The Essential 8 is not a cyber security strategy

Whilst it might be a somewhat controversial opinion, I think it’s important to highlight that the ASD Essential 8 is a collection of security controls, not an overarching cyber security strategy. It’s fantastic to see the C-Suite and boards talk about the Essential 8 and cyber security, but I fear it’s being used as a milestone to say security is good. Unfortunately, whilst it’s a fantastic resource, the Essential 8 is not an indicator of good or great security. It is a set of security controls that are prioritised based on a specific threat model for a specific set of organisations. Something like NIST CSF 2.0, however, is a much more strategic framework: its six Functions (Govern, Identify, Protect, Detect, Respond and Recover) cover detection, protection, response and the overall governance of a cyber security program. And through its National Cybersecurity Center of Excellence, NIST is providing industry-specific profiles and guidance.

Understanding Cybersecurity Frameworks: Strategic Governance vs Tactical Implementation

In the rapidly evolving landscape of cyber threats, security leaders must navigate an array of frameworks to guide their organisations towards better resilience. Today, in Australia, there is a huge focus throughout the industry, cyber insurance and boardrooms on the ASD Essential 8. However, its purpose differs significantly from a standard like ISO 27001 or a framework like NIST CSF, and understanding these distinctions is critical to leveraging them effectively.

Strategic Governance Frameworks: Setting the Direction

Governance frameworks such as NIST CSF 2.0 provide a strategic lens for understanding and managing cybersecurity risks. These frameworks are designed for board-level discussions, offering a structure to:

  • Map and understand organisational risks.
  • Set out objectives for the governance of your cyber security program.
  • Define and achieve desired cybersecurity outcomes.
  • Align cybersecurity initiatives with broader business objectives.

NIST CSF 2.0, for instance, defines implementation Tiers and organises its outcomes into Functions, Categories and Subcategories, helping organisations assess their current state and set realistic improvement goals across the board, not just on a subset of security controls. By focusing on outcomes, such as mitigating top risks or improving risk understanding, governance frameworks drive meaningful conversations and decision-making. And yes, the Essential 8 does have maturity levels, but it doesn’t address critical questions such as how you are detecting and responding to threats, what your plan is for when a compromise or incident occurs, and, most importantly, how your security program is governed.

Tactical Frameworks: Driving Outcomes with Controls

On the other hand, tactical frameworks like the ASD Essential 8 focus on specific controls to address defined risks. These frameworks provide practical guidance for implementing defences but should not be mistaken for comprehensive cybersecurity strategies. The Essential 8 reflects a threat profile specific to certain adversaries and operational contexts — which may not align with your organisation’s unique risk landscape.

To maximise the value of tactical frameworks:

  • Overlay their recommendations with your organisation’s actual threat profile, informed by threat intelligence and risk management.
  • Use them as tools to achieve specific outcomes, rather than as standalone solutions.
  • Measure success through targeted metrics, such as adversary techniques covered or critical risks managed.

The Essential 8 is a fantastic resource, but I feel it shouldn’t be used as the guide post for a good or great security program overall. I strongly recommend that, unless there is a critical business imperative to implement the Essential 8 first, you build out a solid foundational program and governance structure for your cyber security capability: work out what great looks like to the business and what your key risks are, and go from there.

A Balanced Approach: Strategy Informing Tactics

Combining strategic governance frameworks with tactical controls frameworks ensures that cybersecurity efforts are both comprehensive and actionable. But the critical point is that you need to build a solid foundation with a strong governance framework, and have a strong understanding of your risk and adversary profiles. What sand castles do we have that we care about, and who will break in to kick them over, and how? Controls are an important part of this equation, so it’s important to balance the strategic with the tactical. This involves:

  1. Outcome-Focused Planning: Shift the focus from individual controls to overarching objectives. For instance:
  • “We have mitigated X top risks identified in our risk assessment/adversary profiles.”
  • “We have mapped and understood Y critical risks.”
  2. Adversary-Centric Defences: Leverage resources like the MITRE ATT&CK Technique Inference Engine to prioritise defences against the techniques most relevant to your threat and adversary profile. Remember, it’s not about covering every possibility but addressing what truly matters.
  3. Validation Through Adversary Simulation: Trust but verify your detections and capabilities by conducting regular purple team exercises. Simulating adversarial behaviour uncovers gaps and ensures that defences and response procedures perform as intended.
  4. Automated Control and Detection Testing: Automate the testing of your most critical and high-value controls and detections so that you know they will work when they need to. Regular automated testing complements and scales the assurance that adversary simulations provide, and helps ensure your detections and controls stay reliable and that a misconfiguration or data change hasn’t slipped in unnoticed.
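As an added example (not code from the original post, and not MITRE’s Technique Inference Engine), the following Python shows the kind of calculation that sits behind points 2 and 4 above and behind the “adversary techniques covered” metric discussed later: an adversary profile of ATT&CK techniques weighted by how relevant they are to you, an inventory of detections mapped to those techniques, and a coverage figure that only counts a detection if its most recent automated test passed. The technique IDs are real ATT&CK identifiers; the profile weights, detection names and test results are constructed for illustration.

```python
"""Added example: weighted ATT&CK technique coverage against an adversary profile.

Illustrative only. Technique IDs are real MITRE ATT&CK identifiers; the
adversary profile weights, detection inventory and test outcomes below are
constructed and do not describe any real environment.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed adversary profile: technique -> relevance weight in (0, 1],
# e.g. how often the adversaries you care about have been seen using it.
ADVERSARY_PROFILE: Dict[str, float] = {
    "T1566":     0.9,  # Phishing
    "T1059.001": 0.8,  # Command and Scripting Interpreter: PowerShell
    "T1078":     0.7,  # Valid Accounts
    "T1003.001": 0.6,  # OS Credential Dumping: LSASS Memory
    "T1021.001": 0.5,  # Remote Services: Remote Desktop Protocol
    "T1053.005": 0.4,  # Scheduled Task/Job: Scheduled Task
    "T1486":     0.9,  # Data Encrypted for Impact
}


@dataclass(frozen=True)
class Detection:
    name: str                     # constructed detection/control name
    techniques: FrozenSet[str]    # ATT&CK technique IDs it is meant to cover
    last_test_passed: bool        # outcome of the latest automated validation


# Constructed detection inventory. One rule has a failed automated test, which
# is exactly the "misconfiguration slipped in unnoticed" case from point 4.
DETECTIONS: List[Detection] = [
    Detection("mail-gateway-attachment-sandbox", frozenset({"T1566"}), True),
    Detection("powershell-scriptblock-alert", frozenset({"T1059.001"}), True),
    Detection("lsass-access-edr-rule", frozenset({"T1003.001"}), False),
    Detection("impossible-travel-signin", frozenset({"T1078"}), True),
    Detection("mass-file-rename-canary", frozenset({"T1486"}), True),
]


def coverage_report(
    profile: Dict[str, float],
    detections: List[Detection],
    count_untested: bool = False,
) -> Tuple[float, Set[str], List[str], List[str]]:
    """Return (weighted_coverage, covered, gaps, stale).

    weighted_coverage: sum of weights of covered techniques / sum of all weights.
    covered: profile techniques with at least one (validated) detection.
    gaps: uncovered profile techniques, highest weight first, i.e. what to build next.
    stale: detections whose latest automated test failed, regardless of count_untested.
    By default a detection with a failed test is NOT counted as coverage; pass
    count_untested=True to see the (optimistic) "claimed" coverage instead.
    """
    covered_by: Dict[str, List[str]] = {}
    for det in detections:
        if not det.last_test_passed and not count_untested:
            continue
        for tech in det.techniques:
            covered_by.setdefault(tech, []).append(det.name)

    covered = {t for t in profile if t in covered_by}
    total = sum(profile.values())
    weighted = sum(profile[t] for t in covered) / total if total else 0.0
    gaps = sorted((t for t in profile if t not in covered), key=lambda t: -profile[t])
    stale = sorted(d.name for d in detections if not d.last_test_passed)
    return weighted, covered, gaps, stale


if __name__ == "__main__":
    validated, _, gaps, stale = coverage_report(ADVERSARY_PROFILE, DETECTIONS)
    claimed, _, _, _ = coverage_report(ADVERSARY_PROFILE, DETECTIONS, count_untested=True)
    print(f"Claimed coverage (ignoring failed tests): {claimed:.1%}")
    print(f"Validated coverage (failed tests excluded): {validated:.1%}")
    print("Highest-priority gaps:", ", ".join(gaps))
    print("Detections needing attention:", ", ".join(stale) or "none")
```

The gap between the claimed and validated figures is the board-level number worth watching: a detection that exists on paper but fails its automated test contributes nothing until it is fixed, and the gap list is ordered by the adversary profile rather than by whichever control is easiest to ship.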

Metrics That Drive Behaviour

Metrics are a powerful tool for steering organisational behaviour, but they must be outcome-oriented. I often see organisations focus at the board level on the Essential 8. It’s a great start, and amazing to see boards begin to discuss cyber, but as it’s a set of recommended controls I’d be keen to see the discussion elevate to more strategic metrics and maturity measurements. It’s important to focus on metrics that demonstrate the forward journey of the cyber security program, not just “we’ve achieved the set maturity level for four of the Essential 8 and therefore we are done”.

For example:

  • Strategic Metrics: Focus on critical risks managed, overall maturity improvements, and alignment with business objectives.
  • Tactical Metrics: Track adversary techniques covered, adversary profiles updated, and time to containment for incidents.

Metrics should highlight the outcomes achieved and also show what is still to be done, so that we effectively communicate the tangible security improvements that have been delivered and those yet to come.

Conclusion

Effective cybersecurity requires a continuous evolution of cyber security capabilities based on your organisation’s risk and adversary profile. It’s fantastic that boards and the C-Suite are talking about cyber security, but I think it’s critical we shift the discussion away from a subset of security controls (which are important) to a much more strategic vision and governance framework. I think the nuance that something like the Essential 8 is based on a specific threat profile, for a specific environment, is lost, and it has started to become a yardstick for good overall security. But there is so much more to security than the tactical execution of a list of controls. By understanding the distinctions between governance frameworks like NIST CSF 2.0 and tactical guides like the ASD Essential 8, security leaders can create a balanced approach that prioritises outcomes, aligns with organisational risks, and builds resilience against evolving threats. The goal is not just to implement controls but to achieve a state of preparedness and adaptability that can withstand today’s dynamic threat environment.


Huntabil.IT is a leader in threat-informed defence, helping organisations stay ahead of cyber threats with expert-driven intelligence, proactive threat hunting, and tailored security advisory services.

© 2025 Huntabil.IT Technologies Pty Ltd
