salam@localhost · ~/salamkhan.au
2026-06-04

Start with the basics. Australia's 6 Cyber Security Principles.

In delivery, the big problems almost always trace back to skipped basics. Cyber security is no different. I keep coming back to Australia's six cyber security principles, so here they are in plain English.

There is something my many years in Delivery and Coaching taught me, and it has stuck with me more than any framework or certification.

Even mature-looking organisations and teams, the ones that look like they have everything sorted, do not just forget the basics; they practise anti-patterns on a daily basis. And because everyone around them does the same, it slowly becomes the new normal. Nobody flags it, because it all looks normal.

Then the problems grow too big to ignore, someone finally runs a root cause analysis, and almost every time it traces back to the same place: corrupted foundational practices. The basics that were skipped, bent, or never properly understood in the first place.

That is why, whenever I pick up something new, I go to the theoretical roots and basics first, before I touch the clever stuff. It is slower at the start, and that is okay; it pays off in the long run.

Cyber security is no different. Before the tools, the frameworks and the audits, there are a few basics that everything else rests on. I have read plenty of articles and books and watched plenty of videos, and I still keep coming back to these six, the Cyber Security Principles written by Australia's cyber agency, the Australian Signals Directorate, through its cyber arm, the Australian Cyber Security Centre (ACSC).

So if you are learning cyber security today, or working to make your organisation cyber-safe, start here.

Australia's six cyber security principles on one navy panel. A 2 by 3 grid of six cards: 1 Govern, develop and maintain a strong and resilient cyber security culture; 2 Identify, identify assets and associated security risks; 3 Protect, implement and maintain controls to manage security risks; 4 Detect, detect and analyse cyber security events to identify cyber security incidents; 5 Respond, respond to cyber security incidents; 6 Recover, resume normal business operations following cyber security incidents. Sourced to the Australian Signals Directorate, cyber.gov.au.

The six principles in one view. The one-line wording is the Australian Signals Directorate's. The panel is mine.

What the principles actually are

The principles are not a list of products to buy. They are the shape of the whole thing. In the ASD's own words, their purpose is to provide strategic guidance on how an organisation can protect its systems and data from cyber threats.

There are six, and they read as a cycle. They start with the culture at the top, move through knowing what you have and protecting it, then into spotting trouble, dealing with it, and getting back on your feet. Govern, Identify, Protect, Detect, Respond, Recover. Let me walk through them in plain English.

The six principles, in plain English

1. Govern. Develop and maintain a strong and resilient cyber security culture.

Security starts as a leadership and culture question, not a tools question. Someone at the top has to own it, the risks have to be visible to the people making decisions, and it has to be treated as part of running the business, not a side task someone gets to when there is time.

2. Identify. Identify assets and associated security risks.

You cannot protect what you do not know you have. This is about knowing your systems and your data, knowing what they are worth, and being honest about where the risks sit. Most organisations are surprised by how much they actually own, and how little of it is written down.

3. Protect. Implement and maintain controls to manage security risks.

This is the part most people picture when they hear the word security. Patch your software, turn on multi-factor authentication, give people only the access they need, encrypt and back up your data, and train your team. The word that does the work here is maintain. Controls that were set up once and never looked at again quietly stop working.

4. Detect. Detect and analyse cyber security events to identify cyber security incidents.

You have to be able to see when something is wrong. That means collecting logs, watching for unusual activity, and knowing the difference between background noise and a real incident. You cannot respond to something you never noticed.
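The Detect principle turns on one judgement: which of the events in your logs are background noise and which add up to a real incident. The script below is an added example of that judgement in code; it is not from the post or from the ASD. It assumes an sshd-style authentication log, a five-minute window and a threshold of five failures (both tuning values are my assumptions), and the log lines are constructed for the example. One mistyped password that is followed by a successful login is noise; a burst of failures is worth a look; a burst of failures followed by a success from the same source is treated as an incident.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not real logs): alice mistypes a password once and
# then gets in (noise); 203.0.113.5 walks through several accounts and finally
# succeeds (incident); 198.51.100.9 fails repeatedly and never succeeds
# (suspicious: worth a look, but not a confirmed compromise).
SAMPLE_LOG = """\
2026-06-04T09:00:01 sshd: Failed password for alice from 10.0.0.7
2026-06-04T09:00:09 sshd: Accepted password for alice from 10.0.0.7
2026-06-04T09:10:00 sshd: Failed password for root from 203.0.113.5
2026-06-04T09:10:02 sshd: Failed password for admin from 203.0.113.5
2026-06-04T09:10:04 sshd: Failed password for bob from 203.0.113.5
2026-06-04T09:10:06 sshd: Failed password for bob from 203.0.113.5
2026-06-04T09:10:08 sshd: Failed password for carol from 203.0.113.5
2026-06-04T09:10:11 sshd: Accepted password for carol from 203.0.113.5
2026-06-04T09:20:00 sshd: Failed password for root from 198.51.100.9
2026-06-04T09:20:03 sshd: Failed password for root from 198.51.100.9
2026-06-04T09:20:06 sshd: Failed password for root from 198.51.100.9
2026-06-04T09:20:09 sshd: Failed password for root from 198.51.100.9
2026-06-04T09:20:12 sshd: Failed password for root from 198.51.100.9
2026-06-04T09:20:15 sshd: Failed password for root from 198.51.100.9
"""

# Assumed line format; real sshd output varies by distribution and version.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<outcome>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+)$"
)

WINDOW = timedelta(minutes=5)  # assumed tuning value
THRESHOLD = 5                  # assumed tuning value


def parse(log_text):
    """Turn raw lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        events.append({
            "ts": datetime.fromisoformat(match["ts"]),
            "outcome": match["outcome"],
            "user": match["user"],
            "src": match["src"],
        })
    return events


def classify(events, window=WINDOW, threshold=THRESHOLD):
    """Return {source: verdict} with verdict in {'noise', 'suspicious', 'incident'}."""
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_src[ev["src"]].append(ev)

    verdicts = {}
    for src, evs in by_src.items():
        verdict = "noise"
        failures = []  # timestamps of recent failures from this source
        for ev in evs:
            # Keep only failures still inside the sliding window.
            failures = [t for t in failures if ev["ts"] - t <= window]
            if ev["outcome"] == "Failed":
                failures.append(ev["ts"])
                if len(failures) >= threshold:
                    verdict = "suspicious"  # a burst, but no sign it worked
            elif len(failures) >= threshold:
                # A success right after a burst of failures: guessing that
                # worked, not a user who mistyped a password.
                verdict = "incident"
                break
        verdicts[src] = verdict
    return verdicts


if __name__ == "__main__":
    for src, verdict in classify(parse(SAMPLE_LOG)).items():
        print(f"{src:>14}  {verdict}")
```

The two tuning values are where the "noise versus incident" judgement actually lives: set the threshold too low and every forgotten password pages someone, set it too high and the walk through the accounts above never reaches anyone. Whatever the values, the rule that separates the middle case from the last one is the success after the burst.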

5. Respond. Respond to cyber security incidents.

When something does happen, and at some point it will, you want a plan you wrote on a calm day, not in the middle of the bad one. Contain it, sort it out, report it where you are required to, and capture what went wrong so it is not a mystery next time.

6. Recover. Resume normal business operations following cyber security incidents.

Getting back to normal is its own piece of work. Backups you have actually tested, a clear order for bringing systems back online, and a steady path back to business as usual. The goal is to get the organisation running properly again, and to be better prepared for the next one.
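"Backups you have actually tested" is the part of Recover most often left as a promise. The script below is an added example of what a restore test looks like; it is not from the post or from the ASD. It assumes files are backed up into a gzip tar archive with a SHA-256 manifest recorded at backup time, and it proves the backup by restoring into a scratch directory and comparing every file against that manifest. The sample files and the two kinds of damage are constructed for the example.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path):
    """Hash one file in chunks so large backups do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_manifest(root):
    """Map each file's path (relative to root, POSIX style) to its SHA-256 hash."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def backup(src_dir, archive_path):
    """Write a gzip tar of src_dir and return the manifest taken at backup time."""
    src_dir = Path(src_dir)
    manifest = make_manifest(src_dir)
    with tarfile.open(archive_path, "w:gz") as tar:
        for rel in manifest:
            tar.add(src_dir / rel, arcname=rel)
    return manifest


def restore_test(archive_path, manifest):
    """Restore into a scratch directory and check every file against the manifest."""
    # Use the 'data' extraction filter where this Python supports it; it refuses
    # archive members that would write outside the destination directory.
    extract_opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive_path, "r:gz") as tar:
            tar.extractall(scratch, **extract_opts)
        restored = make_manifest(scratch)
    missing = sorted(k for k in manifest if k not in restored)
    corrupted = sorted(
        k for k in manifest if k in restored and restored[k] != manifest[k]
    )
    return {"ok": not missing and not corrupted,
            "missing": missing, "corrupted": corrupted}


def demo(damage=None):
    """Constructed sample: two files backed up, then restore-tested.

    damage="corrupt" rewrites the archive with a changed file after the
    manifest was taken; damage="drop" rewrites it with a file left out.
    Both are the kind of silent failure an untested backup hides.
    """
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "data"
        (src / "config").mkdir(parents=True)
        (src / "config" / "app.yaml").write_text("listen: 127.0.0.1:8080\n")
        (src / "notes.txt").write_text("constructed sample file\n")
        archive = Path(work) / "backup.tar.gz"
        manifest = backup(src, archive)
        if damage == "corrupt":
            (src / "config" / "app.yaml").write_text("listen: 0.0.0.0:8080\n")
            backup(src, archive)
        elif damage == "drop":
            (src / "notes.txt").unlink()
            backup(src, archive)
        return restore_test(archive, manifest)


if __name__ == "__main__":
    for case in (None, "corrupt", "drop"):
        print(f"{str(case):>8}: {demo(case)}")
```

The point of the manifest is that it is taken from the live files, not from the archive, so a backup job that quietly wrote the wrong thing (or nothing) is caught by the restore, which is the only test that counts. The same restore routine, pointed at a real archive and the manifest saved beside it, is what "tested" should mean on the calm day before it is needed.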

The short version

If you want the six on a single swipe, I have put them into a simple slider, one principle per page, plain English, no jargon. The foundations the rest of it sits on, pitched at anyone getting into this, or any small business owner who wants the gist without wading through a manual. It is attached on the LinkedIn version of this post.

Where I am with this

I am not a career cyber person, and I am not going to pretend these six are the whole of cyber security. They are the foundation. Going back to them is the same move I learned in delivery. If the foundations are sound, everything you build on top has a chance. If they are not, no amount of clever tooling saves you later.

If you work in this space, I would love your read on it. Which of these six do you see organisations get wrong the most? And for anyone learning this alongside me, what helped the basics actually stick?

P.S. The principles come straight from the Australian Signals Directorate. You can read them in full on the ACSC site at cyber.gov.au, in the Information Security Manual, under the cyber security principles. The one-line wording for each principle is theirs. The plain-English notes underneath are mine.

tags: #Cybersecurity #ACSC #ASD #GRC #SOCI