More cyber security breaches have been reported, this time in the finance and judicial sectors and, most recently, in superannuation. ASIC and other regulators have repeatedly warned organisations to prioritise their cyber resilience management. In November 2024 ASIC restated that poor cyber security protection that threatened consumer data would be an enforcement priority for it in 2025.
Clearly many organisations have more work to do on their cyber security transformation and governance. There is no shortage of articles and advice intended to guide boards and their CISOs in establishing effective cyber governance. Yet the evidence continues to suggest that there is a “gap” between the message and its execution.
Setting up effective cyber security transformation governance requires focused effort and the integration of new policies into the enterprise. A memo from the Chairperson extolling the new cyber security strategy and delegating it to the CISO won’t be enough. After the recent superannuation cyberattacks, the Australian Financial Review emphasised that cyber security must be treated as a board-level risk: “As business activities ….. shift to the digital realm cyber security must be treated as a board level strategic and reputational risk on a par with financial reporting and other regulatory compliance obligations”.
This growing inability of enterprises to protect themselves adequately, together with upcoming regulatory changes for a number of regulated industries, makes this a good time to review cyber security strategies. Is your current governance framework still fit for purpose, given the clearer board-level responsibilities for cyber security awareness and effective risk management?
For some organisations, risk management policies will be so important to cyber security governance that establishing an Enterprise Information Security Policy (EISP) to reprioritise cyber security across the enterprise is a sensible next step. Documenting board, delegate and CISO responsibilities formalises reporting lines, communication channels and accountabilities. It also provides the cultural and operational guidance needed to secure explicit business and technical buy-in.
Any review of your cyber security governance must address a number of critical and interrelated considerations. While not intended to be an exhaustive list, here are four important activities to consider:
Doing their best to keep IT assets and data secure is an obligation on everyone, and that is a cultural change. Cyber security awareness is much more than improving cyber literacy between business and technology leaders. The task of upskilling business users and technologists to understand how IT systems and data underpin the functioning of their operational systems, and their ongoing security, should not be underestimated.
It is much more than knowing “not to click a link”. It is about accountability, interpreting cyber security reports, understanding the implications of a breach and recognising unusual behaviour on a system. It is not the work of a moment; it requires the development of relevant content and its delivery to many different stakeholders across the enterprise.
By itself, the threat environment is reason enough for some enterprises to review the suitability of their operational risk management systems and practices. Are they suitable to manage the ongoing cyber resilience of the enterprise in the face of growing levels of operational risk?
What about changing regulations? Initially, organisations will try to stretch their existing resources and capabilities to meet these more hostile threats and changing regulatory requirements. Ultimately, however, operational risk management systems and practices will need to change. The new regulations themselves require that more capable and proactive risk management solutions be deployed to manage operational risk as part of business as usual.
The Security of Critical Infrastructure Act 2018 in Australia and the APRA CPS 230 Operational Risk Management standard, which commences in July 2025, are in many ways similar to the UK finance sector’s FCA PS21/3 and Europe’s Digital Operational Resilience Act (2022). Although the regulations vary in detail, boards are now responsible for managing and overseeing operational risk and for ensuring regulatory compliance. The requirement that boards be regularly updated reinforces the importance of the IT systems, resources and assets that support the ongoing cyber resilience of every enterprise.
Setting up techno-legal systems and practices to manage the financial, operational and reputational risks inherent in cyber security will be a challenge for most enterprises. Recent regulations are elevating cyber security to a cornerstone of corporate governance.
Selecting a cyber security framework is a vital step in establishing effective cyber security governance practices. It is about choosing the security guidelines that best fit the needs of the enterprise, its digital assets and its regulatory obligations. When selecting a framework, organisations should consider how readily it supports timely compliance reporting and how the resulting information will be used to manage cyber security performance. Regular compliance measurement ensures that cyber security transformation decisions are informed by ongoing performance against current security controls.
A maintained framework benchmarks risk management effort and control effectiveness against standardised maturity levels, regardless of industry. Expansive frameworks such as the NIST Cybersecurity Framework and ISO/IEC 27000 series provide extensive guidance for an information security management system, but they are less suited to frequent, up-to-the-minute assessments of security controls. By contrast, a narrower technical controls framework such as the ACSC Essential Eight Maturity Model is more concise and better suited to regularly measuring the state of your controls and benchmarking your ongoing resilience.
The ultimate effectiveness of your cyber security transformation, however, depends on the risk management systems and processes you choose. The frequency with which information is collected, analysed and reported is crucial to the reliability and quality of cyber security governance. The sooner and more regularly threat and control information is available, the faster it can pre-emptively inform mitigation strategies and be used to manage cyber resilience levels.
Even simple compliance reporting remains an aspiration for the majority of organisations. But it is clear that lawmakers are seeking increasingly capable operational risk management solutions, which will require more reliable and dynamic risk management practices to manage the ongoing resilience of your operation. Traditional assessment techniques that rely on high levels of subjectivity and manual process are already struggling to meet the information quality and timeliness needs of “always on” risk management.
Recently, the UK National Cyber Security Centre noted the widening gap between increasingly complex threats and the UK’s defensive capabilities. Volatile operating environments threaten cyber security breaches and disruptions to operations everywhere, so it is not surprising that regulators are echoing the need for improved operational risk management techniques.
It is especially important to identify control gaps quickly and adjust security settings, so that control effectiveness is restored and target cyber resilience levels are maintained. That is why we are seeing more automation in risk management systems and processes; automation continuously supports and informs cyber security governance. Today, off-the-shelf, data-driven risk management solutions provide near real-time monitoring, up-to-the-minute security gap analysis and cyber resilience management, and help meet new continuous reporting requirements.
The pace of cyber security transformation and its governance is evolving to match the real-time demands of business. Protecting operations and the IT systems that support them is now critical to business functioning, and maintaining priority operations despite potential cyber security disruptions is the essence of operational resilience. As a result, the tempo of cyber security and its governance is changing to meet the real-time cadence of business.
Getting cyber security awareness right is essential. Proper governance ensures that quality information is available to manage resilience under the new regulatory guidelines; this will soon be mandatory for many organisations and desirable for most. The transformation will be significant for most organisations, but ultimately they must undertake these activities to address the financial, operational, reputational and now legal risks associated with cyber security.
Read more insights from Huntsman Security here.