About the Role
We are seeking an experienced Senior Cyber Risk & Exposure Management Consultant to lead the design of a modernised vulnerability risk scoring and exposure management methodology.
You will design a dynamic, intelligence-driven replacement model that incorporates real-world exploit evidence, industry-specific exposure factors, and a parameterised control effectiveness framework.
This is a design and advisory engagement.
All work is performed on-site in Australia.
Key Responsibilities
- Review and baseline the existing risk calculation policy, scoring methodology, and supporting artefacts.
- Conduct structured workshops with stakeholders across Cyber Security, Networks, Operations, Engineering, Risk, and Compliance.
- Deliver a Discovery Report documenting the current state, gap analysis, and design principles for the replacement model.
- Define the full intelligence feed set spanning enterprise vulnerability intelligence, industry-specific sources, and network equipment vendor advisories.
- Design a replacement inherent and residual risk model incorporating exploit intelligence, probabilistic scoring, exploitation evidence flags, and asset criticality.
- Design industry-specific exposure factors: network reachability tier, segmentation zone, blast radius, emergency services dependency, and operational sensitivity windows.
- Deliver a Design Document covering the target architecture, governance model, and transition from the current state, including formulas, pseudo-logic, a data dictionary, edge-case handling, and worked examples across at least three network domains.
- Conduct model validation workshops and deliver an Executive Briefing.
Required Skills & Experience
- Deep expertise in vulnerability risk scoring frameworks including CVSS (v3.1 and v4.0), EPSS, and CISA KEV.
- Proven experience designing or significantly enhancing enterprise risk calculation and exposure management models.
- Strong understanding of control effectiveness frameworks including the Australian Essential Eight Maturity Model and NIST CSF 2.0.
- Familiarity with MITRE ATT&CK and D3FEND for threat-informed prioritisation.
- Experience with telco-specific security standards and guidance, including GSMA FS.31, 3GPP SA3 specifications, and ENISA telco threat landscape publications.
- Familiarity with network equipment vendor advisory processes and how they integrate into vulnerability management workflows.
- Strong stakeholder engagement skills — able to facilitate workshops with senior technical and executive audiences.
- Excellent written communication for both technical and executive stakeholders.