ISM 2025 Explained: What CISOs, Devs and Security Leads Need to Know - with Toby Amodio

Episode Summary

The Australian Information Security Manual (ISM) just got a major update, and not everyone’s thrilled. In this special episode of Secured, Cole Cornford is joined by Toby Amodio (Head of Professional Services, Fujitsu Cyber) to break down what’s changed, what’s missing, and what it all means for CISOs, AppSec teams and public sector security leads.

From the new cybersecurity principles (and why they feel like yak shaving) to the long-overdue expansion of software security controls, Cole and Toby navigate the mess of frameworks, missing maturity models, and babushka-doll-style mappings that have left many teams overwhelmed. They also reflect on what “secure-by-default” really means in a world of legacy codebases, overstretched resources, and one-person AppSec teams.

Timestamps

01:02 – Why ISM Updates Matter (Even If They’re Late)

02:32 – New Principles: Nice Idea, Hard to Implement

04:08 – Yak Shaving and the Complexity Cascade

07:48 – Mapping Mayhem: PSPF, E8 and Governance Overload

10:25 – Losing the Maturity Model: Who Does That Help?

13:46 – Secure-by-Default and the Problem with OWASP-as-a-Proxy

18:13 – Integration, Incentives, and Cyber vs. Business Silos

20:34 – The Talent Gap and Why Code Reviews Still Matter

22:58 – Galah Cyber, Capability Building & Doing AppSec Right

23:57 – Why Buying Tools Isn’t the Same as Building Capability

25:21 – What Red, Amber, Green Tools Really Miss

26:01 – One ISM to Rule Them All… If You Can Implement It

26:52 – Final Thoughts (and a Funding Stick for CISOs)

Mentioned in this episode:

Call for Feedback

This podcast uses the following third-party services for analysis:

Podtrac - https://analytics.podtrac.com/privacy-policy-gdrp
Spotify Ad Analytics - https://www.spotify.com/us/legal/ad-analytics-privacy-policy/