The Australian Signals Directorate (ASD) and the Australian Institute of Company Directors (AICD) have released critical guidance for boards navigating the increasingly complex cyber threat landscape in 2025-26. As cyber threats intensify globally, driven by geopolitical tensions and sophisticated adversaries, boards must elevate their cyber security governance to protect their organizations, shareholders, and customers.
The Heightened Threat Environment
Australia faces unprecedented cyber challenges. The numbers tell a sobering story: espionage cost the nation $12.5 billion in FY23-24, while cybercrime costs continue to rise sharply, particularly for large enterprises. State-based actors are pre-positioning for potential disruptive attacks against critical infrastructure, and malicious actors are targeting Australian organizations of all sizes and types.
For board members, the message is clear: cyber security is no longer just an IT concern; it's a fundamental business risk that demands board-level attention and strategic oversight.
[austrailiacyberboard.pdf (410 KB)](/files/austrailiacyberboard.pdf)
Key Focus Areas for 2025-26
The ASD-AICD guidance highlights several critical priorities where boards should focus their attention:
1. Secure by Design and Secure by Default
Boards need to understand whether the technology their organizations use or provide to customers incorporates security from the ground up. This means asking tough questions about whether products and services are built with security as a foundational element, not an afterthought.
2. Protecting Crown Jewels
Organizations should operate with an "assume compromise" mindset. This means identifying and prioritizing the defense of your most critical assets: those that would cause the most damage if compromised. Not all data and systems are equal; boards must ensure resources are allocated to protect what matters most.
3. Enhanced Detection and Response Capabilities
Effective event logging and threat detection are essential for identifying malicious behavior within your IT environment. Boards should ensure their organizations have enterprise-wide approaches to monitoring and responding to threats in real time.
4. Legacy IT Management
Legacy information technology presents significant and enduring cyber security risks. The most effective mitigation is to replace it before it becomes unsupported, but when that's not feasible, compensating controls and careful risk management become critical.
5. Cyber Supply Chain Risk
Third-party suppliers, manufacturers, and service providers represent a significant attack surface. Boards must have visibility into how cyber security risks are managed throughout the supply chain and ensure contractual obligations include robust security requirements.
6. Post-Quantum Cryptography Transition
The emergence of quantum computing will render most contemporary cryptography insecure. Forward-thinking boards should already be overseeing plans to transition to quantum-resistant algorithms before this becomes a crisis.
Practical Questions Boards Should Be Asking
The ASD-AICD guidance provides both high-level governance questions and detailed technical questions across each priority area. Here are examples of the threshold governance questions boards should be asking:
Event Logging & Threat Detection:
- Have we established an event logging policy with clear retention, access, and review procedures?
- Have we defined event logging and monitoring responsibilities across teams?
- Have we identified all critical systems requiring event logging?
Legacy IT Management:
- Have we identified and documented all legacy IT in use?
- Have we assigned risk ownership for each piece of legacy IT?
- Have we established a legacy IT risk management strategy?
Cyber Supply Chain:
- Have we developed a cyber supply chain risk management policy?
- Have we identified all suppliers with access to our systems and data?
- Have we assessed suppliers' cyber security postures?
Bridging the Gap: From Questions to Action
While these questions provide a strong framework for governance oversight, boards often struggle with translating strategic discussions into operational reality. This is where practical tools become invaluable.
Introducing the CyberBoard Assessment Tool
To help boards move from questions to actionable insights, we've developed the CyberBoard Assessment Tool, a comprehensive platform designed specifically to help boards and executives assess their cyber security posture against the ASD-AICD framework.
What the CyberBoard Tool Offers:
- Structured Assessment Framework: The tool is built around the key priority areas outlined in the ASD-AICD guidance, allowing boards to systematically evaluate their organization's cyber security maturity.
- Governance & Technical Questions: Includes both threshold governance questions for board-level discussion and supplementary technical questions for deeper dives with management.
- Gap Analysis: Identifies specific areas where your organization may be falling short of recommended practices.
- Actionable Reporting: Generates clear, board-ready reports that highlight risks, priorities, and recommendations.
- Progress Tracking: Allows organizations to track improvements over time and demonstrate cyber security maturity growth to stakeholders.
- Benchmarking: Compare your organization's cyber security posture against industry peers and best practices.
Why This Matters for Your Board
The ASD-AICD guidance makes clear that effective cyber security governance is not optional; it's a fiduciary responsibility. Boards that fail to provide adequate oversight of cyber security risk exposing their organizations to:
- Significant financial losses from breaches and incidents
- Regulatory penalties and legal liability
- Loss of customer trust and reputational damage
- Operational disruptions and service delivery failures
- Potential personal liability for directors
By systematically working through the questions in the ASD-AICD framework and using tools like the CyberBoard Assessment, boards can:
- Demonstrate due diligence in cyber security oversight
- Identify gaps before they become crises
- Allocate resources more effectively
- Communicate cyber risks clearly to stakeholders
- Build a culture of security throughout the organization
Taking the First Step
For many organizations, particularly small-to-medium enterprises and not-for-profits, implementing all the guidance may not be immediately possible. However, the framework still provides immense value by helping boards understand their current posture and identify priority areas for improvement.
The key is to start somewhere. Begin by:
- Reviewing the full ASD-AICD guidance (available at cyber.gov.au)
- Conducting an honest assessment of your organization's current cyber security posture
- Using structured tools like the CyberBoard Assessment to systematically evaluate your organization
- Identifying quick wins that can be implemented immediately
- Developing a roadmap for addressing more complex challenges over time
Conclusion
The cyber threat landscape in 2025-26 demands that boards take a proactive, informed approach to cyber security governance. The ASD-AICD guidance provides an excellent framework for understanding what good cyber security governance looks like, but boards need practical tools to translate that framework into action.
By combining the strategic questions from the ASD-AICD guidance with practical assessment tools like CyberBoard, boards can move beyond theoretical discussions to drive real improvements in their organization's cyber security posture. The stakes are too high, and the threats too serious, for boards to rely on good intentions alone.
Take action today: Download the full ASD-AICD guidance, schedule a board discussion around these priorities, and consider using the CyberBoard Assessment Tool to conduct a comprehensive evaluation of your cyber security governance.
The "Cyber security priorities for boards in 2025-26" guidance is jointly published by the Australian Signals Directorate and the Australian Institute of Company Directors. This article is designed to complement that guidance and should be read in conjunction with the full publication available at cyber.gov.au.