
Key strategic security priorities for boards, management and IT Teams in 2025

Author: danielweis

With the dawn of a new year now upon us, it's important for directors, the C-suite, management and IT teams to set their security roadmap and strategic priorities for the year ahead, to ensure ongoing organisational cyber resilience.


In this article I want to cover off some of the biggest cybersecurity gaps facing most organisations today and provide a checklist of the areas, coverage and knowledge you should have.


If you haven't already, cyber should be embedded into your existing risk management processes, remembering that cyber risk can never be reduced to zero in any organisation.


Defining your risk appetite

The first thing that should be defined by your organisation (typically at the board level) is the organisation's cyber-risk appetite, that is, the amount and type of risk an entity is willing to accept to achieve its (strategic) objectives. The risk appetite will align with the strategic plan and will have a number of flow-on effects for an organisation. For example, an organisation with a low risk appetite is more likely to have a higher cybersecurity budget allocated by management/board, and more stringent and well-defined policies, procedures and controls.

Typically an organisation can define its risk appetite by:


  • Clearly articulating its strategic objectives and risk tolerance. This involves understanding the organisation's mission, vision, values, and desired outcomes, and determining the level of risk it is willing to accept in pursuit of those objectives.

  • Identifying and categorizing potential risks. This may include financial, operational, reputational, legal, and strategic risks.

  • Assessing the likelihood and potential impact of each identified risk. This helps prioritise risks and determine their potential impact on the organization's objectives.

  • Developing a formal risk appetite statement. This statement should clearly articulate the organization's acceptable level of risk for different risk categories, such as financial, operational, IT, Cyber, Governance, reputational etc. An example looks like the below:

Example risk appetite statement

  • Communicating and training all employees on the risk appetite statement. This ensures that all employees understand the organisation's risk tolerance and how it applies to their work.

  • Regularly monitoring and reviewing the risk appetite statement. This ensures that the statement remains aligned with the organisation's strategic objectives and risk profile.



Understanding New Cyber Security Reforms and legislation

A lot of changes were implemented last year both here and overseas which organisations need to be aware of when it comes to understanding their regulatory and compliance requirements.

Australia

Last year we received our first cyber security bill, which has become the Cyber Security Act 2024. More information can be found here: Cyber Security Legislative Package 2024 – Parliament of Australia and Cyber Security Bill 2024 – Parliament of Australia

The guts of the changes in the bill that affect organisations:


  • Mandatory Ransomware Payment Reporting: Organisations now must report ransomware payments to the Department of Home Affairs within 72 hours. 

  • Establishment of a Cyber Incident Review Board: It is expected that an incident review board will be stood up within organisations (so this now needs to be incorporated into your incident response plan (SIRP)) and this board will review significant cyber incidents.

  • Mandatory Security Standards for Smart Devices: Australian manufacturers and suppliers of relevant connectable products now must ensure their products comply with mandatory security standards.

  • Limited Use Framework: Information shared with the National Cyber Security Coordinator (NCSC) through voluntary or mandatory reporting (such as reports to the OAIC) is subject to a limited use framework. This doesn't change any reporting obligations for an organisation, but be aware that the data breach information you provide may be shared across government departments.



On top of the cyber security bill requirements, we still have our standard requirements under the OAIC reporting scheme and obligations under the Privacy Act (Australian Privacy Principles (APPs)).


APP 11: Requires organizations to take "reasonable steps" to protect personal information from misuse, interference, loss, and unauthorised access, modification, or disclosure.

Notifiable Data Breaches (NDB) scheme: Organisations must notify affected individuals and the OAIC of eligible data breaches.


As these have been around for a long time I won't hash them out again, but if you want to read up, the links are here:


Also don't forget the Corporations Act 2001: directors have a duty to act in the best interests of the company, which includes considering and mitigating cyber security risks, as well as financial reporting. Organisations may be required to disclose information about material risks, including cyber security risks, in their financial reports. Link below:


And lastly there are industry and organisation specific compliance and legislation organisations should be comfortable with, such as ASIC Requirements, the Security of Critical Infrastructure Act 2018 (SOCI Act), APRA Requirements (CPS234), Private Health Insurance Act 1973 (Cth), Health Records Act 2001 (Vic) etc.


EU

The EU also implemented the Cyber Resilience Act (CRA) on October 10, 2024. In a nutshell, this new legislation aims to safeguard consumers and businesses buying software or hardware products with a digital component. Where I see this most affecting Australian organisations is in the development of software / SaaS applications and/or hardware that will be sold and used globally.

The key components of the CRA include:


  • Product Security: There are a number of mandatory cybersecurity requirements for a wide range of products with digital elements, from smartwatches to industrial control systems. 

  • Manufacturer Security Standards: Manufacturers and importers now must ensure their products meet certain security standards throughout their development lifecycle, including secure design and development, minimising vulnerabilities, and incorporating security features.

  • Update/Maintenance and Vulnerability Requirements: Manufacturers/developers must now ensure regular security updates and address identified vulnerabilities promptly.

  • Clear and transparent security information: Providing users with sufficient information about the products security features and any known vulnerabilities. 

  • Enforcement: The CRA includes provisions for market surveillance, conformity assessments, and enforcement measures to ensure compliance. 


More information can be found here:


Understanding AI and AI risks

If you are not already across AI risk identification and management, it's time to get on board. I put out an extensive article last year which can be found here: danweis.me/post/navigating-organisational-risk-related-to-ai. In short, all organisations now need to implement controls and policies for AI usage, and need to consider:


  • AI usage and lack of AI control (what we call Shadow AI), where staff are providing information to LLMs and AI services without scrutiny or controls applied.

  • Data Privacy and Security risks - such as Privacy violations and shadow AI, AI Vulnerabilities and Data Poisoning.

  • Biased and discriminatory outputs resulting from datasets and training data, as well as exposure of sensitive information through LLM injection/prompt injection attacks.

  • Malicious AI and AI attacks - Such as sophisticated social engineering using AI, examples are deepfakes, misinformation campaigns, targeted phishing and automated hacking tools powered by AI.

  • Workforce impacts as a result of AI adoption.

  • AI governance and governance structures, including the standing up of a working / decision making group.

  • AI strategy and organisational policies to protect its usage, as well as ensuring privacy and confidentiality risks are addressed.

  • Lack of a robust AI and data governance framework covering the storage and development (training) of AI systems.


The AICD have a good director resource available here: Directors’ Guide to AI Governance.

It's also worth flagging that embedded AI (and AI agents) is massively increasing at the moment, with the goal of having AI perform actions on behalf of people. For example, AI is given a recipe and goes out to online stores to buy the ingredients. An interesting post on AI agents can be found here: Big Tech is pushing ‘AI agents.’ They’ll need intimate access to your data. - The Washington Post.


Foster and maintain a culture of Cyber Security and Cyber Resilience.

Fostering a strong cybersecurity culture within an organisation is crucial for its long-term success and resilience. A culture of cybersecurity is a top-down commitment that starts with leadership and filters down to all employees, partners and suppliers. This includes ensuring senior management visibly champions cybersecurity initiatives, actively participates in training, communicates the importance of security to employees, and allocates resources for security budgets and security improvements.


Leaders must also model secure behavior and demonstrate a commitment to data privacy and security in their own work. 


But a security culture doesn't just end with the organisation; it should also extend beyond the organisation to key suppliers and supply chains.


Sharing is caring and Incentivization

An organisation with a well-established security culture will also have a culture of sharing near misses across the organisation and incentivising their employees for good cyber security practices, such as participating in phishing and training exercises or achieving positive results in pentests or simulation exercises. Gamification and cyber events work well in building culture as well as KPIs to incentivise employees. Another useful tool is to build a team of cyber champions across the business that employees can contact with queries, and this in turn reduces the load of internal IT and security teams, freeing them up to focus on other areas.


Contributing to the community

Organisations should also be contributing to and receiving data from intelligence exchanges, such as threat information feeds, and ensuring this network provides timely updates on emerging threats. This includes intel feeds from the ASD/ACSC, AISA and security vendors (for example Microsoft, Palo Alto, EDR vendors etc.). Organisations should also participate in the ASD’s Cyber Security Partnership Program, which enables participating organisations to share and obtain insight and intelligence on threats with the ASD.


Director and Management Cyber Education

Often I find organisations adopt a good level of cyber training across the employee base, but fail to provide specific training to management, the C-suite and directors. During phishing campaigns that I have launched against organisations, I often find that employees respond quite well; however, the people handing over their passwords are often directors and senior management. It is imperative that directors and management undertake cyber-specific training targeted to their role.


Employee Training & Phishing

A requirement for all organisations is the adoption of a regular phishing and awareness training platform. Training should be performed monthly and should be a small video on a different topic (microlearning approach) as opposed to long drawn-out security training sessions. The content should be engaging and fun and empower users with knowledge both for at home and in the work environment.

To complement training programs, regular phishing campaigns should be completed monthly as a minimum, and can be strengthened using other social engineering simulations, such as vishing (calling up staff) and smishing (sending SMS messages).


Clear policies and procedures

An important component of an organisation with a strong security culture (really, of all organisations) is policies and procedures. I know what you are thinking: policies and procedures are boring! Yes they are, but they outline clear expectations for employee behaviour and system usage, which in turn minimises the risk of human error and unintentional security breaches.

If we look at this from an Incident Response side of things, a well-defined security Incident Response plan (SIRP) and team (SIRT) enables organisations to quickly identify, contain, and mitigate cyber incidents, reducing potential damage and downtime.


And the last important points on policies and procedures are that they help organisations demonstrate compliance with relevant laws and regulations, such as the Privacy Act, the Corporations Act, and industry-specific standards such as ISO, NIST, CIS, ISM etc., not to mention that they build trust and confidence with stakeholders, customers, suppliers and partners.

So what policies should we have? It really depends on your organisation and whether you are trying to align with ISO 27001 or similar requirements, but as a minimum:


  • AI Policy / AI Usage Policy - To define how AI can and should be used within the business and to prevent the use of shadow AI.

  • Incident Response Plan/Policy: Outlines procedures for identifying, containing, and responding to security incidents.

  • Acceptable Use Policy (AUP): Outlines acceptable and unacceptable use of company IT resources (e.g., email, internet, USB, social media) and Shadow IT.

  • Data Security Policy: Defines how sensitive data is collected, used, stored, and protected. 

  • Business Continuity and Disaster Recovery Plan: Outlines procedures for maintaining business operations in the event of a disruption, including cyberattacks.

  • Vulnerability Management (and patch management) Policy: Outlines procedures for identifying, assessing, and mitigating vulnerabilities.

  • Third-Party Risk Management Policy: Defines how to assess and manage the cyber security risks associated with third-party vendors.


These are the basics but you may also wish to consider:


  • Password Policy: Establishes strong password requirements and guidelines for password management and MFA. 

  • Remote Access Policy: Defines rules and procedures for accessing company systems and data remotely. 

  • Data Classification Policy: Classifies data based on sensitivity levels and assigns appropriate security controls. 


There are stacks of resources online with sample templates and guides, such as on the ACSC website, if you are just getting started.


Technical Controls and appropriate security measures

There are a myriad of different security technologies you can and should adopt, but it's not one size fits all. If you are a smaller organisation or SME you should focus on alignment with the Essential Eight.


Larger organisations may wish to align themselves with NIST or CIS and implement additional technical controls accordingly. The basics, in my opinion, that every organisation should have in place:


  • Identity and Access Management (IAM) Controls - Including MFA as the baseline (applied everywhere and on everything and/or alternate technologies such as Biometrics adopted), controls such as Least privilege Principles applied to both devices, network and cloud, Conditional Access Controls, Privileged Identity Management (PIM), Just-In-Time Access and Role based Access Control (RBAC).

  • Password Controls - In alignment with NIST recommendations, and the use of Password Managers.

  • Firewalls with IPS, Web filtering and Deep packet Inspection

  • EDR / XDR - Endpoint Protection for devices and servers

  • MDM / MAM - Mobile Devices security controls

  • Application Whitelisting - To limit what applications users can run

  • Patch Management and Vulnerability Scanning technology

  • SIEM - Security Information & Event Management technology (typically used in conjunction with a SOC service (to be discussed later)) to correlate activity and events in your environment

  • Data Loss Prevention (DLP) - to restrict / prevent data exposure. To put this in perspective, Micro SD cards are now 2TB, that's a lot of data that can be copied to the tiniest of cards.

  • Implementing USB Controls - Restricting/Blocking USB access on devices

  • Ensure you are using Wireless IPS - WIPS technology applied to wireless access points detects and prevents attacks against your wireless networks such as rogue access points

  • Encryption - At rest and in Transit


Adopting these technologies will also limit/prevent Shadow IT use within an organisation.


Cyber Insurance

These days it's rare to find an organisation that doesn't have cyber insurance coverage of some description, but I'll flag here that it is good practice to annually review the policy and coverage (and most importantly the exclusions) to ensure that it is fit for purpose and has enough dollar and event coverage. Cyber insurance can form a key component of risk transference and of ensuring cyber resilience.


Cybersecurity Budgets

Now is a good time to start putting together your wish list for cybersecurity tools, resources, products and services. This should align with the organisation's risk appetite and cybersecurity strategy, so that it provides the best value for the organisation based on your industry and risk profile.


Obviously the more that can be allocated the better and it will depend on which technical and non-technical controls you wish to implement and the number of resources you require.


Data Inventory and Data Governance

This is one of the most important activities that you should undertake for your organisation. Typically, I find most organisations just have an Assets Inventory, which is important, but this needs to be expanded to encompass data as well. Nearly all organisations are generally holding too much data, and this is a very common finding on assessments and audits that I have performed. So how does one perform a Data Inventory?


The first step is to understand your data:


  • What data do we collect and store? This includes identifying the key types of data your organisation gathers and retains.

  • Who has access? Who within your organisation and any external partners / supply chain have access to this data?

  • Where is this data stored? What infrastructure facilitates access to this data?

  • Is data storage secure and compliant? This involves ensuring data is stored securely and adheres to relevant regulations.

  • Do we still need all this data? Regular data reviews are crucial to determine if all information held is still necessary.

  • Data Governance Strategy: Do we have a comprehensive plan for managing data from creation to deletion?

  • How is the data managed? Is it purged after a period of time or anonymised? What happens if the data is accidentally lost or deleted? What are our recovery options?

  • Where are our key digital assets located? Should this be reviewed, do we have compliance or data sovereignty requirements we need to adhere to?

  • What happens if we have a loss or damage to the infrastructure facilitating services and our BAU?


Also note, a basic data inventory template is available via my website: https://www.danweis.me/bdcyberresources 


Once you have the data inventoried you should:

1. Assess the impact if such data were to be lost or compromised.

2. Identify who has decision-making rights on access to such assets and data.

3. Identify who is responsible for the management and protection of these digital assets.


You should also ascertain what external suppliers host your data and assess how they manage access to your data, including periodic removal of old data, how they audit access to your data and how they ensure the destruction of data at the termination of a contract. 


Governance of data

Then of course we also need good governance of data within the organisation. Storing excessive customer and organisational data beyond legal requirements exposes both the organisation and its customers to cyberattacks. This data is an attractive target for criminals and can be exploited for financial gain (such as in extortion attacks) or identity theft.


Effective data governance requires directors to grasp the volume and purpose of sensitive data held, such as personal customer and employee data. I’d encourage boards to request an annual "data map" from management, detailing the type, location, access controls, security measures, and legal justification for retaining each data set. This should also be coupled with a data purging regime based off agreed retention periods.


To minimise data risks, organisations should collect and store only the minimum personal information legally required for their services or operations, and only for the minimum time required. Often organisations continue to hold on to temporary data such as identity verification documents. On penetration testing engagements it is quite common to find passport and driver’s licence scans stored within an organisation's file shares; they were only needed once or twice for identity verification, but were forgotten and remain stored.
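The data map and purging regime above need a way to find forgotten identity documents on file shares. The script below is an added example (not from the original post or the author's toolkit): it walks a share, classifies files by hypothetical name patterns, and flags any identity-verification scan held longer than an assumed 30-day retention period, producing the list a data steward would review before purging. The patterns, retention figures and sample files are all assumptions constructed for the demo.

```python
"""Stale identity-document sweep for a file share (added example)."""
import os
import re
import tempfile
import time
from dataclasses import dataclass
from pathlib import Path

DAY = 86400

# Assumed retention rule: identity-verification scans are purged 30 days after
# the check that needed them. Agree the real figure with legal/compliance and
# record it against the data set in the data map.
RETENTION_DAYS = {"passport_scan": 30, "drivers_licence_scan": 30}

# Assumed file-name heuristics for each data class; tune them per site and
# back them with content inspection where the share is large.
ID_DOC_PATTERNS = {
    "passport_scan": re.compile(r"passport", re.I),
    "drivers_licence_scan": re.compile(r"driver'?s?[ _-]?licen[cs]e", re.I),
}


@dataclass(frozen=True)
class Finding:
    path: str
    data_class: str
    age_days: int
    retention_days: int


def classify(filename: str):
    """Return the data class a file name matches, or None if it is not an ID document."""
    for data_class, pattern in ID_DOC_PATTERNS.items():
        if pattern.search(filename):
            return data_class
    return None


def sweep(root, now=None):
    """Walk a share and report ID documents held beyond their retention period."""
    now = time.time() if now is None else now
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            data_class = classify(name)
            if data_class is None:
                continue
            path = Path(dirpath) / name
            # Age is measured from last modification; a stricter regime would
            # use the date of the verification event recorded in the data map.
            age_days = int((now - path.stat().st_mtime) // DAY)
            limit = RETENTION_DAYS[data_class]
            if age_days > limit:
                findings.append(Finding(str(path), data_class, age_days, limit))
    return sorted(findings, key=lambda f: f.path)


def build_demo_share(base, now):
    """Constructed sample share: four files with back-dated modification times."""
    samples = {
        "HR/onboarding/jsmith_passport.pdf": 200,        # stale: flag
        "HR/onboarding/jsmith_drivers_licence.jpg": 5,   # within retention
        "Finance/invoices/Q3_report.xlsx": 400,          # old, but not an ID document
        "Sales/old/client_Drivers-License.png": 95,      # stale: flag
    }
    for rel, age in samples.items():
        p = Path(base) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"constructed sample content")
        stamp = now - age * DAY
        os.utime(p, (stamp, stamp))


def demo():
    """Run the sweep over the constructed share and return (relative path, class, age)."""
    now = 1_735_689_600  # fixed clock (2025-01-01 00:00 UTC) so results are repeatable
    with tempfile.TemporaryDirectory() as base:
        build_demo_share(base, now)
        return [
            (Path(f.path).relative_to(base).as_posix(), f.data_class, f.age_days)
            for f in sweep(base, now)
        ]


if __name__ == "__main__":
    for rel, data_class, age in demo():
        print(f"{rel}: {data_class} held {age} days, retention {RETENTION_DAYS[data_class]} days")
```

Run it against a real share root by calling sweep("/path/to/share") and feeding the findings to the data owner identified in the inventory for a purge decision.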


This also extends to secure destruction of data. When a system has been decommissioned or repurposed, an organisation should be ensuring the secure destruction of such data and physical hardware to mitigate risks associated with legacy data access.


Encryption and strict access controls are also a key component of a data strategy to safeguard sensitive data. Regularly removing unnecessary information is a key component of a comprehensive data management strategy.


The AICD also have a good guide on data governance here: Data Governance, as does the Data Commissioner: Guide to developing a data inventory.


Assurance Activities

Penetration Testing

These days I don't come across a lot of organisations that have never had any kind of penetration testing performed. It is recommended at a minimum that penetration testing (pentest) is performed annually, but one of the key points to consider here is scope.


Most organisations will have their external and/or cloud platforms (and web apps) assessed each year, and often organisations do include components such as phishing, internal and/or wireless networks, but what about the not-so-standard attack paths? For example, advanced social engineering tactics such as vishing and smishing, USB attacks/device implants, physical access testing and red teaming. It is recommended that you include as many areas as possible within your budget and rotate the areas assessed each year, so that your pentest is not always the same scope. Keeping the same scope leaves plenty of other avenues open for exploitation that have never been tested.


A lot of this comes down to budget allocations; nearly all organisations do not allocate enough budget for penetration testing. If you are a director or decision maker when it comes to IT security budgets, you should be increasing your pentest budget as much as possible each year.


Another point I'll touch on is vendor rotation. It is a good idea to rotate vendors; however, this can be avoided if your vendor rotates testers (and the testing methods and scope) for each engagement, as you are still in essence getting a different lens across your environment, but without the extra strain of vendor vetting and the RFP process. Food for thought.


The last point to touch on is your vendor. You should be using a reputable and long-standing penetration testing provider where possible, and not focusing on price. Too often I find organisations constantly going after the cheapest price (often because management has not provided enough budget), but remember the old phrase: pay peanuts, get monkeys.


On that note, if you have had the same vendor for a long time or wish to have a different lens run over your environment, please reach out! I'd be happy to assist. (More info on my team can be found here: Nexon Penetration Testing | Nexon Asia Pacific)


Vulnerability scans

Although we talked about vulnerability scanning under technologies, I have included it here as well because vulnerability scanning provides assurance over patch management activities and flags the potential vulnerabilities that may exist within an environment.


Nearly all compliance requirements out there mandate the use of scanners and periodic vulnerability scanning. Vulnerability scanning involves the purchase and deployment of a solution or product, for example Nessus, which is then used to scan all assets within an organisation for vulnerabilities. It will find the potential vulnerabilities that may exist across your assets, as well as validate patch management processes and configuration changes/lapses. These tools can also perform compliance-specific scans and testing against assets.


Vulnerability Scanning should be completed monthly as part of standard best-practice risk mitigation practices and findings remediated accordingly.


Security & Compliance Audits

Security audits assess the overall effectiveness of an organisation's cybersecurity controls. Audits aim to identify vulnerabilities, weaknesses, and potential security risks in your systems, networks, and processes. Examples include pentesting, vulnerability scanning, security posture assessments (SPA), Essential 8 audits, NIST audits, internal audits and data audits (executed by internal teams), security policy reviews and awareness training assessments. The goal of audits, of course, is to provide a comprehensive picture of your cybersecurity posture and highlight areas for improvement. They help you prioritise security vulnerabilities and take corrective actions to strengthen your defences.


Security Audits also assist the board with informed decision making, Improved Oversight, Enhanced Risk Communication and Proactive Risk Management.


Compliance audits on the other hand, verify whether your organisation adheres to specific security standards or regulations, for example ISO, PCI-DSS, HIPAA etc. They ensure you meet the requirements set forth by industry regulations, data privacy laws, and/or internal security policies. 


Incident Simulations

It is important to ensure that your organisation is performing incident simulations and testing your incident response plan at periodic intervals. There are 2 types of testing that should be performed annually.


  1. A tabletop exercise - In this component a simulation is performed by the SIRT and is effectively theory based (i.e. "this is what we would do in this situation"). It ensures that they have most events covered and that they have processes in place to handle incidents.

  2. Actual simulation exercise - In this component a simulated event is orchestrated (often by a third party such as a pentest team) to launch the attack and test the organisation's ability to respond to it, and to assess how effective the incident response plan and processes are and where they require refinement. If it helps, this one is more similar to a BCP/DR exercise where an actual event is simulated.


Performing these types of simulations allows an organisation to fine-tune their response processes and systems to ensure that the organisation can quickly and effectively respond to any incident to minimise damage and impact to the organisation.


SOC / Overwatch of your environment

You should also ensure that you have some SOC (Security Operations Centre) services in place for your organisation to provide 24x7 overwatch of your environment and to respond to suspected incidents. Typically, organisations will use a third-party hosted security solution for this, and it usually entails a SIEM deployment of some sort in your environment and/or agents installed on all systems.


It's not uncommon for vendors such as CrowdStrike to have their XDR product already in use, with the SOC service then sitting as an overlay on top.


Assess your supply chain risks and perform third party vetting

Nearly every organisation relies upon third parties, such as SaaS providers, to supply key digital and IT services and capabilities that are central to their business operations. 


A key component of supply chain risk management is understanding what makes up your supply chain and what risks are exposed via these providers. Part of an organisation's due diligence is to ensure that all third parties or suppliers that touch your data and/or systems are vetted to determine their security posture, and to ensure that they are not inadvertently exposing your systems and data to additional risk.


A questionnaire should be used to assess their security posture, and it should be completed annually (and during the selection phase). I have a sample questionnaire available via my website and also in my latest book.


There are also non-security components to consider, such as subcontracting, locations and ownership of data and systems, incident response and disaster recovery, standard contractual and security clauses, whether secure software development practices are in use, etc.


The ACSC have a good guide here: Cyber Supply Chain Risk Management | Cyber.gov.au


It's also worth noting that organisations should consider supplier diversification, so that they do not have a single point of failure for critical products and services.


Cybersecurity framework

If you haven't already adopted a Cybersecurity Framework to align to, you may wish to consider aligning to one in 2025. Frameworks act as a guide, helping organisations prioritise their efforts and allocate resources effectively. They provide a common language and understanding of cybersecurity concepts across the organisation, from top management to IT staff which in turn fosters better communication and collaboration, a crucial component of a strong security posture. 


Implementing a framework also aligns with industry best practices and often satisfies regulatory requirements. This not only reduces the risk of non-compliance but also enhances an organisation's reputation and builds trust with stakeholders, including customers and investors. 


Several cybersecurity frameworks are available, each with its own strengths and focus. Some of the main ones include the NIST Cybersecurity Framework, ISO 27001 and CIS Controls. When selecting a framework, you should consider factors such as the industry, size, regulatory and compliance requirements, risk tolerance, and specific requirements.


Wrapping up

I hope this article has provided you with some useful information, food for thought and areas to consider for 2025 to strengthen your organisation's cybersecurity profile and cyber resilience. In summary:


  1. Define your risk appetite.

  2. Understand New Cyber Security Reforms and legislation.

  3. Understand AI and AI risks.

  4. Foster and maintain a culture of Cyber Security and Cyber Resilience.

  5. Ensure ongoing Employee Training & Phishing.

  6. Implement / Ensure Clear policies and procedures.

  7. Ensure Technical Controls and appropriate security measures have been implemented.

  8. Review your Cyber Insurance and ensure its coverage is suitable.

  9. Plan your Cybersecurity Budgets.

  10. Perform and maintain a Data Inventory and ensure good Data Governance.

  11. Ensure ongoing assurance activities, such as pentests, vulnerability scanning, incident simulations and security and compliance audits, and expand the scope where possible.

  12. Implement a SOC to provide overwatch of your environment.

  13. Assess your supply chain risks and perform third-party vetting.

  14. Adopt a cybersecurity framework (if you haven't already).



All of the information in this post, in far more detail, and much more is also available in my latest book. Please reach out if you would like a discount code to purchase.


I'm looking forward to another year of collaborating with the hundreds of exceptional organisations and individuals I'm fortunate to work with, to ensure that their organisations don't become the next headline! :) 


Additional Resources

