In Australia’s National Interest - Security of Critical Infrastructure

Author: Pentagram Advisory


Description

What comprises Australia’s national interest, and how does the rise of insider threat activity in Australia’s critical infrastructure connect to Australia’s national interest? I expect this topic was not the first thing on your mind when you woke this morning ready for breakfast and a hot shower. However, the topic is relevant because it is fundamental to you having breakfast, a wash, and getting on with your day. Let me explain.
65 Episodes
Insider risk rarely appears suddenly. In this episode, we explore why behavioural change is often the earliest warning signal — long before systems detect a problem.
Learn how insider risk develops over time, how to recognise subtle behavioural indicators, and how organisations can respond early through human-centric approaches, strong culture, and proportionate action.
Technology detects events. Behaviour reveals trajectories. The earliest signals of insider risk are not hidden in systems — they are visible in people.
🎧 Listen to understand how to recognise these signals earlier — and respond before risk becomes an incident.
Brought to you by Pentagram Advisory. Supporting organisations to strengthen resilience across insider threat, workforce security, and critical infrastructure protection.

This article explores the risks and consequences for Australia stemming from the 2026 war with Iran and the resultant oil supply shock.

Why People Protect the Organisation
What drives people to act in the organisation’s interest — especially when no one is watching?
In this episode, we explore why security is not sustained by controls alone, but by human behaviour. We examine the role of intrinsic motivation, trust, and purpose in shaping security culture, and how these factors influence insider risk.
Drawing on insights from workforce assurance and Trusted Workforce Programs, this discussion highlights how organisations can move beyond compliance to build environments where people choose to act responsibly.
Because ultimately, security depends not just on systems — but on people.
Presented by Pentagram Advisory. Supporting organisations to strengthen security, resilience, and workforce assurance in complex environments.
This podcast reflects insights gained through our work across Australia’s critical infrastructure sector, informed by collaboration with the SOCI community, ongoing research, and engagement with government.

Pentagram Advisory Pty Ltd invites you to watch and/or listen to this recording of our recent article about the risks that war with Iran poses to Australia's critical infrastructure entities.
Whilst critical infrastructure entity attack surfaces span a myriad of threat vectors, including cyber attacks, Pentagram's article focuses on the people component - those people employed within Australia's critical infrastructure entities as possible sources of harm.
Iranian expatriates in Australia are of course especially vulnerable to Iranian government interference, coercion, and espionage. Australia, as a compassionate pluralist society, will see our first instinct be to offer assistance and protection to this group. But we must also appreciate that there is a risk, likely from a very few Iranians, that there could be insider threats, either coerced or volunteering to undertake acts of harm against Australia's critical infrastructure.
We also must appreciate that Khamenei was not just head of the Iran theocracy, but was a global Shia leader and sponsor of terror. On that basis, non-Iranian Shia and anti-Westerners may also be aggrieved by Khamenei's assassination at the beginning of the war, and by the ongoing war. Such people may also be coerced or volunteer to cause harm in Australia.
This is a challenging topic, ripe for rendering by some people as a dog whistle for discrimination based on religious or ethnic affiliation. That can be one way to view this matter. Another way to view discussion about this threat is to admit to the reality that we have evidence of Iranian government acts that have intimidated, and continue to intimidate, Iranian expatriates living in Australia. Further, the Iranian Government has sponsored violence in Australia. And that was before the war!
Do we ignore reality, and the increased likelihood of Iranian Government action against Australia (there are reports of increased cyber attacks from Iranian sources), or do we shy away from known and potential harms to Australia for fear of offending a small group of people? Remember, vanishingly few people will evolve to become pro-Iranian insider threats; more are likely to be coerced to act or volunteer to act. Either way, the harm is the same. To protect Australia's critical infrastructure, a key foundation of Australia's national security, leaders need to understand the reality of the threats we face, and that requires the courage to engage with difficult challenges, as explored in the article.

Insider threats rarely begin with malicious intent — they often emerge gradually as ordinary life pressures create unexpected vulnerabilities around trusted employees.
In this episode, Tim Slattery and Marina Shteinberg from Pentagram Advisory explore the seven risk factors behind insider vulnerability, drawn from the Australian Government Personnel Security Adjudicative Standard within the Protective Security Policy Framework.
Using a realistic workplace scenario, the discussion explains how organisations responsible for critical infrastructure can recognise emerging vulnerabilities early and strengthen Trusted Workforce Programs, insider threat prevention, and workforce assurance.

Across Australia’s critical infrastructure sectors, many organisations are working hard to comply with the Security of Critical Infrastructure Act 2018 (SOCI Act). Cyber security has matured. CIRMP frameworks are in place. Annual attestations are part of governance cycles.
But is security risk truly being governed and resourced proportionately to exposure?
In this episode, Pentagram Advisory explores a recurring structural imbalance in how security risk is integrated into enterprise governance. We examine why compliance alone is not enough, why security risk management must be aligned to risk appetite, and why Boards must treat protective security as a capital allocation discipline — not a technical sub-function.
We discuss:
• The difference between compliance and risk stewardship
• Why threat assessment and security risk assessment must be current
• Governance gaps and fragmented ownership under SOCI
• The risks of under-resourcing outside cyber
• How Boards can ask the right questions before signing their CIRMP attestation
This conversation is designed for Board directors, senior executives, risk professionals, and those responsible for implementing SOCI obligations.
Because protecting critical infrastructure is not just a compliance requirement — it is a matter of national resilience.

How do you strengthen workforce assurance for existing employees — without creating the very insider risk you’re trying to reduce?
In this episode, Pentagram Advisory explores one of the most sensitive challenges facing critical infrastructure organisations: introducing a Trusted Workforce Program into an established workforce.
As regulatory expectations evolve and insider threat becomes more visible, many organisations are expanding screening and personnel security measures. But poorly managed change can disrupt trust, undermine morale, and elevate behavioural risk.
This episode examines:
• Why workforce assurance must be systemic, not episodic
• The difference between background checks and true governance
• How enterprise risk, role risk and individual suitability connect
• Why change can increase insider risk if trust is mishandled
• Practical steps for introducing screening for legacy workforces proportionately
Workforce assurance is not about suspicion or surveillance. It is about governance, proportionality, and sustaining trust over time.
For leaders responsible for security of critical infrastructure, personnel security, insider threat mitigation, or CIRMP obligations, this episode provides practical guidance grounded in risk and organisational psychology.
Because in high-consequence environments, trust is not a one-time decision — it is a system.

Workforce assurance is now a strategic security capability for Australia’s critical infrastructure sectors.
In this episode, we explore how organisations can build defensible workforce assurance for non-citizen offshore applicants whose personal, professional, and behavioural history may sit largely outside Australian systems.
We examine why traditional, point-in-time background checking alone cannot provide sufficient assurance in this context, and why a trusted workforce assurance model must be risk-led, role-based, and supported by layered corroboration and ongoing suitability monitoring.
This discussion is relevant for boards, executives, security, risk, HR, and governance professionals responsible for roles with access to critical systems, data, and operations.
Presented by Tim Slattery and Marina Shteinberg, Pentagram Advisory.

In this final episode of Pentagram Advisory’s three-part Workforce Assurance in Critical Infrastructure series, we explore why trust cannot stop at the point of hiring — and why the highest personnel security risks often emerge long after someone has joined an organisation.
From ongoing suitability and the critical role of reporting, to treating offboarding as a security event and recognising post-employment risk, this episode unpacks how workforce assurance must operate across the entire employment lifecycle. We discuss how organisations can move from clearance to care, and from point-in-time screening to a proportionate, risk-led model of continuous assurance that supports people while protecting critical assets.
If you work in or support Australia’s critical infrastructure sector, this episode offers practical insights into building a Trusted Workforce Program that aligns with CIRMP expectations, the Protective Security Policy Framework, AS 4811:2022, and international good practice — and ultimately strengthens organisational resilience.
Brought to you by Tim Slattery and Marina Shteinberg from Pentagram Advisory.

The Bondi Beach massacre in December 2025 is the most deadly and consequential terrorist attack on Australian soil. That it happened is a national tragedy. That it happened is not a surprise.
Pentagram's podcast explores the possible consequences for Australia's society, for people - be they Muslim, Jew or gentile - and how this might affect people in the workplace, with particular focus on Australia's critical infrastructure workplaces. The article calls for private sector leadership, in the absence of government leadership, and provides approaches that workplace leaders might take to support people in the workplace. The article also talks about actions to manage people who may present aberrant workplace behaviours stemming from the Bondi Beach massacre.

Pre-employment screening in critical infrastructure is often treated as a compliance step — a set of standard checks applied to every role, regardless of the risk it carries. But this approach rarely delivers real security assurance.
In this episode, we explain how organisations can move beyond generic, outsourced background checks and build proportionate, risk-led pre-employment screening in-house, using many of the processes they already have in place. Most organisations are already doing a lot — identity checks, right-to-work verification, referee checks, licence validation, probity declarations. The challenge is not starting from scratch, but organising these activities into a structured, defensible workforce assurance capability.
We unpack the key principles of effective pre-employment screening, including proportionality, relevance, fairness, transparency, and privacy, and show how screening should be driven by role risk and consequence, not by habit or convenience. We also explain why government and outsourced checks, while useful, cannot substitute for an organisation’s own responsibility to understand its specific security risks.
This episode provides practical guidance on how to design tiered, role-based screening models, distinguish between eligibility and suitability, and use risk factors ethically — without stigmatising people or creating unnecessary barriers to employment.
If your organisation is looking to strengthen its approach to workforce assurance under AS 4811:2022, the PSPF, and the SOCI framework, this episode offers clear, implementable ideas you can apply internally — without creating more burden, cost, or complexity.

In this episode, we explore why many critical infrastructure organisations continue to rely on the AusCheck background check as their primary assurance measure — and why that reliance creates a dangerous illusion of safety.
AusCheck provides coordinated, point-in-time background checking that is primarily focused on identifying terrorism-related and criminal risks. It does not provide an understanding of the broader personal security risks that may need to be monitored and managed across the employment lifecycle.
We unpack:
• what AusCheck actually does — and doesn’t do
• why legislative rigidity makes reform slow and complex
• how insider threat now develops over time, not at hiring
• why outsourcing background checks can remove visibility rather than improve it
• why proportionate, risk-led workforce assurance is essential for critical infrastructure
This episode sets the foundation for a three-part series. Next, we will look at practical, proportionate pre-employment screening. Then, we will explore ongoing suitability and managing personnel risk over time.
Boards, executives and risk leaders will find this particularly useful — especially if your organisation still equates “passing a check” with low risk.

Beyond Compliance with the SOCI Act: Why Effective Security Risk Management Matters More Than a ‘Compliant’ CIRMP
A Pentagram Advisory perspective
As organisations across Australia’s critical infrastructure sectors continue to mature under the Security of Critical Infrastructure Act 2018, many Boards and executives are asking a familiar question: Are we compliant?
In this episode, Pentagram Advisory reflects on why compliance alone is not enough — and why a Critical Infrastructure Risk Management Program (CIRMP) that satisfies regulatory requirements may still fail to protect critical assets in practice.
Drawing on Pentagram’s advisory work with SOCI-regulated entities across multiple sectors, the discussion explores the critical distinction between compliance and effectiveness, and why the SOCI Act should be understood as a national security framework, not an administrative checklist.
The episode examines the role of risk appetite and risk tolerance in shaping security risk decisions, the danger of false assurance created by procedural audits and box-ticking, and why genuine confidence comes from understanding how security controls perform under real-world conditions.
It also highlights why SOCI should not be viewed as foreign to good business practice. Many protective security measures already exist within organisations — the challenge is connecting them, governing them effectively, and ensuring they deliver the intended security outcomes.
This conversation is intended for Board members, CEOs, executives, and senior risk and security leaders seeking to move beyond compliance and build genuine confidence in their organisation’s security risk management under the SOCI Act.

In October and November 2025, the heads of Australia’s two most significant strategic intelligence assessment agencies made public their views on the geostrategic threats confronting Australia today. In those remarks, both leaders set out some of the threats and explored some of the consequences that could be inflicted upon Australia, including Australia’s critical infrastructure assets, if action is not taken now to detect, deter, and defend against these threats to Australia’s national security.
Australia has been warned for years by its intelligence agencies, and by its allies, of the threats to our critical infrastructure from threat actors including hostile nation states, organised crime, and issue-motivated groups and individuals. Have Australian governments, private sector entities, or citizens responded in any meaningful way to these warnings, or have we been party to a slow-motion car crash, which we belatedly realise we are in the driver’s seat for?

In this episode, we explore why understanding the whole person is essential to managing insider threats across Australia’s critical infrastructure sectors. Drawing on decades of national security experience, the discussion examines why insider threat remains one of the most complex and misunderstood challenges under the Security of Critical Infrastructure Act 2018 (SOCI Act).
We unpack the behaviours, vulnerabilities and coercive pressures that can turn a trusted insider into a threat, the realities of foreign interference, and the importance of moving beyond simplistic assumptions about ‘rights’ and workplace culture. The episode also highlights why a whole-person approach to personnel security is not only effective, but necessary for organisations seeking to build a trusted workforce.
This episode is based on an article by Tim Slattery, who served 37 years in Australia’s defence, intelligence and national security community before moving into consulting. Tim now co-leads Pentagram Advisory, with a focus on insider threat mitigation and personnel security across government, industry and critical infrastructure.
If you work in protective security, critical infrastructure, risk management or insider threat programs, this episode provides practical insights into one of the most pressing and least understood challenges facing Australia today.

In this episode, we explore one of the most overlooked vulnerabilities in today’s organisations: the way familiarity, comfort and trust can blind leaders to emerging insider-related risks.
Drawing on recent NPSA research and Pentagram Advisory’s insights, we unpack why insider threat often feels “unlikely,” how the psychological contract shapes behaviour long before policies do, and why point-in-time checks provide only the illusion of safety.
We examine the cultural resistance to insider threat programs, the language barriers that shape organisational acceptance, and the leadership blind spots that allow early warning signs to go unnoticed.
Most importantly, we discuss how shifting from blind trust to informed trust can strengthen culture, governance and accountability — and what it takes to build a truly trusted workforce in an evolving threat landscape.
If your organisation is reassessing its people-related risks, workforce suitability, or insider threat maturity, this episode provides a clear, practical lens to recalibrate assumptions and enhance preparedness.

In this episode, we unpack one of the most critical challenges facing Australia’s essential services: understanding and managing the risks hidden within complex supply chains. Modern critical infrastructure depends on long, interconnected, and often opaque networks of suppliers — and under the Security of Critical Infrastructure Act 2018, these dependencies are now a regulated security obligation.
Drawing on Pentagram Advisory’s Eight-Step Risk-Based Supply Chain Mapping and Categorisation Framework, we explore how organisations can move beyond tick-box compliance and build a defensible, intelligence-led approach to supplier assurance.
From governance and threat analysis to mapping, tiering, and continuous monitoring, this episode breaks down each step in practical terms for boards, senior executives, and security practitioners.
You’ll hear how the right framework can transform supplier oversight from a procurement activity into a core protective security function — strengthening resilience, reducing over-reliance, and giving decision-makers a clear line of sight into vulnerabilities across every tier of the supply chain.
Whether you work in energy, water, transport, telecommunications, or any sector covered by the SOCI Act, this episode provides essential insights for building assurance in an increasingly interconnected and risk-exposed environment.
A supply chain is only as strong as the weakest link you can see. Tune in to learn how to make those links visible, verifiable, and secure.

Welcome to another podcast in Pentagram Advisory’s ‘In the National Interest’ series, a series in which we explore geostrategic issues relevant to the security of Australia’s critical infrastructure.
In this episode we will explore the subject of China’s waging of cognitive warfare against Australia and other Western democracies. We will explore the relevance of the threat of cognitive warfare to Australia's critical infrastructure and consider mitigations that critical infrastructure owners and operators may take.

Across Australia’s critical infrastructure sectors, one of the most persistent challenges under the Security of Critical Infrastructure Act 2018 is identifying and managing critical workers — those individuals whose absence, compromise, or misconduct could disrupt essential services.
In this episode, Pentagram Advisory introduces the Seven-Step Critical Worker Identification and Risk Management Framework — a practical, regulator-aligned approach that helps organisations move from compliance to confidence.
Tim and Marina unpack the legislative foundations, share insights from industry engagements, and outline how clear governance, operational mapping, and proportionate assurance measures can transform workforce compliance into lasting capability and assurance.
Whether you are a security or risk professional, HR leader, or executive responsible for essential services, this episode will help you strengthen your organisation’s resilience and meet the intent of the SOCI framework with clarity and purpose.
🔗 For more insights, visit Pentagram Advisory or follow us on LinkedIn.

Why do employees sometimes go above and beyond to protect their organisation — and other times bend rules, ignore policies, or disengage from security altogether?
In this episode, Pentagram Advisory explores the role of the psychological contract — the unwritten expectations of trust and fairness between employer and employee — and how its breakdown fuels insider threats. Drawing on research from the University of Warwick, we unpack why technical controls alone aren’t enough, how to recognise early signs of a breach, and what leaders can do to repair trust before it escalates into a security risk.
For leaders, executives, and practitioners, this is a reminder that the deciding factor in insider threat is rarely opportunity — it is choice. And choice is shaped by trust.