Shifting the Compliance Paradigm: One Paddock, One Cow, and the Future of Australian Personnel Security

Discover how WorkSec Director Sari Mustonen-Kirk believes outsourced personnel security and practical governance can help Australian SMEs navigate DISP compliance and strengthen sovereign capability.

Shifting the Compliance Paradigm: One Paddock, One Cow, and the Future of Australian Personnel Security

The landscape of the Australian defence industry is moving fast. As the Defence Industry Security Program (DISP) shifts from a newly established framework into an actively audited compliance regime, small-to-medium enterprises (SMEs) face a major operational shift. 

Between tight procurement deadlines, the need for specialised security staff, and complex technical reporting obligations, many businesses across the country are currently adapting to the new paradigm. 

Sari Mustonen-Kirk, Director at WorkSec and a finalist for the 2026 Defence Leader of the Year (SME) at the Australian Defence Industry Awards, has advice for the organisations, large and small, that make up this vital supply chain. In this comprehensive interview, Sari strips back the jargon to discuss the human reality behind national security, the “trusted architecture” required to suipport our sovereign supply chain, and her famous “one paddock, one cow” approach to elite compliance.

Part 1: The Award and the Shifting Landscape

Question: Sari, congratulations on being named a finalist for the 2026 Defence Leader of the Year in the SME category. Looking back at the 2025 calendar year that earned you this nomination, what do you think truly set your approach apart?

Sari Mustonen-Kirk: Thank you! It’s incredibly exciting. When I was named a finalist, we quickly realised something important: these leadership awards aren’t ultimately about products or platforms. They are about people.

The crux of my approach and why I believe I actually made the finalist list is a holistic, 360-degree view of the defence industry ecosystem. I don’t look at workforce security as an isolated administrative task. I flew up, took a bird’s-eye view, and mapped out the entire universe: the defence force personnel, Primes, the procurement teams, associations, informal networks, charities, recruiters, consultancies, talent pools, and SMEs themselves.

Question: You’ve often described the current state of the defence sector as being in an “early” phase of its regulatory cycle. What do you mean by that, and what are you seeing on the ground?

Sari Mustonen-Kirk: If you look at the history, the “New DISP” framework was rolled out in 2019. Following several Australian National Audit Office (ANAO) reports, it became apparent that Defence had to readjust its frameworks to track who held clearances and who was compliant. This adjustment phase is a common theme during any major regulatory change. 

Now, look at what happens in any heavily regulated environment when a regime changes. I saw the exact same patterns play out in a past life when ASIC transitioned the financial markets into the modern AFSL licensing regime. First, regulators establish the framework and ask the industry to jump on board. Everyone scrambles to first figure out which boxes to tick, then how to do them. But it isn’t until regulators actively audit organisations that they discover what everyone has managed to get right and where governance and processes remain immature. That’s where the risks really live. 

Right now, DISP has matured its expectations and governance framework and is in the process of auditing its members. However, the system is still working through the intricacies of bedding down this new operating environment because the remediation and escalation pathways aren’t fully matured yet. Unless AI speeds everything up drastically, we are still two to five years away from a seamlessly policed, fully mature ecosystem. At WorkSec, we chose not to wait around for that to happen. From Day One, we made it our overriding goal to be a “DISP darling,” an elite role model for how an emerging framework should look applied in practice.

Part 2: The SME Conundrum and the Power of Co-Sourcing

Question: The outside world tends to view “Defence” as a massive, monolithic military body. But you’re focusing heavily on the support infrastructure behind it – the small and medium businesses. Why are SMEs feeling the regulatory pinch so acutely right now?

Sari Mustonen-Kirk: Supply chain security requirements are now being enforced and becoming a ‘must’ to operate in this environment, rather than simply a ‘should.’ Defence is pushing hard to ensure its entire supply chain consists of accredited DISP members and appropriately cleared personnel at increasingly sensitive and secret levels.

Imagine this scenario, which happens all the time: You’re a highly specialised engineering or manufacturing SME. It’s 4:30 PM on a Friday afternoon, and you find out you’ve just won a crucial defence tender. But there’s a catch, you need five of your key staff cleared to start work. You start googling at 11:00 PM on a Friday night, realising you don’t have the regulatory infrastructure, don’t know how to navigate the Ordinary Queue at AGSVA, and have no internal compliance tracking. It’s harrowing for a business owner because it threatens to divert all your energy away from your actual core capability.

Question: How does WorkSec step in to address that specific piece of the puzzle and alleviate the burden?

Sari Mustonen-Kirk: We act as their co-sourced or outsourced personnel security (PERSEC) partner. If an SME’s internal DISP membership is caught up in the backlog, or if they lack the bandwidth to manage it, they nominate us. We handle the applications, mandatory Emploment Suitability Checks, onboarding and sponsor their personnel’s clearances. The SME retains daily operational supervision of their staff, but we take over the heavy lifting on compliance.

Even when an SME finally gets their own internal DISP membership approved, they hit a second wall: hiring a dedicated Security Officer (SO). Good SOs are rare, expensive – and if you only hire one, they can never take a holiday without creating a massive gap in your security coverage. When you look at the commercial math, it’s vastly superior for an SME to outsource that entire model to a dedicated specialist. We live and breathe PERSEC, and we validate that outsourced model every single day.

Question: You have a wonderful, memorable phrase for this type of business focus. Can you share it with us?

Sari Mustonen-Kirk: (Laughs) Yes, I often speak in metaphors, but people seem to instantly understand them. I always say WorkSec is “one paddock, one cow.” It means we’re not trying to be twenty different things to twenty different markets. We do one thing exceptionally well: PERSEC. That’s our laser focus: providing outsourced security officer frameworks for SMEs so they can service major defence contracts with confidence.

That same focus also lets us support the supply chain more practically. Sure, we help SMEs and supply chain partners sponsor and govern their own people, but where immediate capability is needed, we can introduce pre-cleared talent from our own pool into trusted defence environments. It’s still the same paddock: the right cleared people, in the right governed settings, faster and with less burden on the whole system.

Part 3: The Human Element and “Trusted Architecture”

Question: In a highly regimented, protocol-heavy environment like defence, you place a massive emphasis on culture and what you call a “Head and Heart” model. How do you build a flexible, agile team within such rigid industry guardrails?

Sari Mustonen-Kirk: It comes down to our mantra: “High Tech, High Touch.” With the rapid rise of AI, keeping a deep, authentic human connection in our business processes is more critical than ever.

Internally, we design our roles around three dimensions: Strengths, Capacity, and Capability. Capability is your background and experience. Capability is a given. But Capacity is who you are as a human being today. We don’t force people into a rigid 9-to-5 desk routine; we manage by outcomes and hours per month. If one of our security officers needs to go to the dentist or take a Monday off, they flag it in our internal system, and another team member steps in. Our internal ethos is “kick it to me.” Our clients are professionals and SMEs in the defence supply chain, and most of them aren’t working 9-to-5 either. We give the market what it needs when it needs it.

And, because we give our humans the absolute best working environment, they willingly and happily provide a level of hyper-responsiveness that you simply can’t automate with a machine or a model. If an anxious client calls us out of hours or early on a Saturday morning, a real human being answers the phone.

Question: You’ve mentioned that you’re currently working on a concept called “Trusted Architecture” for organisational design. How does that translate to the daily responsibilities of managing national security clearances?

Sari Mustonen-Kirk: Our Trusted Architecture is about redesigning position descriptions so they recognise where trust can break and how it can be strengthened to reflect the real-world human dynamics of security, not just corporate text. In any assurance regime, the most critical assets are what I call the “named humans.” Under the Defence Security Principles Framework (DSPF), a security officer is an appointed individual personally responsible for sponsoring a cleared individual. 

The relationship relies on a collaborative reporting structure. If an individual clearance holder undergoes a major change in personal circumstances – say they win the lotto or buy a brand-new Ferrari out of nowhere – they are legally obligated to report that financial shift. But what if they don’t? The employer on the ground might notice the sudden change. Under our model, the SME serves as the daily “eyes on the ground,” while WorkSec serves as the governance engine that runs mandatory security awareness briefings, compliance check-ins, and travel reminders. All those human pieces have to work together as a team to protect national security.

Part 4: The Vision for Sovereign Capability

Question: When you hear people in the industry complaining about delays or frustrations with defence departments, your perspective is surprisingly empathetic toward the regulators. Why is that?

Sari Mustonen-Kirk: When I go out into the field, I hear a lot of people moaning about the problems and blaming the departments. But I think there is a profound lack of awareness regarding what massive cultural and digital transformation actually requires.

We are asking a massive sector with millions of moving parts – literally, if you consider how many people defence employs directly and indirectly – to jump from “then” to “now” almost overnight. Defence isn’t doing a poor job; the regulators aren’t doing a slow job. It’s part of a necessary evolutionary process that ultimately affects every Australian. I want WorkSec’s voice to always be an informed, constructive one that helps raise awareness, builds bridges, and takes action, rather than wasting words complaining about speed bumps.

Question: Looking ahead at the next 12 months, what is your ultimate vision for WorkSec as you move deeper into 2026 and prepare for 2027?

Sari Mustonen-Kirk: 2025 was spent truly learning what the industry needed. 2026 is about consolidation, growth, and the start of delivering structural solutions based on those insights. We are looking to evolve our security officer models and work with a range of potential partners to build out new PERSEC services that we will offer back to the wider industry.

On a broader scale, I am deeply proud that we have the actual muscle and influence to improve Australia’s national security posture. By streamlining compliance for local SMEs and building a true security-aware culture among the people in our supply chains, we are actively helping innovative and family-owned Australian businesses enter the supply chain. That is how we build genuine sovereign capability. If we can engineer, manufacture, service, and secure our own defence assets domestically, we start to mitigate the risk of running out of critical supplies during a global crisis.

For me, this award nomination is a beautiful validation that a collegiate executive team can operate from both the head and the heart, play directly to their strengths, and deliver smashingly awesome results for our country.

Question: It sounds like you are successfully fattening that metaphorical cow.

Sari Mustonen-Kirk: (Laughs) We are.  Life on the farm is good!

Stuart Rainsford
Stuart Rainsford

Managing Director with expertise in Defence, IT, and governance, leading WorkSec to strengthen Australia’s Trusted Workforce.

Share this article

More Insights

Read WorkSec insights and expert commentary on security clearances, defence industry trends, personnel security, compliance, and Australia’s evolving secure workforce.

Insights
Tue 25 Nov

PSPF Direction 003-2025: Online Disclosure of Security Clearances

Australia’s PSPF Direction 003-2025 clamps down on advertising security clearances online, with Defence Industry and DISP entities expected to tighten policies, training and spot checks.

Insights
Sat 25 Oct

Cleared Careers Part 2: The Security Cleared Talent Pool

Competition for security-cleared talent in Australia’s defence and government sectors is surging, with WorkSec helping candidates navigate eligibility, suitability, and sponsorship to build trusted, cleared careers.

Insights
Sat 25 Oct

Cleared Careers Part 1: The Cleared Industry

Teaming and partnering in the defence sector help businesses meet DISP sponsorship and compliance needs with trusted, cleared workforces.

Insights
Fri 30 May

Defence Industry Leadership – The Business of Trust

Trust in defence industry supply chains is at the heart of bolstering our national security.

START YOUR PATH TO INDUSTRY-READY CAPABILITY

Whether you’re an individual seeking security clearance sponsorship or an organisation needing personnel security governance, reach out to WorkSec today to take the next step in securing your future.

Get Started Background

Stuart Rainsford

Managing Director
Stuart Rainsford

Stuart is the Managing Director, Chief Security Officer, and Chief Information Security Officer of WorkSec. With more than 20 years of experience in enterprise security, ICT, and Defence, Stuart is a seasoned leader specialising in strategic planning, risk management, and operational excellence. Recognising the critical talent shortage in the Defence Industry, Stuart founded WorkSec to address personnel security governance challenges and strengthen Australia’s sovereign capability.

His career spans executive leadership in IT, cyber security, and Defence, where he has applied his expertise in governance, compliance, and operational oversight to deliver sustainable outcomes. Known as a “strategic activator”, Stuart combines visionary thinking with a decisive, action-oriented approach, ensuring ideas are swiftly transformed into practical results. This skill allows him to navigate complex challenges, drive innovation, and inspire teams to deliver on long-term strategic goals.

Stuart holds a Master’s Degree in Management, a Graduate Certificate in Business Administration, and is a Graduate of the Australian Institute of Company Directors (GAICD) and the Australian Centre for Business Growth. Currently completing his MBA, he has also served as a non-executive board member for several organisations and associations. With his blend of technical insight, governance expertise, and strategic activation, Stuart continues to guide WorkSec in delivering Trusted Workforce solutions that align with Australia’s national security priorities.

Connect with Stuart