Thinking

Workforce assurance in critical infrastructure series Executive Summary Workforce assurance is now a key national security capability for Australia’s critical infrastructure sectors. As the operating environment becomes more complex, the risks associated with trusted insiders, including employees, contractors and third-party personnel with legitimate access, are increasing. Many organisations continue to rely heavily on the AusCheck

Executive framing: why this distinction matters now As organisations subject to the Security of Critical Infrastructure Act 2018 (SOCI Act) continue to mature in their implementation of the Critical Infrastructure Risk Management Program (CIRMP), many Boards and executives are now asking a sensible question: “Are we compliant, and what does CIRMP maturity actually tell us?” Yet, before

In October – November 2025, I was invited to speak to groups on matters relating to Australia’s Security of Critical Infrastructure Act 2018 (SOCI Act).  I presented to representatives of the Australian superannuation industry, the Victorian transport industry sector, a cyber security conference, a critical infrastructure sector national conference, and a Department of Premier and Cabinet.  For all but

Introduction For many organisations, insider threat feels remote, something that happens elsewhere, under unusual circumstances, involving unusual people. That sense of distance is comforting. It taps into a well-documented psychological tendency in human nature: we assume that rare or uncomfortable risks are more likely to affect others than ourselves. This cognitive bias allows leaders to

A supply chain is only as strong as its weakest known link Australia’s critical infrastructure sectors depend on complex and interlinked supply chains that now sit at the centre of national resilience. This article describes an eight-step framework for risk-based supply chain mapping and categorisation aligned with theSecurity of Critical Infrastructure Act 2018 (SOCI Act) and its

The challenge of identifying critical workers Across Australia’s critical infrastructure sectors, one of the most persistent challenges in implementing the Security of Critical Infrastructure Act 2018 (SOCI) and its subordinate Rules has been identifying and managing critical workers – those individuals whose absence, compromise, or misconduct could disrupt essential services or cause significant harm to the operations of

Despite years of investment in cyber security policies, controls and monitoring, insider threats remain one of the toughest risks to manage.  Firewalls and detection tools can block opportunity, but they cannot eliminate people’s intent.  At the heart of the issue is not just cyber security systems, but people. What drives employee behaviour is often nested in the psychological