Financial institutions are leading the way in their pursuit of adaptive protections against evolving information-stealing threats.
Securing information assets to be resilient against a broad spectrum of threats is a journey many Australian organisations find themselves on. A steady stream of data breach disclosures – and a desire not to join that list – is keeping them motivated to stay the course.
For banks and other financial entities, there’s additional motivation in the form of regulation – Australian Prudential Regulation Authority (APRA) Prudential Standard CPS 234 – which aims to ensure their information security capabilities are proportionate to their risks.
There’s no one-size-fits-all approach to meeting CPS 234’s requirements. Achieving compliance requires a strategic approach that evolves as the organisation matures its cybersecurity efforts, and as the threat landscape changes.
These twin drivers – an organisation's maturing security effort and a shifting threat landscape – are probably best illustrated by two letters from APRA this year, sent three months apart, each highlighting common CPS 234 compliance weaknesses.
In June, APRA worried that backups weren’t sufficiently segregated from production environments, and may be susceptible to compromise. This coincided with the emergence of ransomware attacks that targeted both production and backup environments to increase harm and make recovery harder.
Just three months later, the common challenges were completely different: weaknesses in the management of privileged credentials and access to information, and the threat of IT assets drifting out of their secure configuration over time.
APRA hits the nail on the head in its first letter on the reason for this rapid shift in priorities: the cyber threat landscape is fast moving, requiring constant rejigs of information security priorities and controls.
Which brings us to a key point: CPS 234 is not just about meeting a regulatory requirement. The intent is to build a resilient organisation that is capable of protecting its most valuable technology assets in the face of increasingly sophisticated cyber attacks.
Rapid evolution of threats is a feature of cybersecurity that is addressed by being resilient. But knowing this does not make it easier to keep pace with – or get ahead of – the threat landscape.
What’s helping security teams and organisations, particularly those in the finance sector, achieve resilience goals are structured maturity models – which document “guided journeys” to take an organisation from basic security measures up to an advanced, adaptive security program.
Such models can allow entities to benchmark their current state, set a path for continuous improvement along their unique journey, and ultimately create a robust, defensible security posture aligned with CPS 234 requirements.
What follows is an outline of a five-level maturity model, where each level represents a progression in the organisation’s ability to manage risk.
Level 1: Initial
Organisations should begin by defining the roles and responsibilities of the board, management, and key stakeholders. Basic information security policies must also be documented, covering key areas such as access control, data protection, and incident response. Importantly, organisations should also initiate efforts to classify their information assets by criticality and sensitivity, starting with the most sensitive and high-risk resources.
Level 2: Defined
This starts to move an organisation from reactive to proactive security measures, implementing systematic controls outlined in CPS 234. It includes establishing a security policy framework that matches the organisation’s size and risk profile. Third-party assets are evaluated for their potential security risk, ensuring that external threats are known, documented, and managed effectively.
Though limited in scope, systematic testing of controls begins. Incident management plans should also be developed and tested, ensuring preparedness to respond to threats like malware, ransomware, and credential theft.
Level 3: Managed
This represents a significant step forward in cybersecurity maturity. At this level, information security capabilities are well-defined and consistently applied across the vast majority of the organisation.
CPS 234’s requirement for robust incident detection and response is also addressed. Incident management plans are living documents, reviewed and updated regularly based on the evolving threat landscape. Information security capabilities are actively maintained and updated to address new attack vectors, and third-party risk management capabilities are further enhanced.
Level 4: Integrated
The Integrated level is characterised by the alignment of cybersecurity efforts with broader business objectives. The organisation’s information security program is dynamic, evolving in response to changes in the business environment and the threat landscape at large.
Security policies, controls, and incident management processes are aligned to the organisation’s strategic goals and objectives. The board is engaged in overseeing the organisation’s security posture, and all stakeholders understand and participate in the development and testing of policies and controls.
Level 5: Adaptive
This is the pinnacle of cybersecurity maturity; many organisations may never achieve it, but it remains a desirable end goal. At this level, information security capability is fully integrated, adaptive, and self-improving. The organisation not only meets the requirements of CPS 234 but exceeds them, using pre-emptive technology and processes to continually enhance its security posture.
Real-time threat intelligence enables the organisation to anticipate and respond to security events before they occur. Mature incident management is automated, and all decisions – human or machine – are data-driven.
This level is also characterised by continuous improvement. Security policies, controls, and incident management processes are regularly revised based on lessons learned from previous events and emerging threats, ensuring resilience is maintained.