Information security is not directly regulated in Australia and is instead subject to a patchwork of different legal and regulatory frameworks. How Australian information security practitioners construct and action information security therefore becomes important to the overall operation of a fragmented regulatory framework. How then do Australian information security practitioners understand information security and make compliance-oriented decisions? Our exploratory interview research examined how nine Australian information security practitioners understood and constructed their role as delegated regulators of organisational information security processes. Participants expressed a number of concerns that reveal a very different world to that traditionally portrayed as the discipline and practice of information security. We examine these concerns and discuss what they mean in the context of the Australian environment.