25 June 2023

Marketing to Critical Infrastructure: A Guide for Cyber Security and IT Services Companies

Understanding the Security of Critical Infrastructure Act for 2018 and its reforms, and using it in increasing awareness and demonstrating how your cyber security and IT services are capable of addressing Critical Infrastructure leaders’ pain points can help you secure more clients in these sectors. In this guide, we will discuss how security and IT service organisations can market to CI companies more effectively.

marketing to critical infrastructure | Filament

With cyber-attacks becoming more dangerous and frequent, securing critical infrastructure is vital.

As a result, cyber security and IT services companies need to adapt their marketing strategies to cater to this sector.

Understanding the Security of Critical Infrastructure Act for 2018 and its reforms, and using it in increasing awareness and demonstrating how your services are capable of addressing CI leaders’ pain points can help you secure more CI clients.

In this guide, we will discuss how security and IT service organisations can market to CI companies more effectively.

What Is Critical Infrastructure?

Critical infrastructure refers to the systems, assets, and networks that are fundamental for the functioning of a society, economy, or country. They’re essential for maintaining public safety, national security, and the overall well-being of a population.

The critical infrastructure sector is very important and its failure can lead to catastrophic circumstances, which makes it more vulnerable to cyber attacks than other industries.

Some examples of critical infrastructure include energy, communication networks, transportation, financial systems, and defence.

Protecting critical infrastructure is a top priority for the Australian government, and many of the security measures that were amended in recent years are specifically created for CI protection and improving its resilience.

The Security of Critical Infrastructure Act 2018: Explained

The Security of Critical Infrastructure Act (SCIA) 2018 aims to enhance the security and resilience of critical infrastructure assets. It focuses on protecting critical infrastructure from potential security threats and risks like ransomware.

Key provisions of the act encompass:

  • Critical Infrastructure Assets: Concerned with defining CI sectors and assets.
  • Enhanced Cyber Security Obligations: The act imposes security obligations on companies with critical infrastructure assets. These obligations implementing appropriate security measures, conducting risk assessments, and developing incident response plans.
  • Sector-specific Regulations: Explains additional security measures, guidelines and regulations that are specific to particular sectors.
  • Security Risk Assessments: Provides a framework for conducting security risk assessments of important critical infrastructure assets to spot potential threats and set the necessary protective measures.

Which Sectors Are Affected?

The Australian legislation now classifies 30% of Australian industries as critical infrastructure. These include:

  • Water and Sewerage
  • Energy
  • Communications
  • Food and Grocery
  • Data Storage or Processing
  • Defence
  • Transport
  • Financial Services and Markets
  • Healthcare and Medical
  • Space
  • Higher Education and Research

How Will This Impact Critical Infrastructure Companies?

The reforms introduced by the SOCI Act in Australia have significant implications for businesses, particularly those in critical infrastructure sectors.

The act relies on principle-based rules and regulations. This provides flexibility, but at the same time, it creates uncertainty for CI organisations, which can lead to poor decision-making subject to human judgment.

What’s more, complying with the new regulations will result in significant costs for businesses. The draft Regulatory Impact Statement (RIS) announced that the average one-time cost per entity to implement a written Risk Management Program rules is a whopping $9 million, in addition to an average ongoing cost of $3.7 million per year to maintain compliance.

A significant portion of these costs primarily falls on the organisations, but indirect costs are likely to pass on to customers.

Another requirement is a timely notification of cyber security incidents. Businesses are required to report critical incidents within a maximum of 12 hours of knowing about their existence. Reporting other incidents, on the other hand, can be delayed by up to 72 hours.

The 2021 and 2022 Amendments: Enhancing Critical Infrastructure Resilience

The Security Legislation Amendment (Critical Infrastructure) Act 2021 and the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 were introduced in two stages to strengthen the resilience of critical infrastructure.

These critical infrastructure reforms have expanded the scope of the Act, raising the number of critical infrastructure (CI) sectors from 4 to 11, and incorporating 22 categories of critical infrastructure assets.

These acts have also extended the government’s power for gathering information, issuing directives, and intervening as a last resort across the 11 critical infrastructure sectors, with certain safeguards in place.

The positive security obligation entails providing ownership and operational details to the Register of Critical Infrastructure Assets, mandatory reporting of cyber incidents within specified timeframes, and the development, adoption, and maintenance of a Risk Management Program that encompasses cyber security, personnel security, physical security, and supply chain disruption threats.

Reporting requirements and positive security obligations are either currently in effect or will be enacted once the implementing regulations take effect, targeting anything that may be considered as a critical infrastructure asset.

Certain systems of national significance may also be subject to higher level cyber security obligations, such as incident response planning, vulnerability assessment, and the provision of system information.

Many participants in the supply chain, such as responsible entities, direct interest holders, reporting entities, managed service providers, and operators, are directly affected by these obligations.

How Cyber Security and IT Services Companies Can Market to Critical Infrastructure More Effectively

Cyber Security and IT services can utilise the following tactics to explain the value of their offerings to potential critical infrastructure clients:

Explain the Current Security Landscape and How Critical Infrastructure Is Under Threat

After the COVID-19 pandemic, many business models were disrupted, along with supply chains across the world. This has led to an increased risk of security attacks, especially with a huge percentage of the workforce working remotely leading to a larger attack surface.

Add to that the insufficient risk management practices, resilience and accountability, and we’re basically dealing with a recipe for disaster. Further, the growing interdependence across organisations in Australia has increased the chance of successful cyber attacks, especially with these attacks becoming more frequent and advanced.

Explaining these concerns for CI organisations is vital to raise awareness of the looming danger of sophisticated cyber attacks.

Address the Primary Pain Points for Critical Infrastructure Business Leaders

C-Level Pain Points

For C-level executives, the primary challenge is providing the required resources needed to comply with the new CI reforms. C-levels are also expected to lead the decision-making process throughout the organisation in response to the reforms.

Board Pain Points

CI board members must be aware of all the cyber security risks that could damage their organisations. They need to lead the implementation of a robust cyber attack response strategy that enables them to restore their business operations back to normal with minimal losses.

Moreover, board executives need to be aware of their new obligations, which most importantly include signing the new Risk Management Program (RMP). They also need to govern CI entities with utmost care and responsibility.

IT Management Pain Points

IT managers need to support risk management by helping identify potential security threats and vulnerabilities that may lead to catastrophic consequences for the organisation. They also lead the implementation of new cyber security and data protection measures that ensure compliance with the SCIA requirements and obligations.

Risk Management Pain Points

Since new reforms for the CI Security Act require implementing a Risk Management Program (RMP), risk management executives must ensure that their operations and processes are in line with the newly-introduced regulations. This can be achieved by re-assessing the processes.

Articulate Your Competitive Differentiation in the Context of Critical Infrastructure

Demonstrating what sets you apart from the competition is vital when marketing your services to CI companies with SEO or other marketing channels. Here’s what you need to communicate in your competitive differentiation:


Cyber security and IT companies can emphasise their expertise in identifying and mitigating potential cyber threats and vulnerabilities within critical infrastructure systems. Depending on the company’s domain, this may include implementing robust security measures such as firewalls, intrusion detection systems, and encryption protocols to safeguard sensitive data and prevent unauthorised access.


Critical infrastructure companies require resilient systems that can withstand and recover from disruptions like cyber attacks, natural disasters, or even human error. Cyber security and IT services companies should demonstrate how their solutions can improve the resilience of critical infrastructure systems.

This may include implementing backup and recovery strategies, disaster recovery plans, and redundancy measures to reduce downtime and ensure uninterrupted business operations.


Compliance with regulatory requirements and industry standards is essential for critical infrastructure companies, particularly in highly regulated sectors such as energy, telecommunications, and transportation

Cyber security and IT services companies can demonstrate their solutions’ significance by explaining how they can assist critical infrastructure companies in achieving and maintaining compliance.

They can highlight their knowledge of relevant regulations and standards, such as the Security of Critical Infrastructure Act 2018, the Australian Government Information Security Manual (ISM) and industry-specific guidelines, and how their solutions align with these requirements.

By ensuring that critical infrastructure companies meet compliance obligations, IT companies can demonstrate the value of their services in avoiding penalties, reputational damage, and potential service disruptions.

Business Continuity

Cyber security and IT services companies can showcase their solutions’ importance for critical infrastructure companies by communicating how they can ensure uninterrupted business operations.

They can highlight how their solutions support business continuity by implementing measures such as robust data backups, redundant systems, and disaster recovery plans.

By ensuring that critical infrastructure systems can continue functioning during and after disruptions, these companies contribute to minimising downtime, reducing financial losses, and maintaining the delivery of essential services.

Want to Market Your Cyber Security and IT Services to Generate Demand Within Critical Infrastructure Sectors?

At Filament, we help cyber security and IT organisations generate demand and drive better results with case-specific marketing strategies.

Having worked with a wide range of partners, vendors, and organisations across various technology industries, we know the ins and outs of launching and maintaining robust marketing strategies that work.

Reach out to us now to discuss how we can help you reach and acquire more CI clients.

More insights