Title: Offensive Security Lead
Victoria, Australia

We bring the energy!
Through purpose and people - not just through the infrastructure we operate, but through the way we show up for each other, our customers’ and our communities. The future of energy is in our hands. Let’s shape it together.
Are you ready to shape the future of energy?
This is a great opportunity for someone who wants to work in critical infrastructure, leading a team of experts in implementing vital policies and establishing and leading AusNet’s Offensive Security capability.
We are looking for an Offensive Security Lead to ensure security controls are continuously assessed against current and emerging threats, driving risk informed remediation and improving the organisation’s cyber resilience through continuous security testing and secure development practices.
The Offensive Security Lead is responsible for establishing and leading AusNet’s Offensive Security capability, providing strategic and technical leadership across penetration testing, red teaming, application security and exposure management to proactively identify, validate and reduce cyber security risk across IT and OT, cloud platforms and applications.
As the technical authority for Offensive Security, the role balances hands-on technical leadership with people leadership, vendor management and strategic planning to ensure security assurance activities deliver measurable reductions in organisational cyber risk.
What you’ll be doing in this role:
- Lead and oversee the organisation’s penetration testing, red teaming and adversary emulation program, validating the effectiveness of preventative, detective and responsive security controls across IT, OT, cloud and critical business applications.
- Have accountability of day-to-day operational outcomes of the function, as well as developing and driving the strategic direction, aligning people and processes to achieve business and cyber department goals.
- Own the Exposure Management capability, including vulnerability management, security validation and remediation governance, ensuring security risks are accurately prioritised, effectively communicated and remediated within agreed risk tolerances.
- Lead the Application Security function by embedding security-by-design principles throughout the software development lifecycle, providing security guidance, code reviews, testing and developer enablement to reduce software security risk.
- Develop and maintain an intelligence-led offensive security program, leveraging threat intelligence, adversary tradecraft and frameworks such as MITRE ATT&CK to continuously evolve testing methodologies and emulate relevant threat actors.
- Technical hands-on red teaming and penetration testing as required, complementing the work provided by our partners.
- Establish and maintain a differentiated OT security testing methodology, ensuring all penetration testing, red teaming and adversary emulation activity against OT/ICS environments follows a safety-first, non-disruptive approach appropriate to live operational technology. This includes defining clear boundaries between passive and active testing techniques, determining where live-fire testing is and isn't permitted on production OT assets, and establishing mandatory coordination and sign-off with OT Engineering and Asset Management teams prior to any testing activity that could impact operational safety or grid reliability.
- Partner with Cyber Defence, Network Security, OT Security, Enterprise Architecture, IAM, GRC and technology delivery teams to validate security controls, improve detection capabilities through purple team activities and strengthen the organisation’s overall cyber resilience.
- Lead the management of third-party security service providers, including penetration testing, application security and vulnerability management partners, ensuring contractual obligations, service levels and quality standards are consistently achieved.
- Liaise with external entities, such as cybersecurity advisory bodies, threat intelligence entities, law enforcement agencies, and external partners, to maintain a strong security posture and stay ahead of relevant security threats.
- Provide authoritative technical advice and risk-based recommendations to senior leadership, supporting investment decisions, security architecture, technology initiatives and strategic cyber security programs.
- Establish and evolve meaningful performance metrics, reporting and dashboards that measure offensive security effectiveness, exposure reduction and remediation performance, providing regular insights to management.
- Support the development of the cyber security strategy, roadmap, budgetary and business cases.
- Instil a high-performance, collaborative culture with a “one team” approach with multiple partners, providing leadership, guidance, and technical expertise, and a strong accountability and outcome focus to achieve business outcomes.
You don’t need to check every box, however we’re looking for a good combination of:
- Extensive experience in cyber security including recent experience as a technical lead in Offensive Security, Penetration Testing, Application Security or Red Team within a large or complex environment.
- Strong knowledge of offensive security methodologies, adversary emulation, penetration testing, app sec, vulnerability management and exposure management
- Demonstrated experience leading and developing high-performing technical teams, with 3-5 years of people leadership experience preferred.
- Experience applying industry frameworks and standards including MITRE ATT&CK, OWASP, NIST, Essential Eight or CIS Controls
- Experience managing third-party security service providers, commercial contracts and service delivery outcomes
- Strong analytical problem solving and decision-making skills, with the ability to balance cyber security risk, business priorities and operational requirements.
- Relevant industry certification such as OSCP, OSCE, GPEN, GWAPT or equivalent for penetration testing and application security; CRTO, CRTP or OSEP for red teaming and adversary emulation; and GICSP or equivalent OT/ICS-specific security training (e.g. SANS ICS courses) given the role's scope across operational technology environments
- A leadership-oriented certification such as CISSP or CISM is also highly regarded, reflecting the role's dual accountability for technical authority and people leadership.
- Familiarity with or accreditation against CREST standards is advantageous, given the role's responsibility for quality-assuring third-party penetration testing and application security providers.
In this role you’ll need to demonstrate some key attributes:
- Proven ability to influence senior stakeholders and communicate complex technical risks and recommendations to technical and executive audiences.
- Critical thinker with a methodological approach to enterprise architecture.
- Results-oriented with a focus on achieving measurable business outcomes.
- Adaptable and resilient in a fast-paced, ever-changing digital landscape.
- Strong convictions balanced against the need to be a team player.
- Build and manage positives relationships with business units across the organisation and with our services and technology partners.
- Build and develop a high-performance team culture, aligned to the AusNet’s values, through effective leadership, support and feedback.
- Promote and foster collaborative team and stakeholder relationships based on mutual trust, integrity, accountability and inclusion.
The AusNet experience is all about…
- Growing your impact: We’ll support you to build your career through real opportunities and strong connections.
- Solving some of the most complex energy challenges of our time: We love unpacking complex challenges in clever ways and looking at things differently.
- Building an energy future to be proud of: We’re a trusted leader, with deep expertise, driven to do what’s right for our communities and customers.
We’re committed to building an inclusive culture and a diverse workforce. We believe different perspectives are essential to our success, and we encourage all applicants to apply. If you need any adjustments during the recruitment process, we're happy to discuss how we can support you.
At AusNet, we bring the energy! Ready to make your impact? Apply now!
We will not be engaging with Recruitment agencies for this role, so please apply directly.