The Art of Mastering Cyber Risk: From Spreadsheets to Strategic Resilience in Critical Infrastructure
Posted: Wednesday, Jan 15


At the Art of Play with my youngest some time back, I was reminded how covering things up only masks the problem. It got me thinking about the art of mastering cyber risk. Disconnected governance, incomplete controls or sheer technology complexity can mask the risk lurking beneath the surface: untreated and potentially catastrophic.

Critical Infrastructure organisations are under increasing pressure to manage complex cybersecurity risks. The consequences of a cyber incident in sectors like energy, water, healthcare and transport can be devastating, not just financially, but in terms of safety, service availability and public trust.

Yet, despite the high stakes, many Critical Infrastructure organisations manage operational technology (OT) risk separately from strategic organisation risk. This fragmented, manual approach cannot keep pace with the evolving threat landscape. Risks remain siloed, under-prioritised and disconnected from business strategy.

It's time for a shift. Critical Infrastructure leaders need to move beyond checklists and spreadsheets toward integrated, strategic risk management. This is not just good practice; in Australia it's a regulatory requirement under the Security of Critical Infrastructure (SOCI) Act and its Critical Infrastructure Risk Management Program (CIRMP) obligations.

The Challenge: OT Risk Buried in Spreadsheets

Operational technology (OT) environments in Critical Infrastructure sectors are complex, blending industrial systems with modern IT networks. Worryingly, OT cybersecurity risks are often tracked in static spreadsheets disconnected from enterprise risk registers and decision-making.

This leads to several potential problems:

  • Fragmented Risk Visibility: OT risks aren't rolled up into business-level insights.
  • Overloaded Registers: Technical risks flood risk registers, leaving executives overwhelmed and disengaged.
  • Ineffective Treatment: Without clear ownership and strategic prioritisation, critical risks remain unaddressed.
  • Misallocation of Funding: A risk that isn't aligned across the enterprise can miss out on the funding needed to ensure it is treated correctly.

A spreadsheet can't keep up with today's cyber threats. Critical Infrastructure organisations need a dynamic, scalable approach that connects cybersecurity risks with business impact.

Moving from Compliance to Resilience

The SOCI Act, through the CIRMP requirement, sets the foundation for better risk management. CIRMP obligates Critical Infrastructure organisations to actively manage four key areas:

  1. Cyber and Information Security Risks: Safeguarding digital and OT systems.
  2. Personnel Security Risks: Protecting against insider threats.
  3. Supply Chain Security Risks: Securing third-party relationships.
  4. Physical Security Risks: Defending against physical sabotage or intrusion.

But let's be clear: compliance alone won't make an organisation resilient. The goal isn't just to meet regulatory requirements; it's to build a risk management culture that genuinely protects critical services.

A Smarter Approach to Risk Management

Here's how Critical Infrastructure organisations can move beyond spreadsheets and compliance to strategic, integrated risk management:

    1. Establish Context and Governance
  • Define your organisation's risk appetite in practical terms.
  • Understand which critical systems, assets, and supply chain components need protection.
  • Ensure executive and board-level accountability for risk management.
    2. Adopt a Fit-for-Purpose Framework

Choose a framework that supports CIRMP and, in particular, OT environments:

  • ISO 31000 for enterprise-wide risk management.
  • ISO/IEC 27005 (the risk management standard in the ISO/IEC 27000 series) for information security risk management.
  • NIST Cybersecurity Framework (CSF) for cyber and information security.
  • AESCSF (Australian Energy Sector Cyber Security Framework) for energy sector OT-specific risks.
    3. Identify and Prioritise Risks Across Domains
  • Implement continuous risk identification processes across IT, OT, supply chain, and physical assets.
  • Roll up technical risks into organisation-level strategic categories for executive decision-making.
    4. Translate Cyber Risks into Business Risks

Executives need to see how cybersecurity impacts business outcomes, not just technical metrics. Here's how to roll up cybersecurity risks into business-aligned categories:

  • Safety: Cyber incidents that could cause physical harm to people or damage critical assets.
  • Availability: Disruptions to essential services like energy, water, and healthcare.
  • Integrity: Manipulation of data or systems that erodes operational trust.
  • Confidentiality: Breaches of sensitive or regulated data.
  • Financial: Fraud, unauthorised transactions, or costly downtime.
  • Reputation: Loss of public trust and stakeholder confidence.
    5. Treat Risks with Clear Ownership
  • Agree clear ownership of risks across cyber, OT, supply chain, and physical security domains.
  • Develop risk treatment plans that prioritise impact over technical complexity.
    6. Monitor, Review, and Improve
  • Continuously monitor controls and update risk treatments.
  • Integrate lessons learned into risk management practices.
  • Keep the board engaged with meaningful, business-focused risk reporting.

Learning from Finance and Safety Disciplines

Cyber risk management doesn't need to start from scratch. The financial and safety sectors have spent over a century refining risk frameworks, governance models, and treatment strategies.

Applying these principles to cyber risk can accelerate resilience:

  • Quantify Risk: Use financial models to express cyber risk in dollar terms.
    • Consider using the Factor Analysis of Information Risk (FAIR) methodology for quantifying and managing risk.
  • Prioritise Like Safety: Apply safety risk methodologies to prioritise high-impact cybersecurity threats.
  • Governance Matters: Adopt accountability structures similar to financial compliance models.
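The roll-up of technical OT risks into business categories described under "Translate Cyber Risks into Business Risks", and the FAIR-style quantification in dollar terms suggested just above, worked through in Python as an added example. This is not the author's tooling and not a FAIR reference implementation: it uses FAIR's top-level decomposition (loss event frequency times loss magnitude), turns three-point estimates into numbers with modified-PERT sampling and draws event counts from a Poisson process, both of which are assumptions of the example. Every risk entry, owner title, frequency range and loss range in it is constructed for illustration.

```python
"""FAIR-style quantification and business roll-up of OT technical risks.

Added example, not from the original article. All register entries, ranges
and owner titles are constructed; calibrate against your own incident data.
"""
import math
import random
import statistics
from collections import defaultdict
from dataclasses import dataclass

BUSINESS_CATEGORIES = ("Safety", "Availability", "Integrity",
                       "Confidentiality", "Financial", "Reputation")


@dataclass(frozen=True)
class TechnicalRisk:
    risk_id: str
    description: str
    category: str   # one of BUSINESS_CATEGORIES (the executive view)
    owner: str      # accountable role, not a team name
    lef: tuple      # loss event frequency per year: (min, most likely, max)
    lm: tuple       # loss magnitude per event in AUD: (min, most likely, max)

    def __post_init__(self):
        if self.category not in BUSINESS_CATEGORIES:
            raise ValueError(f"{self.risk_id}: unknown category {self.category!r}")


def pert_mean(lo, mode, hi, lam=4.0):
    """Mean of a modified-PERT three-point estimate (assumed estimator)."""
    return (lo + lam * mode + hi) / (lam + 2)


def pert_sample(rng, lo, mode, hi, lam=4.0):
    """One draw from a modified-PERT (scaled beta) distribution over [lo, hi]."""
    if hi <= lo:
        return lo
    a = 1 + lam * (mode - lo) / (hi - lo)
    b = 1 + lam * (hi - mode) / (hi - lo)
    return lo + rng.betavariate(a, b) * (hi - lo)


def poisson_sample(rng, rate):
    """Number of loss events in one year at the given rate (Knuth's algorithm)."""
    limit, k, p = math.exp(-rate), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def annualised_loss_expectancy(risk):
    """Point estimate: expected events per year times expected loss per event."""
    return pert_mean(*risk.lef) * pert_mean(*risk.lm)


def simulate_annual_losses(risk, rng, years=5000):
    """Monte Carlo annual loss: draw a rate, draw an event count, sum per-event losses."""
    losses = []
    for _ in range(years):
        events = poisson_sample(rng, pert_sample(rng, *risk.lef))
        losses.append(sum(pert_sample(rng, *risk.lm) for _ in range(events)))
    return losses


def roll_up(risks, seed=42, years=5000):
    """Aggregate technical risks into business categories, sorted by expected annual loss.

    Each row also carries the simulated mean and 99th-percentile annual loss, so
    low-frequency, high-impact (safety) risks stay visible when their ALE looks small.
    """
    rng = random.Random(seed)
    by_cat = defaultdict(lambda: {"ale": 0.0, "annual": [0.0] * years,
                                  "risk_ids": [], "owners": set()})
    for r in risks:
        row = by_cat[r.category]
        row["ale"] += annualised_loss_expectancy(r)
        for i, loss in enumerate(simulate_annual_losses(r, rng, years)):
            row["annual"][i] += loss   # same simulated year across risks in a category
        row["risk_ids"].append(r.risk_id)
        row["owners"].add(r.owner)
    rows = []
    for cat, row in by_cat.items():
        q = statistics.quantiles(row["annual"], n=100, method="inclusive")
        rows.append({"category": cat, "ale": row["ale"], "p99": q[98],
                     "sim_mean": statistics.fmean(row["annual"]),
                     "risk_ids": row["risk_ids"], "owners": sorted(row["owners"])})
    return sorted(rows, key=lambda x: x["ale"], reverse=True)


# Constructed sample register entries (illustrative, not from any real assessment)
SAMPLE_RISKS = [
    TechnicalRisk("OT-001", "Unpatched HMI reachable from the corporate network", "Availability",
                  "Head of Operations", (0.2, 0.5, 1.0), (200_000, 800_000, 3_000_000)),
    TechnicalRisk("OT-002", "Shared engineering workstation credentials", "Integrity",
                  "OT Engineering Manager", (0.1, 0.3, 0.6), (50_000, 150_000, 500_000)),
    TechnicalRisk("OT-003", "Safety instrumented system on a flat process network", "Safety",
                  "Head of Operations", (0.01, 0.05, 0.2), (1_000_000, 5_000_000, 20_000_000)),
    TechnicalRisk("SC-001", "Remote vendor access without MFA", "Availability",
                  "Head of Procurement", (0.3, 0.8, 1.5), (50_000, 200_000, 1_000_000)),
]

if __name__ == "__main__":
    for row in roll_up(SAMPLE_RISKS):
        print(f"{row['category']:<13} ALE ${row['ale']:>12,.0f}  p99 ${row['p99']:>12,.0f}  "
              f"risks={','.join(row['risk_ids'])}  owners={'; '.join(row['owners'])}")
```

Run as a script it prints one line per business category: expected annual loss, the 99th-percentile simulated year, the contributing register IDs and the accountable owners, which is the level of detail a board report needs and a spreadsheet of technical findings does not give. Ranking on expected loss alone puts Availability first; the Safety row's p99 is far larger than its ALE, which is exactly the tail that an expected-loss ranking hides and why the impact-led prioritisation of safety disciplines belongs alongside the dollar figure.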

This isn't about reinventing the wheel; it's about learning from what works.

Beyond Spreadsheets: Building a Resilient Future

Operational and cybersecurity risks in Critical Infrastructure sectors are too critical to be buried in spreadsheets or treated as mere compliance checklists. Leaders must transform risk management into a dynamic, strategic function that directly supports service reliability and public safety.

The SOCI Act's CIRMP obligations set out the minimum requirements, but it's up to Critical Infrastructure leaders to turn those requirements into actionable, business-aligned strategies. By integrating OT risks into enterprise risk frameworks and translating cyber threats into strategic insights, organisations can truly protect Australia's most critical services.

Sam Mackenzie
Sam Mackenzie grew up completely off-grid in country Victoria, Australia - an experience that fuels his passion for securing critical infrastructure, maintaining utility supply and ensuring cyber-physical safety. Over his career, he has worked with global brands overseas and household names in Australia, earning a reputation for building high-performance teams in the health, telecoms, energy and local government sectors. Sam's leadership approach is defined by structured thinking, an ability to simplify complexity and developing culture as a catalyst for meaningful change.
Cybersecurity Committee Member - Australian Computer Society (ACS)
Management Committee Member - Australian Control Room Network Association (ACRNA)