Essential 8 and compliance culture

Thursday 28 November, 1:50 pm - 2:30 pm

Speakers

Mark Navarrete

Managing Director
Uplift Security Pty Ltd

Synopsis

This talk is for CISOs and security experts providing advice to Government agencies. It explores the history and value of the Essential 8 and the reporting requirements and practices that government agencies undertake. It asks the question of whether mandatory compliance targets actually reflect cyber security posture and risk, and details areas of risk which remain unaddressed in the Essential 8. Finally it provides an alternate view of cyber security maturity and provides participants with some options of more holistic and integrated sets of metrics to measure their actual cyber security state.

This talk is for anyone who is subject to, or is seeking to implement, the ACSC’s Essential 8 in their organisation. The Essential 8 is a good framework, but an incomplete one. To understand the Essential 8 we must understand its history. As a mandatory compliance target it served a purpose when cyber security was less mature, acting as a kind of cheat sheet for organisations. Since its release, however, threats have grown in complexity and volume, meaning that the gaps in the Essential 8 may themselves be exploitable vulnerabilities. We will explore some alternative schemes worth considering alongside the Essential 8.

Personal introduction – experience and personal commentary only, not representative of any organisation I work or have worked for.

History of the Essential 8 – Top 35, Top 4, Essential 8. Cyber security focus due to role of ACSC. Less focus on cyber security in general business and government sectors. Limited, if any, board awareness. Almost no cloud. Pre-maturity model to existing three level maturity models. PSPF reporting for Australian Government agencies.

Compliance versus Security. Why is this a problem? NAPLAN comparison – teaching to the test, not the outcome. Treating how an organisation implements 8 controls as an assessment of cyber security maturity. Assumption of similar or identical context. Ignoring compensating controls or unusual architecture (cloud, airgaps, non-Windows). No identification of value of system under assessment but treated as a proxy assessment for cyber security ‘goodness’.

Gaps in the Essential 8 which should be assessed and addressed. MITRE ATT&CK framework vs Essential 8. Insider threat. Supply chain attack (including software supply chain). Cloud-based systems (particularly SaaS and PaaS). Cyber threat intelligence. Incident response. Training and security awareness.

Alternative, fairly complete frameworks that can supplement the Essential 8 include: ISM, Cybersecurity Capability Maturity Model (C2M2), NIST Cybersecurity Framework (CSF), NCSC Risk Management Toolbox. Insider threat resources can be found at AG’s, CISA, CMU, etc.

Concluding Remarks

All frameworks must be tailored to fit the context of risk. The job of a CISO is to assess and mitigate security risks, not just to comply with regulation. It is critical to think outside the regulatory framework. It is important to have conversations about compliance vs security, and to educate more senior leaders about the risks of thinking that compliance equals security.

Acknowledgement of Country

We acknowledge the traditional owners and custodians of country throughout Australia and acknowledge their continuing connection to land, waters and community. We pay our respects to the people, the cultures and the elders past, present and emerging.
