With each incident, the message grows louder that cybersecurity is just as much a governance issue as it is an IT issue. This urgency is what prompted the Australian Signals Directorate (ASD) and the Australian Institute of Company Directors (AICD) to publish the Cyber Security Priorities for Boards 2025–26.
Let’s unpack what the report says, why it matters, and how Illumio can help organisations align with its guidance.
Why the Cyber Security Priorities for Boards guidance matters now
Australia’s threat environment is more volatile than ever. According to the guidance, espionage alone cost the economy $12.5 billion in FY23–24, and cybercrime continues to surge across industries, especially for large enterprises.
What’s changed is how the risk is perceived at the top. Directors are now expected to understand their organisation's exposure, ask sharp questions, and invest in strategies that go beyond prevention.
The new baseline is to assume compromise and focus on breach containment. Some guidance, such as preparing for quantum computing, feels futuristic. The core message, though, is to master the basics now.
Cyber resilience is about controlling risk right now by improving visibility, protecting legacy systems, containing lateral movement, and managing your most vulnerable entry point: the supply chain.
Key cybersecurity priorities from the report
Here’s an overview of the five board-level focus areas from the ASD and AICD guidance, and how Illumio can help organisations achieve alignment.
1. Secure-by-design and secure-by-default technologies
Security should be embedded from the start instead of bolted on later. Boards are expected to ask whether the tech they use and deliver to customers meets this standard.
Illumio Segmentation enforces least-privilege access across data centers and clouds. This makes sure your architecture is secure by design. You will contain breaches before they spread, protect critical assets, and meet the principles of frameworks like ASD’s Information Security Manual (ISM), Essential Eight, and Zero Trust.
2. Critical asset defence and an assume compromise mindset
In today’s threat landscape, no organisation can expect to stop every attacker. Instead, it’s more important to focus on protecting your critical assets, including the systems, applications, and data that matter most, with the assumption that attackers will get in.
With Illumio, you will visualise how workloads communicate, identify high-risk threat paths, and apply enforcement policies that separate your most important systems from everything else. This helps contain attacks fast and makes “assume breach” a strategy, not a fear.
3. Robust event logging and threat detection
Organisations need enterprise-wide visibility and real-time detection as a baseline. More importantly, though, they need to be able to quickly turn detection into action. This means more automation and AI-powered solutions that can keep up with the speed of sophisticated breaches.
With Illumio Insights, you get AI-powered observability that doesn’t just detect anomalies but also highlights toxic combinations and provides step-by-step remediation actions. This means threat detection doesn’t just end with an alert. It leads to practical, AI-powered insights that can automatically stop threats from spreading through your network.
4. Legacy IT risk management
Unsupported and unpatched systems are soft targets and offer pivot points to reach other critical assets. The report urges boards to replace legacy IT where possible or deploy strong compensating controls.
Illumio provides a fast, effective way to isolate legacy IT without re-architecting. You can tightly control access, monitor behaviour, and enforce segmentation, all without touching the application or the network. This is one of the many places where Illumio can help your organisation see immediate risk reduction.
5. Cyber supply chain risk oversight
Third-party access is one of the highest risk areas for most organisations. Boards must understand which people and systems have access, where, and whether it’s segmented and monitored.
While the report highlights quantum threats, most organisations aren't ready to replace traditional asymmetric cryptography just yet. Still, the guidance urges boards to begin preparing for a post-quantum cryptography transition. This reflects a nod to the future of cybersecurity risk, with data harvested today and decrypted tomorrow.
Illumio can help you limit supplier access to just what’s needed, enforcing policy controls and monitoring all communication between vendors and internal systems. If a supplier is compromised, segmentation prevents them from becoming the attacker’s gateway.
What good cyber governance looks like
In addition to the five focus areas, the guidance also includes dozens of practical questions boards should be asking, such as:
- “Do we have compensating controls around legacy systems we can’t retire yet?”
- “Are we segmenting third-party vendor access based on risk?”
- “Do our detection systems prioritise what matters most?”
- “Are we planning for emerging threats like post-quantum cryptography while strengthening fundamentals like observability and breach containment?”
These questions reflect the shift in expectation: cybersecurity is now a board-level responsibility, and governance must evolve accordingly.