As the Product Area Lead – Exposure Management, you will lead ANZ’s enterprise exposure management capability, ensuring the bank maintains a clear, continuously updated view of its cyber attack surface. This role is critical in identifying, prioritising and driving remediation of cyber exposures before they can be exploited, helping protect ANZ’s customers, assets and reputation.

You will operate across a global, complex technology estate spanning on-premises, hybrid and multi-cloud environments, setting standards, leading strategy, and delivering measurable risk reduction outcomes.

In this role, you will:

• Lead ANZ’s exposure management programme, covering attack surface management, vulnerability management and remediation oversight.
• Define and maintain enterprise-wide visibility of cyber exposures across internal, external and third-party environments.
• Establish and enforce vulnerability scanning standards, policies and coverage across the technology estate. 
• Own and continuously improve the end-to-end vulnerability lifecycle, including discovery, triage, prioritisation and closure. 
• Implement risk-based prioritisation frameworks that incorporate threat intelligence, exploitability and asset criticality. 
• Define and manage remediation SLAs, including escalation pathways to senior technology and risk stakeholders where required.
• Deliver reporting and insights tailored to multiple audiences, from engineering teams through to executives and board-level stakeholders. 
• Ensure compliance with regulatory and audit requirements, supporting examinations and assessments.
• Lead tooling strategy, integration and vendor management across the exposure management ecosystem.
• Build, lead and develop a high-performing team of specialists, and define the multi-year roadmap aligned to ANZ’s risk appetite and technology strategy.

• Demonstrated experience leading vulnerability or exposure management programmes in large, complex organisations.
• Deep technical expertise across vulnerability management platforms (e.g. Tenable, Qualys, Rapid7) and scanning methodologies. 
• Strong understanding of risk-based prioritisation frameworks (e.g. CVSS, EPSS) and ability to contextualise cyber risk. 
• Proven experience designing and managing remediation frameworks, SLAs and escalation processes at scale. 
• Experience delivering executive and board-level reporting, translating technical risk into meaningful insights. 
• Strong stakeholder management skills with the ability to influence senior leaders and regulators.
• Experience leading and developing specialist technical teams. 

Desirable capabilities:

• Familiarity with exposure assessment platforms and attack path analysis tools.
• Understanding of offensive security concepts and threat-informed defence approaches. 
• Experience integrating security tooling with enterprise systems such as CMDBs and ITSM platforms. 
• Knowledge of regulatory frameworks (e.g. APRA CPS 234) and industry standards.

Key capabilities:

• Ability to simplify complex cyber risk into clear, actionable insights
• Strong analytical and data-driven decision-making skills
• Effective programme leadership and governance discipline
• Ability to build trusted relationships and drive accountability across stakeholders