Australia’s New Boardroom Baseline: 5 New ASD and AICD Security Priorities

In the past two years, Australia has seen a wave of cyberattacks that’ve rattled boardrooms.

Health providers, telecom giants, insurers, and even government agencies continue to be the target of sophisticated breaches, many of which made front-page news.  

With each incident, the message grows louder that cybersecurity is just as much a governance issue as it is an IT issue.

This urgency is what prompted the Australian Signals Directorate (ASD) and the Australian Institute of Company Directors (AICD) to publish the Cyber Security Priorities for Boards 2025–26.  

While this guidance was created with Australian organizations in mind, its relevance extends far beyond Australia’s borders. The cyber threats, regulatory pressures, and governance expectations it addresses are global. The guidance outlined in this report represents a baseline for cyber resilience everywhere.

Let’s unpack what the report says, why it matters, and how Illumio can help organizations align with its guidance.

Why the Cyber Security Priorities for Boards guidance matters now

Australia’s threat environment is more volatile than ever.  

According to the guidance, espionage alone cost the economy $12.5 billion in FY23–24, and cybercrime continues to surge across industries, especially for large enterprises.

What’s changed is how the risk is perceived at the top. Directors are now expected to understand their organization's exposure, ask sharp questions, and invest in strategies that go beyond prevention.  

The new baseline is to assume compromise and focus on breach containment.

Some guidance, such as preparing for quantum computing, feels futuristic. The core message, though, is to master the basics now.

Cyber resilience is about controlling risk right now by improving visibility, protecting legacy systems, containing lateral movement, and managing your most vulnerable entry point: the supply chain.

Key cybersecurity priorities from the report

Here’s an overview of the five board-level focus areas from the ASD and AICD guidance:

1. Secure-by-design and secure-by-default technologies

Security should be embedded from the start instead of bolted on later. Boards are expected to ask whether the tech they use and deliver to customers meets this standard.

2. Critical asset defense and an assume compromise mindset

In today’s threat landscape, no organization can expect to stop every attacker. Instead, it’s more important to focus on protecting your critical assets, including the systems, applications, and data that matter most, with the assumption that attackers will get in.

3. Robust event logging and threat detection

Organizations need enterprise-wide visibility and real-time detection as a baseline. More importantly, though, they need to be able to quickly turn detection into action. This means more automation and AI-powered solutions that can keep up with the speed of sophisticated breaches.

4. Legacy IT risk management

Unsupported and unpatched systems are soft targets and offer pivot points to reach other critical assets. The report urges boards to replace legacy IT where possible or deploy strong compensating controls.

5. Cyber supply chain risk oversight

Third-party access is one of the highest risk areas for most organizations. Boards must understand which people and systems have access, where, and whether it’s segmented and monitored.

While the report highlights quantum threats, most organizations aren't ready to replace traditional asymmetric cryptography just yet.  

Still, the guidance urges boards to begin preparing for a post-quantum cryptography transition. This reflects a nod to the future of cybersecurity risk, with data harvested today and decrypted tomorrow.

What good cyber governance looks like

In addition to the five focus areas, the guidance also includes dozens of practical questions boards should be asking, such as:

• “Do we have compensating controls around legacy systems we can’t retire yet?”
• “Are we segmenting third-party vendor access based on risk?”
• “Do our detection systems prioritize what matters most?”
• “Are we planning for emerging threats like post-quantum cryptography while strengthening fundamentals like observability and breach containment?”

These questions reflect the shift in expectation: cybersecurity is now a board-level responsibility, and governance must evolve accordingly.

How Illumio aligns with the Cyber Security Priorities for Boards guidance

At Illumio, we can help organizations in Australia and across the APJ region meet these priorities with confidence by delivering AI-powered segmentation and security observability.

Here’s how Illumio maps directly to the report’s board-level guidance:

1. Secure by design: microsegmentation and least-privilege access

Illumio Segmentation enforces least-privilege access across data centers and clouds. This makes sure your architecture is secure by design.  

You will contain breaches before they spread, protect critical assets, and meet the principles of frameworks like ASD’s Information Security Manual (ISM), Essential Eight, and Zero Trust.

2. Critical asset protection with ‘assume breach’ at the core

With Illumio, you will visualize how workloads communicate, identify high-risk threat paths, and apply enforcement policies that separate your most important systems from everything else. This helps contain attacks fast and makes “assume breach” a strategy, not a fear.

3. Event detection with AI-powered actionability

Too many tools generate too many alerts, leading to alert fatigue and misplaced focus.  

With Illumio Insights, you get AI-powered observability that doesn’t just detect anomalies but also highlights toxic combinations and provides step-by-step remediation actions.

This means threat detection doesn’t just end with an alert. It leads to practical, AI-powered insights that can automatically stop threats from spreading through your network.

4. Legacy IT isolation with virtual air gaps

Legacy systems are often the weakest link and the most difficult to retire.  

Illumio provides a fast, effective way to isolate legacy IT without re-architecting. You can tightly control access, monitor behavior, and enforce segmentation — all without touching the application or the network.

This is one of the many places where Illumio can help your organization see immediate risk reduction.

5. Supply chain access segmentation and monitoring

Boards know third-party risk is a blind spot. With Illumio, you can limit supplier access to just what’s needed, enforcing policy controls and monitoring all communication between vendors and internal systems.

If a supplier is compromised, segmentation prevents them from becoming the attacker’s gateway.

The new standard for Australian cyber governance

The ASD and AICD published this guidance in response to real breaches, rising threat levels, and increasing pressure on directors to prove their cybersecurity strategy is both proactive and effective.

The report proves that cybersecurity fundamentals matter now more than ever:

• Can you see what’s happening across your environment?
• Can you isolate critical systems?
• Can you stop a breach before it spreads?

Illumio helps you answer “yes” with segmentation and observability that deliver actionable outcomes beyond compliance.

Ready to align your cybersecurity strategy with the latest guidance? Essayez Illumio Insights gratuitement aujourd'hui.