The Australian Signals Directorate (ASD)’s widely used Essential Eight (E8) cybersecurity guidance is “showing its age” after eight years of AI and technological progress, a cyber expert has said as the ASD floats a major update to the guidelines called Essentials.
The new Essentials series, the ASD said as it released the standard for comment by industry and security partners, will offer “prioritised, threat-informed mitigations for contemporary technology environments, supported by practical tools and clear implementation guidance.”
It includes four key attributes including flexibility, a threat informed design, compatibility with existing E8 programs, and a future focused design that, ASD technical expert Jayden Cooke explained, enables ASD to introduce new guidance services and best practice advice.
Cooke said the Essentials series’ design – which will evolve current Essential Eight guidance into the first chapter of an ongoing series – “moves away from relying only on prescriptive technical controls” taken from the ASD’s companion Information Security Manual (ISM).
Those controls – which were introduced in 2017 as the federal government rushed to counter a surge in nation-state activity – include advice for organisations to patch applications and operating systems, implement multi factor authentication, and more.
They were updated in 2023 but have are still focused on traditional network management conceits, leaving businesses and government bodies trying to figure out how to build on their foundation while adapting it to new threats like AI-powered attacks.
The new Essentials framework “is built on ASD’s unique insights, uplift activities and incident response experience,” Cooke explained, “taking a principles-based approach and providing guidance to help organisations achieve stronger cybersecurity outcomes.”
“It helps you understand the kinds of adversary techniques you’re facing and provides practical guidance on how to respond through clear mitigation principles and approaches… while allowing modern and emerging technologies to be applied as your environments are upgraded.”
Giving agencies a new target to miss?
The new guidance comes after years in which businesses and government bodies – for which E8 compliance was mandated years ago – struggled to improve their IT environments to the point where they could be considered to have reached any of its three maturity levels.
Essential Eight audits have shown few are even partly compliant, with ANAO identifying “ongoing low levels of cyber resilience in non-corporate Commonwealth entities” in 2023 and even shortcomings within the Department of Defence.
Threats are becoming more sophisticated, requiring the Essential Eight to keep up. Photo: Shutterstock
A 2024 Auditor-General report excoriated Services Australia and AUSTRAC for only having “partly effective” cybersecurity controls that wouldn’t protect against a major cybersecurity incident, while a recent ASD report found low compliance and reporting practices.
Most recently, ANAO found the federal Department of Parliamentary Services has only “partly effective” cybersecurity – with seven out of eight key cyber controls that “fell short” – despite being obliged for years to adopt the Essential Eight to Maturity Level Two.
Those deficiencies came as the agencies work to adapt security defences to new technologies such as cloud computing, software as a service, microservices, generative AI (genAI) and AI agents that are challenging data privacy and access controls.
New technologies “often bring new or modify existing cybersecurity risk, requiring different controls,” Australian Cyber Security Centre (ACSC) head Stephanie Crowe said in noting that “to defend against modern threats with modern tools, our guidance must evolve as well.”
The new Essentials framework – which will evolve the Essential Eight into a chapter called Essentials for Enterprise IT – will progressively provide specific guidance for areas like operational technology (OT).
“These changes give organisations flexibility in how they implement cybersecurity while providing a clear path to stronger cyber resilience,” Crowe said.
Long overdue for change
The changes come amidst growing concern that AI-enabled cyberattacks are upending long-established cybersecurity practices, with security agencies urging businesses to “act now” to get up to speed with AI security that is changing daily.
The UK’s AI Security Institute (AISI) recently reported that its testing showed Anthropic’s Mythos Preview AI model could complete “expert-level” capture the flag tasks 73 per cent of the time – an achievement that was impossible just a year ago.
Even as AISI found OpenAI’s GPT-5.5 model could do the same and “may be the strongest model we have tested,” the agency and the Australian Safety Institute agreed to share insights around their ongoing testing of AI cybersecurity capabilities.
Given the large and fast-moving threat posed by genAI, the ASD’s overhaul of the Essential Eight is long overdue, Fortinet chief information security officer Cornelius Mare said in calling the Essential series “a welcome update with the previous E8 showing its age.”
In complex 2026 environments the previous E8 is a “mismatch in terms of efficacy against a 2026 threat environment as well as poor ROI,” Mare said, noting that many of the previous controls are aimed at large businesses with IT capabilities small businesses can’t match.
“We have always understood there is no one-size-fits-all approach,” Mare said, “however, having clear guidance as a starting point is valuable.”
“If AI-enabled threats are accelerating and response windows are shrinking, baseline controls can’t sit in a static compliance frame…. As the threat landscape evolves, so too must the baseline required to protect critical infrastructure.”
