Manager, Governance, IT Risk and Assurance
About the role
In this role, you will lead the Governance, Risk and Assurance (GRA) portfolio within Information Technology and Digital Services (ITDS), working within Security and Digital Operations. You will provide confidence to senior leaders, governance committees, auditors and relevant oversight bodies that cyber and technology risks are being appropriately managed and that key controls are fit-for-purpose and operating effectively. You will shape how Line 1 cyber and technology risk is governed, measured and reported, ensuring alignment with NIST Cybersecurity Framework (CSF) 2.0, the University's risk appetite and its enterprise risk framework.

You will develop and maintain the ITDS governance, risk and compliance framework, including the Line 1 control library, policies, standards, control requirements, risk and issues registers and associated reporting. You will ensure that cyber and technology risks and control gaps identified through projects, third-party suppliers and service providers, incidents, technical assessments and assurance activities are consistently assessed, recorded, assigned, treated and reported.

You will oversee the Line 1 assurance plan and control testing program, bringing together design reviews, evidence-based control validation and technical assurance activities, including penetration testing and red teaming. You will ensure findings are clearly risk-rated, assigned to accountable owners, tracked through remediation and validated before closure. You will also oversee the governance and assurance of secure-by-design practices, working closely with security and solution architecture teams to embed approved reference architectures, patterns and security guardrails into technology roadmaps, projects and major technology decisions. Alongside this, you will lead targeted cyber awareness and engagement initiatives informed by risk, incidents and assurance outcomes.
As a trusted advisor to the Chief Information Security Officer (CISO), you will translate technical and risk insights into clear, evidence-based advice for executives and governance forums, while leading and developing a team of specialist practitioners.

What Success Looks Like
- A current and practical ITDS GRC framework and Line 1 control library aligned to NIST CSF 2.0, enterprise risk arrangements and the University's risk appetite.
- A reliable risk and issues register that integrates cyber and technology risks identified through projects, third-party suppliers and service providers, incidents and assurance activities.
- An integrated third-party cyber risk approach that ensures material supplier risks, control gaps, remediation actions and accepted residual risks are visible, owned and reported.
- A risk-based assurance plan delivering evidence-led testing, clear reporting, accountable remediation and validated closure.
- Clear KRIs, KPIs and control effectiveness measures that support decision-making by ITDS leaders and governance committees.
- Secure-by-design guardrails demonstrably incorporated into technology roadmaps and delivery activity, resulting in improved risk outcomes.
- Measurable cyber culture uplift through targeted awareness and engagement initiatives informed by risk and assurance insights.

Please refer to the Position Description for full details.

About You
- Tertiary qualifications in information technology, cyber security, risk management or a related discipline, or equivalent relevant experience.
- Extensive experience leading governance, risk and assurance activities in a complex organisation.
- Strong working knowledge of cyber and technology risk frameworks and standards, such as NIST CSF 2.0, ISO/IEC 27001, ISO/IEC 27005, ISO 31000 and the Essential Eight.
- Experience establishing or managing assurance testing programs, control effectiveness reviews, risk treatment oversight and evidence-based reporting.
- Experience overseeing third-party cyber risk or supplier assurance activities, including the assessment, treatment and reporting of material technology supplier risks.
- Experience working with technology delivery, architecture and secure-by-design practices in complex digital environments.
- Demonstrated ability to lead specialist practitioners and provide clear, evidence-based advice to senior leaders and governance forums.
- Strong written and verbal communication skills, with the ability to translate technical risk into practical business decisions.