pentagramadvisory

Executive framing: why this distinction matters now As organisations subject to the Security of Critical Infrastructure Act 2018 (SOCI Act) continue to mature in their implementation of the Critical Infrastructure Risk Management Program (CIRMP), many Boards and executives are now asking a sensible question: “Are we compliant, and what does CIRMP maturity actually tell us?” Yet, before […]

In October – November 2025, I was invited to speak to groups on matters relating to Australia’s Security of Critical Infrastructure Act 2018 (SOCI Act).  I presented to representatives of the Australian superannuation industry, the Victorian transport industry sector, a cyber security conference, a critical infrastructure sector national conference, and a Department of Premier and Cabinet.  For all but

Introduction For many organisations, insider threat feels remote, something that happens elsewhere, under unusual circumstances, involving unusual people. That sense of distance is comforting. It taps into a well-documented psychological tendency in human nature: we assume that rare or uncomfortable risks are more likely to affect others than ourselves. This cognitive bias allows leaders to

A supply chain is only as strong as its weakest known link Australia’s critical infrastructure sectors depend on complex and interlinked supply chains that now sit at the centre of national resilience. This article describes an eight-step framework for risk-based supply chain mapping and categorisation aligned with theSecurity of Critical Infrastructure Act 2018 (SOCI Act) and its

The challenge of identifying critical workers Across Australia’s critical infrastructure sectors, one of the most persistent challenges in implementing the Security of Critical Infrastructure Act 2018 (SOCI) and its subordinate Rules has been identifying and managing critical workers – those individuals whose absence, compromise, or misconduct could disrupt essential services or cause significant harm to the operations of

Despite years of investment in cyber security policies, controls and monitoring, insider threats remain one of the toughest risks to manage.  Firewalls and detection tools can block opportunity, but they cannot eliminate people’s intent.  At the heart of the issue is not just cyber security systems, but people. What drives employee behaviour is often nested in the psychological

Foreign interference: an identified and recognised threat Australia’s intelligence and security community has delivered an unequivocal warning.  In the 2024 Annual Threat Assessment, ASIO Director-General Mike Burgess stated that espionage and foreign interference sit at CERTAIN – the highest level on the scale.  By 2025, ASIO assessed that hostile regimes were increasingly willing to disrupt or destroy critical infrastructure to impede

Prologue Environmental, Social, and Governance (ESG) is now a decisive force in investment and corporate strategy.  The Global Sustainable Investment Review 2022 reported that ESG investing has captured more than US$30 trillion in assets. Setting aside debates about ideology and contemporary drivers, ESG’s practical purpose is to balance risk and return in external investment choices, while