CommBank

Product Owner - Cyber Risk Quantification

Sydney CBD Area Full time

Overview 

The Product Owner – Cyber Risk Quantification (CRQ) within Group Security, Chief Information Risk Officer (CIRO) portfolio, is responsible for defining and leading the vision, strategy, and roadmap for CBA’s cyber risk quantification capability. This role translates complex cyber threats and control data into actionable, data-driven risk insights that inform operational and strategic decision-making. The Product Owner ensures CRQ tooling and processes reflect the real-world threat landscape, CBA’s control posture, and the needs of business and technology stakeholders, supporting the Group’s ambition to quantify cyber risk in financial terms and drive better risk outcomes. 

Key Responsibilities 

  • Define and lead the vision and roadmap for the CRQ product, ensuring alignment with Group Security strategy, CIRO objectives, and business requirements. 

  • Engage with stakeholders across Cyber Security, Risk, Technology, and business risk teams to manage delivery, continuous improvement, and strategic alignment of the CRQ capability. 

  • Serve as the in-house subject matter expert for the Group’s cyber risk quantification platform, providing advanced guidance on scenario modelling, quantification outputs and ongoing optimisation to ensure the tool accurately reflects CBA’s threat landscape and business context. 

  • Map and model cyber risks using adversary tactics, techniques, and procedures (TTPs), leveraging frameworks such as MITRE ATT&CK and the cyber kill chain, ensuring quantification models reflect realistic attack paths and defence-in-depth mechanisms. 

  • Develop detailed, technically grounded cyber loss scenarios to support scenario-based risk quantification and reporting. 

  • Continuously refine and recalibrate models using feedback from incidents, red team exercises, detection performance metrics, platform updates, and industry best practices. 

  • Provide training, documentation, and expert support to ensure effective adoption and use of the risk quantification capability across the Group. 

  • Develop dashboards and visualisations that clearly communicate cyber risk exposure, loss scenarios, and prioritisation insights. 

  • Support stakeholders in leveraging the platform’s capabilities for risk analysis, reporting, and decision-making. 

  • Collaborate with the Crew on CRQ product configuration, data integration, end-to-end value delivery, and product lifecycle management.

  • Ensure all obligations across customer, regulatory, internal policy, and process frameworks are fully met. 

Skills & Experience 

  • Strong technical foundation in cybersecurity, including adversary emulation, detection engineering, and defensive architectures. 

  • Practical knowledge of MITRE ATT&CK, cyber kill chain, and threat modelling principles. 

  • Experience with risk quantification platforms or equivalent analytical tooling. 

  • Understanding of data integration, API ingestion, and dashboard development.

  • Ability to correlate technical control performance and threat activity to quantitative risk outcomes. 

  • Strong analytical and communication skills to translate technical data into actionable insights for business and executive stakeholders. 

  • Experience working in complex, large-scale IT or cloud environments preferred. 

Preferred Background 

  • Previous experience in cyber risk quantification, cyber scenario reporting and cyber risk management. 

  • Familiarity with data transformation for automating data ingestion and scenario computation. 

  • Understanding of probabilistic modelling, Monte Carlo simulations, or other quantitative methods is advantageous. 

CBA Mindsets & Behaviours 

  • Role model CBA’s Leadership Principles: obsess over customers, create exceptional teams, lead as an owner, be curious and humble. 

  • Advocate for continuous improvement, agile maturity, and customer focus within the squad and broader Product Owner community. 

  • Ensure all activities align with CBA’s purpose, values, and Code of Conduct.

If you're already part of the Commonwealth Bank Group (including Bankwest, x15ventures), you'll need to apply through Sidekick to submit a valid application. We’re keen to support you with the next step in your career.

Advertising End Date: 17/11/2025