cyber governance continuous monitoring Australia
By Stu Long, Orro CTO
Orro Insights: Special Report on cyber governance continuous monitoring Australia.
Governance frameworks require active, ongoing risk management — but most organisations respond by producing documentation. Policies are written, registers are updated, audits are completed, and certifications are renewed. What they produce is a record of what security looked like at a point in time. What boards and regulators are increasingly asking for is evidence of what it looks like now.
Key Takeaways: Cyber Governance Continuous Monitoring Australia
- Compliance documentation describes what an organisation’s security posture was at the last assessment. Continuous exposure management produces evidence of what it is today — the difference is the gap most governance programmes cannot currently close.
- APRA CPS 234 requires APRA-regulated entities to actively maintain their information security capability with respect to changes in vulnerabilities and threats. A quarterly scan and annual review does not meet that standard.
- ASD’s Essential Eight at Maturity Level 2 and above requires ongoing, automated vulnerability assessment — not periodic attestation. Organisations that attest compliance without continuous scanning are compliant on paper and exposed in practice.
- Continuous Threat Exposure Management (CTEM) produces the verified, current evidence that governance frameworks assume exists but rarely specify how to generate: an ongoing picture of actual attack surface exposure, prioritised by exploitability and business risk.
- Australian boards are now legally accountable for the quality of their cyber governance, not just its existence. Recent ASIC enforcement actions confirm that documentation-based governance is insufficient where active risk management was required and demonstrably absent.
The Problem with Point-in-Time Governance
A risk register is a historical document. So is a penetration test report. So is a compliance certification. Each of these reflects the organisation’s security posture at the moment it was produced — and from the moment it is produced, the environment begins to change. New vulnerabilities are disclosed daily. Configurations drift. Assets are added or modified. Integrations change as business requirements evolve.
This is not an argument against documentation-based governance. Risk registers, assessment reports, and compliance certifications serve important purposes: they create accountability, establish a shared understanding of risk, and provide the audit trail that regulators require. The problem arises when documentation is treated as evidence of current posture rather than as a record of past assessment. A board that governs technology risk on the basis of last quarter’s findings is making decisions about a security environment that may look substantially different from the one the organisation is operating in today.
The gap between assessment date and the present moment is not a flaw in the governance framework. It is a structural feature of any programme built on periodic review. What the programme lacks is the operational layer that keeps that picture current between assessments — and without that layer, the documentation tells the board what risk looked like at a point in time, not what it looks like now.
What Boards and Regulators Are Actually Asking For in 2026
The regulatory and governance environment in Australia is no longer satisfied with point-in-time compliance. Three distinct pressures are converging on organisations to raise the evidence standard for security governance.
The regulatory direction is explicit. APRA CPS 234, the information security prudential standard binding over 680 APRA-regulated entities, requires organisations to actively maintain information security capability with respect to changes in vulnerabilities and threats (APRA, Prudential Standard CPS 234 Information Security, 2019) — including those resulting from changes to information assets or the business environment. The word “actively” is deliberate. It means ongoing maintenance, not periodic certification. APRA’s tripartite assessment programme, which has reviewed more than 300 entities, has consistently found that organisations satisfy the documentation requirements while carrying material gaps in continuous active management. The regulatory focus has intensified since those assessments: APRA has not amended the standard, but it has escalated enforcement, with the Medibank capital charge establishing that consequences for systemic control failures are real and significant.
For organisations operating under the ASD’s Essential Eight Maturity Model (ASD/ACSC, Essential Eight Maturity Model, November 2023 update), the expectation of continuous monitoring is built into the framework. At Maturity Level 2 and above, the model requires automated vulnerability scanning of internet-facing services on a daily basis, and weekly scanning of workstations, servers, and network devices. The November 2023 update strengthened these requirements further, tightening patching timeframes and shifting centralised logging requirements from Maturity Level 3 down to Maturity Level 2. An organisation that claims Maturity Level 2 on the basis of an annual assessment rather than an ongoing scanning programme is not compliant with what the framework actually requires.
The board liability environment has shifted. ASIC has made clear — through enforcement action and published guidance — that directors who accept compliance dashboards as sufficient evidence of security posture are not meeting their obligations. The Australian Institute of Company Directors’ Cyber Security Governance Principles, which carry ASIC Chair endorsement, state unequivocally that boards carry ultimate accountability for how cyber risk is governed, not merely for having a governance programme in place. In proceedings against FIIG Securities, the Federal Court in February 2026 ordered the firm to pay $2.5 million in penalties (Cliffside, Cyber Security Act 2024 Australia Compliance Guide, 2026) following ASIC’s allegation that it had failed to take adequate steps to protect against cybersecurity risks. The controls FIIG lacked were not exotic capabilities — they were the baseline requirements of the Essential Eight. The clear message from regulators is that demonstrating the intent to manage cyber risk is no longer sufficient. Active, evidenced management is the standard being applied.
Insurers and auditors are raising their own bar. Cyber insurers are tightening underwriting criteria and conducting more rigorous pre-placement reviews of security posture. Auditors are asking more specific questions about how organisations maintain and verify their controls between formal reviews. Both are asking the same underlying question: not what controls you say are in place, but how you know they are working now. Documentation that answers “what did we have in place when this was last checked?” does not satisfy the question.
Why Documentation Cannot Close the Evidence Gap
There is an important and sometimes uncomfortable distinction between a compliance programme that is functioning correctly and one that is actually producing security. These two things can and regularly do diverge — not because organisations are acting in bad faith, but because the mechanisms they use to assess compliance operate at a different cadence from the rate at which the environment changes.
Consider what a well-run, documentation-based compliance programme actually produces. A quarterly vulnerability scan is conducted and findings are recorded. A 30-day remediation window is established for critical findings. The process runs as designed. In the interval between scans, new vulnerabilities are disclosed, configurations change, and assets join or leave the network — all outside the programme’s visibility window. An organisation can be fully compliant with its own assessment schedule while carrying weeks of unmanaged exposure at any given moment.
Orro works with organisations that have mature compliance programmes and well-maintained documentation, and still identify significant, current exposure when they move from periodic assessment to continuous visibility. The documentation accurately reflects what the organisation assessed. What it does not reflect is what changed in the weeks between assessments.
This matters not because documentation is worthless — it is a necessary foundation — but because it creates a false confidence risk. Boards and executives who receive well-prepared compliance reporting can reasonably believe they have a current picture of the organisation’s security posture. In a documentation-based programme, they do not. They have a picture of what the posture looked like on the days the assessments were run.
The IBM Cost of a Data Breach Report 2024 found that Australian companies needed an average of 266 days to identify and contain cyber incidents (IBM/Ponemon Institute, Cost of a Data Breach Report 2024, July 2024) — eight days longer than the global average. In a programme built around quarterly assessments and monthly remediation cycles, 266 days of exposure is not a failure. It is an almost inevitable outcome.
CTEM as the Evidence Engine Governance Requires
Continuous Threat Exposure Management is the operational discipline that produces the ongoing, verified evidence that governance frameworks assume but rarely specify how to generate. Where periodic assessment produces a point-in-time finding, a CTEM programme produces an ongoing, continuously validated picture of the organisation’s actual attack surface: what is exposed, what is exploitable, and what the current risk priority is.
The governance relevance of CTEM lies not just in what it finds but in what it produces as evidence. Each cycle of a CTEM programme generates a documented record of what was identified, how it was prioritised, what action was taken, and when. This is precisely the evidence trail a regulator or auditor requires when they ask for proof of active risk management — not a policy that says risk management is happening, but a verifiable record that shows it.
Consider how CTEM output maps to the specific requirements of the frameworks Australian organisations are governed by. APRA CPS 234 requires entities to actively maintain information security capability with respect to changes in vulnerabilities and threats. CTEM provides exactly that: continuous identification of new and changed exposure, with a documented response. The ASD’s Essential Eight at Maturity Level 2 and above requires ongoing vulnerability scanning, with daily scanning of internet-facing services and weekly scanning across workstations and network devices. CTEM operationalises and exceeds that requirement, with the added benefit of connecting scan output to exploitability assessment and business risk prioritisation. ISO/IEC 27001:2022 — a standard Orro holds as a certified organisation — requires ongoing evaluation of information security risks and continuous improvement of the information security management system. CTEM’s continuous assessment cycle and evidence trail directly supports that requirement.
The second significant benefit is the quality of metrics it produces for governance reporting. One of the most persistent challenges for CISOs is translating security operational data into language that drives board decisions. Most security reporting is built on operational metrics: vulnerability counts, patch status, incident volumes. These are meaningful to security teams but difficult for boards to govern against. CTEM produces metrics that are naturally board-reportable: current exposure trend over time, mean time to remediate critical exposures, proportion of the attack surface under continuous monitoring, and risk posture relative to a defined baseline. A board can evaluate whether exposure is trending up or down. It can ask whether the organisation’s mean time to remediate is improving. It can understand what proportion of the environment is under continuous monitoring versus assessed periodically. These are governance metrics built on verified current data, not dashboards assembled from the last assessment cycle.
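As an added example (not Orro's code or anything from the page), the following Python model turns a CTEM evidence trail into the board metrics the two paragraphs above name: assets falling outside the Essential Eight Maturity Level 2 scan cadences the article cites, the proportion of the attack surface under continuous monitoring, the weekly open-exposure trend, and mean time to remediate critical exposures. The asset and exposure records are constructed sample data, and expressing the cadences as a maximum scan age in days is this example's own assumption.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import mean
from typing import Optional

# Essential Eight ML2 cadences as the article states them (daily for internet-facing,
# weekly for workstations/servers/network devices), as a max scan age in days (assumption).
MAX_SCAN_AGE_DAYS = {"internet_facing": 1, "workstation": 7, "server": 7, "network_device": 7}
@dataclass
class Asset:
    name: str
    kind: str
    last_scanned: Optional[date]  # None: never scanned, so outside continuous coverage
@dataclass
class Exposure:
    """One evidence-trail record: what was found, its priority, when identified, when closed."""
    asset: str
    severity: str
    identified: date
    remediated: Optional[date]  # None: still open
def stale_assets(assets, as_of):
    """Names of assets whose last scan is older than the cadence for their kind."""
    return [a.name for a in assets if a.last_scanned is None
            or (as_of - a.last_scanned).days > MAX_SCAN_AGE_DAYS[a.kind]]

def coverage_ratio(assets, as_of):
    """Proportion of the attack surface under continuous monitoring."""
    return 1 - len(stale_assets(assets, as_of)) / len(assets) if assets else 0.0

def open_exposures(exposures, as_of):
    """Exposures identified by as_of and not yet remediated on that date."""
    return [e for e in exposures if e.identified <= as_of
            and (e.remediated is None or e.remediated > as_of)]

def mttr_days(exposures, severity="critical"):
    """Mean days to remediate closed exposures of one severity; None if none are closed."""
    closed = [(e.remediated - e.identified).days for e in exposures
              if e.severity == severity and e.remediated is not None]
    return mean(closed) if closed else None

def exposure_trend(exposures, start, weeks):
    """Weekly open-exposure counts: the trend a board can read as improving or not."""
    return [len(open_exposures(exposures, start + timedelta(weeks=w))) for w in range(weeks)]

# Constructed sample data for the demonstration, not real assets or findings.
AS_OF = date(2026, 3, 2)
ASSETS = [
    Asset("web-portal", "internet_facing", date(2026, 3, 2)),
    Asset("vpn-gateway", "internet_facing", date(2026, 2, 27)),  # daily cadence missed
    Asset("file-server", "server", date(2026, 2, 26)),
    Asset("ot-historian", "server", None),                       # never scanned
    Asset("core-switch", "network_device", date(2026, 2, 22)),   # 8 days old, weekly missed
]
EXPOSURES = [
    Exposure("web-portal", "critical", date(2026, 2, 2), date(2026, 2, 9)),
    Exposure("vpn-gateway", "critical", date(2026, 2, 16), date(2026, 2, 25)),
    Exposure("file-server", "high", date(2026, 2, 9), None),
    Exposure("core-switch", "critical", date(2026, 2, 23), None),
]
```

On the sample data, two of five assets are within cadence, two critical exposures were closed in 7 and 9 days, and the weekly trend since the first finding reads 1, 1, 2, 3, 2 open exposures.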
Orro observes that the organisations making the most effective use of continuous exposure data for board reporting are not the ones that have built the most sophisticated programmes. They are the ones that have been most deliberate about connecting what the programme produces to the specific questions their board is asking. The goal is not a more complex dashboard — it is a clearer answer to “are we managing our most significant exposures, and can we show the work?”
Evidence Snapshot: The Governance Data Every CISO Needs
The gap between periodic assessment and continuous evidence
- Australian organisations needed an average of 266 days to identify and contain a data breach in 2024 — eight days longer than the global average of 258 days. Detection and escalation costs averaged AUD $1.65 million per incident. (IBM/Ponemon Institute, Cost of a Data Breach Report 2024, July 2024)
- The average cost of a data breach in Australia reached a record AUD $4.26 million in 2024 — a 27% increase since 2020. Organisations not using security AI and automation paid an average of AUD $1.74 million more per breach than those that were. (IBM/Ponemon Institute, Cost of a Data Breach Report 2024, July 2024)
- Global median attacker dwell time rose to 14 days in 2025 — up from 11 days in 2024 — driven by sophisticated espionage operations and insider threats prioritising long-term, stealthy access. These actors specifically exploit visibility gaps and logging deficiencies to remain undetected. (Mandiant, M-Trends 2026 Executive Edition, 2026)
The regulatory and board governance landscape
- APRA has left CPS 234 unamended since commencement, but has intensified enforcement — including the landmark $250 million capital charge imposed on Medibank Private following its 2022 data breach. APRA’s tripartite assessment programme found widespread, systemic gaps in continuous active management across more than 300 APRA-regulated entities. (APRA, Prudential Standard CPS 234, 2019; enforcement commentary via Cliffside, APRA CPS 234 Compliance Guide, 2026)
- In February 2026, the Federal Court ordered FIIG Securities to pay $2.5 million in penalties following ASIC proceedings alleging failure to take adequate steps to protect against cybersecurity risks. The controls FIIG lacked correspond directly to Essential Eight baseline requirements. (ASIC v FIIG Securities Limited [2026] FCA 92, via Cliffside, Cyber Security Act 2024 Australia Compliance Guide, 2026)
- ASD’s ACSC notified entities more than 1,700 times of potentially malicious cyber activity in FY2024-25 — an 83% increase from the previous year. Critical infrastructure entities were notified over 190 times, a 111% increase. (ASD, Annual Cyber Threat Report 2024–25, October 2025)
The cost of delayed detection
- Breaches identified by an organisation’s own internal detection capabilities had a lifecycle 61 days shorter on average, saving nearly USD $1 million in breach costs compared with breaches disclosed by the attacker. (IBM, Cost of a Data Breach Report 2024 press release, July 2024)
What Board-Ready Governance Looks Like With Continuous Exposure Data
The board reporting problem for most CISOs is not a communication problem. It is a data problem. The data available to security teams — vulnerability scan outputs, patch status reports, audit findings — is not naturally structured for governance reporting. It requires significant translation to become the kind of information a board can evaluate and govern against.
A governance programme supported by continuous exposure management changes the nature of what the CISO can bring to the board. Instead of a compliance status dashboard built on last quarter’s assessment, the CISO presents a current exposure position. Risk is described not in theoretical threat categories but in verified, exploitable exposure ranked by business impact. Remediation is not evidenced by the completion of a project or the closure of an audit finding — it is evidenced by the closure of specific identified exposures, with a verifiable trail. Trend data shows whether the organisation’s posture is improving, stable, or deteriorating over time, and why.
A board that has access to this kind of reporting can ask genuinely specific questions and receive evidenced answers: What is our current exposure in our OT environment? How has our mean time to remediate critical vulnerabilities changed over the last two quarters? What proportion of our attack surface is under continuous monitoring, and what is outside that coverage? These are not hypothetical questions — they are the questions ASD’s Board Cyber Security Priorities 2025-26 guidance specifically encourages directors to ask. The gap between asking the question and receiving an evidenced answer is the gap that continuous exposure management closes.
This is not a future state. It is the operational outcome of a mature continuous exposure programme applied to governance reporting. What it requires is deliberateness: the programme must be designed not only to find exposure but to produce the evidence outputs that governance reporting requires.
The Starting Point
For organisations that want to close the gap between documentation and evidence, the most accessible entry point is a governance-aligned exposure assessment: a structured evaluation of where the current assessment cadence leaves gaps in continuous evidence capability, mapped against the specific obligations of the frameworks the organisation is governed by. This does not require a full continuous monitoring programme to be in place before it begins. It identifies where the evidence gaps are, what the regulatory consequence of those gaps is, and what actions will close them in order of risk and regulatory priority.
The assessment is most valuable when it addresses both dimensions of the problem: the operational dimension (where is the organisation’s attack surface, and how current is the visibility into it?) and the governance dimension (what does the current evidence capability actually demonstrate to a regulator or board, and where does it fall short?). The organisations that emerge from that assessment with the clearest action plan are those that have connected the two dimensions deliberately, rather than treating continuous monitoring as a security operations project and governance reporting as a separate documentation exercise.
If this article has raised questions about whether your current governance reporting reflects your organisation’s live security posture or its last assessment result — about how your existing compliance programme maps against the continuous evidence expectations of APRA CPS 234 or the Essential Eight, or what board-ready exposure reporting would look like built on continuous validation rather than periodic review — Orro’s team is available for a confidential discussion. There are no obligations, just a conversation with practitioners who work across these environments every day.
Does Your Board Have the Proof They Need?
Orro’s Continuous Threat Exposure Management practice helps Australian organisations build the continuous visibility and evidence capability that governance frameworks require — and boards increasingly demand. Download the Australian CISO’s Guide to Governance Under Pressure or the Executive CTEM Playbook to explore what continuous exposure management looks like as a governance discipline, or speak with Orro’s team to assess the gap between your current assessment cadence and the evidence standard your frameworks require.