Security Designer & Risk Advisor

Job Requisition Number:  13996
Date:  8 Apr 2026
Location: DOCKLANDS, VIC, AU, 3008

You’re only human.

It’s a strange thing to say, because we humans are capable of incredible things. And at Medibank, we know our greatest potential lies in the people who work with us.

We strive to make real, fundamental change, driven by a simple purpose: to create the best health and wellbeing for all of Australia.  

Enterprise Digital 

We are building an expert team to deliver best-in-class solutions for our customers. Our mission is to “Create delightful experiences that help our customers achieve better health”.

Want to meet the team and learn more about working with our digital and technology teams? Follow this link to learn more: https://digitalcareers.medibank.com.au 

About the role:

The Security Design and Risk Advisor is a senior individual contributor within the Data and Technology Risk Advisory team, a specialist function that provides independent, practical technology risk advice across Medibank. The team supports initiatives including technology and security risk assessments, security posture reviews, vendor and customer assessments, and M&A due diligence, partnering closely with Data & Technology, Security and the broader business to enable informed, risk-based decision making. 

In this role, the Security Design and Risk Advisor acts as a trusted advisor to engineering and delivery teams, embedding security by design into solution architecture across cloud, application and data platforms. Combining deep AWS security architecture expertise with scenario-based risk analysis, the role translates regulatory and security requirements (APRA CPS 230/234, ISO 27001/27005, NIST CSF) into clear, implementable guidance that balances security, resilience and business outcomes. 

The role operates in a collaborative, advisory culture, where influence is built through expertise, credibility and clear communication rather than authority. Success requires the ability to challenge constructively, explain complex risks in simple terms to non-technical stakeholders, and support teams to deliver secure solutions at pace while strengthening Medibank’s overall technology and security risk posture.

Key responsibilities:

  • Conduct architecture reviews to embed secure-by-design principles and produce actionable security requirements. 
  • Lead structured threat modelling (STRIDE, PASTA, attack trees) and deliver implementable controls. 
  • Provide AWS security architecture guidance (multi-account strategies, IAM, VPC/network segmentation, encryption/KMS, secrets management, logging/monitoring, GuardDuty, Security Hub, CloudTrail, Config, WAF, secure CI/CD). 
  • Review and strengthen integration patterns (PAM, SSO, CIAM, API security) and zero-trust architectures. 
  • Deliver risk advisory: scenario-based risk assessments, bow-tie and attack-path analysis, risk and control assessments, quantification of residual risk, and treatment recommendations aligned to risk appetite. 
  • Maintain audit‑ready documentation of risk outcomes and treatment strategies; align with threat/control libraries and regulatory requirements. 
  • Provide IaC security guidance (CloudFormation, Terraform, CDK), establish guardrails and baselines for containers (ECS/EKS), serverless (Lambda) and microservices. 
  • Coordinate responses to security questionnaires and external assessments; support TPRM due diligence and M&A security evaluations. 
  • Mentor and upskill technology teams on secure design, threat modelling and risk-based decision-making; communicate recommendations to technical and non-technical audiences. 

What we’re looking for:

  • 9+ years in information security with focus on security architecture, cloud security or application security. 
  • Deep AWS security expertise: IAM, EKS, KMS, CloudTrail, GuardDuty, Security Hub, Well‑Architected Framework, multi-account strategies, IaC security (CloudFormation/Terraform/CDK). 
  • Proven threat modelling experience (STRIDE, PASTA, DREAD or attack trees). 
  • Strong security architecture skills: network security, zero‑trust, federation/SSO/MFA, PAM, CIAM, data protection/encryption, API security, DevSecOps. 
  • Risk assessment experience in regulated enterprise environments; familiarity with APRA CPS 230/234, ISO 27001/27005, NIST CSF, ACSC Essential Eight. 
  • Excellent communication skills with ability to explain technical risks to non-technical stakeholders. 

Qualifications: 

  • Bachelor’s degree in IT, Cybersecurity, Risk Management or related discipline (or equivalent experience). 
  • Relevant certifications preferred: CISSP, CISM, CRISC, AWS certifications, SABSA. 

Strongly desirable:

  • Experience in health, insurance, financial services or critical infrastructure. 
  • Hands-on security engineering or offensive security (pen testing/red teaming). 
  • Security automation/security-as-code experience. 
  • Knowledge of AI/ML security, Kubernetes, OAuth2/OIDC/SAML. 

Compliance & governance:

  • Ensure advisory activities comply with APRA CPS 230/234, ISO 27001/27005, NIST CSF, ACSC Essential Eight and Australian Privacy Principles.
  • Maintain audit-ready documentation and monitor regulatory changes affecting technology risk posture.

Imagine working with us 

We understand that work means different things to everyone. We know happy, healthy people make great teams, and great teams put more heart into each customer and patient interaction. And that’s why we’re reinventing work.

Imagine a workplace that helps you and your family thrive. Where connection, personal development and health and wellbeing are front of mind. To learn more about our benefits go to https://careers.medibank.com.au/culture/rewards-benefits/

For you, work should help you Live Better. It should bring you fulfillment and joy. And with Medibank, it could. 

Inclusion and Accessibility  

We believe in everyone's potential and strive to make Medibank inclusive for all because different perspectives make us better. We encourage applications from everyone, including Aboriginal and Torres Strait Islander peoples, neurodivergent candidates, LGBTQIA+ community including transgender and gender diverse candidates and candidates with a disability.

If you need adjustments or alternative formats at any stage of the recruitment or employment journey, we’re here to help. You can let us know directly in the application form, or if you’d prefer to discuss before applying, please reach out to us at careers@medibank.com.au or (03) 8622 5666. Learn more about our commitments and employee stories at https://careers.medibank.com.au/diversity-inclusion/ (please copy and paste the URL into your browser).
