CyberBakery
Risk Register to Reality: What Threat Actors Teach Us About Broken GRC Practices
How elite threat actors expose the disconnect between Cyber GRC intentions and operational security realities—and what leaders must do next.
If you work in cybersecurity long enough, you learn this painful truth: compliance checklists don’t stop threat actors.
As CISOs, we invest significant time in maintaining risk registers and aligning with frameworks such as ISO/IEC 27001, NIST CSF, or ASD Essential Eight. These frameworks are invaluable—they guide our governance, define our risk appetite, and inform internal controls. I often refer to these frameworks as a "method for navigating chaos." They provide valuable structure in seemingly disordered situations, guiding us toward clarity and effective solutions. But somewhere along the way, many organisations forget that these aren’t just compliance tools. They are supposed to be operational tools, reflecting our threat landscape.
Recent high-profile breaches by sophisticated groups such as APT41, Scattered Spider, LockBit, and Black Basta have exposed a troubling issue: many Governance, Risk, and Compliance (GRC) programs are out of touch with the realities of frontline cyber defence. Organisations that had risk registers identifying the relevant weaknesses, established policies, and adopted frameworks were still breached. Attackers continue to slip through the cracks, often using well-known, preventable tactics that should have been detected. Bridging this gap is essential to strengthening our cyber defences and protecting our organisations from evolving threats.
When Frameworks Drift from Reality
Most GRC programs aim to define risks, assign ownership, and drive mitigation strategies. But in practice, risk registers are too often:
- Static documents, updated once a quarter
- Overloaded with theoretical risks but light on real threat modelling
- Disconnected from security operations and architecture teams
This disconnect becomes deadly when threat actors like Scattered Spider exploit known gaps in identity governance, or when APT41 targets software supply chains—vulnerabilities that were already “accepted” in many registers due to complexity or cost.
How Threat Actors Exploit GRC Failures
Let’s unpack the common governance gaps that these attackers continue to exploit—and what it says about the real state of our GRC maturity.
Lack of an Up-to-Date Asset Inventory: APT41, the China-nexus espionage group, often exploits orphaned or unmanaged systems in supply chains. If you don’t know what’s in your environment, you can’t protect it.
ISO 27001:2022 Control A.5.9 | NIST CSF ID.AM-1
Weak Third-Party Risk Management: In 2023, APT41 breached multiple software providers, using them as pivot points to infiltrate downstream targets. Supply chain security is no longer an edge case—it’s a core business risk.
ISO A.5.22 | NIST ID.RA-4
Untested or Incomplete Incident Response Plans: The MGM Resorts breach by Scattered Spider wasn’t just a phishing issue—it was a failure of detection and coordinated response. Social engineering succeeded, but the absence of rapid containment turned it into a crisis.
ISO A.5.25 | NIST RS.RP-1
Absence of Privileged Access Controls: LockBit and Black Basta routinely exploit over-permissioned accounts, RDP access, and lateral movement paths. The MITRE ATT&CK technique T1078 (Valid Accounts) frequently appears in ransomware incidents.
ISO A.5.18 | NIST PR.AC-1, PR.AC-4
Inadequate End-User Awareness and Training: Humans remain the first line of defence—and the most vulnerable. Scattered Spider exploited MGM helpdesk staff using simple vishing techniques. Security awareness isn’t a one-off training—it’s a culture.
ISO A.6.3 | NIST PR.AT-1
Mapping Attacker Tactics to Control Failures
Below is a table linking real-world attack techniques to the security controls that should have prevented or contained them, drawing on ISO/IEC 27001:2022 Annex A controls and NIST CSF subcategories (CSF 2.0 identifiers unless marked otherwise).
MITRE ATT&CK ID | Technique | ISO 27001:2022 Control | NIST CSF Subcategory |
---|---|---|---|
T1078 | Valid Accounts | A.5.16 Identity management | PR.AA-03, PR.AA-04, PR.AA-05 |
T1190 | Exploit Public-Facing Application | A.8.25 Secure development life cycle | PR.PS-06 |
T1203 | Exploitation for Client Execution | A.8.9 Configuration management | PR.PS-01 |
T1566 | Phishing | A.6.3 Information security awareness, education and training | PR.AT-01, PR.AT-02 |
T1589 | Gather Victim Identity Information | A.8.23 Web filtering | DE.CM-01, DE.DP-4 (CSF 1.1) |
T1486 | Data Encrypted for Impact (Ransomware) | A.8.13 Information backup | RC.RP-03, RC.RP-06 |
Turning the Risk Register into a Strategic Weapon
A risk register that lives in SharePoint, gets updated before board meetings, and never informs architectural decisions is worse than useless—it’s dangerous. Here’s how to fix it:
Connect Risk to Threat Intelligence: Risk statements must reflect adversary TTPs (tactics, techniques, and procedures). Build registers that speak the language of MITRE ATT&CK and local threat reports. Tie risks to observable behaviour, not abstract likelihood matrices.
Make Controls Testable and Owned: Every risk should have a control that is measurable, automated where possible, and has a named owner. Move beyond “policy exists” to “control works.” Incorporate GRC into continuous security testing and red team exercises.
Integrate GRC into Operational Cadence: Embed GRC into daily stand-ups, sprint planning, and change advisory boards. Treat it as an enabler of secure design—not an afterthought for audits. Use your register to drive investment decisions and board reporting.
Final Thought
Cybercriminals don’t care if you’re “aligned to ISO” or scored well in your internal NIST self-assessment. They care about the gaps between policy and practice. If your GRC framework doesn’t reflect operational reality, it’s not just ineffective—it’s a liability.
Boards, auditors, and risk managers need to stop viewing GRC as documentation and start demanding evidence of security outcomes. The threats are evolving. So must we.
Let’s stop managing risks on paper—and start managing them in production.
Reach out to us if you would like help building a cyber security governance program that is sustainable, linked to operational reality, and self-healing.