Risk-aligned cybersecurity is an approach that designs security operating models, controls, and investment around the specific threats and business risks an organisation faces — rather than around compliance checklists or technology product catalogues. Instead of asking "are we compliant?" risk-aligned cybersecurity asks "are we protected against the threats that would cause material harm to this business, and is our security investment proportionate to that risk?" This produces security programmes where controls are designed to address identified threats, investment is directed to protecting critical assets, and maturity is measured by risk reduction rather than framework scores.

A cybersecurity operating model defines how an organisation organises, governs, delivers, and measures its security capability. It includes the security function's structure and accountabilities, its relationship to business leadership and the board, the threat intelligence and risk assessment processes that inform security decisions, the control architecture that protects critical assets, the incident response capability that manages breaches, and the maturity programme that sustains improvement over time. An effective operating model aligns all of these elements to the organisation's threat landscape and business risk profile — not to a generic framework or vendor architecture.

CPS 234 is APRA's prudential standard on information security, applying to all APRA-regulated entities including banks, insurers, and superannuation funds. CPS 234 requires entities to maintain information security capability commensurate with the size and extent of threats to their information assets, implement controls to protect those assets, and test control effectiveness through a systematic testing programme. Entities must notify APRA of material information security incidents and ensure that information security roles and responsibilities are clearly defined. CPS 234 explicitly requires capability that is proportionate to threat — not just compliant with a checklist — which is why threat-informed, risk-aligned security is essential for APRA-regulated entities.

The Essential Eight is the Australian Signals Directorate's (ASD) set of prioritised mitigation strategies for cybersecurity incidents. The eight strategies are: application control, patching applications, configuring Microsoft Office macro settings, user application hardening, restricting administrative privileges, patching operating systems, multifactor authentication, and regular backups. Maturity is measured across four levels (Level Zero through Level Three), with Level Three representing full alignment to ASD's recommended implementation. Australian government entities are required to achieve target maturity levels, and the Essential Eight is increasingly adopted by regulated private sector organisations as a baseline cybersecurity framework.

Cybersecurity investment should be prioritised based on threat-informed risk assessment — directing resources to protect the assets most likely to be targeted by the threats most likely to materialise, where the consequence of a successful attack would cause material business harm. This requires three inputs: a clear understanding of which assets are critical to the business (crown jewels), an assessment of the relevant threat landscape (which actors, vectors, and techniques are most likely), and an evaluation of current control effectiveness against those threats. Investment is then directed to close the gaps with highest residual risk — not to add tools, achieve compliance scores, or respond to the most recent vendor briefing.

A penetration test is a scoped technical assessment that identifies vulnerabilities in defined systems, applications, or networks — testing whether controls can be bypassed under controlled conditions. A red team engagement is a broader adversary simulation that tests the entire security operation — detection, response, escalation, and containment — against realistic multi-vector attack scenarios, often including social engineering and physical access. Penetration tests answer "can our systems be breached?" Red team engagements answer "would we detect and respond to a realistic attack before material harm occurs?" Both are valuable, but they test different things and should be selected based on the risk questions the organisation needs answered.