The Australian Securities & Investments Commission’s (ASIC) corporate plan for 2022-26 includes driving good cyber risk and operational resilience practices across all sectors of the economy. A big question is how to simplify the process of cyber security risk governance for all stakeholders, and how to improve education and training in a discipline which is complex and has an acknowledged skills deficit. Stakeholders are finding their voice.
The recent amendments to the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act), which introduced the concept of “positive cyber security obligations”, and the legal precedent established in the ASIC v RI Advice Group case, confirm the ongoing evolution of a cyber security governance system or framework. The accountability of senior executives and directors and their oversight obligations are emerging like road signs in the fog. Emerging too is the acknowledgement that cyber security risk can be reduced through [active management and] adequate cyber security documentation and controls. Further guidance will assist all stakeholders to understand what adequate cyber security documentation and a control framework look like.
In May 2022, ASIC was successful in its action against RI Advice Group, a Financial Services provider, for breaching its licence by failing to effectively manage the cyber security risks associated with protecting customer information. Up until now, it’s the cyber insurance sector that has largely driven cyber risk management thinking. Faced with growing loss ratios, insurers recognise the need to improve the quality of cyber security risk information and better manage their risk. Their requirements for more rigorous underwriting methodologies and security controls have now yielded greater accuracy in risk understanding and pricing.
As regulators and the courts play catch-up, it is clear that these same risk management principles apply to senior executives and directors. Inadequate risk management systems and controls mean poor quality cyber security information to inform decision making. This is amplified for senior executives and directors, whose ongoing risk management and oversight responsibilities are significantly more onerous than those of any insurance underwriter.
In the absence of guidance, nightmarish stories of cyber attacks and countless sponsored articles that rehash directors’ responsibilities only drive cyber anxiety. Not cyber security improvement. Talk of how failure to properly consider cyber security risk may put them at risk of breaching their duty of care abounds. Concern in some circles is that the fragmented and inadequate nature of cyber security risk systems and processes is unable to provide intelligible information suitable to inform cyber security risk decisions.
The disconnect here is the lack of adequate data-driven information to inform the effective management of cyber security resilience and risk management decisions. Subjective questionnaires and efforts “that seek to mark your own homework” can’t replace quantitative measurement of risk. Only evidence-based metrics are adequate to inform a formal process or framework. Little wonder that executives and directors are feeling under pressure; maybe it’s because they feel they don’t know what they don’t know.
This security information quality problem is the same as the one faced by the cyber insurance industry. It was solved with more rigorous risk assessment and insurance contracts that allocate clear risk responsibilities between the parties. Just like insurers, senior executives and directors need to ensure that there is a clear understanding of and accountability for the quality of the risk information being provided to them and its adequacy to inform cyber security oversight.
While it may not be apparent to some who rely on it, right now a considerable amount of the operational risk assessment information is not fit for purpose. Growing legal responsibilities mean that much of this arbitrary and unverifiable information is unsuitable to meet the needs of senior executives and directors and their oversight obligations. Quantitative measurement enables evidence-based comparative risk appraisal, while qualitative judgements are inevitably prone to human bias and will result in lower confidence decision-making – cyber security risk or otherwise.
In late August the Cyber Security Industry Advisory Committee (IAC) released its annual report. It observed that there is a need for a governance “framework that is coordinated and integrated”. Experienced committee members, familiar with the cyber security sector, repeated many of their findings of previous years:
The report and the scale of the interdependencies of a whole-of-nation strategy reminds us that cyber security impacts everything, everywhere. “Without a rigorous evaluation and measurement system and against an evolving maturity index, there is too much reliance [being placed] on qualitative anecdotes and commentary to determine the progress and effectiveness of initiatives under the Strategy [to improve cyber resilience across the economy]”. This is the very problem faced by business and directors. Whether because of a disclosure obligation or a duty of care, directors too are observing the fragmented nature of the cyber security governance framework and the absence of a framework to effectively manage and report on cyber security resilience.
The focus of a new Federal Minister responsible particularly for Cyber Security will undoubtedly assist in removing some of this fragmentation around cyber security information sources, guidance and the regulatory requirements, to better anchor a governance framework and improved cyber security processes and resilience. If senior executives, experienced in cyber security management, and lawyers skilled in matters of the law are seeking clarification, it’s fair to assume that many others are too. How can a cyber security assessment report, without evidence-based measurement, reliably inform a cyber risk management process?
Whether it’s a Notifiable Data Breach or a disclosure of the kind now required by the SOCI Act, which obliges an organisation to notify the Australian Cyber Security Centre (ACSC) of a significant cyber security incident within 12 hours of becoming aware of it, it will be difficult to confidently assess and comply with the requirements without an empirically based risk measurement system.
Systematic frameworks, risk management instruments and tools abound in the field of risk management and oversight, and business has relied on these methods and practices to manage all types of operating risk – credit or FX, for example. Irrespective of the nature and complexity of the risk to be managed, however, the broad principles of risk likelihood, mitigation and impact remain familiar constants for directors and risk management decision-makers. Cyber security is no different, except that the risks are more complex and the frameworks, tools and risk management methodologies are still evolving. Selecting the correct cyber security risk framework may depend on your regulators, the industry or any jurisdictional operating obligations; at a management level, however, the suitability of security risk frameworks, their simplicity, ease of use, and the fidelity and accuracy of the information they provide are vital.
Australia has a proven cyber security risk framework, which was published as a cyber security maturity model as early as 2017. In drawing a distinction from the broader cyber security governance framework talked about earlier, the ACSC Essential Eight Security Framework is internationally regarded as one of the most effective IT risk cyber security frameworks in the world – with its easy to use, systematic and incremental risk assessment capability. This is particularly so when it is used to automatically measure the presence, effectiveness and maturity of a set of eight key cyber risk mitigation strategies. In this “industrialised” form it provides the basis of an empirical measurement and quantitative security control reporting platform to assess the resilience of your risk prevention, containment and recovery efforts.
Obviously, additional controls can be added to increase the reach of your security controls, but as eight technical controls, it’s a very accessible way to establish an “IT asset-centric” baseline of security resilience and, according to the ACSC, reduce your cyber security risk.
The benefits of the ACSC Essential Eight framework are compelling:
For the first time in more than 20 years, international security agencies have begun issuing multiple joint guidance statements. Perhaps this is in recognition that cyber security control effectiveness has become an almost universal measure of resilience, and that our adversaries are similar, if not the same. The implications are clear: irrespective of whether you follow another cyber security framework or have other jurisdictional obligations, for local organisations the ACSC Essential Eight provides quick and easy visibility of your cyber security controls and maturity levels. By automating the empirical measurement and reporting of those eight key controls, senior executives and directors can quickly assess the levels of cyber resilience and make data-driven cyber security decisions with confidence.
What we do know is that qualitative, anecdotal risk information is not enough. It will inevitably impact the adequacy of the cyber security risk management process and potentially the decisions that shape the cyber security strategy itself. Ongoing cyber security resilience is now a feature of the modern enterprise as it seeks to transform its business processes for greater efficiency, bringing with it the inevitable increases in cyber risk. Another feature is the risk team that is responsible for the assessment, management and reporting of those risks. They educate stakeholders, develop assessment tools and build systematic models to better explain the nature and quantum of mitigated and, ultimately, residual risks. The better the visibility of risk, the more reliable the quality of risk oversight – at all stages of its lifecycle.
We spoke before about the volatility of the cyber security risk environment and the need for the never-ending mitigation of vulnerability gaps. It’s the reason why detail matters. It’s why risk measurement needs to be accurate and objective and provide a relative measure or priority of a particular risk and its proposed mitigation strategy. It’s also why quantitative “risk accounting” and auditable assessment processes that support cyber security IT frameworks are vital to an effective cyber security risk management and oversight process.
New risk management processes and technologies will evolve to support a broader cyber security governance framework and near real time empirical risk measurement system. Right now, however, the ACSC Essential Eight risk framework is ideally suited to the systematic measurement of enterprise (and even nationwide) cyber resilience. What is required, however, is education and practical advice to better integrate the Essential Eight risk framework into the execution of the broader national cyber security resilience Strategy.