ISM 2025 Explained: What CISOs, Devs and Security Leads Need to Know - with Toby Amodio

Episode SummaryThe Australian Information Security Manual (ISM) just got a major update, and not everyone’s thrilled. In this special episode of Secured, Cole Cornford is joined by Toby Amodio (Head of Professional Services, Fujitsu Cyber) to break down what’s changed, what’s missing, and what it all means for CISOs, AppSec teams and public sector security leads.From the new cybersecurity principles (and why they feel like yak shaving) to the long-overdue expansion of software security controls, Cole and Toby navigate the mess of frameworks, missing maturity models, and babushka-doll-style mappings that have left many teams overwhelmed. They also reflect on what “secure-by-default” really means in a world of legacy codebases, overstretched resources, and one-person AppSec teams.Timestamps01:02 – Why ISM Updates Matter (Even If They’re Late)02:32 – New Principles: Nice Idea, Hard to Implement04:08 – Yak Shaving and the Complexity Cascade07:48 – Mapping Mayhem: PSPF, E8 and Governance Overload10:25 – Losing the Maturity Model: Who Does That Help?13:46 – Secure-by-Default and the Problem with OWASP-as-a-Proxy18:13 – Integration, Incentives, and Cyber vs. Business Silos20:34 – The Talent Gap and Why Code Reviews Still Matter22:58 – Galah Cyber, Capability Building & Doing AppSec Right23:57 – Why Buying Tools Isn’t the Same as Building Capability25:21 – What Red, Amber, Green Tools Really Miss26:01 – One ISM to Rule Them All… If You Can Implement It26:52 – Final Thoughts (and a Funding Stick for CISOs)Mentioned in this episode:Call for FeedbackThis podcast uses the following third-party services for analysis: Podtrac - https://analytics.podtrac.com/privacy-policy-gdrpSpotify Ad Analytics - https://www.spotify.com/us/legal/ad-analytics-privacy-policy/

There are no comments yet.

Please log in to write the first comment.