In Australia’s National Interest - Security of Critical Infrastructure

Insider threats rarely begin with malicious intent — they often emerge gradually as ordinary life pressures create unexpected vulnerabilities around trusted employees.
In this episode, Tim Slattery and Marina Shteinberg from Pentagram Advisory explore the seven risk factors behind insider vulnerability, drawn from the Australian Government Personnel Security Adjudicative Standard within the Protective Security Policy Framework.
Using a realistic workplace scenario, the discussion explains how organisations responsible for critical infrastructure can recognise emerging vulnerabilities early and strengthen Trusted Workforce Programs, insider threat prevention, and workforce assurance.

Across Australia’s critical infrastructure sectors, many organisations are working hard to comply with the Security of Critical Infrastructure Act 2018 (SOCI Act). Cyber security has matured. CIRMP frameworks are in place. Annual attestations are part of governance cycles.
But is security risk truly being governed and resourced proportionately to exposure?
In this episode, Pentagram Advisory explores a recurring structural imbalance in how security risk is integrated into enterprise governance. We examine why compliance alone is not enough, why security risk management must be aligned to risk appetite, and why Boards must treat protective security as a capital allocation discipline — not a technical sub-function.
We discuss:
The difference between compliance and risk stewardship

Why threat assessment and security risk assessment must be current

Governance gaps and fragmented ownership under SOCI

The risks of under-resourcing outside cyber

How Boards can ask the right questions before signing their CIRMP attestation

This conversation is designed for Board directors, senior executives, risk professionals, and those responsible for implementing SOCI obligations.
Because protecting critical infrastructure is not just a compliance requirement — it is a matter of national resilience.

How do you strengthen workforce assurance for existing employees — without creating the very insider risk you’re trying to reduce?
In this episode, Pentagram Advisory explores one of the most sensitive challenges facing critical infrastructure organisations: introducing a Trusted Workforce Program into an established workforce.
As regulatory expectations evolve and insider threat becomes more visible, many organisations are expanding screening and personnel security measures. But poorly managed change can disrupt trust, undermine morale, and elevate behavioural risk.
This episode examines:
• Why workforce assurance must be systemic, not episodic
• The difference between background checks and true governance
• How enterprise risk, role risk and individual suitability connect
• Why change can increase insider risk if trust is mishandled
• Practical steps for introducing screening for legacy workforces proportionately
Workforce assurance is not about suspicion or surveillance. It is about governance, proportionality, and sustaining trust over time.
For leaders responsible for security of critical infrastructure, personnel security, insider threat mitigation, or CIRMP obligations, this episode provides practical guidance grounded in risk and organisational psychology.
Because in high-consequence environments, trust is not a one-time decision — it is a system.

Workforce assurance is now a strategic security capability for Australia’s critical infrastructure sectors.
In this episode, we explore how organisations can build defensible workforce assurance for non-citizen offshore applicants whose personal, professional, and behavioural history may sit largely outside Australian systems.
We examine why traditional, point-in-time background checking alone cannot provide sufficient assurance in this context, and why a trusted workforce assurance model must be risk-led, role-based, and supported by layered corroboration and ongoing suitability monitoring.
This discussion is relevant for boards, executives, security, risk, HR, and governance professionals responsible for roles with access to critical systems, data, and operations.
Presented by Tim Slattery and Marina Shteinberg, Pentagram Advisory.

In this final episode of Pentagram Advisory’s three-part Workforce Assurance in Critical Infrastructure series, we explore why trust cannot stop at the point of hiring — and why the highest personnel security risks often emerge long after someone has joined an organisation. 
From ongoing suitability and the critical role of reporting, to treating offboarding as a security event and recognising post-employment risk, this episode unpacks how workforce assurance must operate across the entire employment lifecycle.
We discuss how organisations can move from clearance to care, and from point-in-time screening to a proportionate, risk-led model of continuous assurance that supports people while protecting critical assets. 
If you work in or support Australia’s critical infrastructure sector, this episode offers practical insights into building a Trusted Workforce Program that aligns with CIRMP expectations, the Protective Security Policy Framework, AS 4811:2022, and international good practice — and ultimately strengthens organisational resilience. 
Brought to you by Tim Slattery and Marina Shteinberg from Pentagram Advisory.