PODCAST · government

In Australia’s National Interest - Security of Critical Infrastructure

What comprises Australia’s national interest, and how does the rise of insider threat activity in Australia’s critical infrastructure connect to Australia’s national interest? I expect this topic was not the first thing on your mind when you woke this morning ready for breakfast and a hot shower. However, the topic is relevant because it is fundamental to you having breakfast, a wash, and getting on with your day. Let me explain.

  1. 73

    From Attestation to Assurance: What the New CIRMP Annual Reporting Questions Signal About the Future of Critical Infrastructure Governance

    In this episode, Tim Slattery and Marina Shteinberg from Pentagram Advisory explore what the recently updated CIRMP annual reporting form may reveal about the evolving expectations of the Department of Home Affairs surrounding governance, operational resilience, assurance, and Board accountability under the Security of Critical Infrastructure Act 2018. The discussion examines the broader shift from compliance-focused attestation toward evidence-based assurance, including what the expanded reporting requirements may mean for Boards, senior executives, and responsible entities preparing for the FY2025–26 CIRMP reporting cycle.

  2. 72

    When Employees Leave: Managing Trust, Risk and Security Beyond Exit

    When employees leave, it is often treated as a process — access removed, systems closed, the relationship ended. But for people, it is a moment of change. A shift in identity, status and direction — shaped by how that experience is perceived. At the same time, for organisations, this is often when risk is most concentrated. Knowledge remains. Relationships continue. And control begins to reduce. So what really happens to trust at the point of exit? In this episode, Tim Slattery and Marina Shteinberg from Pentagram Advisory explore why exit and post-employment risk are often overlooked — and why how organisations manage people at this moment can shape what happens next.

  3. 71

    Insider Threat: New South Wales Treasury Employee

    Insider threat is the misuse by a trusted person of privileged access to, or influence over, assets and operations. The trusted person’s actions may be unintentional, or their actions may be intentional. In either instance the harm caused can be the same. But to become an ‘insider’ a person has to be granted admission. Australian media reported in April 2026 that an employee of the New South Wales Treasury had been charged for allegedly downloading over five thousand government documents. In this podcast, Pentagram recounts the public information about the case and explores insider threat issues which the case highlights.

  4. 70

    Insider Threat: Australian lawyer charged with misconduct

    Insider threat is the misuse by a trusted person of privileged access to assets and operations. The trusted person’s actions may be unintentional or they may be intentional. In either instance the harm caused can be the same. Organisations make a choice to grant trust to a person when they decide to employ them. But the pre-employment screening process is really a point-in-time security check which would reject candidates with any obvious security risk attributes. However, real risk occurs once a person is employed, is inside the organisation, and is often trusted by default. If an organisation does not have appropriate measures in place to observe and evaluate employees then they maximise the risk of insider threat activity. This risk is often exacerbated where organisations rely heavily on initial screening and trust-based models, without implementing mechanisms for continuous monitoring of behaviour and access. In such environments, abnormal activity may go undetected because there is no established baseline against which to assess deviations. In this podcast Pentagram Advisory explores the insider threat case of a lawyer employed by the New South Wales Director of Public Prosecutions.

  5. 69

    Independent Review of the Security of Critical Infrastructure Act 2018 - Pentagram Advisory comments

    In March 2026, the Commonwealth Government published the Independent Review of the Security of Critical Infrastructure Act 2018. The intent of the Review, conducted by Dr Jill Slay between November 2025 and January 2026, was to assess whether Australia's Security of Critical Infrastructure Act 2018 (SOCI Act) is achieving its intended objectives, functioning as intended, and is not producing unintended consequences. In this article, Pentagram Advisory Pty Ltd (Pentagram) will provide excerpts of the Review and also comment on components of the Review that Pentagram considers to be of most interest to Pentagram’s SOCI client entities and to our Community of Practice.

  6. 68

    In the National Interest: From Ukraine to Geelong - What Critical Infrastructure Disruption Really Looks Like

    The recent fire at Viva Energy’s Geelong refinery has been widely reported as an industrial incident. But what does it reveal about Australia’s broader vulnerability when disruption occurs at nationally critical assets? In this episode, we move beyond cause and examine consequence — exploring how disruption to a single node in a highly concentrated and globally dependent system can have cascading effects across the economy. Ukraine has shown us what sabotage and disruption of critical infrastructure really look like. In the years leading up to Russia’s full-scale invasion in 2022, fires, explosions, cyber attacks and supply chain disruptions were often treated as isolated events — many ambiguous at the time, and later attributed to acts of sabotage linked to Russian state activity. What becomes clear, over time, is the pattern. Disruption rarely arrives as a single, decisive event — it emerges through a series of smaller incidents that only later form a recognisable and strategically significant pattern. Events like the Geelong refinery fire may be very different in nature — but they highlight how disruption at critical nodes can have broader consequences. Australia’s fuel system is not immune to these dynamics. In this episode, Tim Slattery and Marina Shteinberg from Pentagram Advisory examine what these patterns mean for Australia’s critical infrastructure — and why organisations must shift from a compliance mindset to one focused on assurance, resilience, and understanding their true points of vulnerability.

  7. 67

    Why Behavioural Change Is The Earliest Warning Signal Of Insider Risk

    Insider risk rarely appears suddenly. In this episode, we explore why behavioural change is often the earliest warning signal — long before systems detect a problem. Learn how insider risk develops over time, how to recognise subtle behavioural indicators, and how organisations can respond early through human-centric approaches, strong culture, and proportionate action. Technology detects events. Behaviour reveals trajectories. The earliest signals of insider risk are not hidden in systems — they are visible in people. 🎧 Listen to understand how to recognise these signals earlier — and respond before risk becomes an incident. Brought to you by Pentagram Advisory. Supporting organisations to strengthen resilience across insider threat, workforce security, and critical infrastructure protection.

  8. 66

    In the National Interest: War with Iran - energy shock with Australia running on entry

    This article explores the risks and consequences for Australia stemming from the 2026 war with Iran and resultant oil supply shock.

  9. 65

    Why People Protect the Organisation: Intrinsic Motivation as the Foundation of Security Culture

    What drives people to act in the organisation’s interest—especially when no one is watching? In this episode, we explore why security is not sustained by controls alone, but by human behaviour. We examine the role of intrinsic motivation, trust, and purpose in shaping security culture, and how these factors influence insider risk. Drawing on insights from workforce assurance and Trusted Workforce Programs, this discussion highlights how organisations can move beyond compliance to build environments where people choose to act responsibly. Because ultimately, security depends not just on systems—but on people. Presented by Pentagram Advisory. Supporting organisations to strengthen security, resilience, and workforce assurance in complex environments. This podcast reflects insights gained through our work across Australia’s critical infrastructure sector, informed by collaboration with the SOCI community, ongoing research, and engagement with government.

  10. 64

    War with Iran: alerts for Australia's critical infrastructure operators and Australian society

    Pentagram Advisory Pty Ltd invites you to watch and / or listen to this recording of our recent article about the risks that war with Iran poses to Australia's critical infrastructure entities. Whilst critical infrastructure entity attack surfaces span a myriad of threat vectors, including cyber attacks, Pentagram's article focuses on the people component - those people employed within Australia's critical infrastructure entities as possible sources of harm. Iranian expatriates in Australia are of course especially vulnerable to Iranian government interference, coercion, and espionage. Australia, as a compassionate pluralist society, will see our first instinct be to offer assistance and protection to this group. But we must also appreciate that there is a risk, likely from a very few Iranians, that there could be insider threats, either coerced or volunteering to undertake acts of harm against Australia's critical infrastructure. We also must appreciate that Khamenei was not just head of the Iran theocracy, but was a global Shia leader and sponsor of terror. On that basis, non-Iranian Shia and anti-Westerners may also be aggrieved by Khamenei's assassination at the beginning of the war, and by the ongoing war. Such people may also be coerced or volunteer to cause harm in Australia. This is a challenging topic, ripe for rendering by some people as a dog whistle for discrimination based on religious or ethnic affiliation. That can be one way to view this matter. Another way to view discussion about this threat is to admit to the reality that we have evidence of Iranian government acts that have, and continue to, intimidate Iranian expatriates living in Australia. Further, the Iranian Government has sponsored violence in Australia.
    And that was before the war! Do we ignore reality, and the increased likelihood of Iranian Government action against Australia (there are reports of increased cyber attacks from Iranian sources), or do we shy away from known and potential harms to Australia for fear of offending a small group of people? Remember, vanishingly few people will evolve to become pro-Iranian insider threats, more are likely to be coerced to act or volunteer to act. Either way, the harm is the same. To protect Australia's critical infrastructure, a key foundation of Australia's national security, leaders need to understand the reality of the threats we face and that requires the courage to engage with difficult challenges as explored in the article.

  11. 63

    The Seven Risk Factors Behind Insider Vulnerability

    Insider threats rarely begin with malicious intent — they often emerge gradually as ordinary life pressures create unexpected vulnerabilities around trusted employees. In this episode, Tim Slattery and Marina Shteinberg from Pentagram Advisory explore the seven risk factors behind insider vulnerability, drawn from the Australian Government Personnel Security Adjudicative Standard within the Protective Security Policy Framework. Using a realistic workplace scenario, the discussion explains how organisations responsible for critical infrastructure can recognise emerging vulnerabilities early and strengthen Trusted Workforce Programs, insider threat prevention, and workforce assurance.

  12. 62

    Under-Resourced and Over-Exposed: Why Boards Must Rethink Security Governance under the Security of Critical Infrastructure Act 2018

    Across Australia’s critical infrastructure sectors, many organisations are working hard to comply with the Security of Critical Infrastructure Act 2018 (SOCI Act). Cyber security has matured. CIRMP frameworks are in place. Annual attestations are part of governance cycles. But is security risk truly being governed and resourced proportionately to exposure? In this episode, Pentagram Advisory explores a recurring structural imbalance in how security risk is integrated into enterprise governance. We examine why compliance alone is not enough, why security risk management must be aligned to risk appetite, and why Boards must treat protective security as a capital allocation discipline — not a technical sub-function.

    We discuss:

    • The difference between compliance and risk stewardship
    • Why threat assessment and security risk assessment must be current
    • Governance gaps and fragmented ownership under SOCI
    • The risks of under-resourcing outside cyber
    • How Boards can ask the right questions before signing their CIRMP attestation

    This conversation is designed for Board directors, senior executives, risk professionals, and those responsible for implementing SOCI obligations. Because protecting critical infrastructure is not just a compliance requirement — it is a matter of national resilience.

  13. 61

    How to Introduce Workforce Assurance for Existing Workers without Increasing Insider Risk

    How do you strengthen workforce assurance for existing employees — without creating the very insider risk you’re trying to reduce? In this episode, Pentagram Advisory explores one of the most sensitive challenges facing critical infrastructure organisations: introducing a Trusted Workforce Program into an established workforce. As regulatory expectations evolve and insider threat becomes more visible, many organisations are expanding screening and personnel security measures. But poorly managed change can disrupt trust, undermine morale, and elevate behavioural risk.

    This episode examines:

    • Why workforce assurance must be systemic, not episodic
    • The difference between background checks and true governance
    • How enterprise risk, role risk and individual suitability connect
    • Why change can increase insider risk if trust is mishandled
    • Practical steps for introducing screening for legacy workforces proportionately

    Workforce assurance is not about suspicion or surveillance. It is about governance, proportionality, and sustaining trust over time. For leaders responsible for security of critical infrastructure, personnel security, insider threat mitigation, or CIRMP obligations, this episode provides practical guidance grounded in risk and organisational psychology. Because in high-consequence environments, trust is not a one-time decision — it is a system.

  14. 60

    Trusted Workforce Assurance In Australia For Non-Citizen Offshore Applicants In Critical Infrastructure Sectors

    Workforce assurance is now a strategic security capability for Australia’s critical infrastructure sectors. In this episode, we explore how organisations can build defensible workforce assurance for non-citizen offshore applicants whose personal, professional, and behavioural history may sit largely outside Australian systems. We examine why traditional, point-in-time background checking alone cannot provide sufficient assurance in this context, and why a trusted workforce assurance model must be risk-led, role-based, and supported by layered corroboration and ongoing suitability monitoring. This discussion is relevant for boards, executives, security, risk, HR, and governance professionals responsible for roles with access to critical systems, data, and operations. Presented by Tim Slattery and Marina Shteinberg, Pentagram Advisory.

  15. 59

    From Entry to Exit: Why Workforce Assurance must be Continuous

    In this final episode of Pentagram Advisory’s three-part Workforce Assurance in Critical Infrastructure series, we explore why trust cannot stop at the point of hiring — and why the highest personnel security risks often emerge long after someone has joined an organisation. From ongoing suitability and the critical role of reporting, to treating offboarding as a security event and recognising post-employment risk, this episode unpacks how workforce assurance must operate across the entire employment lifecycle. We discuss how organisations can move from clearance to care, and from point-in-time screening to a proportionate, risk-led model of continuous assurance that supports people while protecting critical assets. If you work in or support Australia’s critical infrastructure sector, this episode offers practical insights into building a Trusted Workforce Program that aligns with CIRMP expectations, the Protective Security Policy Framework, AS 4811:2022, and international good practice — and ultimately strengthens organisational resilience. Brought to you by Tim Slattery and Marina Shteinberg from Pentagram Advisory.

  16. 58

    In the National Interest – Leadership required to protect Australia’s critical infrastructure and its workforce from extremism in the wake of the Bondi attack

    The Bondi Beach massacre in December 2025 is the most deadly and consequential terrorist attack on Australian soil. That it happened is a national tragedy. That it happened is not a surprise. Pentagram's podcast explores the possible consequences for Australia's society, for people - be they Muslim, Jew or gentile - and how this might affect people in the workplace, with particular focus on Australia's critical infrastructure workplaces. The article calls for private sector leadership, in the absence of government leadership, and provides approaches that workplace leaders might take to support people in the workplace. The article also talks about actions to manage people who may present aberrant workplace behaviours stemming from the Bondi Beach massacre.

  17. 57

    Rethinking Pre-Employment Screening: Building Proportionate, Risk-Led Workforce Assurance

    Pre-employment screening in critical infrastructure is often treated as a compliance step — a set of standard checks applied to every role, regardless of the risk it carries. But this approach rarely delivers real security assurance. In this episode, we explain how organisations can move beyond generic, outsourced background checks and build proportionate, risk-led pre-employment screening in-house, using many of the processes they already have in place. Most organisations are already doing a lot — identity checks, right-to-work verification, referee checks, licence validation, probity declarations. The challenge is not starting from scratch, but organising these activities into a structured, defensible workforce assurance capability. We unpack the key principles of effective pre-employment screening, including proportionality, relevance, fairness, transparency, and privacy, and show how screening should be driven by role risk and consequence, not by habit or convenience. We also explain why government and outsourced checks, while useful, cannot substitute for an organisation’s own responsibility to understand its specific security risks. This episode provides practical guidance on how to design tiered, role-based screening models, distinguish between eligibility and suitability, and use risk factors ethically — without stigmatising people or creating unnecessary barriers to employment. If your organisation is looking to strengthen its approach to workforce assurance under AS 4811:2022, the PSPF, and the SOCI framework, this episode offers clear, implementable ideas you can apply internally — without creating more burden, cost, or complexity.

  18. 56

    Why the AusCheck background check is not enough — moving towards proportionate, risk-led workforce assurance

    In this episode, we explore why many critical infrastructure organisations continue to rely on the AusCheck background check as their primary assurance measure — and why that reliance creates a dangerous illusion of safety. AusCheck provides coordinated, point-in-time background checking that is primarily focused on identifying terrorism-related and criminal risks. It does not provide an understanding of the broader personal security risks that may need to be monitored and managed across the employment lifecycle.

    We unpack:

    • what AusCheck actually does — and doesn’t do
    • why legislative rigidity makes reform slow and complex
    • how insider threat now develops over time, not at hiring
    • why outsourcing background checks can remove visibility rather than improve it
    • why proportionate, risk-led workforce assurance is essential for critical infrastructure

    This episode sets the foundation for a three-part series. Next, we will look at practical, proportionate pre-employment screening. Then, we will explore ongoing suitability and managing personnel risk over time. Boards, executives and risk leaders will find this particularly useful — especially if your organisation still equates “passing a check” with low risk.

  19. 55

    Beyond Compliance With The Security Of Critical Infrastructure Act 2018

    Beyond Compliance with the SOCI Act: Why Effective Security Risk Management Matters More Than a ‘Compliant’ CIRMP. A Pentagram Advisory perspective. As organisations across Australia’s critical infrastructure sectors continue to mature under the Security of Critical Infrastructure Act 2018, many Boards and executives are asking a familiar question: Are we compliant? In this episode, Pentagram Advisory reflects on why compliance alone is not enough — and why a Critical Infrastructure Risk Management Program (CIRMP) that satisfies regulatory requirements may still fail to protect critical assets in practice. Drawing on Pentagram’s advisory work with SOCI-regulated entities across multiple sectors, the discussion explores the critical distinction between compliance and effectiveness, and why the SOCI Act should be understood as a national security framework, not an administrative checklist. The episode examines the role of risk appetite and risk tolerance in shaping security risk decisions, the danger of false assurance created by procedural audits and box-ticking, and why genuine confidence comes from understanding how security controls perform under real-world conditions. It also highlights why SOCI should not be viewed as foreign to good business practice. Many protective security measures already exist within organisations — the challenge is connecting them, governing them effectively, and ensuring they deliver the intended security outcomes. This conversation is intended for Board members, CEOs, executives, and senior risk and security leaders seeking to move beyond compliance and build genuine confidence in their organisation’s security risk management under the SOCI Act.

  20. 54

    National Security Threats Impacting Australia’s Critical Infrastructure Assets: Slow Motion Car Crash?

    In October and November 2025, the heads of Australia’s two most significant strategic intelligence assessment agencies made public their views on the geostrategic threats confronting Australia today. In those remarks, both leaders set out some of the threats and explored some of the consequences that could be inflicted upon Australia, including Australia’s critical infrastructure assets, if action is not taken now to detect, deter, and defend against these threats to Australia’s national security. Australia has been warned for years by its intelligence agencies, and by its allies, of the threats to our critical infrastructure by threat actors including hostile nation states, organised crime, and issue-motivated groups and individuals. Have Australian governments, private sector entities, or citizens responded in any meaningful way to these warnings, or have we been party to a slow-motion car crash, which we belatedly realise we are in the driver’s seat for?

  21. 53

    Insider Threat – Looking at the ‘Whole Person’

    In this episode, we explore why understanding the whole person is essential to managing insider threats across Australia’s critical infrastructure sectors. Drawing on decades of national security experience, the discussion examines why insider threat remains one of the most complex and misunderstood challenges under the Security of Critical Infrastructure Act 2018 (SOCI Act). We unpack the behaviours, vulnerabilities and coercive pressures that can turn a trusted insider into a threat, the realities of foreign interference, and the importance of moving beyond simplistic assumptions about ‘rights’ and workplace culture. The episode also highlights why a whole-person approach to personnel security is not only effective, but necessary for organisations seeking to build a trusted workforce. This episode is based on an article by Tim Slattery, who served 37 years in Australia’s defence, intelligence and national security community before moving into consulting. Tim now co-leads Pentagram Advisory, with a focus on insider threat mitigation and personnel security across government, industry and critical infrastructure. If you work in protective security, critical infrastructure, risk management or insider threat programs, this episode provides practical insights into one of the most pressing and least understood challenges facing Australia today.

  22. 52

    When familiarity creates blindness: Rethinking insider threat, leadership influence and the future of trusted workforces

    In this episode, we explore one of the most overlooked vulnerabilities in today’s organisations: the way familiarity, comfort and trust can blind leaders to emerging insider-related risks. Drawing on recent NPSA research and Pentagram Advisory’s insights, we unpack why insider threat often feels “unlikely,” how the psychological contract shapes behaviour long before policies do, and why point-in-time checks provide only the illusion of safety. We examine the cultural resistance to insider threat programs, the language barriers that shape organisational acceptance, and the leadership blind spots that allow early warning signs to go unnoticed. Most importantly, we discuss how shifting from blind trust to informed trust can strengthen culture, governance and accountability — and what it takes to build a truly trusted workforce in an evolving threat landscape. If your organisation is reassessing its people-related risks, workforce suitability, or insider threat maturity, this episode provides a clear, practical lens to recalibrate assumptions and enhance preparedness.

  23. 51

    Building Assurance: A Framework for Risk-Based Supply Chain Mapping and Categorisation

    In this episode, we unpack one of the most critical challenges facing Australia’s essential services: understanding and managing the risks hidden within complex supply chains. Modern critical infrastructure depends on long, interconnected, and often opaque networks of suppliers — and under the Security of Critical Infrastructure Act 2018, these dependencies are now a regulated security obligation. Drawing on Pentagram Advisory’s Eight-Step Risk-Based Supply Chain Mapping and Categorisation Framework, we explore how organisations can move beyond tick-box compliance and build a defensible, intelligence-led approach to supplier assurance. From governance and threat analysis to mapping, tiering, and continuous monitoring, this episode breaks down each step in practical terms for boards, senior executives, and security practitioners. You’ll hear how the right framework can transform supplier oversight from a procurement activity into a core protective security function — strengthening resilience, reducing over-reliance, and giving decision-makers a clear line of sight into vulnerabilities across every tier of the supply chain. Whether you work in energy, water, transport, telecommunications, or any sector covered by the SOCI Act, this episode provides essential insights for building assurance in an increasingly interconnected and risk-exposed environment. A supply chain is only as strong as the weakest link you can see. Tune in to learn how to make those links visible, verifiable, and secure.

  24. 50

    In the National Interest: China’s Cognitive Warfare

    Welcome to another podcast in Pentagram Advisory’s ‘In the National Interest’ series, a series in which we explore geostrategic issues relevant to the security of Australia’s critical infrastructure. In this episode we will explore the subject of China’s waging of cognitive warfare against Australia and other Western democracies. We will explore the relevance of the threat of cognitive warfare to Australia's critical infrastructure and consider mitigations that critical infrastructure owners and operators may take.

  25. 49

    Establishing a Critical Worker Identification and Risk Management Framework

    Across Australia’s critical infrastructure sectors, one of the most persistent challenges under the Security of Critical Infrastructure Act 2018 is identifying and managing critical workers — those individuals whose absence, compromise, or misconduct could disrupt essential services. In this episode, Pentagram Advisory introduces the Seven-Step Critical Worker Identification and Risk Management Framework — a practical, regulator-aligned approach that helps organisations move from compliance to confidence. Tim and Marina unpack the legislative foundations, share insights from industry engagements, and outline how clear governance, operational mapping, and proportionate assurance measures can transform workforce compliance into lasting capability and assurance. Whether you are a security or risk professional, HR leader, or executive responsible for essential services, this episode will help you strengthen your organisation’s resilience and meet the intent of the SOCI framework with clarity and purpose. 🔗 For more insights, visit Pentagram Advisory or follow us on LinkedIn.

  26. 48

    When Trust Breaks, Free Will Decides: How the Psychological Contract Shapes Insider Threat and Cyber Security Compliance

    Why do employees sometimes go above and beyond to protect their organisation — and other times bend rules, ignore policies, or disengage from security altogether? In this episode, Pentagram Advisory explores the role of the psychological contract — the unwritten expectations of trust and fairness between employer and employee — and how its breakdown fuels insider threats. Drawing on research from the University of Warwick, we unpack why technical controls alone aren’t enough, how to recognise early signs of a breach, and what leaders can do to repair trust before it escalates into a security risk. For leaders, executives, and practitioners, this is a reminder that the deciding factor in insider threat is rarely opportunity — it is choice. And choice is shaped by trust.

  27. 47

    Countering Foreign Interference: Insider Threat Programs For Australia’s Critical Infrastructure

    Espionage and foreign interference are now assessed as certain threats to Australia’s critical infrastructure. In this episode, Pentagram Advisory explores how insider threat programs — guided by the Protective Security Policy Framework and aligned with SOCI Act obligations — help organisations counter these risks. We unpack why people are both the first line of defence and the most attractive target.

  28. 46

    ESG and the Human Factor: Why personnel security must be a core feature of ESG strategy

    ESG is one of the most decisive forces shaping corporate strategy and investment worldwide. But while environmental and governance issues dominate the headlines, the social dimension — the human factor — is often overlooked. In this episode, Pentagram Advisory explores why personnel security is the missing link in many ESG programs. We examine the risks posed by workforce vulnerabilities, insider threats, and supply chain exposures, and why boards and executives must integrate personnel security into ESG strategy to build resilience, protect value, and maintain stakeholder trust. Join us as we uncover how the people side of ESG could be the decisive factor in safeguarding purpose, performance, and profitability for organisations managing critical assets.

  29. 45

    Foreign Interference - Iran in Australia

    In August 2025, the Australian Government announced it had evidence that the Iranian Government had directed violent criminal activities in Australia.  The activities were cited as the attacks on two Jewish sites in Australia in 2024.  In response to this evidence, the Australian Government expelled the Iranian ambassador and senior diplomatic staff, and will proscribe Iran’s Islamic Revolutionary Guard Corps (IRGC) as a terrorist group in Australia.  This podcast argues that Iranian activity in Australia meets the definition of foreign interference, explores the significance of these acts, and the possible risks that may be relevant to people and employers from acts of foreign interference, be they from Iran or other hostile states.

  30. 44

    Foreign Interference: China interfering in Australia, and in your workplace

    Foreign interference is no longer a distant problem — it is happening here in Australia, today. In this episode, Pentagram Advisory explores the growing threat of Chinese foreign interference and its impact not only on Australia’s national security but also on everyday workplaces. Drawing on recent cases and real examples, we examine how interference targets individuals, communities, and institutions, and why no workplace is immune. From political asylum cases like Ted Hui and Kevin Yam, to the covert collection of information from community groups, this episode highlights how interference can affect colleagues, threaten trust, and undermine social cohesion. We also outline practical steps workplaces can take — from recognising warning signs to building a culture of safe reporting and resilience. Join Pentagram Advisory’s Tim Slattery and Marina Shteinberg as they unpack the risks, share insights from recent reports, and provide guidance for boards, executives, and employees on staying alert without fuelling bias.

  31. 43

    Clorox - Cognizant: Insider Threat in the Supply Chain

    This episode explores the risk posed to an enterprise from the actions of trusted insiders, also known as third-parties, in the enterprise's supply chain.

  32. 42

    Critical Infrastructure Risk Management Program Turns Two: How to Strengthen the Annual Review, Board Engagement, and Enterprise Risk Integration

    Two years on from the introduction of the Critical Infrastructure Risk Management Program (CIRMP) under the SOCI Act, what have we learned — and where do we go next? In this episode, Pentagram Advisory explores how organisations can use the annual CIRMP review and Board-approved report to strengthen governance, integrate SOCI-related security risks into their Enterprise Risk Management Framework, and build resilience that goes beyond compliance. We discuss practical steps for improving Board oversight, closing the gap between operational insights and strategic decisions, and embedding CIRMP into everyday risk management. Whether you’re a security leader, risk manager, or Board member, this conversation offers actionable insights to ensure your CIRMP drives value for your organisation. Based on our article CIRMP turns Two: Strengthening Annual Review, Board Oversight, and Risk Integration.

  33. 41

    Returning to the Office: Managing Insider Threats During Organisational Transition

    As organisations implement return-to-office (RTO) policies, the focus is often on productivity, collaboration, and culture. But there's another critical dimension to this shift: security. In this episode, Pentagram Advisory explores the human risks associated with organisational transitions and how poorly managed RTO directives can lead to disengagement, disgruntlement, and increased insider threat risk. Drawing on insights from our article “Returning to the Office – Managing Insider Threats During Organisational Transition”, we unpack the psychological contract between employers and employees, discuss the drivers of insider threats, and outline practical strategies for rebuilding trust, strengthening reporting culture, and supporting managers through change. This episode is essential listening for leaders, security professionals, and HR teams navigating the intersection of people, culture, and protective security.

  34. 40

    Building a Trusted Workforce – Managing Human Risk with Purpose

    What does it take to build a trusted workforce — one that is resilient, high-performing, and secure? In this episode, Tim Slattery and Marina Shteinberg from Pentagram Advisory explore the invisible but critical psychological contract between organisations and their people. Based on their article Building a Trusted Workforce – Managing Human Risk with Purpose, this episode examines how trust is formed (and broken), the role of pre-employment screening and ongoing assessments, and how organisations can move beyond compliance to create a culture of security and care. Listen now to learn practical strategies for managing people risk with empathy, structure, and purpose.

  35. 39

    Maturity Model for the Critical Infrastructure Risk Management Program

    Explore how a security maturity model can strengthen your organisation’s Critical Infrastructure Risk Management Program (CIRMP) under Australia’s Security of Critical Infrastructure Act 2018 (SOCI Act). In this episode, Tim Slattery and Marina Shteinberg from Pentagram Advisory unpack what a security maturity model is, why it matters, and how it provides Boards and executives with a clear, evidence-based view of their security posture. To help organisations navigate this environment, Pentagram Advisory has developed a tailored CIRMP Security Maturity Model. This model is specifically designed to reflect the unique operating context, risk environment, and sector obligations of each critical infrastructure entity. Whether your goal is to meet increasing regulatory demands, reinforce resilience, or demonstrate transparent governance, this conversation offers practical insights to guide your journey. For more resources on the security of critical infrastructure, insider threats, and supply chain risk, visit Pentagram Advisory or follow us on LinkedIn.

  36. 38

    Pentagram First Anniversary - Celebrating a Year of Collaboration

    This episode is titled: Pentagram Advisory First Anniversary – Celebrating One Year of Collaboration. This episode will explore a unique and unexpected aspect of Pentagram’s first year of operation – that is Pentagram’s connecting with other service providers that bring a natural point of collaboration with Pentagram. This collaboration provides additional and complementary benefits for our clients and followers. Collaboration also provides opportunities for Pentagram to contribute to meeting the needs of collaborators’ clients. The key message is that Pentagram has nested with other like-minded providers that share Pentagram’s values and vision to strengthen Australia’s national security by lifting up the security and resilience of Australia’s workforce and critical infrastructure.

  37. 37

    In the National Interest – Transport Workers Union Militancy and Insider Threat

    Australian media reported in May 2025 that the leader of Australia’s Transport Workers Union (TWU) is prepared to “shut down Australian transport” in 2026 in pursuit of union claims. In this podcast Pentagram Advisory explores the possible consequences of the TWU threat in the context of the legal obligations that came into effect on 27 March 2025 that transport sector asset owners and operators now face under the Transport Security Amendment (Security of Australia’s Transport Sector) Act 2025 (TSA Act). Especially with regard to personnel security obligations under the TSA Act, TWU members may behave as 'insider threats' that require mitigation. The podcast explores the role of an insider threat program in helping to mitigate these possible threats and how this approach benefits all people and organisations involved.

  38. 36

    Australian Government Recognises the Need for Insider Threat Programs

    This episode is titled: Insider Threat – Australian Government Recognises the Need for Insider Threat Programs. This podcast will explore the Australian Government’s efforts in recent years to mitigate insider threat in both the government and private sectors. The key message is that there is a need for insider threat programs and that need comes from recognising the potency of the insider threat to harm Australia’s national security, defence, economic wellbeing, and social coherence. In terms of security threats, the two most potent threats are from people and cyber sources. We hope you enjoy this podcast and find it informative.

  39. 35

    Modernising Australia’s Transport Security: Meeting the Threats of Tomorrow

    In this episode, we explore the landmark Transport Security Amendment (Security of Australia’s Transport Sector) Act 2025 — a generational shift in how Australia secures its aviation, maritime, and offshore sectors. Join Timothy Slattery and Marina Shteinberg from Pentagram Advisory as they unpack what the TSA Act means for airports, ports, and offshore facilities. Discover how the new all-hazards approach moves beyond traditional physical security to address operational interference, insider threats, cyber risks, and personnel vulnerabilities — and why this evolution matters. For aviation and maritime industry participants, the application of an all-hazards approach marks a clear evolution from a prescribed, compliance-based regime focused on granting access to secure zones, to a risk- and principles-based, outcomes-focused model that requires mitigation of a far broader range of risks — including cyber, personnel, and supply chain hazards. We’ll walk through the key reforms, practical obligations, and strategic actions your organisation can take now to prepare for compliance and build operational resilience. Whether you're a security leader, risk manager, regulator, or executive in the transport sector, this episode offers valuable insights and clear next steps for navigating Australia’s evolving threat landscape.

  40. 34

    Insider Threat at Canberra Hospital: a Case Study in Critical Infrastructure Security in the Health Sector

    An insider threat incident at Canberra Hospital in May 2025, in which an employee targeted another employee, reveals critical lessons for Critical Infrastructure Risk Management Program (CIRMP) compliance and personnel security under the Security of Critical Infrastructure Act 2018.

  41. 33

    Board responsibilities for approving the risk management program annual report under the Security of Critical Infrastructure Act 2018: What directors need to know

    In this episode, the Pentagram Advisory team breaks down what directors of responsible entities need to know about their legal obligations when approving the Critical Infrastructure Risk Management Program (CIRMP) annual report. We explore board duties under the SOCI Act and Corporations Act, the importance of ongoing oversight, and offer practical recommendations for management to support board decision-making. Essential listening for directors and executives overseeing critical infrastructure in Australia.

  42. 32

    In the National Interest - Critical Infrastructure as a National Security Priority

    Critical infrastructure is a fundamental enabler of Australia’s national security. Australian governments over decades have recognised the need to protect critical infrastructure from evolving threats as a component of national security, yet have offered policy guidance with little effective action to achieve protection.  Government has put the onus for action onto the private sector to protect nationally critical assets and operations.   In this podcast Pentagram will focus on one subset of the myriad elements required to ensure the safety of all Australians – critical infrastructure, discussing why protecting critical infrastructure is so important that it should be a national security priority.  We will discuss the national-level threats that we need to protect critical infrastructure from.

  43. 31

    Observing the absence of usual or the presence of unusual: a new lens on insider threat reporting

    In an era dominated by surveillance tools and behavioural analytics, organisations still overlook their most powerful early warning system — people. Reporting data is a critical indicator of whether your organisation’s security measures are both proportionate and effective. It can also serve as an early warning sign of emerging risks. Without this data, organisations are often operating in the dark — unable to respond to threats in a timely or informed manner. In this episode, based on the article "Observing the Absence of Usual or the Presence of Unusual," Marina Shteinberg, director and co-founder of Pentagram Advisory, explores the human side of insider threat detection: how observation, intuition, and language shape our willingness to report. Marina delves into the psychology and psycholinguistics behind workplace reporting. Why do people hesitate to speak up, even when they sense something is off? How do words like “snitch” or “whistleblower” influence our moral choices? Discover how organisations can harness the deeply human ability to sense change — often subtle, emotional, and unspoken — and foster cultures where reporting is not seen as betrayal, but as an act of care. Because at its core, security begins with human connection, and our intuition — shaped over thousands of years of social interaction — remains one of the most reliable tools we have.

  44. 30

    Insider Threat: The Trusted Worker with Ideological Challenges

    Written by Timothy Slattery. What happens when someone inside the system, entrusted with national secrets, begins to see another country as their true allegiance? This is the dilemma posed by insider threats – trusted individuals who, whether by intent or negligence, cause harm to the organisations that rely on them. In this powerful episode, Timothy Slattery, a former senior national security official with 37 years of experience across Australia’s army, intelligence, and law enforcement sectors, explores a real-life case of divided loyalties within the Australian Defence Force. The story highlights how personal ideology can override professional obligations—even in the most trusted roles. Drawing on two years of ASIO investigations, Tribunal findings, and lessons from critical infrastructure reforms, Tim unpacks why this case matters not just to government, but to all sectors responsible for protecting sensitive information, systems, and people. 🎙️ Narrated by Pentagram Advisory. Essential listening for leaders, security professionals, and anyone committed to understanding and mitigating insider risk.

  45. 29

    Foreign Interference and Critical Infrastructure: Australia's National Security Challenge

    In this episode, we delve into one of Australia’s most pressing national security threats — foreign interference — and its direct implications for our critical infrastructure. Drawing on insights from ASIO’s 2025 Annual Threat Assessment, this podcast unpacks how hostile foreign actors are increasingly targeting Australia’s essential systems, from energy and water to communications and transport. These threats are not theoretical — they are active, covert, and evolving. We explore: What foreign interference is — and how it differs from legitimate foreign influence. Why Australia’s critical infrastructure has become a high-value target. How foreign actors exploit insider access, supply chains, and partnerships. What boards, executives, and operators can do to mitigate the risk. The power of Open Source Intelligence (OSINT) in detecting foreign ties, coercive behaviours, and hidden risks. Join Pentagram Advisory as we offer practical, proportionate strategies to help organisations move from awareness to action — and play a frontline role in protecting Australia’s sovereignty, resilience, and public trust. 🎧 Tune in now to learn how your organisation can build real-world defences against this growing national security threat.

  46. 28

    Insider Threat at Ambulance Victoria

    In this episode, we dive into a real-world case of insider threat in Australia’s health sector — the data breach at Ambulance Victoria in March 2025, where a former staff member exploited their final day of system access to steal the personal and financial data of up to 3,000 employees. But this is not an isolated incident. We also examine the NSW Ambulance contractor convicted of selling employee data, explore the broader cultural issues that can give rise to insider threat behaviour — including bullying, fraud, and leadership failure — and ask what lessons critical infrastructure organisations must learn to prevent future harm. Organisational culture and leadership play a pivotal role in either enabling or preventing insider threats. A toxic workplace can be both a driver of disgruntlement and a barrier to early detection. Through the lens of recent events and grounded in behavioural insight, this episode unpacks what an insider threat really looks like — and why the most effective response starts not with technology, but with people. 🎧 Tune in as Pentagram Advisory offers practical, security-focused insights for boards, executives, and practitioners navigating today’s threat landscape.

  47. 27

    Insider Threat – Luddites in the workplace: Why AI is provoking sabotage in the workplace

    What do 19th-century textile workers and today’s AI-disrupted employees have in common? More than you might think. In this episode, we explore the fascinating parallels between the Luddite movement and modern insider threats triggered by the rapid adoption of AI in the workplace. Drawing from recent research and historical insights, we unpack how fear, uncertainty, and loss of control can fuel sabotage — and what organisations can do to prevent it. Tune in to learn: Why AI can be a workplace stressor that triggers insider threats; What employers can do to manage the human side of AI adoption; How the Luddite legacy lives on — in today’s digital age; Practical solutions for building trust, transparency, and resilience during digital transformation. Whether you are a security leader, HR professional, or tech policy thinker, this is a timely conversation you won’t want to miss.

  48. 26

    In the National Interest – Two Recent Insider Threat Events in Australia

    In the workplace setting an employer provides money and / or other benefits to a person in exchange for their labour, knowledge, and time. The relationship is formally set out in a contract which details obligations that fall upon both the employer and employee, contractor or volunteer – a principle known as quid pro quo. Examples of obligations include an employer providing a safe workplace, an employee working to a required standard of quality and time, and both parties behaving in the workplace in accordance with stated organisational values and the common law. When employees do not hold up their part of the quid pro quo bargain then trusted insiders can become insider threats and cause harm to the organisation. In this podcast Pentagram Advisory looks at two recent insider threats in Australia - the 'Bankstown nurses' and soldier Kira Korolev. The cases are very different but both are examples of intentional insiders who caused significant harm, noting the final consequences of their actions are not clear at the time this podcast was created.

  49. 25

    Insider Threat Mitigation Advice for Critical Infrastructure Entities

    In February 2025 the United States National Counterintelligence and Security Center (or NCSC) released a report titled Insider Threat Mitigation for U.S. Critical Infrastructure Entities – Guidelines from an Intelligence Perspective. Pentagram Advisory is flagging this report with our followers because the report is equally valid for Australia’s critical infrastructure owners and operators, as defined by Australia’s Security of Critical Infrastructure Act 2018 (the SOCI Act) and linked legislation. The NCSC report can be read by Australian entities, whether they be critical infrastructure or other types of enterprises, as up-to-date advice on the growing importance of the insider threat to Australia’s national security overall and to the critical infrastructure community in particular.

  50. 24

    Insider Threat: An approach to identifying psychosocial hazards to mitigate insider threat

    When does a trusted employee become a risk? Insider threats do not emerge overnight—they are often the result of a gradual shift driven by workplace and personal factors. While organisations focus on technical defences, they can overlook the human element: the psychosocial hazards that can turn loyal employees into potential insider threats. Join Pentagram Advisory as we discuss real-world case studies, including Jessica’s story - a trusted IT professional whose workplace experience led her down a dangerous path. Learn how leadership, workplace culture, and proactive monitoring tools like Teamgage can help prevent disengagement, frustration, and ultimately, insider threats.

HOSTED BY

Pentagram Advisory

Frequently Asked Questions

How many episodes does In Australia’s National Interest - Security of Critical Infrastructure have?

In Australia’s National Interest - Security of Critical Infrastructure currently has 50 episodes available on PodParley. New episodes are automatically indexed when they're published to the podcast feed.

Who hosts In Australia’s National Interest - Security of Critical Infrastructure?

In Australia’s National Interest - Security of Critical Infrastructure is created and hosted by Pentagram Advisory.