Australia's Cyber Strategy Has Entered Its Next Phase. Has Your Business?
Australia's cyber strategy is no longer just a roadmap.
It's becoming an execution plan.
In June 2026, Minister for Cyber Security Tony Burke announced the Horizon 2 Action Plan, the second phase of the 2023–2030 Australian Cyber Security Strategy. Rather than introducing another vision document, Horizon 2 sets out 19 actions and 64 initiatives, led or co-led by 12 government agencies, designed to lift Australia's cyber maturity through to the end of 2028.
The government has described the plan's intent as building a "human firewall" across the economy, extending focus beyond large organisations and critical infrastructure to small business and everyday staff-targeted threats such as social engineering. Specific initiatives include expanding cyber exercise programs to test preparedness across the supply chains that support government and critical infrastructure.
For many organisations, this might sound like something only government agencies need to follow. In reality, it reflects the direction of Australia's broader cyber ecosystem. Government procurement standards, regulator expectations, insurer requirements, enterprise customer due diligence and supply chain assurance all tend to follow the same trajectory as national cyber resilience expectations. When government raises the bar on cyber maturity, that expectation flows into the private sector through contracts, audits and vendor reviews, whether or not an organisation deals with government directly.
That direction of travel shows up in the numbers too. ASD's Australian Cyber Security Centre (ACSC) responded to 11% more cyber security incidents in FY2024–25 than the year before, official confirmation that the operating environment executives are being asked to explain is continuing to shift, not settling into a steady state.
Executive readiness, defined
Executive readiness is an organisation's ability to demonstrate, explain and govern cybersecurity in a way that supports business decisions, customer assurance, regulatory expectations and organisational resilience.
The question for leadership teams is no longer whether cyber governance matters. It's whether the business is ready for what comes next.
Strategy Is Moving Into Execution
For several years, organisations have invested in policies, controls and technology. Many have achieved certifications. Many have strengthened their technical environments. The official 2023–2030 Australian Cyber Security Strategy document sets out how Horizon 2 shifts that national agenda from planning into execution, useful context for any organisation trying to anticipate where governance expectations are heading next. The emphasis moves from creating cyber strategies to demonstrating measurable progress.
That same shift is happening across the private sector. Enterprise customers expect faster responses to security questionnaires. Supply chains are being examined more closely. AI adoption is creating new governance challenges of its own. Executive teams are expected to understand cyber risk alongside financial and operational risk. Assurance capability is becoming something organisations need to demonstrate continuously.
These two agendas are not really separate. Australia's cyber strategy is moving from a foundations-building phase into one focused on economy-wide execution, at the same time as AI governance is increasingly forming part of that same national policy conversation, reflected in the National AI Plan and the National Framework for the Assurance of AI in Government. For executive teams, the practical effect is that cyber risk and AI risk are increasingly converging into a single governance conversation, rather than two separate ones. That matters because customers, regulators, insurers and suppliers are increasingly asking about them together, not as separate line items.
Horizon 2 is one signal of that broader shift, not the last word on it. As government policy increasingly links cyber and AI governance, executive governance is broadening to reflect that, extending beyond traditional cybersecurity into how an organisation demonstrates control over both. The more useful question for leadership isn't only what government has published. It's what these developments mean in practice for governance, customer assurance and organisational resilience.
Readiness Looks Different From Security
Against that backdrop, a secure organisation is important. A ready organisation is different. Being executive ready means leadership can confidently answer questions such as:
- Could we demonstrate our security posture today?
- Who owns our most significant cyber risks?
- Are compliance activities planned or reactive?
- Do we know where our evidence is?
- Can leadership explain cyber risk in business terms?
Those questions are increasingly asked long before an audit or security incident.
Where Security Assurance Shows Up for Executives
Preparedness is rarely tested in the abstract. It shows up in specific moments, including:
- Responding to a customer security questionnaire
- Renewing cyber insurance
- Preparing a board report on cyber risk
- Completing procurement due diligence as a supplier
- Demonstrating AI governance to a customer or regulator
- Responding to a regulator information request
- Controls and technology are in place
- Certifications have been achieved
- Technical environments are strengthened
- Reporting focuses on technical metrics
- Cybersecurity is primarily owned by IT
- Evidence can be produced on demand
- Risk ownership is clearly defined
- Compliance activity follows a plan, not a deadline
- Leadership explains risk in business terms
- Cyber risk ownership is shared across leadership and the business
Where Organisations Often Fall Behind
Understanding that distinction is one thing. Applying it is another. Many organisations don't struggle because they lack security controls. They struggle because information is fragmented. Evidence sits in different systems. Responsibilities aren't clearly defined. Executive reporting focuses on technical metrics rather than business outcomes.
When an important customer, regulator or board member asks for assurance, teams begin gathering information instead of presenting it. That delay often reveals a governance gap rather than a technology gap.
In many cases, governance already exists on paper: policies, frameworks and committees are all in place. What's missing is embedding that governance into everyday business decision-making. A policy that only surfaces during an annual review isn't governance. It's documentation.
The Opportunity for Leadership
Closing those gaps isn't only a compliance exercise: it's where the opportunity lies. Horizon 2 isn't simply another government initiative. It reflects the direction organisations are already experiencing. Rather than reacting to each new requirement, businesses that adapt early build a repeatable way of demonstrating preparedness.
Who Horizon 2 Actually Affects
Horizon 2 is a government strategy, but its effects reach well beyond government. Here's how it tends to land across different types of organisations.
Executive Preparedness Starts With Visibility
Before investing in another framework, another tool or another compliance project, leadership should understand where the organisation stands today. Not from a technical perspective. From a business perspective.
Can your executive team confidently answer the questions that customers, boards and regulators are increasingly asking? If not, the first step is understanding where the gaps exist.
Conclusion
Cybersecurity expectations continue to evolve. Australia's Horizon 2 Action Plan is another reminder that organisations are moving into a period where execution, visibility and preparedness matter as much as strategy.
The organisations that adapt earliest are unlikely to be those with the most technology. They are more likely to be the ones whose leadership can demonstrate preparedness with confidence.
None of this means every organisation needs to implement new controls immediately. What Horizon 2 highlights is the value of understanding current governance maturity first. The Executive Business Readiness Scorecard offers a practical starting point for that conversation.
Horizon 2 moves the national strategy from planning into execution.
The same shift is already happening inside your customers, insurers and regulators.
Increasingly, organisations are expected to demonstrate preparedness throughout the year, not only at scheduled audits.
How Executive Ready Is Your Organisation?
Assess Your Readiness Across Governance, Assurance and Compliance
The Executive Business Readiness Scorecard helps leadership teams assess their readiness across governance, customer assurance, compliance planning, AI oversight and business resilience. Whether you're preparing for your next board meeting, responding to a customer security questionnaire or planning future compliance initiatives, it provides a practical starting point for understanding where your organisation stands.
Take the Executive Business Readiness Scorecard →📂 Browse our blog for more insights on cybersecurity, AI governance, and data protection.