Table of Contents
1. Lack of management support
2. Lack of resources and funding
3. Culture
4. Legacy systems & technical debt
5. Difficulty communicating the changes to stakeholders
6. Difficulty in monitoring and maintaining the controls

1. Lack of management support
One pitfall when implementing Essential 8 is a lack of support from management and a focus on treating it as an IT project rather than a management initiative. In order for the Essential 8 controls to be effective, it is important that they have the support of management and that the implementation is led and supported by management at all levels of the organisation. If the initiative is seen as solely an IT project, it may not receive the necessary support and resources from other areas of the organisation. Additionally, some individuals or teams within the organisation may resist changes to their usual processes or systems, which can make it difficult to implement Essential 8. These factors can hinder the successful implementation of Essential 8 and the organisation's ability to effectively manage its cyber security risks.
2. Lack of resources and funding
One pitfall when implementing Essential 8 is a lack of resources and funding. Implementing the ASD Essential 8 controls may require significant resources, including time, money, and personnel. If an organisation does not have the necessary resources available, it may be difficult to implement the controls effectively. Additionally, insufficient funding can be a major roadblock to implementing Essential 8. It can be difficult to secure the budget needed to make the required changes and improvements to the organisation's cyber security posture. These factors can hinder the successful implementation of Essential 8 and the organisation's ability to effectively manage its cyber security risks.
3. Organisational Culture
Culture eats strategy. An organisational culture that prioritises cyber security and has mature risk management practices can greatly facilitate the implementation of the Essential 8. In such a culture, individuals may be more willing to adopt new processes and technologies and may be more proactive in identifying and addressing cyber security risks. On the other hand, an organisational culture that does not prioritise cyber security or is resistant to change can hinder the implementation of Essential 8. In such a culture, individuals may be less willing to adopt new processes and technologies, and the organisation may be slower to address cyber security risks. Additionally, if leadership is not fully supportive of the implementation of Essential 8, it may be difficult to secure the resources and funding needed to make the required changes. Overall, an organisational culture that is supportive of cyber security and willing to adapt to new technologies and processes can greatly facilitate the implementation of Essential 8.
4. Legacy systems & technical debt
Legacy systems and technical debt can pose challenges to the implementation of Essential 8 in several ways:
- Compatibility: If an organisation has outdated systems and software due to technical debt, or if it has legacy systems that are not compatible with the technologies and processes required to implement Essential 8, it can be difficult to implement certain Essential 8 mitigation strategies.
- Upgrade difficulties: If an organisation has a large amount of technical debt, it may be difficult to upgrade systems, operating systems, and other software. Additionally, if a legacy system is not upgradable, it can be difficult to implement Essential 8 mitigation strategies that require software or system updates.
- Resource intensive: Upgrading or replacing legacy systems, or paying down technical debt, can be resource-intensive processes that divert resources away from implementing Essential 8.
- End-of-life systems: If a legacy system is end-of-life, it may be necessary to replace it in order to implement Essential 8. This can be a time-consuming and resource-intensive process.
- Decreased efficiency: Technical debt can decrease the efficiency of an organisation's systems and processes, which can impact the organisation's ability to implement Essential 8 effectively.
In our experience, legacy systems and technical debt can present major challenges to the implementation of Essential 8, but with careful planning and resource allocation, it is still possible to implement the mitigation strategies effectively.
5. Communications and change management
Implementing the ASD Essential 8 controls may involve changes to the way that an organisation operates, which may affect different stakeholders. If the changes are not effectively communicated to stakeholders, it may be difficult to get buy-in and support for the controls.
- Ensuring buy-in: Change management can help to ensure that all stakeholders are aware of and support the implementation of Essential 8. This is important, as the success of the implementation depends on buy-in and support from all levels of the organisation.
- Minimising disruptions: Change management can help to minimise disruptions to the organisation's operations during the implementation process. This can help to ensure that the organisation is able to continue to function effectively while implementing the Essential 8 controls.
- Managing resistance to change: Change management can help to identify and address any resistance to change within the organisation. This can help to ensure that the implementation of Essential 8 is successful and that the organisation is able to effectively adopt the new processes and technologies required to implement the controls.
- Ensuring a smooth transition: Change management can help to ensure a smooth transition to the new processes and technologies required to implement Essential 8. This can help to minimise disruptions and ensure that the organisation is able to effectively adopt the controls.
Overall, change management is an important aspect of implementing Essential 8, as it helps to ensure that the implementation is successful and that the organisation is able to effectively adopt the new processes and technologies required to implement the controls.
6. Difficulty in monitoring and maintaining the controls
Once the ASD Essential 8 controls are implemented, it is important to monitor and maintain them to ensure that they continue to be effective. If an organisation does not have the necessary resources or processes in place to monitor and maintain the controls, it may be difficult to sustain their effectiveness over time.
Additionally, as Essential 8 is constantly being updated and new systems are being implemented in digital transformation projects, it is important to ensure that Essential 8 mitigation strategies are applied to those systems. If this is not done, it may be difficult to maintain the effectiveness of the controls over time and to effectively manage the organisation's cyber security risks.
Resources
- "Essential Eight", by the Australian Cyber Security Centre (ACSC)