Beyond Compliance With The Security Of Critical Infrastructure Act 2018
2025-12-17 | 11 mins.
Beyond Compliance with the SOCI Act: Why Effective Security Risk Management Matters More Than a ‘Compliant’ CIRMP

A Pentagram Advisory perspective

As organisations across Australia’s critical infrastructure sectors continue to mature under the Security of Critical Infrastructure Act 2018, many Boards and executives are asking a familiar question: Are we compliant?

In this episode, Pentagram Advisory reflects on why compliance alone is not enough — and why a Critical Infrastructure Risk Management Program (CIRMP) that satisfies regulatory requirements may still fail to protect critical assets in practice.

Drawing on Pentagram’s advisory work with SOCI-regulated entities across multiple sectors, the discussion explores the critical distinction between compliance and effectiveness, and why the SOCI Act should be understood as a national security framework, not an administrative checklist.

The episode examines the role of risk appetite and risk tolerance in shaping security risk decisions, the danger of false assurance created by procedural audits and box-ticking, and why genuine confidence comes from understanding how security controls perform under real-world conditions.

It also highlights why SOCI should not be viewed as foreign to good business practice. Many protective security measures already exist within organisations — the challenge is connecting them, governing them effectively, and ensuring they deliver the intended security outcomes.

This conversation is intended for Board members, CEOs, executives, and senior risk and security leaders seeking to move beyond compliance and build genuine confidence in their organisation’s security risk management under the SOCI Act.

National Security Threats Impacting Australia’s Critical Infrastructure Assets: Slow Motion Car Crash?
2025-12-17 | 17 mins.
In October and November 2025, the heads of Australia’s two most significant strategic intelligence assessment agencies made public their views on the geostrategic threats confronting Australia today. In those remarks, both leaders set out some of the threats and explored some of the consequences that could be inflicted upon Australia, including Australia’s critical infrastructure assets, if action is not taken now to detect, deter, and defend against these threats to Australia’s national security.

Australia has been warned for years by its intelligence agencies, and by its allies, of the threats to our critical infrastructure from threat actors including hostile nation states, organised crime, and issue-motivated groups and individuals. Have Australian governments, private sector entities, or citizens responded in any meaningful way to these warnings, or have we been party to a slow-motion car crash, which we belatedly realise we are in the driver’s seat for?

Insider Threat – Looking at the ‘Whole Person’
2025-11-24 | 10 mins.
In this episode, we explore why understanding the whole person is essential to managing insider threats across Australia’s critical infrastructure sectors. Drawing on decades of national security experience, the discussion examines why insider threat remains one of the most complex and misunderstood challenges under the Security of Critical Infrastructure Act 2018 (SOCI Act).

We unpack the behaviours, vulnerabilities and coercive pressures that can turn a trusted insider into a threat, the realities of foreign interference, and the importance of moving beyond simplistic assumptions about ‘rights’ and workplace culture. The episode also highlights why a whole-person approach to personnel security is not only effective, but necessary for organisations seeking to build a trusted workforce.

This episode is based on an article by Tim Slattery, who served 37 years in Australia’s defence, intelligence and national security community before moving into consulting. Tim now co-leads Pentagram Advisory, with a focus on insider threat mitigation and personnel security across government, industry and critical infrastructure.

If you work in protective security, critical infrastructure, risk management or insider threat programs, this episode provides practical insights into one of the most pressing and least understood challenges facing Australia today.

When familiarity creates blindness: Rethinking insider threat, leadership influence and the future of trusted workforces
2025-11-19 | 15 mins.
In this episode, we explore one of the most overlooked vulnerabilities in today’s organisations: the way familiarity, comfort and trust can blind leaders to emerging insider-related risks.

Drawing on recent NPSA research and Pentagram Advisory’s insights, we unpack why insider threat often feels “unlikely,” how the psychological contract shapes behaviour long before policies do, and why point-in-time checks provide only the illusion of safety.

We examine the cultural resistance to insider threat programs, the language barriers that shape organisational acceptance, and the leadership blind spots that allow early warning signs to go unnoticed.

Most importantly, we discuss how shifting from blind trust to informed trust can strengthen culture, governance and accountability — and what it takes to build a truly trusted workforce in an evolving threat landscape.

If your organisation is reassessing its people-related risks, workforce suitability, or insider threat maturity, this episode provides a clear, practical lens to recalibrate assumptions and enhance preparedness.

Building Assurance: A Framework for Risk-Based Supply Chain Mapping and Categorisation
2025-11-14 | 17 mins.
In this episode, we unpack one of the most critical challenges facing Australia’s essential services: understanding and managing the risks hidden within complex supply chains. Modern critical infrastructure depends on long, interconnected, and often opaque networks of suppliers — and under the Security of Critical Infrastructure Act 2018, these dependencies are now a regulated security obligation.

Drawing on Pentagram Advisory’s Eight-Step Risk-Based Supply Chain Mapping and Categorisation Framework, we explore how organisations can move beyond tick-box compliance and build a defensible, intelligence-led approach to supplier assurance.

From governance and threat analysis to mapping, tiering, and continuous monitoring, this episode breaks down each step in practical terms for boards, senior executives, and security practitioners.

You’ll hear how the right framework can transform supplier oversight from a procurement activity into a core protective security function — strengthening resilience, reducing over-reliance, and giving decision-makers a clear line of sight into vulnerabilities across every tier of the supply chain.

Whether you work in energy, water, transport, telecommunications, or any sector covered by the SOCI Act, this episode provides essential insights for building assurance in an increasingly interconnected and risk-exposed environment.

A supply chain is only as strong as the weakest link you can see. Tune in to learn how to make those links visible, verifiable, and secure.

In Australia’s National Interest - Security of Critical Infrastructure