through Our Website: We encourage you to submit your application through our website. It’s the best way to ensure your application gets seen by the right people. Plus, it shows you're serious about joining us!

How to prepare for a job interview at NAB

Know Your Risk Frameworks

Make sure you brush up on your understanding of operational risk frameworks and control environments, especially within the financial services context. Be ready to discuss how you've applied these in past roles, as this will show your practical knowledge and ability to implement Group Information Risk Policies.

Prepare for Stakeholder Engagement

Since this role involves engaging with various stakeholders across international teams, practice articulating complex risk concepts in a clear and concise manner. Think of examples where you've successfully influenced or built relationships with stakeholders, as this will demonstrate your strong communication skills.

Showcase Your Audit Experience

Be prepared to talk about your experience with internal and external audits. Highlight specific instances where you managed evidence provision and remediation tracking. This will illustrate your capability to support audit processes effectively, which is crucial for this position.

Demonstrate a Continuous Improvement Mindset

Think of examples where you've proactively identified control gaps or emerging risks and driven improvements. This shows that you not only understand the importance of risk management but are also committed to fostering a strong risk culture and continuous improvement within the organisation.