Bridging the Gap: Why Cyber Governance Needs More Than Strategy

In 2024 the Commonwealth Cyber Security Posture Report (the Report) recorded that most Australian Government entities had established corporate governance mechanisms to oversee their security risks and prepare for cyber threats.


The Report noted improvements in the areas of cyber strategy development, business continuity planning (BCP), incident response planning (IR), and learning and development (L&D) activities. Nearly all surveyed agencies reported having these plans in place.


Graph 1: Number of Commonwealth agencies with core cyber documents in place


A deterioration in the technical hardening of systems was also observed. Only 15% of departments or agencies, as compared to 2023’s 25%, implemented the controls needed to meet the minimum cyber security maturity requirements outlined within the Australian Government’s Protective Security Policy Framework (PSPF).[1]


Graph 2: Number of Commonwealth agencies implementing technical controls to meet minimum cyber security maturity requirements


The year-on-year reduction in cyber hardening is less alarming than the uneven progress made over the 2021–2024 reporting period. Governing boards oversaw improvements within the areas of cyber strategy, BCP, IR and L&D. This did not translate into improvements in the implementation of the technical cyber security controls that harden systems, in line with the PSPF’s minimum cyber security maturity requirements.


Governance boards overseeing a department’s cyber security program need management teams to provide both insights and assurance. Insights should enhance a board’s awareness and understanding of risks, leading to better strategic planning and decision-making. Assurance is the process of evaluating and verifying that the strategies implemented are working as planned, as well as aligned with the overall objectives of the entity. Both are needed for a board to acquit itself of its responsibilities.


Progress and risks associated with L&D, BCP, IR and cyber strategy can be communicated in a simple and clear way. Executives overseeing these items can likely interrogate and challenge management teams effectively and frame issues using their existing experience and knowledge.


A technical understanding of an organisation’s architecture, systems and data flows, or a cyber security team with excellent communication skills, is a prerequisite for overseeing cyber hardening activities. Accepting risks related to legacy systems and balancing the trade-offs between business and security requirements both require tailored information to inform decision-making that still improves the agency’s cyber posture.


The disparity between strategy and hardening domains suggests that leaders charged with the oversight of an agency’s cyber program have half the information they need. Improved communication between technical managers and the governing boards is a must to support improvements in both domains.


Arch’s Essential Eight Maturity Assessments focus on identifying challenges that may exist with legacy systems, implementation costs or with remediation timeframes, and communicating these clearly to the board. We link gaps to existing strategies and implementation roadmaps and support the identification of compensatory arrangements that support uplift in both domains.


In an environment of increasing cyber risk, governing boards must require that teams provide the information they need to make informed decisions about both technical and non-technical matters.


Contact us to discuss how to improve your governance of these areas with an Essential Eight Maturity Assessment.
