In Australia’s National Interest - Security of Critical Infrastructure

Insider threat is the misuse by a trusted person of privileged access to, or influence over, assets and operations. The trusted person’s actions may be unintentional, or their actions may be intentional. In either instance the harm caused can be the same. But to become an ‘insider’ a person has to be granted admission.Australian media reported in April 2026 that an employee of the New South Wales Treasury had been charged for allegedly downloading over five thousand government documents.In this podcast, Pentagram recounts the public information about the case and explores insider threat issues which the case highlights.

In March 2026, the Commonwealth Government published the Independent Review of the Security of Critical Infrastructure Act 2018. The intent of the Review, conducted by Dr Jill Slay between November 2025 and January 2026, was to assess whether Australia's Security of Critical Infrastructure Act 2018 (SOCI Act) is achieving its intended objectives, functioning as intended, and is not producing unintended consequences. In this article, Pentagram Advisory Pty Ltd (Pentagram) will provide excerpts of the Review and also comment on components of the Review that Pentagram considers to be of most interest to Pentagram’s SOCI client entities and to our Community of Practice.

Pentagram Advisory Pty Ltd invites you to watch and / or listen this recording of our recent article about the risks that war with Iran poses to Australia's critical infrastructure entities.Whilst critical infrastructure entity attack surfaces span a myriad of threat vectors, including cyber attacks, Pentagram's article focuses on the people component - those people employed within Australia's critical infrastructure entities as possible sources of harm.Iranian expatriates in Australia are of course especially vulnerable to Iranian government interference, coercion, and espionage. Australia, as a compassionate pluralist society, will see our first instinct be to offer assistance and protection to this group. But we must also appreciate that there is a risk, likely from a very few Iranians, that there could be insider threats, either coerced of volunteering to undertake acts of harm against Australia's critical infrastructure.We also must appreciate that Khamenei was not just head of the Iran theocracy, but was a global Shia leader and sponsor of terror. On that basis, non-Iranian Shia and anti-Westerners may also be aggrieved by Khamenei's assassination at the beginning of the war, and by the ongoing war. Such people may also be coerced or volunteer to cause harm in Australia.This is a challenging topic, rife for rendering by some people as a dog whistle for discrimination based on religious or ethnic affiliation. That can be one way to view this matter. Another way to view discussion about this threat is to admit to the reality that we have evidence of Iranian government acts that have, and continue to, intimidate Iranian expatriates living in Australia. Further, the Iranian Government has sponsored violence in Australia. And that was before the war!Do we ignore reality, and the increased likelihood of Iranian Government action against Australia (there are reports of increased cyber attacks from Iranian sources), or do we shy away from known and potential harms to Australia for fear of offending a small group of people? Remember, vanishingly few people will evolve to become pro-Iranian insider threats, more are likely to be coerced to act or volunteer to act. Either way, the harm is the same. To protect Australia's critical infrastructure, a key foundation of Australia's national security, leaders need to understand the reality of the threats we face and that requires the courage to engage with difficult challenges as explored in the article.

In October and November 2025, the heads of Australia’s two most significant strategic intelligence assessment agencies made public their views on the geostrategic threats confronting Australia today. In those remarks, both leaders set out some of the threats and explored some of the consequences that could be inflicted upon Australia, including Australia’s critical infrastructure assets, if action is not taken now to detect, deter, and defend against these threats to Australia’s national security.Australia has been warned for years by its intelligence agencies, and by its allies, of the threats to our critical infrastructure by threat actors including hostile nation states, organised crime, and issue-motivated groups and individuals. Have Australian governments, private sector entities, or citizens responded in any meaningful way to these warnings, or have we been party to a slow-motion car crash, which we belatedly realise we are in the drivers’ seat for?

Why do employees sometimes go above and beyond to protect their organisation — and other times bend rules, ignore policies, or disengage from security altogether?In this episode, Pentagram Advisory explores the role of the psychological contract — the unwritten expectations of trust and fairness between employer and employee — and how its breakdown fuels insider threats. Drawing on research from the University of Warwick, we unpack why technical controls alone aren’t enough, how to recognise early signs of a breach, and what leaders can do to repair trust before it escalates into a security risk.For leaders, executives, and practitioners, this is a reminder that the deciding factor in insider threat is rarely opportunity — it is choice. And choice is shaped by trust.

ESG is one of the most decisive forces shaping corporate strategy and investment worldwide. But while environmental and governance issues dominate the headlines, the social dimension — the human factor — is often overlooked.In this episode, Pentagram Advisory explores why personnel security is the missing link in many ESG programs. We examine the risks posed by workforce vulnerabilities, insider threats, and supply chain exposures, and why boards and executives must integrate personnel security into ESG strategy to build resilience, protect value, and maintain stakeholder trust.Join us as we uncover how the people side of ESG could be the decisive factor in safeguarding purpose, performance, and profitability for organisations managing critical assets.

Foreign interference is no longer a distant problem — it is happening here in Australia, today.In this episode, Pentagram Advisory explores the growing threat of Chinese foreign interference and its impact not only on Australia’s national security but also on everyday workplaces. Drawing on recent cases and real examples, we examine how interference targets individuals, communities, and institutions, and why no workplace is immune.From political asylum cases like Ted Hui and Kevin Yam, to the covert collection of information from community groups, this episode highlights how interference can affect colleagues, threaten trust, and undermine social cohesion. We also outline practical steps workplaces can take — from recognising warning signs to building a culture of safe reporting and resilience.Join Pentagram Advisory’s Tim Slattery and Marina Shteinberg as they unpack the risks, share insights from recent reports, and provide guidance for boards, executives, and employees on staying alert without fuelling bias.

Two years on from the introduction of the Critical Infrastructure Risk Management Program (CIRMP) under the SOCI Act, what have we learned — and where do we go next?In this episode, Pentagram Advisory explores how organisations can use the annual CIRMP review and Board-approved report to strengthen governance, integrate SOCI-related security risks into their Enterprise Risk Management Framework, and build resilience that goes beyond compliance.We discuss practical steps for improving Board oversight, closing the gap between operational insights and strategic decisions, and embedding CIRMP into everyday risk management. Whether you’re a security leader, risk manager, or Board member, this conversation offers actionable insights to ensure your CIRMP drives value for your organisation.Based on our article CIRMP turns Two: Strengthening Annual Review, Board Oversight, and Risk Integration.

What does it take to build a trusted workforce — one that is resilient, high-performing, and secure? In this episode, Tim Slattery and Marina Shteinberg from Pentagram Advisory explore the invisible but critical psychological contract between organisations and their people.Based on their article Building a Trusted Workforce – Managing Human Risk with Purpose, this episode examines how trust is formed (and broken), the role of pre-employment screening and ongoing assessments, and how organisations can move beyond compliance to create a culture of security and care.Listen now to learn practical strategies for managing people risk with empathy, structure, and purpose.

This episode is titled: Pentagram Advisory First Anniversary – Celebrating One Year of CollaborationThis episode will explore a unique and unexpected aspect of Pentagram’s first year of operation – that is Pentagram’s connecting with other service providers that bring a natural point of collaboration with Pentagram. This collaboration provides additional and complementary benefits for our clients and followers. Collaboration also provides opportunities for Pentagram to contribute to meeting the needs of collaborators’ clients. The key message is that Pentagram has nested with other like-minded providers that share Pentagram’s values and vision to strengthen Australia’s national security by lifting up the security and resilience of Australia’s workforce and critical infrastructure.

This episode is titled: Insider Threat – Australian Government Recognises the Need for Insider Threat Programs. This podcast will explore the Australian Government’s efforts in recent years to mitigate insider threat in both the government and private sectors. The key message is that there is a need for insider threat program and that need comes from recognising the potency of the insider threat to harm Australia’s national security, defence, economic wellbeing, and social coherence. In terms of security threats, the two most potent threats are from people and cyber sources. We hope you enjoy this podcast and find it informative.

An insider threat incident at Canberra Hospital in May 2025, in which an employee targeted another employee ,reveals critical lessons for Critical Infrastructure Risk Management Program (CIRMP) compliance and personnel security under the Security of Critical Infrastructure Act 2018.