In Australia’s National Interest - Security of Critical Infrastructure

Pentagram Advisory

What comprises Australia’s national interest, and how does the rise of insider threat activity in Australia’s critical infrastructure connect to Australia’s national interest? I expect this topic was not the first thing on your mind when you woke this morning ready for breakfast and a hot shower, however the topic is relevant because it is fundamental to you having breakfast, a wash, and getting on with you day. Let me explain.

  1. MAR 2

    Under-Resourced and Over-Exposed: Why Boards Must Rethink Security Governance under the Security of Critical Infrastructure Act 2018

    Across Australia’s critical infrastructure sectors, many organisations are working hard to comply with the Security of Critical Infrastructure Act 2018 (SOCI Act). Cyber security has matured. CIRMP frameworks are in place. Annual attestations are part of governance cycles. But is security risk truly being governed and resourced proportionately to exposure? In this episode, Pentagram Advisory explores a recurring structural imbalance in how security risk is integrated into enterprise governance. We examine why compliance alone is not enough, why security risk management must be aligned to risk appetite, and why Boards must treat protective security as a capital allocation discipline — not a technical sub-function. We discuss: The difference between compliance and risk stewardship Why threat assessment and security risk assessment must be current Governance gaps and fragmented ownership under SOCI The risks of under-resourcing outside cyber How Boards can ask the right questions before signing their CIRMP attestation This conversation is designed for Board directors, senior executives, risk professionals, and those responsible for implementing SOCI obligations. Because protecting critical infrastructure is not just a compliance requirement — it is a matter of national resilience.

    22 min

  2. FEB 13

    How to Introduce Workforce Assurance for Existing Workers without Increasing Insider Risk

    How do you strengthen workforce assurance for existing employees — without creating the very insider risk you’re trying to reduce? In this episode, Pentagram Advisory explores one of the most sensitive challenges facing critical infrastructure organisations: introducing a Trusted Workforce Program into an established workforce. As regulatory expectations evolve and insider threat becomes more visible, many organisations are expanding screening and personnel security measures. But poorly managed change can disrupt trust, undermine morale, and elevate behavioural risk. This episode examines: • Why workforce assurance must be systemic, not episodic• The difference between background checks and true governance• How enterprise risk, role risk and individual suitability connect• Why change can increase insider risk if trust is mishandled• Practical steps for introducing screening for legacy workforces proportionately Workforce assurance is not about suspicion or surveillance. It is about governance, proportionality, and sustaining trust over time. For leaders responsible for security of critical infrastructure, personnel security, insider threat mitigation, or CIRMP obligations, this episode provides practical guidance grounded in risk and organisational psychology. Because in high-consequence environments, trust is not a one-time decision — it is a system.

    15 min

  3. FEB 2

    Trusted Workforce Assurance In Australia For Non-Citizen Offshore Applicants In Critical Infrastructure Sectors

    Workforce assurance is now a strategic security capability for Australia’s critical infrastructure sectors. In this episode, we explore how organisations can build defensible workforce assurance for non-citizen offshore applicants whose personal, professional, and behavioural history may sit largely outside Australian systems. We examine why traditional, point-in-time background checking alone cannot provide sufficient assurance in this context, and why a trusted workforce assurance model must be risk-led, role-based, and supported by layered corroboration and ongoing suitability monitoring. This discussion is relevant for boards, executives, security, risk, HR, and governance professionals responsible for roles with access to critical systems, data, and operations. Presented by Tim Slattery and Marina Shteinberg, Pentagram Advisory.

    16 min

  4. JAN 26

    From Entry to Exit: Why Workforce Assurance must be Continuous

    In this final episode of Pentagram Advisory’s three-part Workforce Assurance in Critical Infrastructure series, we explore why trust cannot stop at the point of hiring — and why the highest personnel security risks often emerge long after someone has joined an organisation.  From ongoing suitability and the critical role of reporting, to treating offboarding as a security event and recognising post-employment risk, this episode unpacks how workforce assurance must operate across the entire employment lifecycle. We discuss how organisations can move from clearance to care, and from point-in-time screening to a proportionate, risk-led model of continuous assurance that supports people while protecting critical assets.  If you work in or support Australia’s critical infrastructure sector, this episode offers practical insights into building a Trusted Workforce Program that aligns with CIRMP expectations, the Protective Security Policy Framework, AS 4811:2022, and international good practice — and ultimately strengthens organisational resilience.  Brought to you by Tim Slattery and Marina Shteinberg from Pentagram Advisory.

    25 min

  5. JAN 19

    In the National Interest – Leadership required to protect Australia’s critical infrastructure and its workforce from extremism in the wake of the Bondi attack

    The Bondi Beach massacre in December 2025 is the most deadly and consequential terrorist attack on Australian soil. That it happened is a national tragedy. That it happened is not a surprise. Pentagram's podcast explores the possible consequences for Australia's society, for people - be they Muslim, Jew or gentile - and how this might affect people in the workplace, with particular focus on Australia's critical infrastructure workplaces. The article calls for private sector leadership, in the absence of government leadership, and provides approaches that workplace leaders might take to support people in the workplace. The article also talks about actions to manage people who may present aberrant workplace behaviours stemming from the Bondi Beach massacre.

    20 min

  6. JAN 12

    Rethinking Pre-Employment Screening: Building Proportionate, Risk-Led Workforce Assurance

    Pre-employment screening in critical infrastructure is often treated as a compliance step — a set of standard checks applied to every role, regardless of the risk it carries. But this approach rarely delivers real security assurance. In this episode, we explain how organisations can move beyond generic, outsourced background checks and build proportionate, risk-led pre-employment screening in-house, using many of the processes they already have in place. Most organisations are already doing a lot — identity checks, right-to-work verification, referee checks, licence validation, probity declarations. The challenge is not starting from scratch, but organising these activities into a structured, defensible workforce assurance capability. We unpack the key principles of effective pre-employment screening, including proportionality, relevance, fairness, transparency, and privacy, and show how screening should be driven by role risk and consequence, not by habit or convenience. We also explain why government and outsourced checks, while useful, cannot substitute for an organisation’s own responsibility to understand its specific security risks. This episode provides practical guidance on how to design tiered, role-based screening models, distinguish between eligibility and suitability, and use risk factors ethically — without stigmatising people or creating unnecessary barriers to employment. If your organisation is looking to strengthen its approach to workforce assurance under AS 4811:2022, the PSPF, and the SOCI framework, this episode offers clear, implementable ideas you can apply internally — without creating more burden, cost, or complexity.

    29 min

  7. JAN 5

    Why the AusCheck background check is not enough — moving towards proportionate, risk-led workforce assurance

    In this episode, we explore why many critical infrastructure organisations continue to rely on the AusCheck background check as their primary assurance measure — and why that reliance creates a dangerous illusion of safety. AusCheck provides coordinated, point-in-time background checking that is primarily focused on identifying terrorism-related and criminal risks. It does not provide an understanding of the broader personal security risks that may need to be monitored and managed across the employment lifecycle. We unpack: • what AusCheck actually does — and doesn’t do• why legislative rigidity makes reform slow and complex• how insider threat now develops over time, not at hiring• why outsourcing background checks can remove visibility rather than improve it• why proportionate, risk-led workforce assurance is essential for critical infrastructure This episode sets the foundation for a three-part series. Next, we will look at practical, proportionate pre-employment screening. Then, we will explore ongoing suitability and managing personnel risk over time. Boards, executives and risk leaders will find this particularly useful — especially if your organisation still equates “passing a check” with low risk.

    33 min

  8. 12/17/2025

    Beyond Compliance With The Security Of Critical Infrastructure Act 2018

    Beyond Compliance with the SOCI Act: Why Effective Security Risk Management Matters More Than a ‘Compliant’ CIRMPA Pentagram Advisory perspective As organisations across Australia’s critical infrastructure sectors continue to mature under the Security of Critical Infrastructure Act 2018, many Boards and executives are asking a familiar question: Are we compliant? In this episode, Pentagram Advisory reflects on why compliance alone is not enough — and why a Critical Infrastructure Risk Management Program (CIRMP) that satisfies regulatory requirements may still fail to protect critical assets in practice. Drawing on Pentagram’s advisory work with SOCI-regulated entities across multiple sectors, the discussion explores the critical distinction between compliance and effectiveness, and why the SOCI Act should be understood as a national security framework, not an administrative checklist. The episode examines the role of risk appetite and risk tolerance in shaping security risk decisions, the danger of false assurance created by procedural audits and box-ticking, and why genuine confidence comes from understanding how security controls perform under real-world conditions. It also highlights why SOCI should not be viewed as foreign to good business practice. Many protective security measures already exist within organisations — the challenge is connecting them, governing them effectively, and ensuring they deliver the intended security outcomes. This conversation is intended for Board members, CEOs, executives, and senior risk and security leaders seeking to move beyond compliance and build genuine confidence in their organisation’s security risk management under the SOCI Act.

    11 min
See All (60)

About

What comprises Australia’s national interest, and how does the rise of insider threat activity in Australia’s critical infrastructure connect to Australia’s national interest? I expect this topic was not the first thing on your mind when you woke this morning ready for breakfast and a hot shower, however the topic is relevant because it is fundamental to you having breakfast, a wash, and getting on with you day. Let me explain.

Information