Cubic Corporation

Risk Management Analyst

Wellington, Wellington Region, New Zealand · Full-time

Experience
8+ yrs
Salary
Vacancies
1
Posted
1 hour ago
Work mode
On-site
Education
University degree in Computer Science, Engineering, another technical discipline, or Business Administration with relevant IT experience
Eligibility
Candidates who can commute to Cubic Transportation Systems offices in Wellington, New Zealand, and who can pass a National Police Check may apply. Applications are welcomed from people of all backgrounds.
Resume
Required to apply

Job description

About Cubic

Cubic develops technology solutions that improve how people move through transportation networks and also supports defense capabilities that contribute to mission success and safety. The company operates globally and focuses on solving complex problems through innovation and customer service.

Within Cubic Transportation Systems, the organization delivers intelligent transit solutions and payment technologies for public sector clients worldwide, including fare and payment card services.

Role Overview

This position sits within the information security function and is responsible for supporting security compliance across production transaction-processing environments. The role reviews the effectiveness of security controls and the operating environment, helps plan and scope IT compliance assessments, identifies potential exposures, and contributes to mitigation planning. It also works closely with external auditors on compliance efforts such as PCI-DSS and ISO 27001. The role operates with limited supervision and requires sound independent judgment.

Key Responsibilities

  • Act as a subject matter expert for security risk assessment methods, policies, strategy, and related processes.
  • Coordinate security audit activities, including scheduling, vendor management, program coordination, and stakeholder communication.
  • Work with internal and external auditors and IT teams to complete recurring audits, including control walkthroughs and follow-up actions.
  • Lead control reviews and assessments that strengthen ongoing compliance with security standards and policies.
  • Oversee solution reviews to confirm that design and implementation meet compliance obligations such as PCI-DSS, ISO 27001, SOC 1, SOC 2, the Australian Essential 8, and New Zealand NZ-ISM.
  • Identify and escalate significant security risks tied to applications, development, networking, data centres, cloud environments, physical infrastructure, vendors, and other third parties.
  • Work with stakeholders to address compliance gaps, drive remediation ownership, and track progress until issues are resolved.
  • Collaborate with system operators and security specialists to define acceptable remediation plans for compliance gaps.
  • Record gaps and corrective actions in the OneTrust GRC platform and perform controls monitoring for complex customer-facing systems where needed.
  • Build and maintain positive working relationships with Cubic customers and security teams.
  • Help educate security leadership and team members on compliant IT practices, while maintaining process and control documentation.
  • Recommend practical fixes for audit findings and partner with Operations and Engineering to ensure timely remediation.
  • Follow up on corrective actions and verify that weak control conditions are improved, while supporting corporate standards, SDLC, change management, and risk governance requirements.
  • Review vendor contracts and SOC reports to understand their effect on the company’s controls and coordinate with third-party vendors as necessary.

General Expectations

  • Take ownership of assigned work and communicate issues and progress proactively.
  • Demonstrate ethical conduct and clear, accurate communication in complex situations.
  • Maintain professionalism in demanding or high-pressure environments.
  • Follow the company’s Quality Management System.
  • Comply with quality, health, safety, and security policies.
  • Support strategic goals and work collaboratively across departments.
  • Adhere to Human Resources procedures.

Required Skills and Experience

  • Strong English communication skills, both written and spoken, with working knowledge of Microsoft Office tools.
  • Ability to collaborate effectively across IT management, business units, clients, and other teams in a matrixed organization.
  • Comfort working with colleagues at all levels and across different geographic regions.
  • Practical familiarity with PCI DSS 4, ISO 27001:2022, and/or SOC 1 and SOC 2 audits and requirements.
  • Advanced stakeholder management and the ability to influence and advise across a complex organization.
  • Broad professional judgment and the ability to develop solutions to intricate issues and procedures.
  • Experience analyzing complex situations where multiple variables must be evaluated before choosing an approach.
  • Ability to define methods and procedures for new assignments and adapt techniques when needed.
  • Deep awareness of security risks and threats in the context of operational environments.

Qualifications

  • At least 8 years of experience in services or IT systems within a mission-critical environment.
  • A university degree in Computer Science, Engineering, another technical discipline, or Business Administration with relevant IT experience.
  • Minimum 5 years of experience in IT security and/or payment card processing systems.
  • Strong understanding of technical concepts and the ability to work with complex in-house systems.
  • Must live within commuting distance of the CTS offices in Wellington, New Zealand, and be able to travel periodically within the region.
  • A relevant security or IT compliance certification such as CISA, CRISC, CCSK, CISSP, GIAC, PCI-ISA/QSA, or an equivalent credential is preferred.
  • Working knowledge of or willingness to learn security best practices related to Open Payments, Mobility as a Service, data classification, Microsoft Azure, AWS or similar cloud platforms, web application and API security, network security tools, encryption, database security, operating system hardening, vulnerability assessment, risk mitigation planning, SIEM, and FIM solutions.

Employment Conditions

Employment is subject to the successful completion of a National Police Check.

The responsibilities and requirements listed here are not exhaustive and may change based on business needs.

Equal Opportunity

Cubic welcomes applications from people of all backgrounds and does not discriminate on the basis of any protected characteristic under applicable law.
