Security Designer & Risk Advisor
DOCKLANDS, VIC, AU, 3008
You’re only human.
It’s a strange thing to say, because us humans are capable of incredible things. And at Medibank, we know our greatest potential lies in the people who work with us.
We strive to make real, fundamental change, driven by a simple purpose: to create the best health and wellbeing for all of Australia.
About the role:
We are looking for a Security Designer & Risk Advisor to join Medibank’s Data & Technology Risk Advisory function. This is a senior individual contributor role within the Data and Technology Risk Advisory team, a specialist function that provides independent, practical technology and cyber risk advice across Medibank.
The team supports initiatives including technology and security risk assessments, security posture reviews, vendor and customer assessments, and M&A due diligence, partnering closely with Data & Technology, Security and the broader business to enable informed, risk-based decision making.
In this role, the Security Design and Risk Advisor acts as a trusted advisor to engineering and delivery teams, embedding security by design into solutions across cloud, application and data platforms. Combining deep AWS security risk and control assessment expertise with scenario-based risk analysis, the role translates regulatory and security requirements (APRA CPS 230/234, ISO 27001/27005, NIST CSF) into clear, implementable guidance that balances security, resilience and business outcomes.
The role operates in a collaborative, advisory culture, where influence is built through expertise, credibility and clear communication rather than authority. Success requires the ability to challenge constructively, explain complex risks in simple terms to non-technical stakeholders, and support teams to deliver secure solutions at pace while strengthening Medibank’s overall technology and security risk posture.
Key responsibilities:
- Lead security assurance reviews and deliver actionable security requirements to embed secure-by-design controls across solutions.
- Perform structured threat modelling (STRIDE, PASTA, attack trees) and translate findings into implementable mitigations.
- Review and strengthen integrations (PAM, SSO, CIAM, API security) and advocate zero-trust principles.
- Deliver technical risk assessments, scenario-based analysis (likelihood/impact), bow-tie analysis and quantification of residual risk to inform prioritisation and investment.
- Conduct risk and control assessments, identify control gaps and recommend treatments aligned to organisational appetite.
- Maintain audit-ready documentation aligned with threat/control libraries and regulatory frameworks.
- Support external assessments, customer/regulator security questionnaires, TPRM due diligence and M&A security evaluations.
- Communicate complex security and regulatory requirements (APRA CPS 230/234, ISO 27001/27005, NIST CSF, PCI DSS, ACSC Essential Eight) in simple, actionable terms for non-technical stakeholders.
- Mentor and upskill engineering and technology teams in threat modelling, secure-by-design practices and risk-based decision making.
What we’re looking for:
- 9+ years’ experience in information security with emphasis on security controls assurance, cloud security or application security.
- Deep AWS security expertise: IAM/RBAC, EKS/ECS, KMS, CloudTrail, GuardDuty, Security Hub, multi-account strategy, IaC security (CloudFormation/Terraform/CDK).
- Proven threat modelling experience (STRIDE, PASTA, DREAD, attack trees).
- Strong skills across network security, zero-trust, federation/SSO/MFA/PAM/CIAM, API security, data protection/encryption and DevSecOps.
- Demonstrated risk assessment experience in regulated enterprise environments.
- Familiarity with APRA CPS 230/234, ISO 27001/27005, NIST CSF, PCI DSS and ACSC Essential Eight.
- Excellent verbal and written communication: able to explain technical risk to non-technical audiences.
Desirable:
- Experience in health, insurance, financial services or critical infrastructure.
- Hands-on security engineering or offensive security background (pentesting/red teaming).
- Security automation, security-as-code experience and familiarity with Kubernetes, OAuth2/OIDC/SAML, and AI/ML security considerations.
- Certifications such as CISSP, CRISC, CISM, AWS or SABSA.
Qualifications:
- Bachelor’s degree in IT, Cybersecurity, Risk Management or related field (or equivalent experience).
Imagine working with us
We understand that work means different things to everyone... We know happy, healthy people make great teams, and great teams put more heart into each customer and patient interaction. And that’s why we’re reinventing work.
Imagine a workplace that helps you and your family thrive. Where connection, personal development and health and wellbeing are front of mind. To learn more about our benefits go to https://careers.medibank.com.au/culture/rewards-benefits/
For you, work should help you Live Better. It should bring you fulfillment and joy. And with Medibank, it could.
Inclusion and Accessibility
We believe in everyone's potential and strive to make Medibank inclusive for all because different perspectives make us better. We encourage applications from everyone, including Aboriginal and Torres Strait Islander peoples, neurodivergent candidates, LGBTQIA+ community including transgender and gender diverse candidates and candidates with a disability.
If you need adjustments or alternative formats at any stage of the recruitment or employment journey, we’re here to help. You can let us know directly in the application form, or if you’d prefer to discuss before applying, please reach out to us at careers@medibank.com.au or (03) 8622 5666. Learn more about our commitments and employee stories at https://careers.medibank.com.au/diversity-inclusion/ (please copy and paste the URL into your browser).
Medibank proudly recognised as Best Enterprise Organisation, 2026 AFR BOSS Best Places to Work