Australian universities face an increasingly complex cybersecurity landscape. Obligations under SOCI, the Cyber Security Act 2024, and Essential 8 are stretching ICT teams, and the challenge is structural, not just technical. Decentralised environments, overlapping regulations, controls without clear owners, and reactive audit cycles are problems every institution in this room recognises.

At UWA, a hard government deadline for Essential 8 Maturity Level 1 forced us to confront these challenges directly. Rather than treating compliance as a checkbox exercise, we built a governance model grounded in risk exposure, one designed to outlast the deadline and transfer to any institution, regardless of whether Essential 8 applies to them.

Our model rests on three pillars. First, defining scope honestly: gap analysis, prioritising critical systems, and a formal exemptions framework so teams focus on what actually matters. Second, making accountability stick: distinguishing Asset-Specific controls, where system owners are responsible for their own environment, from Entity-Level controls with a single designated owner university-wide, backed by an executive risk committee and capacity-based remediation plans. Third, centralising results: using Cyber Risk Quantification (CRQ) to identify critical systems, we defined Key Controls aligned to WA Cybersecurity Policy and Essential 8 ML1, assessed twice yearly for both design and operating effectiveness. 

Results feed a single risk register that flags assets outside risk appetite, eliminates duplicated evidence collection, and gives leadership an audit-ready view of risk posture without manual rework.

Every element of this model is designed to be adopted, not just admired.