Fortinet CISO Welcomes Australia’s New Essentials Series as Essential Eight Shows Its Age

The Australian Signals Directorate (ASD) and the Australian Cyber Security Centre (ACSC) have announced a new Essentials series to replace the Essential Eight framework. Cornelius Mare, Chief Information Security Officer for Australia at Fortinet, says the update is overdue — and that the timing matters more than many organizations realize.

Why the Essential Eight Needed an Update

Mare welcomed the new series directly. “The Essentials series is a welcome update with the previous Essential Eight showing its age and no longer being the optimal fit for a 2026 environment characterised by Software-as-a-Service (SaaS), cloud, bring-your-own-device (BYOD), microservices, and AI agents.”

He identified two core problems with the previous framework. First, it no longer matched the current threat environment. Second, it delivered a poor return on investment. “Some of the enterprise-level controls in the previous Essential Eight are extremely difficult to implement from a costing perspective,” Mare said, noting that much of the Australian economy consists of small and medium-sized businesses for whom those controls were never practical.

His view on what any replacement framework must deliver was clear: “Any controls must remain simple, have business context and be cost-effective while still providing a realistic view of an organisation’s maturity journey.”

Boards Are Asking for Audits — But Compliance Isn’t Enough

Mare noted a shift happening at the board level. More directors are requesting Essential Eight audits, driven in part by the Australian Institute of Company Directors’ (AICD) efforts to promote cyber maturity. “We are seeing more boards now requesting Essential Eight audits… which is strengthening CISO conversations at the board level because directors are also hearing this from their peers.”

However, he cautioned against treating the framework as a checkbox exercise. “The reality is many organisations are likely still using the Essential Eight as a compliance exercise rather than to provide a proactive risk and context-based program of increasing maturity and resilience.”

The Five Eyes Warning Changes the Equation

Mare connected the framework update directly to a broader shift in the threat landscape. The Five Eyes cybersecurity agencies recently issued a joint statement warning that AI will reshape risk within months. For Mare, that warning makes static compliance frameworks untenable.

“If AI-enabled threats are accelerating and response windows are shrinking, baseline controls can’t sit in a static compliance frame,” he said.

What the New Framework Needs to Deliver

Mare outlined what he believes the Essentials series must accomplish going forward. Organizations need a baseline that supports the safe adoption of emerging technologies and AI — one built on context-aware frameworks rather than fixed control lists.

“As the threat landscape evolves, so too must the baseline required to protect critical infrastructure,” he said. “It will be important to define a baseline that supports safe adoption of emerging technologies and AI, with more context-aware frameworks that help secure critical infrastructure and Australian businesses.”

He also acknowledged that while no single framework fits every organization, authoritative guidance from ASD still carries real value. “We have always understood there is no one-size-fits-all approach; however, having clear guidance as a starting point is valuable, particularly when it comes from ASD and can be used by businesses as an authoritative reference.”

Conclusion

The Essential Eight update reflects a broader reality: cybersecurity frameworks must evolve alongside the threats they are designed to counter. For Australian businesses — particularly small and medium-sized organizations — the new series offers an opportunity to move beyond compliance and build genuine, scalable cyber resilience.
