
Introduction
Across Pentagram Advisory’s engagements with critical infrastructure entities nationwide, we have observed a persistent structural imbalance in how security risk is governed and resourced — one that warrants Board-level attention.
Cyber security functions are comparatively established, well resourced, visible and structured. Yet outside cyber, responsibility for the security of critical infrastructure assets is generally fragmented across HR, procurement, operations, security, legal, and risk teams. Ownership is blurred. Accountability is diffuse. Resourcing is thin.
In many organisations, effective implementation of the Security of Critical Infrastructure Act 2018 (SOCI Act) depends not on institutional design, but on the capability and goodwill of a small number of committed individuals. They often operate under vague or non-existent governance.
That model is not sustainable.
As the next cycle of annual Critical Infrastructure Risk Management Program (CIRMP) attestations approaches, Boards and senior executives should pause and ask a more fundamental question:
What assurance underpins our attestation — and is our security risk management model structurally sound?
This is not simply a compliance matter. It is a question of governance, fiduciary oversight and resilience.
The Structural Imbalance: Mature Cyber, Underdeveloped Enterprise Security
It is neither surprising nor problematic that cyber security has matured faster than other hazard domains. Cyber risk is clearly articulated, widely understood and frequently tested by real-world events. The financial and operational consequences of cyber incidents, including business interruption, ransom payments, regulatory scrutiny, reputational damage and increased insurance premiums, are tangible and painful. Clear frameworks exist. Dedicated roles exist. Investment logic is familiar. When risk is visible and consequences are measurable, capital allocation follows.
However, the SOCI framework is an all-hazards regime. It requires risk identification and mitigation across:
- cyber and information security
- personnel security
- supply chain security
- physical and natural hazards.
In practice, many organisations demonstrate a systemic imbalance:
- Cyber teams are comparatively well staffed and well funded.
- Natural and physical security functions are usually present, but generally operate on historical settings rather than a current threat picture.
- Personnel security is underdeveloped.
- Supply chain security is often least developed.
- Protective security expertise, including knowledge of security assessments, is limited or absent.
- CISOs are often treated as default enterprise security leads, even where their mandate is cyber-specific.
- Boards receive detailed cyber metrics but limited visibility across other hazard vectors.
Investment often follows clarity rather than consequence. Controls progress because they are measurable, not necessarily because they are proportionate to assessed threats or derived from an enterprise-wide security view.
Without an integrated security risk assessment across critical assets, organisations risk either:
- underinvesting in areas of material exposure; or
- overinvesting in visible but lower-consequence risks.
Both represent inefficient capital allocation and increase exposure to risk.
Security risk management is not an overhead. It is a capital allocation discipline. When treated as such, it enables deliberate trade-offs rather than reactive spending.
The Foundation: Threat Assessment and Security Risk Assessment
Protective security refers to the policies, procedures, and practices designed to safeguard an organisation’s people, information, and physical assets from harm, theft, or compromise. It encompasses a multi-layered approach to managing risks across governance, personnel, physical, and information security domains.
Threats to an organisation can be placed into two categories: human-based sources of harm and natural (or non-human) sources of harm.
Security risk management begins with understanding threat.
If an organisation has not conducted a structured protective security threat assessment that identifies credible threat sources, their capability and intent, and the plausible attack pathways (the exploitable vulnerabilities) to its assets and operations, then its security initiatives lack a credible foundation.
Threat assessment is not speculative information gathering. It is a disciplined process that:
- establishes the threat context
- identifies natural / non-human sources of harm
- for human-based harms, aligns adversary capability and intent with operational realities
- informs realistic “most consequential” and “most likely” risk scenarios
- feeds directly into enterprise risk analysis.
However, threat assessment at the enterprise level alone is insufficient.
Organisations must then conduct comprehensive security risk assessments across all critical assets, considering:
- all SOCI hazard vectors
- interdependencies and cascading effects
- detection, response and recovery capability
- personnel and supply chain vulnerabilities.
Without this discipline:
- controls are implemented without clarity of purpose
- resource requests appear tactical rather than strategic
- Boards cannot confidently position residual risk against risk appetite.
No Board would manage financial risk without understanding exposure, tolerance and residual position. Security risk management should be treated with the same rigour.
Director Duties and Foreseeable Risk
Foreseeable security risks to critical infrastructure are no longer hypothetical. They are well documented, intelligence informed and nationally acknowledged. The Australian Securities and Investments Commission has emphasised that directors must exercise due care and diligence in relation to foreseeable risks.
Where such risks are not systematically identified, assessed and positioned against risk appetite, it becomes difficult for Boards to demonstrate that they have exercised informed oversight.
Security risk management is not a technical subfunction. It is part of the Board’s duty of care and due diligence to ensure that material risks are understood and managed so far as is reasonably practicable.
Post-incident scrutiny rarely asks whether an organisation was procedurally compliant.
It asks:
- Were foreseeable risks identified?
- Was the Board adequately informed?
- Were reasonable steps taken?
- Was investment proportionate to exposure?
- Is there a record of the decision-making?
Compliance artefacts alone will not answer those questions.
When Security Depends on Goodwill
One of the most concerning patterns across sectors is concentration risk within security functions.
We repeatedly see:
- highly capable individuals carrying disproportionate responsibility
- small teams managing cyber uplift, personnel security, supply chain risk, regulatory reporting, education, business as usual, and incident response simultaneously
- no single senior executive accountable for SOCI implementation across the enterprise
- heavy reliance on personal judgement and informal networks
- a lack of security-specific education and guidance for the people undertaking these tasks.
This creates structural fragility:
- burnout risk
- succession risk
- knowledge concentration risk
- organisational exposure, in both effort and institutional knowledge, if a single individual departs.
If the effective security posture of a critical infrastructure asset shifts materially when one person leaves, that is a governance design flaw — not an individual performance issue.
Protective security cannot depend on dedication alone. It must be embedded in institutional architecture.
SOCI is Not Foreign to the Business
Compliance fatigue is real. Many sectors are heavily regulated.
However, the principles underpinning the SOCI Act are not foreign to business practice.
They reflect established disciplines:
- financial risk management
- safety and workforce duty-of-care frameworks
- business continuity and resilience planning
- insurance and risk transfer logic.
SOCI does not introduce a parallel universe. It requires that security risks to critical assets be treated as enterprise risks.
When security risk is embedded within Enterprise Risk Management:
- it competes for capital allocation transparently
- residual risk is visible to decision-makers
- trade-offs are explicit
- risk appetite becomes meaningful
- decisions are recorded and defensible.
When security risk sits outside Enterprise Risk Management, it is marginalised and under-resourced.
Compliance Fatigue vs Risk Stewardship
The critical distinction is this:
- compliance asks: Do we have the required documentation?
- risk stewardship asks: Are we within tolerance for likely material security risks?
An organisation can comply procedurally and remain substantively exposed.
Where audits focus primarily on artefacts rather than effectiveness, there is a risk of false assurance. Boards may receive comfort from documentation while underlying exposure remains poorly understood.
Reframing the conversation from compliance to enterprise risk stewardship does not increase regulatory burden. It elevates the discussion to its proper governance level.
Enabling Security Leaders to Speak in Board Language
Many protective security leaders understand the risks deeply. What they often lack is structural permission and enterprise language to articulate them.
When security risk is framed solely as compliance, it limits constructive dialogue about:
- residual exposure
- capacity constraints
- investment prioritisation
- trade-offs against risk appetite.
Boards can create psychological permission across the enterprise by explicitly inviting:
- evidence-based security risk reporting
- clear articulation of residual risk
- honest discussion of resourcing gaps
- alignment with the organisation’s risk appetite statement.
When security leaders frame resource needs in terms of movement in residual risk, rather than compliance gaps, the conversation shifts from “cost” to “risk decision”.
This is empowering for middle and senior leaders who are currently overextended and under-resourced.
Practical Governance Actions for Boards
Boards and executives need not create entirely new structures. Often the answer lies in integration and clarity.
Boards should ask:
1. Is executive accountability explicit?
- Is there a named senior executive formally accountable for SOCI implementation?
- Does that role have authority across HR, cyber, procurement, operations and risk functions?
- Is reporting direct to the Board or a relevant Board committee (often the Audit and Risk Committee)?
- Are responsibilities clearly documented and understood across the organisation?
Collective responsibility without explicit accountability creates fragmentation. Effective security risk management requires a clearly identified executive owner with sufficient authority to integrate hazard domains and escalate resource needs where residual risk exceeds tolerance.
2. Is there clear RACI ownership?
Across HR, cyber, procurement, operations and risk:
- Who is Responsible for implementing controls?
- Who is Accountable for outcomes and reporting?
- Who is Consulted in decision-making?
- Who is Informed of risk posture and changes?
Diffuse ownership across functions creates gaps and weakens oversight. Clear RACI ownership ensures that security risk management is coordinated, measurable and defensible — particularly where hazard domains intersect.
3. Is threat assessment structured and current?
- Has the organisation conducted a formal, documented threat assessment?
- Is it informed by credible intelligence and relevant to the organisation’s operational context?
- Is it reviewed periodically and reported to the Audit and Risk Committee or its equivalent?
- Are realistic “most likely” and “most consequential” scenarios tested?
Threat assessment should not be informal or assumption based. Threat assessment provides the foundation for security risk analysis and investment prioritisation. Without a structured and current threat context, risk assessments and control decisions may be misaligned with actual risk exposure.
4. Has a comprehensive security risk assessment been conducted?
- Has the organisation conducted a formal security risk assessment across all SOCI hazard vectors and identified critical assets?
- Is the assessment up-to-date and reflective of the current threat environment?
- Have changes in operations, outsourcing, technology or workforce model been incorporated?
- Are interdependencies and cascading impacts considered?
A security risk assessment should not be a static compliance document. It must be reviewed periodically and refreshed when threat context or operational conditions change. Controls cannot be proportionate if the underlying security risk picture is outdated.
5. Are residual risks positioned against risk appetite?
- Are residual security risks clearly articulated in enterprise risk language?
- Are trade-offs between risk reduction and resource allocation visible to the Board?
- Are security risk acceptance decisions explicit and documented?
- Is residual exposure within the organisation’s approved risk appetite and tolerance?
Risk appetite statements are meaningful only if security risks are positioned against them. Where residual exposure is unclear, acceptance decisions may be implicit rather than deliberate. Boards should ensure that security risk treatment, and any decision to tolerate residual risk, is transparent, informed and aligned with stated appetite.
6. Is resourcing aligned to assessed exposure?
- Is current full-time equivalent (FTE) and capability allocation mapped against assessed security risk exposure?
- Is resourcing balanced across all hazard domains, not only cyber?
- Are single points of failure or concentration security risks identified?
- Have capacity constraints been transparently reported to the Board?
Boards should request a simple comparative view of FTE and capability allocation across hazard domains. Resourcing should follow assessed risk, not historical structure, legacy reporting lines or the visibility of one hazard over another.
The Role of the Security Maturity Assessment
Pentagram’s evidence-based CIRMP Security Maturity Assessment and Evaluation Model can support Boards in this oversight function.
Properly designed and executed, such an assessment:
- tests effectiveness, not just documentation
- examines linkage between threat context, risk assessment and controls
- identifies imbalance across hazard domains
- surfaces governance and resourcing gaps
- translates technical findings into enterprise risk language.
It becomes not a compliance checklist, but a governance instrument — equipping Boards with defensible evidence and enabling security leaders to articulate needs clearly. Further, over time, it creates a record of threat, risk, and decisions that is a resource for reference and clarification.
The upcoming CIRMP Attestation: A Governance Moment
The next CIRMP annual attestation cycle is not merely an administrative deadline. It is an opportunity for Boards to test their assurance.
Before signing the attestation, Boards should ask:
- What evidence underpins our confidence?
- Have we stress-tested our threat assessment?
- Have we conducted a comprehensive security risk assessment?
- Are personnel and supply chain hazards treated with the same rigour as cyber?
- Are we relying on individual goodwill to sustain compliance?
An attestation supported by disciplined security risk management strengthens resilience. An attestation supported only by artefacts may create misplaced comfort.
From Good Intentions to Sustainable Resilience
Critical infrastructure security in Australia should not depend on individual dedication, inherited structures, or compliance artefacts.
It should rest on:
- disciplined threat assessment
- comprehensive security risk assessment
- explicit executive accountability
- integration into enterprise risk management
- clear positioning against risk appetite
- resourcing aligned with exposure.
Conclusion
Security risk management is not a peripheral technical function. It is the mechanism through which organisations protect their most critical assets, their communities, their reputation, and their business.
But for critical infrastructure entities and their Boards, the responsibility extends further. The assets they operate underpin the essential services – water, energy, telecommunications, health, transport and financial systems – that sustain Australia’s economy, social stability, and national security.
Disruption to these assets is not merely a corporate event; it has national security implications.
The SOCI Act reflects this reality. It recognises that the protection of critical infrastructure is fundamental to Australia’s resilience, sovereignty and public trust. Boards overseeing these assets are not only managing operational risk; they are exercising stewardship over infrastructure that millions of Australians depend upon daily.
As Boards prepare for the next CIRMP attestation, this is a governance moment.
It is an opportunity to move beyond compliance fatigue and embrace genuine risk stewardship — ensuring that security risk is clearly understood, deliberately positioned against risk appetite, and resourced proportionately to exposure.
Most importantly, it is a moment to ensure that those tasked with protecting critical infrastructure are supported not by goodwill alone, but by sound governance design, adequate resources, and a shared understanding of risk.
Critical infrastructure resilience is not built on documentation. It is built on disciplined security risk management — aligned to national security expectations and commensurate with the significance of the assets entrusted to organisational care.

