
Head of security strategy & architecture

Sydney
Tyro-Payments
Posted: 21 May
Offer description

About the role

The Head of Cyber Strategy & Architecture is Tyro's senior authority on security architecture and secure engineering practices. Reporting to the CISO, this role defines and drives the long‐term cyber strategy and security architecture vision that underpins Tyro's growth, resilience, and regulatory posture.

A key expectation of this role is deep, hands‐on experience with secure architecture design principles. The successful candidate will not only set strategic direction but will also meaningfully engage in practical architecture work, supporting teams in designing secure systems, validating solutions, and applying security controls in real‐world environments.

Working closely with technology, product, enterprise architecture, and security leaders, this role champions secure‐by‐design principles and ensures security enables innovation and sustainable business growth.

In this role, you will divide the work week as follows:

* 40% Strategic leadership, governance, and executive stakeholder influence, shaping cyber strategy, setting enterprise guardrails, and driving regulatory alignment.
* 40% Hands‐on security architecture and design leadership, actively leading and participating in complex solution designs, conducting deep technical reviews, and validating security controls in real‐world implementations.
* 20% Advisory, mentoring, and continuous improvement, coaching engineers and architects, uplifting secure engineering practices, and driving measurable security maturity improvements across the organisation.

What you'll do

* Define and lead Tyro's cyber strategy aligned to business growth, regulatory obligations, and technology transformation, delivering clear prioritisation and measurable risk reduction outcomes.
* Own and perform hands‐on security architecture across cloud, payments, banking, and product platforms, leading complex design reviews, validating high‐risk initiatives, and ensuring secure‐by‐design principles are practically implemented.
* Lead Product Security and Application Security by embedding security throughout the product lifecycle, strengthening the secure SDLC, advancing threat modelling practices, and integrating automated controls across CI/CD pipelines.
* Establish and govern enterprise security standards including reference architectures, control baselines, and architectural guardrails aligned to NIST CSF 2.0 and Tyro's risk appetite, with clear control traceability and evidence.
* Lead security assurance and certification activities, including ISO 27001 audits, ongoing control effectiveness reviews, and formal attestations, ensuring strong documentation, evidence management, and audit readiness.
* Manage the relationship with Tyro's third‐party penetration testing partner, overseeing scope, quality, reporting, and remediation follow‐through to ensure meaningful risk reduction.
* Ensure regulatory and resilience alignment across APRA CPS 234, PCI‐DSS, and operational resilience requirements, maintaining defensible design and demonstrable compliance.
* Influence executive and technology stakeholders to balance innovation, customer experience, and risk management, positioning security as a strategic business enabler.

What you'll bring

Technical and Craft

* Deep experience designing secure, scalable, and resilient system architectures, including cloud‐native, API‐driven, and distributed systems, using established security principles (least privilege, zero trust, defense‐in‐depth, secure patterns).
* Strong understanding of secure software development principles, the OWASP Top 10, and common application vulnerabilities.
* The ability to define and maintain security reference architectures, control baselines, and technology selection frameworks, ensuring consistent, scalable adoption of secure‐by‐design practices across diverse engineering teams.
* Proficiency in conducting and guiding architecture risk assessments, modelling potential attack paths, identifying control gaps, and providing pragmatic, risk‐aligned recommendations that engineering teams can operationalise.
* Proven experience embedding security controls and practices into Agile and DevOps workflows.
* Experience with security testing tools such as SAST, DAST, and Software Composition Analysis (SCA), using platforms such as GitHub Advanced Security, Aikido and Snyk.
* Experience embedding automated security checks in CI/CD pipelines.
* Experience applying threat modelling and risk assessment methodologies such as STRIDE to identify and mitigate design‐level threats.
* Ability to work effectively with developers, architects, and technology teams to identify, triage, and remediate security issues.
* Understanding of secure development and configuration practices in cloud environments such as AWS, Azure, or GCP.
* Experience triaging, tracking, and supporting the remediation of identified vulnerabilities using platforms such as Jira or ServiceNow.
* A proactive approach to uplifting security maturity, driving automation, and improving security awareness within development teams.

Personal attributes

* Pragmatic and solutions‐oriented, with a strong ability to find the right balance between business enablement and effective security.
* Strategic and visionary thinker capable of simplifying complex problems and creating clarity in ambiguous situations.
* Highly collaborative and influential, able to build alignment across diverse technical and non‐technical teams.
* Effective communicator who can translate technical concepts into business‐relevant insights.
* Proactive and accountable, with a passion for improving security maturity and organisational capability.
* Strong leadership presence, fostering trust, engagement, and continuous improvement within the team and broader organisation.
* Analytical and detail‐oriented, with strong problem‐solving skills and a focus on sustainable, risk‐based solutions.

What's in it for you

* A mix of in‐office and remote working
* Learning and career development opportunities
* 16 weeks paid primary carers leave
* 12 weeks paid secondary carers leave
* Annual team‐based volunteer day
* Birthday leave
* Power Up Day (Additional day of leave)
* Weekly team social events, snacks, craft beer and wine, ping pong and video games
* Taco Tuesdays
* Mental health and wellness initiatives
* Novated leasing

Tyro is committed to a diverse, inclusive workplace where everyone thrives. We welcome applicants of all backgrounds and are an equal opportunity employer. If you need accommodations or adjustments at any stage of the recruitment process, simply inform our Talent team during your conversation with them.
