
Choodamani Bhandary

Gungahlin, Australia

Summary

Dynamic Cyber Security Adviser with extensive experience at the Australian Taxation Office, specializing in risk mitigation and compliance. Proven track record in leading security audits and enhancing risk management frameworks. Skilled in threat modeling and fostering collaborative relationships, driving strategic improvements to elevate organizational security posture.

Overview

14 years of professional experience
1 Certification

Work History

EL1 Team Lead

Australian Taxation Office
10.2018 - Current
  • I have been working in the Cyber Governance branch as a Cyber Security Adviser and my role involves leading, coordinating, administering and facilitating various security related activities in Compliance and Assurance (C&A) team to support the branch and the ATO
  • Being strategically focused, I translate operational goals and create a shared sense of purpose within the team, engaging others to align with the strategic direction for Risk Management and compliance
  • This view allows me to consider a wider range of issues and their implications for the team
  • I enjoy and continue to build and sustain relationships with my network of key people both internally and externally while recognizing our shared security agendas; this focus allows me to work towards mutually beneficial outcomes in the security space for ATO and across Government as a whole
  • As a growth orientated leader, I strive to achieve and encourage other team members to do the same
  • I commit to achieving quality outcomes while ensuring documentation and process are consistently maintained
  • I have adopted a mentoring/coaching style, assisting team members to self-problem solve, empowering them to take the lead on key pieces of work while recognizing, rewarding, and acknowledging their achievements
  • Leading management of cybersecurity risks and treatments to ensure security recommendations are implemented to improve security posture of ATO systems and applications
  • Leading review and analysis of priority risks and recommendations, suggesting improvements and actions based on the security assessment findings
  • Continued work on risks and treatments with system owners, ATO executives and their delegates to prioritise remediation activities
  • Lead and support Cyber Governance (CGov), C&A team activities including security audits, Self-Attestation and risk assessments
  • Recent examples – Siebel SRA, IODL risk mapping
  • Ensure risks are reported accurately to committees and ATO executives
  • Ensure ATO systems have proper risk management and system certification in place
  • Represented Cyber Governance as SME during IT Strategic Sourcing (ITSS) Program during 2023/2024 which involved engagement with technical and non-technical audiences where I had to simplify technical information into non-technical language
  • Currently involved in procuring Governance, Risk & compliance (GRC) as Risk & Treatments SME
  • I have acted in the EL 2 role multiple times to support the C&A team, which has given me more exposure to Cyber Governance branch functions that require us to lead by example and focus on our client needs and expectations
  • This opportunity has supported and motivated my learning including building capability, setting clear direction for teams while delivering strategic business outcomes for ATO
  • I believe with collaboration and consultation within the branch and broader ATO, we can exceed our client’s expectations
  • During my acting role as EL 2, I have managed budget forecasts for C&A against upcoming projects understanding our involvement throughout the project
  • I am also involved in forecasting and managing FTE against budget allocated to C&A by periodically reviewing our status, maintaining our priority and deliverables

Cyber Security Adviser

Australian Taxation Office
09.2015 - 10.2018
  • I lead the certifications (Authority to Operate) of ATO systems/applications on my Director’s behalf in C&A team
  • This involves reporting on treatment/recommendation progress to the certification authority
  • As part of continuous improvement, we have now adopted a 24-month cycle for certifications aligning with ACSC recommendation
  • We have been working closely with our Service Providers to begin the process and manage the requirement of maintaining a secure systems posture over the duration of the 24 months
  • In conjunction with the providers, we have developed an IRAP Governance Framework to track and manage updates against PSPF and ISM control requirements over the 24-month duration, while also tracking any shift in risk for the system/application
  • I have been providing input into ATO’s annual compliance reporting against PSPF 11 E8 compliance and risk process validation on Cyber Risks and their status for 5 years
  • I am also indirectly involved on development of Technology Security Risk Management Plan (TSRMP), which is a new directive from Home Affairs for Australian Government Agencies
  • I practice key cybersecurity principles (govern, identify, protect, detect and respond) within ISM which provide strategic guidance on how ATO can protect the information and operational technology systems, applications and data from cyberthreats
  • The current projects in Cyber Programs (e.g. MACH8, MFA, Backup & restore) will uplift our compliance with ACSC Information Security Manual (ISM) Essential 8 Maturity Level to ML2 and strengthen our cybersecurity posture
  • I also lead the IT Security Risk Treatment process for the management and tracking of risks across ATO cybersecurity
  • This aligns with the strategic direction of the ATO and the ATO Enterprise Risk Management framework
  • Provide strategically informed compliance and risk advice aligned to industry best practices, ATO Policy, PSPF and ISM requirements, guiding various stakeholders within ATO including Service Providers
  • Monitor certification and accreditation of ATO systems
  • Monitor risks and treatments, report outstanding issues to management and ATO executives
  • Provide advice on remediation work and progress on various cybersecurity related risks within the branch
  • Perform and assign risk mapping to non-compliances identified during audit/IRAP assessment
  • Engage and collaborate with other areas within ATO regarding risks, e.g. Technology risks, EST risks
  • I have been managing and mentoring staff since 2017

Cyber Security Adviser

Australian Taxation Office
07.2012 - 01.2015
  • Collaborate and work with security counterparts within the branch, Service Providers and other stakeholders
  • Represent Cyber Governance branch in meetings and forums
  • Management of risks and recommendations for Service Providers, Strategic Vendors and Partners
  • Review and update Risk Database with Service Provider’s Security Risk Management Plan (SRMP)
  • Manage and maintain IT Security risk treatments Database, i.e. enter reports, update status, communicate risks, close risks etc.
  • Ensure accuracy of information entered, follow team processes to report risks to IT Security risk treatment executive committee (ITSRT)
  • Seek closure of risks and treatments from ITSRT after successful implementation of treatments
  • Prepare agenda, record minutes and develop Charter for ITSRT

Graduate IT Officer

Australian Taxation Office
01.2011 - 01.2012
  • Introduction of APS values, Employment Principles and Code of Conduct
  • Exposure to Cyber Security in the ATO
  • Threat Modelling, risk assessments and risk treatments concepts
  • Completion of Project Management in the ATO as a part of graduate program
  • Contribute to development of Risk Treatment Database during initial requirements gathering
  • Contributed on IT Security Risk Treatment Executive Committee Charter meetings

Education

Master of Cyber Security -

University of New South Wales
01.2020

Certificate IV in Government (Investigation) -

Canberra Institute of Technology
01.2015

Diploma of Security & Risk Management -

Australian Forensics Services
01.2012

Certificate IV in Project Management -

Australian Taxation Office
01.2011

Bachelor of Information Technology -

University of Central Queensland
01.2002

Skills

Risk mitigation and Management

Compliance and Assurance

Risk Assessments

Threat Modelling

Security Audits

Certification

  • Certified Information Security Auditor (CISA), 2023
  • Certified Information Security Manager (CISM), 2023
  • SANS SEC501 Enterprise Defender, 2015
  • Information Security Management Systems (ISMS) Auditor/Lead Auditor, 2015
  • SANS SEC401.1 Security Essentials Bootcamp, 2014
  • Infosec Registered Assessors Program (IRAP), 2013

References

  • Michael Speldewinde, Senior Director, Cyber Governance, Australian Taxation Office, 0418 624425
  • Soe Khin-Hinder, Director, Cyber Governance, Australian Taxation Office, 02–621 65930, 0416216081
