Cyber Security Essentials | Risk Management & Reporting

August 23, 2024


I read an article the other day describing the ACSC Essential Eight (E8) as the starting point to future-proof your organisation. It’s true; a regular E8 report on the status of each of your security controls can confirm your cyber posture. But whether that information will ultimately assist you in future-proofing your cyber security activities will depend on the reliability of that information and how you use it.

Completing an E8 risk assessment ticks some important boxes. It provides the security team, and hopefully business leadership, with information about the state of the organisation’s security controls and posture, which helps them fulfil their increasing IT security reporting obligations. Importantly, the E8 assessment process you choose will determine the usefulness of the results. Many E8 assessments quickly become obsolete because of the significant time it takes to gather the evidence and complete them; as a management tool, the result is irrelevant by the time it is delivered. However, using timely and relevant information to complete an E8 assessment can assist in proactively future-proofing your organisation.

Once upon a time, IT risk assessments were onerous and, as a result, were conducted infrequently. Today, depending on the methodology chosen, they can still be costly, incredibly time consuming and inherently inaccurate. Subjective techniques, sampling and unverifiable answers to questionnaires lack the evidence-based information that stakeholders now need to support their decision making. So, while a traditional E8 risk assessment can deliver a guide to E8 cyber maturity that meets existing compliance obligations, its usefulness in managing your cyber resilience into the future is limited.

Dynamic risk management

The volatile, complex nature of the cyber security threat environment sets it apart from just about any other risk management endeavour. Threat vectors shift quickly and often, with profound implications for the operation of an enterprise. With the limited range of cyber security risk management tools available, “self-insurance” and best practice frameworks become the order of the day. That in turn demands high-quality risk management decisions, both operationally and strategically, which can only be made with timely and accurate information to inform them. This need for speed means organisations require dynamic management techniques to effectively manage their cyber security risk. Because of the ever-changing threat environment, organisations need:

  • processes to rapidly identify emerging risks in the threat environment,
  • an ability to pinpoint the resulting weaknesses in existing controls,
  • an ability to make decisions on appropriate risk mitigation strategies.

This is particularly important in larger organisations, where the extensive tentacles of the business create larger and more complex attack surfaces to monitor and defend.

The cadence of risk information collected from the environment must stay ahead of the changing threat environment. Determining and responding to emerging cyber security gaps means being able to collect, analyse and report on large volumes of bottom-up security risk data from across the enterprise. Knowing that a vulnerability has altered your attack surface is important, but having evidence of its location, priority and associated IT assets means you can actually manage it. That is why organisations are turning to data-driven threat assessment solutions to ensure organisational resilience can keep pace.

International security agencies have long encouraged organisations to align cyber security management activities with their broadly published risk-based principles. These threat assessment techniques have recently been labelled by Gartner as Continuous Threat Exposure Management (CTEM) or, where conducted periodically, ad hoc TEM solutions. At one end of this “CTEM solution spectrum”, security teams can establish their own methods to identify emerging cyber security threats that are not being adequately addressed by existing security controls (see “TEM solutions – what are they?” below). At the other end, cyber security maturity levels and security control effectiveness, such as those defined by the ACSC-recommended Essential Eight, can be measured continuously, even automatically, to quickly and reliably identify and prioritise any emerging security gaps for mitigation.

Regardless of the changing threat environment, ongoing cyber resilience levels can be managed with quick, reliable information about security gaps to inform adjustments to security control settings. What’s important to remember in all of this is that the quality of the gathered threat information directly determines the reliability and utility of your risk assessment metrics.

TEM solutions – what are they?

Readers familiar with the ACSC E8 Maturity Model will be familiar with its recommendation for regular, risk-based threat management processes that identify priority assets, undertake vulnerability assessments and highlight preventative security policies, procedures and controls for improved cyber resilience performance.

IT analyst firm Gartner recently made a similar observation: “Today’s cybersecurity attackers pivot fast, leaving organizations scrambling to automate controls and deploy security patches to keep up, but such tactics don’t reduce future exposure. What’s needed is a continuous threat exposure management (CTEM) program that surfaces and actively prioritizes whatever most threatens your business. Creating any such program requires a five-step process.”

Regardless of where you take your advice, the message is clear: organisations need to evolve their threat management processes to address the increasingly dynamic threat environment they operate in. They need to move beyond traditional assessment techniques and adopt more data-centric, risk-based assessment processes. Because of its importance, business and security stakeholder participation must increase throughout this five-step process:

  1. Discover the key enterprise IT assets, systems and data
  2. Identify the associated security vulnerabilities
  3. Prioritise high value assets and effective mitigating strategies
  4. Determine the mitigation strategy effectiveness
  5. Implement the control and regularly assess mitigation strategies

TEM technology to solve the availability problem

Software solutions are now available to automate the TEM process and eliminate some of the concerns around the quality of risk information. Huntsman Security’s Essential 8 Auditor is easy to install, unobtrusive, and objectively measures the effectiveness of your existing controls against the threat environment you operate in. It quickly identifies control gaps by completing objective E8 risk assessments on demand. Because it is software, its systematic process regularly provides evidence-based measurements that can form the basis of your cyber security risk management improvement program.

Technology like this ensures that a reliable, up-to-the-minute assessment of your ACSC E8 maturity level is always available to support your decision-making. No more guesswork. Such tools identify the location and nature of control weaknesses, guide mitigation efforts and inform stakeholders of the current state of cyber security resilience.

[Figure: IT analyst firm Gartner’s five steps in the cycle of Continuous Threat Exposure Management (CTEM), supporting Essential Eight decision-making.]

The impact of data-driven CTEM platforms

Data-driven CTEM platforms significantly change the cyber security risk management overhead and dynamic for organisations. Continuous data-driven CTEM platforms, like the Huntsman Security Essential 8 Scorecard, alter the accessibility and accuracy of threat management information available to cyber security decision makers.

Leveraging CTEM technology to continuously, or even regularly, collect and analyse enterprise-wide information, and to identify and locate emerging cyber security gaps, transforms cyber risk management into a proactive process. It is particularly well suited to large enterprises, providing an ability to quickly locate misconfigurations, unpatched systems or otherwise ineffective controls. With this information, security teams can then adjust control settings accordingly, which is where the real value lies.

Gartner predicts that, “By 2026, organizations that prioritize their security investments based on a continuous exposure management program will be 3x less likely to suffer a breach.” Data-driven CTEM platforms add process and confidence to the outcome of ACSC’s recommended practices.

Given that most attackers actively seek easy targets, using attacks that exploit failures in baseline security controls, the reality could be more extreme, a trend that executives of all businesses will be unable to ignore. As the successful management of cyber security resilience becomes an increasing responsibility of leadership and security teams, better quality information is required. The absence of objective and reliable performance metrics that detail the state of every E8 control prevents security teams from gathering the information that fundamentally measures cyber security risk management improvement. The inability to provide a feedback loop on the success of an amended risk management process denies all stakeholders the opportunity to identify and adjust control settings while also having visibility of current security trends.

With data-driven CTEM platforms, near real-time information about your cyber security risk position is accessible to all stakeholders. Cyber operations and security teams can use the information to actively manage and report their security risk position, and improve their cyber security governance. Cyber security gaps can emerge quickly – unpatched software or the installation of an untested software upgrade can quickly leave your organisation vulnerable. Cyber security incidents are becoming more widely disclosed and adversaries are able to quickly scan your environment from afar. This makes being able to quickly reveal and mitigate exploitable vulnerabilities an important preventative step.

We have discussed the range of CTEM solutions available, from analyst-based audits through to automated data-driven platforms. The choice of solution obviously depends on the size of your enterprise and the value of your key IT assets, systems and data. But it is worth considering the ACSC recommendations when it comes to the quality of security information that supports your E8 assessment – the better the quality of the evidence, the better your risk management practices and cyber security resilience.

Due to the increasing reliance on IT assets, systems and data to conduct business, the message to corporate leadership is that cyber security is a cornerstone of ongoing organisational resilience. Poor cyber resilience can quickly put your operations at risk of disruption, or worse. For that reason alone, it’s important that your business leaders maintain informed oversight of your cyber security governance. The cyber health of your IT assets and systems is a key determinant of the resilience of business operations and of directors’ ability to meet their regulatory obligations.

Undoubtedly your organisation already uses operational management systems to inform business strategy and decision making. Cyber security risk management is no different. It too requires timely and accurate information to ensure informed decisions, the effective ongoing management of your business and the resilience of its operations. You wouldn’t use last year’s results to report this year’s financial performance. Too much has changed.

The good news is that your E8 assessment results, if reliable and regularly accessible, can seriously influence the success of your cyber security efforts.

Huntsman Security has been successfully providing TEM and CTEM security software to large and small Government and commercial customers for a number of years. Customers of all sizes use it to assist them in proactively improving the effectiveness of their security controls and enhance their cyber security resilience.

If you want to discuss any of the above with a cyber security expert, please don’t hesitate to contact us.


References

“How to Manage Cybersecurity Threats, Not Episodes”, Kasey Panetta, Gartner, 21 August 2023. https://www.gartner.com/en/articles/how-to-manage-cybersecurity-threats-not-episodes

Essential Eight Assessment Process Guide, Australian Cyber Security Centre, Australian Government, November 2022.
