Ctrl In Focus: Meet Jayden, Consultant – Advisory
Brand, Cybersecurity 01.04.26
A strong cyber approach starts with understanding how systems operate in practice, not just how they are designed on paper. Jayden brings that perspective into his role as a Consultant, combining technical knowledge with an ability to translate complex concepts into clear insight. His experience across architecture, governance, and operations allows him to engage across different layers of an environment, connecting detail with decision-making. The result is a considered, grounded approach that supports more confident and informed outcomes. Read his Ctrl In Focus Q&A below.
Q. Tell us about your role at ctrl:cyber?
A. So I primarily work in the Governance Risk & Compliance (GRC) space, performing reviews of clients’ cybersecurity posture, connecting my technical computer science background to the higher-level understanding of a business’s cyber operations. I also tinker about in the Vulnerability Management space, doing automated risk-based data analysis to prioritise remediation actions. I fix the occasional broken monitor too – someone’s got to!
Q. What first sparked your interest in computer science?
A. Truly I just wanted to play games with my friends, and someone had to be the one to set it up. I remember how great it felt to learn about unzipping files back in the day, and from there I’ve been chasing that high, trying to bend computers further to my will. At first that meant making games in Scratch, then to a computer science degree, and since to homelabbing.
Q. Your background spans computer architecture, encryption, and software development. How do those foundations influence the way you approach client challenges today?
A. Each of those categories has led me to a rather in-depth knowledge of the internals of computers, and the science behind them – shocker, I know. That understanding helps significantly when you’re interviewing clients on their architecture and design; often the best person to talk to will be a system administrator, and their work is incredibly technical. Being able to understand those technicalities and respond accordingly, and identify any edge-cases, is something I attribute primarily to my background. The software development also comes in handy; it should come as no surprise to anyone in the industry that reporting and metrics are ever-changing, and for that it’s invaluable to be able to get data into useful formats to substantiate your arguments.
Q. You’ve had exposure across offensive testing, governance, and broader cyber operations. What has stood out to you about how those disciplines connect in practice?
A. To be honest, I’m fascinated by the separation of Penetration Testing and GRC work. When you’re doing Governance and Compliance, you really need to know what the state of the target environment is. You need to know what controls are enabled, what mitigations are in place, what policies have been stood up. But the nature of the work is you can only request so much evidence, and the people responsible for providing you evidence are incentivised to make their system look good (they have a bonus to earn, and fewer misconfigurations means less work!). So, when you receive a policy document asserting that all internet-facing servers are updated within 48 hours, it should be the Offsec teams’ job to go through and do what they do best; finding out-of-date software and proving to the client that Governance does not imply Compliance.
Q. There is significant momentum around AI adoption. What do organisations need to be more deliberate about?
A. The key point I come back to is that AI as we use it today is not general purpose. You use it as a tool to accomplish a specific objective; whether that’s to categorise faces, generate text for an email, summarise the news. At the end of the day, AI takes an input and gives back an output. Without oversight, without controls, what you’ve created is another Robodebt. The key is organisations really need to ensure they have proper, human oversight on AI systems. People are more than just inputs and outputs; we have the privilege of thinking critically and responding in a variety of different ways and mediums in a way that AI just can’t do reliably.
Q. When designing AI-enabled systems, where should governance be embedded from the outset?
A. Everywhere! If you’re establishing governance, you should have time to consider what functions the AI-enabled system is going to perform, and then you can match those up to governance and oversight. In terms of where governance should be prioritised, I think the key question that should be asked first is “Which company am I giving this data to?”, and then the next question is “What are they doing with my data?”. Answering those questions is key; especially for sensitive or business-critical data.
Q. You studied Computer Science at the University of New South Wales. What mindset or principle from that time still shapes your thinking?
A. UNSW was awesome for hands-on learning. Labs and practical application of learning really engage you in the material, and that model really informs how I go about my work. Engaging with a client about their firewall policies is much easier if you’ve set one up yourself. That’s why I find myself drawn to homelabbing – setting up a home-network-wide adblocker is super useful, and teaches me things that come in handy at work, too.
Q. Outside of work, how do you spend your time? Are there interests or hobbies that influence the way you think?
A. I spend my free time playing every puzzle game I can get my hands on. Sokobans are super varied, have some fun discovery elements, and are easy to undo if you make a mistake. Variant Sudoku is great when you have a grid with no digits and need to find something to latch on to. Detective games are fun for really stretching the limits of your inference. Problem Solving is my bread and butter, but also my water and the air I breathe. All my hobbies have something in common, I think!
Q. “Cyber Together” is central to how we think about advancing the industry. What does that concept mean to you in practice?
A. I think “Cyber Together” is both about collaboration between businesses, and collaboration within a business. I think a GRC Assessment and an internal pen-test together would reveal much more information than either one on its own; the GRC Team can more accurately reflect the state of compliance to governance, and the Pentest team can get a more complete download of “expected environment and potential gaps” before they go in and start digging.
Jayden’s perspective reflects the direction modern cyber programs are taking, where effectiveness is shaped by how well technical insight, governance, and real-world application come together. It reinforces the importance of looking beyond surface-level assurance, focusing instead on how environments actually perform, how people interact with them, and how decisions are made under pressure. It is this combination of depth, context, and practical thinking that continues to strengthen outcomes and elevate standards across the industry.