EPISODE · Mar 2, 2026 · 22 MIN
Under-Resourced and Over-Exposed: Why Boards Must Rethink Security Governance under the Security of Critical Infrastructure Act 2018
from In Australia’s National Interest - Security of Critical Infrastructure · host Pentagram Advisory
Across Australia’s critical infrastructure sectors, many organisations are working hard to comply with the Security of Critical Infrastructure Act 2018 (SOCI Act). Cyber security has matured. CIRMP frameworks are in place. Annual attestations are part of governance cycles. But is security risk truly being governed and resourced proportionately to exposure?

In this episode, Pentagram Advisory explores a recurring structural imbalance in how security risk is integrated into enterprise governance. We examine why compliance alone is not enough, why security risk management must be aligned to risk appetite, and why Boards must treat protective security as a capital allocation discipline — not a technical sub-function.

We discuss:
The difference between compliance and risk stewardship
Why threat assessment and security risk assessment must be current
Governance gaps and fragmented ownership under SOCI
The risks of under-resourcing outside cyber
How Boards can ask the right questions before signing their CIRMP attestation

This conversation is designed for Board directors, senior executives, risk professionals, and those responsible for implementing SOCI obligations. Because protecting critical infrastructure is not just a compliance requirement — it is a matter of national resilience.