Cyber Risk Exposure Management Consultant
Description
About the Role
We are seeking an experienced Senior Cyber Risk & Exposure Management Consultant to lead the design of a modernised vulnerability risk scoring and exposure management methodology.
You will design a dynamic, intelligence-driven replacement model that incorporates real-world exploit evidence, industry-specific exposure factors, and a parameterised control effectiveness framework.
This is a design and advisory engagement.
All work is performed on-site in Australia.
Key Responsibilities
- Review and baseline the existing risk calculation policy, scoring methodology, and supporting artefacts.
- Conduct structured workshops with stakeholders across Cyber Security, Networks, Operations, Engineering, Risk, and Compliance.
- Deliver a Discovery Report documenting the current state, gap analysis, and design principles for the replacement model.
- Define the full intelligence feed set spanning enterprise vulnerability intelligence, industry-specific sources, and network equipment vendor advisories.
- Design a replacement inherent and residual risk model incorporating exploit intelligence, probabilistic scoring, exploitation evidence flags, and asset criticality.
- Design industry-specific exposure factors: network reachability tier, segmentation zone, blast radius, emergency services dependency, and operational sensitivity windows.
- Deliver a Design covering target architecture, governance model, and transition from the current state, with formulas, pseudo-logic, data dictionary, edge case handling, and worked examples across at least three network domains.
- Conduct model validation workshops and an Executive Briefing.
Required Skills & Experience
- Deep expertise in vulnerability risk scoring frameworks including CVSS (v3.1 and v4.0), EPSS, and CISA KEV.
- Proven experience in designing and implementing vulnerability risk scoring and exposure management methodologies.
- Strong analytical and problem-solving skills, with the ability to communicate complex technical concepts to non-technical stakeholders.
Interested in this position? Submit your application to Dipole Group before the deadline.
Deadline: July 30, 2026