TL;DR: Australia’s ASD and AICD say boards should now assume compromise, prioritise containment, and focus on critical assets, legacy systems, detection, and supply chain oversight after cyberattacks have hit health, telecom, insurers, and government, with espionage costing $12.5 billion in FY23 to 24, according to Illumio. The governance shift is clear: resilience now depends on visibility, segmentation, and access control, not prevention alone.
NHIMG editorial — based on content published by Illumio: Australia’s New Boardroom Baseline, 5 New ASD and AICD Security Priorities
By the numbers:
Questions worth separating out
Q: What breaks when boards focus on prevention but not containment?
A: When boards treat prevention as the whole strategy, organisations often leave critical assets reachable through too many identities and network paths.
Q: Why do third-party and non-human identities increase resilience risk?
A: Third-party and non-human identities often carry legitimate trust but limited lifecycle control, which makes them ideal pivot points once an attacker gets a foothold.
Q: How do security teams know whether segmentation is actually working?
A: Segmentation is working when a compromised account or workload cannot freely reach crown-jewel systems, even if authentication succeeds.
Practitioner guidance
- Define critical-asset containment zones Group crown-jewel systems into explicit containment zones, then block unnecessary east-west traffic into those zones so compromise cannot spread freely across environments.
- Review third-party and service account reach Inventory external user accounts, supplier sessions, and service identities, then remove standing access that is broader than the specific business function requires.
- Isolate legacy systems with compensating controls Place unsupported or hard-to-patch systems behind segmentation controls and reduce their identity dependencies so compromise does not become a bridge to modern systems.
What's in the full article
Illumio's full blog covers the operational detail this post intentionally leaves for the source:
- Board-question prompts mapped to each of the ASD and AICD priority areas, useful for governance workshops and control reviews.
- How Illumio positions segmentation and observability across critical assets, legacy systems, and third-party access paths.
- The article’s examples of where detection needs to turn into action, including its discussion of AI-powered observability and remediation steps.
- The source post’s framing of post-quantum preparation alongside today’s containment priorities, which this analysis only summarises.
👉 Read Illumio’s analysis of Australia’s new board security priorities →
Cyber resilience boards are missing the containment question?
Explore further
Board resilience is increasingly an identity problem in disguise. Once organisations accept that prevention fails, the real question becomes which identities can still move laterally, reach critical assets, or operate unchecked after first access. That makes PAM, IAM governance, and NHI lifecycle control central to cyber resilience. The governance lesson is simple: containment depends on access design, not only on detection.
A question worth separating out:
Q: Who is accountable when supplier access becomes an attack path?
A: Accountability sits with the organisation that granted and governed the access, even if the third party initiated the relationship. Boards and security leaders need evidence that supplier identities are inventoried, bounded, monitored, and removed when no longer needed. That is a governance obligation, not just an operations task.
👉 Read our full editorial: Australia’s board security baseline: why containment now outranks prevention