In Australia’s National Interest - Security of Critical Infrastructure

Why People Protect the Organisation
What drives people to act in the organisation’s interest—especially when no one is watching?
In this episode, we explore why security is not sustained by controls alone, but by human behaviour. We examine the role of intrinsic motivation, trust, and purpose in shaping security culture, and how these factors influence insider risk.
Drawing on insights from workforce assurance and Trusted Workforce Programs, this discussion highlights how organisations can move beyond compliance to build environments where people choose to act responsibly.
Because ultimately, security depends not just on systems—but on people.
Presented by Pentagram Advisory
Supporting organisations to strengthen security, resilience, and workforce assurance in complex environments.
This podcast reflects insights gained through our work across Australia’s critical infrastructure sector, informed by collaboration with the SOCI community, ongoing research, and engagement with government.

Pentagram Advisory Pty Ltd invites you to watch and / or listen this recording of our recent article about the risks that war with Iran poses to Australia's critical infrastructure entities.

Whilst critical infrastructure entity attack surfaces span a myriad of threat vectors, including cyber attacks, Pentagram's article focuses on the people component - those people employed within Australia's critical infrastructure entities as possible sources of harm.

Iranian expatriates in Australia are of course especially vulnerable to Iranian government interference, coercion, and espionage. Australia, as a compassionate pluralist society, will see our first instinct be to offer assistance and protection to this group. But we must also appreciate that there is a risk, likely from a very few Iranians, that there could be insider threats, either coerced of volunteering to undertake acts of harm against Australia's critical infrastructure.

We also must appreciate that Khamenei was not just head of the Iran theocracy, but was a global Shia leader and sponsor of terror. On that basis, non-Iranian Shia and anti-Westerners may also be aggrieved by Khamenei's assassination at the beginning of the war, and by the ongoing war. Such people may also be coerced or volunteer to cause harm in Australia.

This is a challenging topic, rife for rendering by some people as a dog whistle for discrimination based on religious or ethnic affiliation. That can be one way to view this matter.

Another way to view discussion about this threat is to admit to the reality that we have evidence of Iranian government acts that have, and continue to, intimidate Iranian expatriates living in Australia. Further, the Iranian Government has sponsored violence in Australia. And that was before the war!

Do we ignore reality, and the increased likelihood of Iranian Government action against Australia (there are reports of increased cyber attacks from Iranian sources), or do we shy away from known and potential harms to Australia for fear of offending a small group of people?

Remember, vanishingly few people will evolve to become pro-Iranian insider threats, more are likely to be coerced to act or volunteer to act. Either way, the harm is the same. To protect Australia's critical infrastructure, a key foundation of Australia's national security, leaders need to understand the reality of the threats we face and that requires the courage to engage with difficult challenges as explored in the article.

Insider threats rarely begin with malicious intent — they often emerge gradually as ordinary life pressures create unexpected vulnerabilities around trusted employees.
In this episode, Tim Slattery and Marina Shteinberg from Pentagram Advisory explore the seven risk factors behind insider vulnerability, drawn from the Australian Government Personnel Security Adjudicative Standard within the Protective Security Policy Framework.
Using a realistic workplace scenario, the discussion explains how organisations responsible for critical infrastructure can recognise emerging vulnerabilities early and strengthen Trusted Workforce Programs, insider threat prevention, and workforce assurance.

Across Australia’s critical infrastructure sectors, many organisations are working hard to comply with the Security of Critical Infrastructure Act 2018 (SOCI Act). Cyber security has matured. CIRMP frameworks are in place. Annual attestations are part of governance cycles.
But is security risk truly being governed and resourced proportionately to exposure?
In this episode, Pentagram Advisory explores a recurring structural imbalance in how security risk is integrated into enterprise governance. We examine why compliance alone is not enough, why security risk management must be aligned to risk appetite, and why Boards must treat protective security as a capital allocation discipline — not a technical sub-function.
We discuss:
The difference between compliance and risk stewardship

Why threat assessment and security risk assessment must be current

Governance gaps and fragmented ownership under SOCI

The risks of under-resourcing outside cyber

How Boards can ask the right questions before signing their CIRMP attestation

This conversation is designed for Board directors, senior executives, risk professionals, and those responsible for implementing SOCI obligations.
Because protecting critical infrastructure is not just a compliance requirement — it is a matter of national resilience.

How do you strengthen workforce assurance for existing employees — without creating the very insider risk you’re trying to reduce?
In this episode, Pentagram Advisory explores one of the most sensitive challenges facing critical infrastructure organisations: introducing a Trusted Workforce Program into an established workforce.
As regulatory expectations evolve and insider threat becomes more visible, many organisations are expanding screening and personnel security measures. But poorly managed change can disrupt trust, undermine morale, and elevate behavioural risk.
This episode examines:
• Why workforce assurance must be systemic, not episodic
• The difference between background checks and true governance
• How enterprise risk, role risk and individual suitability connect
• Why change can increase insider risk if trust is mishandled
• Practical steps for introducing screening for legacy workforces proportionately
Workforce assurance is not about suspicion or surveillance. It is about governance, proportionality, and sustaining trust over time.
For leaders responsible for security of critical infrastructure, personnel security, insider threat mitigation, or CIRMP obligations, this episode provides practical guidance grounded in risk and organisational psychology.
Because in high-consequence environments, trust is not a one-time decision — it is a system.