IT professionals monitor dashboards and code in a control room for system operations and security

Signed, sealed, exposed?

Cyber resilience now depends on board-level accountability, executive ownership and sustained investment.


In brief:

  • Cyber risk has become a leadership issue that needs clear ownership beyond the technology function.
  • SOCI compliance depends on stronger governance, accountable decisions and sustained investment.
  • Organisations should treat cyber resilience as a strategic priority, not just a technical control.

This article first appeared on LinkedIn

The most important cyber control under the Security of Critical Infrastructure Act 2018 (SOCI) isn’t technical. It’s the one that now requires the CEO’s signature and the CFO’s funding.

For organisations operating Australia’s critical infrastructure, SOCI has entered a new phase. On the surface, it looks like another regulatory update. The start of another loop of new requirements, new reporting, perhaps another technology uplift to achieve compliance.

But the shift is far greater than a new tech platform. Frontier AI is accelerating the cyber threat lifecycle, enabling adversaries to identify and exploit exposures at a velocity that outpaces traditional control uplift programs (from weeks to hours). At the same time, geopolitical tension and global instability reinforce how critical sectors like energy and water are to essential services and national resilience.

Why the patchwork won’t pass anymore

SOCI resets what “reasonable” cyber capability looks like across the 11 sectors deemed essential to national security, with enhanced rules proposed for high-risk asset classes, including energy, water and transport.

Early SOCI compliance allowed many organisations to meet expectations through fragmented controls and “reasonable steps”. A patchwork approach was enough to clear the first bar. The next bar is much higher, and many cyber programs will be exposed.

Frontier AI models are changing the economics of cyber risk. Tasks that once required specialist expertise and time-intensive reconnaissance may increasingly be accelerated through AI-assisted vulnerability identification and exploitation. In critical infrastructure environments, many of which still rely on decades-old operational technology and legacy protocols, this lowers the barrier for adversaries to uncover and combine weaknesses that may previously have remained obscure or difficult to exploit. This raises the stakes considerably.

The Australian Securities and Investments Commission (ASIC) has issued an unambiguous message to the market: “Do not wait for perfect clarity to address the threat posed by new AI models. Instead, act now, and act with discipline, to strengthen the cyber resilience fundamentals that underpin your business.”

 

Regulators are now looking for demonstrable, sustained capability – not isolated tools, platforms or dashboards, but systems and end-to-end processes that work together.

 

While there are ‘only’ four enhanced cyber requirements (and none of them are small), meeting them demands a step change in control maturity, and a fundamental rethink of how IT and operational technology environments are separated.

 

At the centre of this sits the Critical Infrastructure Risk Management Program (CIRMP). In plain terms, a CIRMP is a board-approved plan that sets out how an organisation identifies and manages its most material risks, including cyber. It must be reviewed at least annually, signed off by the CEO and submitted to government.

 

Cybersecurity, operational resilience and executive oversight are now bound together in a single, accountable framework.

 

Here’s what’s striking to me: The Department of Home Affairs has consulted with cyber and risk teams, but responsibility now sits with CEOs and CFOs. Investment decisions, governance trade-offs and annual attestations land at the top.

 

This means cyber specialists can no longer optimise controls in isolation; they must work with their colleagues to assess, communicate and agree to the trade-offs between protection, usability and business impact.

Three fronts, one set of trade-offs

When leaders hear the word “cyber”, they think “it’s time to buy some software or contract a cyber monitoring service”. But a cyber uplift at this level isn’t a single project. It’s a program with three interdependent dimensions that will inevitably require executives to make some trade-offs:

 

  1. Architecture and controls. This is the technical reality. Under the strengthened SOCI regime, this means an integrated risk-based cyber controls design across IT, operational technology, cloud and third parties, all aligned to real threat scenarios. Fragmented controls that worked “well enough” at low maturity unravel when regulators expect consistency, evidence and resilience across the whole system.

  2. People and process: Controls only work if they are understood, used and embedded in day-to-day operations. The success of any cyber program is as much a test of human change management as of technology implementation. Many organisations have invested in tools, only to find that behaviour, workflows and decisions have not changed. Incident response, access management, vendor onboarding and escalation pathways rely on people knowing what to do.

  3. Funding and governance: Cyber investment rarely sits in a single budget. It is typically spread across capital projects, operational spend, regulatory compliance and tactical remediation. CISOs need to work with CFOs to learn the ‘dark arts’ of unlocking the full funding available across the investment mix. Boards need full visibility and clarity on who takes responsibility.

You won’t be rolling out one platform. Complying with SOCI may mean rolling out a suite of new platforms.

 

Importantly, it will change the way people work. The two-year window to comply may not be wide enough for cultural change if you start too late.

 

How do organisations accelerate their maturity?

EY teams work with Australia’s largest critical infrastructure operators and we’ve learnt to treat cyber as a transformation program, not a project. This means designing a multi-year roadmap that builds capability over time, with a focus on sustainable controls.

 

The consequences are intensifying in line with the threats. Critical infrastructure accounts for 13% of reported cyber incidents, according to the 2024–25 Annual Cyber Threat Report. Critical infrastructure networks are “routinely targeted” by state-sponsored actors to “pre-position for disruption in a crisis”.

 

That’s why serious breaches of SOCI can attract penalties of up to $330,000 per day, alongside regulatory directions and, in extreme cases, government intervention.

Summary

The key takeaway? Cyber and risk teams understand the controls – but CEOs and boards bear the risk and reputational exposure. That makes SOCI a signature test of leadership.

About this article

Related articles

Plugged in, exposed: Why cyber is the new risk frontier for industrials and energy

Plugged in, exposed: Why cyber is the new risk frontier for industrials and energy