05 June 2026
The Australian Cyber Security Centre’s Essential Eight has become one of the most influential cybersecurity frameworks in Australia. Government agencies reference it, consultants recommend it and organisations of every size use it to guide investment decisions. The framework enjoys a strong reputation because it focuses on practical controls that reduce exposure to common attack techniques. Application control, patching, multifactor authentication and backups all represent sensible security measures. However, effective security depends on more than controls alone. It also depends on information awareness: understanding what information exists, where it resides, how it moves and why it matters.
Yet the popularity of the Essential Eight sometimes obscures an important question. Before an organisation decides how to protect information, should it first understand the information itself?
The Essential Eight does not attempt to answer that question. That is not a flaw in the framework. The framework was never designed to identify information assets, map information flows or determine the business value of information. It assumes that organisations already possess that understanding and need guidance on selecting appropriate controls. In many environments that assumption is perfectly reasonable. In practice, however, many organisations begin implementing controls long before they develop a clear picture of the information those controls are supposed to protect.
This becomes apparent whenever security discussions focus exclusively on technology. Organisations often know how many devices they manage, how many accounts use multifactor authentication and whether critical systems receive security updates. These are useful measurements. They provide evidence that security activities are occurring. They demonstrate effort and investment. They also happen to be relatively easy to measure.
Information presents a different challenge. Ask an organisation where all of its information resides and the answer often becomes less certain. Some information lives in business applications. Some sits in email systems. Some resides with suppliers. Some exists in collaboration platforms, cloud storage services and archived records. Information also develops relationships as it moves through an organisation. A customer record may connect to financial information, operational information, supplier information and reporting information. The value of the information often emerges from those relationships rather than from any individual document or database.
This is where information awareness becomes important. Information awareness begins with understanding information before attempting to protect it. It asks what information exists, who uses it, where it resides, how it moves and what role it plays within the organisation. These questions sound deceptively simple, yet they often reveal assumptions that have remained unexamined for years.
Consider a small psychology practice. The practice may implement multifactor authentication, maintain backups and patch its systems in accordance with the Essential Eight. These controls undoubtedly improve security. At the same time, the practice may struggle to identify every location where sensitive client information resides. Clinicians may exchange information through different systems. Third-party providers may store information on behalf of the practice. Administrative staff may access information for purposes that nobody has formally documented. The technical controls remain valuable, but they exist alongside information relationships that the organisation does not fully understand.
The same pattern appears in consulting firms, engineering businesses and professional service organisations. Security programmes often begin with controls because controls feel concrete. They produce reports, dashboards and measurable outcomes. Understanding information requires a different type of effort. It requires organisations to examine how information supports business objectives, how people use it and how dependencies emerge between systems, suppliers and processes. The work feels less technical, but it often produces deeper insights.
None of this diminishes the value of the Essential Eight. In fact, the opposite is true. Organisations gain the greatest benefit from security controls when they apply those controls in the context of a clear understanding of their information assets. Multifactor authentication becomes more meaningful when an organisation understands which information requires the strongest protection. Backups become more valuable when the organisation knows which information supports critical business processes. Access controls become easier to design when people understand who genuinely requires access and why.
Viewed through this lens, the relationship between the Essential Eight and understanding information becomes much clearer. They address different aspects of the same challenge. The Essential Eight focuses on reducing the likelihood and impact of common attacks. Information awareness focuses on understanding what creates value within the organisation and where risk genuinely exists. One provides protection. The other provides context.
Many organisations treat security as a technology problem because technology is visible. Information is less visible. Information flows between people, systems, suppliers and processes in ways that rarely appear on architecture diagrams or compliance checklists. Yet information remains the reason security exists in the first place. Organisations do not implement multifactor authentication because they love authentication. They do not maintain backups because backups are inherently valuable. They implement these controls because information matters.
That distinction may explain why some security programmes feel disconnected from the organisations they serve. Controls accumulate over time while the understanding of information remains incomplete. The organisation becomes increasingly proficient at operating security controls without necessarily becoming more aware of the information those controls exist to protect.
The Essential Eight remains one of the most practical security frameworks available to Australian organisations. It deserves its reputation. However, organisations should not confuse a control framework with a complete security strategy. Effective security begins with complete information awareness, because information gives purpose to every control that follows. Once an organisation develops that understanding, frameworks such as the Essential Eight become far more powerful, not because the controls change, but because the organisation finally understands what it is protecting and why.
