The Australian Signals Directorate's decision to retire the Essential Eight framework over the next two years has prompted plenty of discussion about what comes next. What interests me more, however, is what the announcement tells us about how organisations have come to use the framework.For almost a decade, the Essential Eight has shaped how Australian organisations think about cyber security. Boards ask about maturity levels, procurement teams build it into supplier questionnaires, insurers reference it at renewal, and entire security programs have been planned around progressing from one maturity level to the next.

The framework became so widely adopted that, for many organisations, the conversation gradually shifted from "Are we reducing risk?" to "How do we reach the next maturity level?"

A maturity assessment tells you how closely your controls align with a defined set of requirements. It doesn't tell you whether those controls address the risks that matter to your business, whether they're applied consistently across every environment you run, or whether they still hold up as your technology, suppliers, and ways of working change.

The Essential Eight was never designed to tell organisations how secure they were. It was designed to help them become more secure, but somewhere along the way, many organisations quietly confused the two.

The ASD's decision to replace the Essential Eight reflects something many organisations have experienced for years: cyber security guidance cannot remain static when technology and attacker techniques continue to evolve. An assessment is always a measure against today's guidance, not the guidance that existed when an organisation first implemented its controls.

Working with organisations across a wide range of cyber security engagements, we've seen the same lesson repeated time and again.

The businesses that gained the greatest value from the framework weren't necessarily those that achieved the highest maturity level. They were the ones who used it to challenge assumptions about their own environment.

What consistently surprises us during Essential Eight engagements isn't a lack of investment but the widening gap between what organisations believe their controls cover and what they actually cover.

We routinely encounter organisations that consider themselves at Maturity Level 2 or 3, only to discover that their MFA coverage is partial, their application control policy has exceptions that effectively disable it, or their backup strategy has never been validated through an actual restoration test.

The ACSC's own data confirms why these gaps matter: in FY2024-25, 42% of critical incidents involved compromised credentials and 34% involved ransomware - precisely the attack paths the Essential Eight was designed to block. These aren't malicious oversights. The organisations have the tools, the budgets, and the skilled staff.

The failure is in the assumption that "we've got MFA" means the same thing across every system, every account type, and every environment. That gap between enabled on the primary system and deployed across the environment is where most organisations sit, and it's a gap that maturity assessments are specifically designed to expose.

The recurring challenges we see aren't usually technical but stem from assumptions about existing controls that have never actually been tested.

An organisation may be confident it has fully implemented multi-factor authentication because Microsoft 365 is protected, and the control has been reported as complete. A closer review often uncovers privileged accounts, VPN access, or third-party applications sitting outside that coverage. The issue usually isn't capability or neglect. It's that everyone believes the control is already working as intended because it was switched on somewhere important.

The same pattern appears with patching and backups. Operating systems get patched on schedule while critical third-party applications quietly fall months behind. Backup strategies look comprehensive right up until someone asks how long it would take to recover the business after a ransomware attack.

Most of these organisations have capable IT teams and have invested significantly in cyber security. The challenge is that modern environments are complex enough that assumptions slip through and become accepted as fact.

That's where the Essential Eight delivered its greatest value: not the maturity score itself, but the process of validating assumptions that had quietly become embedded in day-to-day operations.

That observation is consistent with how we've always approached the framework. The Essential Eight was never something to "complete". It was the beginning of a security maturity journey that required continuous review as technology, business priorities, and threats evolved.

The retirement also shouldn't be viewed in isolation. As part of the transition, the ASD is evolving the Essential Eight into a broader Essentials series. The first chapter covers enterprise IT, with operational technology (OT) and cloud identified as the next technology domains. That evolution reflects the reality facing most organisations today. Rather than relying on a single framework, the ASD is recognising that different technology environments require different guidance while pursuing the same objective: stronger cyber resilience.

That's a logical progression. Modern organisations no longer operate entirely on Windows desktops and corporate networks. They run hybrid environments spanning cloud platforms, operational technology, SaaS applications, and traditional infrastructure. Measuring all of that through a single maturity model was always going to become increasingly difficult.

Existing Essential Eight investment doesn't lose its value here. What changes is the expectation that organisations will continually validate those controls as their environments evolve, rather than assuming yesterday's implementation remains fit for today's risks.

The better question now isn't, "What maturity level are we aiming for?" It's, "What assumptions are we still making about our security, and when did we last test whether they were true?"

The organisations that benefit most from this next chapter won't necessarily be the ones that adapt to the new framework the fastest. They'll be the ones who use this transition to replace assumptions with evidence and confidence with validation. 


Latest insights

 

Author

Matt Dobinson

As Head of Security Consulting at The Missing Link, I lead offensive security engagements focused on red teaming, penetration testing, and adversary simulation. With a background in software development and systems engineering, I help organisations uncover real-world vulnerabilities and strengthen their defences. Outside of work, I’m usually experimenting with firmware or pulling apart how systems behave under pressure. If it runs code, I’m interested in how it works and how it can be broken.