09 June 2026
Security frameworks and risk management help organisations navigate a complex world. They provide structure, establish common language and reduce overwhelming problems into manageable pieces. The Australian Cyber Security Centre’s Essential Eight, ISO 27001 and the Information Security Manual (ISM) all serve this purpose. They help organisations make sense of cybersecurity. Yet every framework carries an inherent danger. A framework is a model of reality, not reality itself. The map is not the territory.
Robert Pirsig explored this idea in Lila. In one passage, Phaedrus enters Cleveland Harbour and struggles to reconcile what he sees with what he expects to see. His mental model of the harbour does not align with the harbour itself. The more he relies on the model, the more confusing the situation becomes. The harbour has not changed. His understanding of it has. The episode highlights a simple but important truth: abstractions help us understand reality, but they can also blind us to it.
Describing attributes is not describing reality
Organisations encounter the same challenge every day. Risk registers, dashboards, policies, frameworks and maturity models all describe aspects of reality. They help decision-makers understand complex environments and prioritise action. However, these tools can also create a subtle illusion. The abstraction begins to feel more tangible than the thing it represents.
Cybersecurity provides countless examples. Boards review dashboards filled with green indicators. Auditors confirm that required controls exist. Security teams report progress against framework objectives and maturity targets. Every report suggests that the organisation understands its risks and manages them effectively. Yet attackers do not target dashboards, maturity scores or policy documents. They target systems, people, data and weaknesses that exist in the real world.
This distinction matters because organisations naturally gravitate towards things they can measure. We count patched systems, completed training sessions, documented policies and implemented controls. We track maturity levels and compliance outcomes. These activities matter, but they remain indicators rather than outcomes. An organisation can achieve impressive scores against a framework while still leaving critical business assets exposed.
Good security needs to be both supple and powerful
The Essential Eight demonstrates both the value and the limitations of security frameworks. Its controls address common attack techniques and give organisations practical guidance towards a sound security baseline. Application control, patching, multifactor authentication and backups all contribute to stronger security outcomes. However, the framework cannot identify which systems would cause the greatest harm if compromised. It cannot determine which business processes deserve the highest level of protection. It cannot reveal where years of operational shortcuts have quietly accumulated risk.
The same observation applies to ISO 27001 and the ISM. Both frameworks provide valuable structure and encourage disciplined thinking. Both help organisations improve their security posture. Neither replaces the judgement required to understand a specific organisation’s people, systems, processes and objectives. A framework helps you put muscle into your security posture, but applied rigidly it can also make that posture brittle and drive people to seek workarounds.
Match the controls with the risk
In our own reviews of organisations, we rarely encounter businesses that have completely ignored recognised frameworks. More commonly, we encounter organisations that have implemented controls diligently but have never stepped back to examine whether those controls align with their most significant risks. Security teams often know their Essential Eight maturity level in great detail. They sometimes struggle to identify their most critical information assets, the threats most likely to affect them or the business consequences of a successful compromise.
This is where the distinction between compliance and security becomes important. Compliance demonstrates that an organisation has performed certain activities. Security requires an organisation to understand what it values, who might threaten it and how it can reduce meaningful risk. The two overlap significantly, but they are not identical.
The organisations that gain the greatest value from security frameworks treat them as the beginning of a conversation rather than the end of one. They use frameworks to understand their environment, then apply experience, analysis and independent review to determine whether they are protecting what matters most. That combination lets them compare framework results against business realities, challenge assumptions and see beyond the dashboard.
The Essential Eight, ISO 27001 and the Information Security Manual remain valuable tools. Organisations should use them. They should measure themselves against them and use the results to improve. They should simply avoid mistaking them for the landscape they describe.
A map can tell you where you are supposed to be. It often takes an experienced guide to tell you where you actually are.