The Protective Security Policy Framework is meant to guide how government manages security risk, but constant updates make it harder to implement than to understand. In this episode of Secured, Cole Cornford is joined by Toby Amodio, Practice Lead at Fujitsu Cybersecurity Services and former senior cybersecurity leader across Australian government, to break down what actually changed in the latest PSPF update and why it matters in practice.
They examine the growing focus on personnel security and foreign interference risk, the inclusion of AI guidance that adds little beyond basic risk assessment, and the long overdue recognition of Secure Service Edge and SASE as compliant gateways. The conversation also explores why deny lists and centralised risk sharing sound sensible on paper but are far harder to enforce in reality, and why most security failures still come down to behaviour, accountability, and how technology is actually used rather than what policy says.
Transcript Synced · click any line to jump ▾
Cole Cornford: So many folk are focused on the wrong thing, which is where like there's conversations about polluting training data, about bias in the model, about, you know, supply chain risks. And almost all of the issues that I see are just people using it incorrectly.
Toby Amodio: It's like saying a car is safe, but it depends on who drives it and what they're driving to do. And so going Anthropic and OpenAI are safe, like are okay to be used. But then for me, as you said, the use case is the more interesting piece.
Cole Cornford: I'm Cole Cornford, and this is Secured, the podcast where I chat with developers, security pros, and the folks with stories worth telling. We talk about what really happens in AppSec, the good, the bad, and the bits that people usually leave off their slide decks. Open source now powers over 90% of the software we build, but it's also where attackers increasingly strike. ChainGuard closes that trust gap with hardened, secure, production-ready open-source builds so teams can build faster, stay compliant, and eliminate risk. Get your free CVE reduction assessment at dayone.fm/chainguard and start shipping software with confidence. Hey everybody. Today I'm joined by Toby Amodio, who is the practice lead at Fujitsu Cybersecurity Services and has previously held government cybersecurity leadership positions at the ATO and the Australian Parliament House. Hey Toby, how are you doing on this fine episode of Policy Wonks and Gronks?
Toby Amodio: I'm great, thank you, and it's good to be back. I always appreciate having a chat with you, sir.
Cole Cornford: Thank you. So it's this one, we're talking a little bit about the PSPF updates, which are rather confusing for me as the gronk in the room. So would you be able to at least explain to my audience what PSPF is the PSPF is and like the difference between like ADOC directives, policy advisory, and annual updates is?
Toby Amodio: Yeah, perfect. So the PSPF, or the Protective Security Policy Framework, is effectively the overarching north star for every government agency within Australia around security. And it's not just cybersecurity, it's personnel, physical, cyber, and cybersecurity governance writ large. The cyber in that is actually technology and risk, but I'll just call it cyber for the purposes of the pod. Now the great thing about the PSPF is it's mandated that every agency follow it as a part of getting their money. And so every agency then has to really follow the updates to it. So it's, I'm glad that we have a chat about it. And it's also a dynamic document because inevitably the controls aren't static. And so it's constantly being updated. They have at least one annual update. And so today we'll talk through that update that occurred in the middle of the year in July. And then we'll talk through some of the other minor updates that occur and they have things called PSPF Directives, which are emergency ad hoc updates to the PSPF, which include specific directives, shockingly with the name, and the actions required for agencies to implement. And then those get rolled into the next annual update as the next annual update's released. But we've also got a new one this last 3 months, which was a policy advisory. And whilst I'm the wonk for the policy section here, I don't actually know how an advisory differs from a directive. I think it's just a hot take from Home Affairs, but— Yeah. We will talk through that as well. It's not confusing at all that we've got multiple different ways that it updates, but it always keeps us on our toes. And I'll say as well, to complement that update, it's, I really do appreciate the Australian government leads in on this and that Home Affairs are so diligent in their updates and are good at what they do, even if that makes our lives hard as we're constantly chasing that moving bar.
Cole Cornford: Yeah, I was gonna say, yeah, hot takes, we should actually appreciate the government agencies that put the effort into doing these things. So good work, guys. I'm excited. Excited to see what future updates are for our future editions for Policy Gronks and Wonks. But anyway, let's start with, uh, just the annual update. What's, what's the, the main thing that like they've been able to change on it? There's a couple of things like adding a governance section and a few extra directives. Like what, what do you, what are the highlights for you?
Toby Amodio: Yeah, so the highlight for me was it's a pretty sensible update where they incorporated the directives from over the last kind of, uh, financial year into the update, which is, which is fine. Uh, the overarching theme from it, if I had to summarize summarized it was kind of 3 things, which is the Persec and the foreign intelligence risk is increasing. And because of that, we have to be more aware of it. So there's more, there's a greater focus on personnel security controls, on foreign, foreign control and ownership threats. And how do we assess it? How do we manage it as entities, both from a technology perspective, but the personnel that manage that technology? They've introduced an AI 'cause AI is sexy and everything has to be AI at the moment. We'll talk a little bit more about that in a second. And they've also finally relented, and it's been one of my bugbears, but they've finally allowed Secure Service Edge or SASE products, virtual gateways, to be counted as a gateway. And I've been kind of pushing for that for years 'cause I helped roll out the Secure Service Edge at one of the agencies I was at recently. So they're the kind of like, whilst there's core themes and small mining updates, they're the kind of 3 things that I would take away that people need to focus on if you're implementing the PSPF. Do you want to talk about AI?
Cole Cornford: No, I never want to talk about AI, but unfortunately I have to because it's just this constant, it's everywhere. And unfortunately for me, as much as being an application security company, everybody is investing so heavily in just AI anything. I was talking to people today and they were like, "Oh, do you do AI security?" And I think I've come around to realizing that AI security is just white-labeled application security. So of course I do it. Yeah, why not? It's fine. You want to talk about your MCP? Server. That's just API security. You want to talk about producing heaps of really low-quality, vibe-coded applications? Oh, let's just get some static analysis tools. Like, it just annoys me that that's where all of the capital is going to, and people are so hyped on it, and I still have yet to see all that much, like, benefit out of it. I just see a lot of people— I just see people talking about it a lot, and, like, these updates are a bit, bit of a meme in the PSPF, actually, from, like, What was it? All it said is like the same thing that you would apply to literally every other technology out there, which is that, hey, we are adopting a technology. Maybe you should consider where the technology is hosted, the type of data going into the technology, and maybe have compensating controls in place. Oh, shock horror. It's like, I've done a threat model before.
Toby Amodio: Correct. It's one of those things where it's like when they first released cloud computing and then they had a whole section dedicated what cloud computing, and then they realize cloud is just another technology and you assess it the same way you would risk assess any technology. And I feel like that's what they've done where they're like, hey, it's AI, but you've just gotta risk assess it the same way you'd risk assess any technology. And I get really frustrated with it. And as you mentioned, I feel like it's, the technology itself is less interesting to me and the authorization of technology. Inevitably they say the things like make sure the data stays onshore, which with the internet becomes extremely hard. With processing for AI, it's almost nonexistent. They say things like, hey, you have to make sure the personnel working on it. Validating that for a heap of these vendors is nearly impossible. The thing for me is it doesn't say how are you going to handle the outputs to make sure that they're trustworthy and look at things like the OWASP generative AI top 10 or those kind of elements that actually have the trust in the output and the quality of the output and validating the output logic that got it there is reliable so that you can make a decision based on that output, action based on that output. And so for me— Yeah. They're fine controls, but they don't literally add any value, uh, as I see it. And then the real value will come down the line as we start to work with people to be more intelligent about the outputs of AI and how we handle it, so it doesn't just scale your job into infinity as people vibe code their way into oblivion.
Cole Cornford: Look, I, I'll be honest, if people like scale my job into infinity, that's really good as one of the sole sovereign application security providers in the country. So please make as many rubbish applications as possible, and then hit me up for pen test code reviews. I promise I won't gouge you, I'll just gouge the HR, AI, okay? So.
Toby Amodio: That's so funny.
Cole Cornford: Do you think that is, it's so bad, man. Like the, I was like, I'm just so disappointed that there's so many people have just like put all of their eggs into this basket and think it's gonna be a transformative technology. And that like, you know, they, you can't put those security controls in place without like really hampering innovation. And so I think the government's quite reluctant reluctant to like come in and stop things from occurring. And it's like, but at the same time, we have effectively no governance. It's Wild West. Like, I don't know if it's going to go the way of crypto where it took like 10 to 15 years before we decided that, hey, maybe it's a good idea to like treat crypto exchanges like, I don't know, a place that people store.
Toby Amodio: Banks.
Cole Cornford: Yeah, like banks. And like you can have traceability of funds, know your clients and all that. Yeah. Know your customer. What a concept. Imagine being able to like track where money's going and seeing it all ends up in North Korea. It's like, hang on a second, isn't that like part of the PSPF directives is to not ship money to like nations that we're like actively hostile against? Like, I, I, it's, it's a bit silly to me.
Toby Amodio: Yeah, I, I couldn't agree more. And it's, and it's made even more of a farce— not farce, it's, it's made even more, um, funny by the PSPF team at Home Affairs then released a policy advisory. And I mentioned at the start, I don't really know how a policy advisory sits in. I presume it's somewhere between a PSPF update and a, and a directive, more as a vibe feel. But after their release of the PSPF update, they've released this policy advisory on AI, which talks to the fact that— And here's an oversimplification, but basically if an entity uses a generative AI product that's running on our infrastructure, is OpenAI or Anthropic, then they don't need to do an assessment of the foreign control interference because Home Affairs has already done one, so trust us. But also you should still authorize it yourself. And it's this weird, like, juxtaposition where it's like, hey, these two specifically, they're good, but still check it yourself. Lol. And I'm a bit— it's just, it's jarring, I won't lie, because I go, hey, again, you've said this is generically, you should just assess them any other thing, but these two we like. And I know that every business exec is only going to read the first dot point that says these two are good, not the second dot point that says, but make sure you check it yourself.
Cole Cornford: Make sure it's good for the context that you're operating within. Like, check yourself before you wreck yourself. Now, it's, um, and the other thing is also that like accountable authorities have the ability to kind of override and just like choose what they want anyway. So, and like, that's going to be a real big issue because like Even if you've listed the two safe technologies, which I, I guess they're safe, there's going to be people who say, I can't use those for various reasons, so I'm going to go off and just try this other stuff. And there's probably very little governance around it because there's so much hype around innovating and trying to do stuff, you know. And the other thing that irritates me a bit about AI security is that so many folk are focused on the wrong thing, which is where like there's conversations about polluting training data, about bias in the model, about, you know, supply chain risks. And almost all of the issues that I see are just people using it incorrectly. And that's it. It's like implementation issues. The same with like cryptography, you know, it's like, oh yeah, AES is very secure, but if you use like a key that's just literally all zeros, it's probably not going to help you encrypt things, even if you get a checkbox on your ISM Control 922.
Toby Amodio: Yeah, I couldn't agree more because it's basically like, yeah, sure, going that, it's like saying a car is safe, but it depends on who drives it and what they're driving to do. And so going Anthropic and OpenAI are safe, like are okay to be used for this purpose. But then for me, as you said, the use case is the more interesting piece. And agencies really need to think about not just the tool, but then the use case that business is going to use it for and how they put controls around that use case. Because it's very different if you want your AI to generate a funny meme that's going to be your logo for the next month, or if they're going to choose who the next clients are for Robodirt. And so those use cases have very different assurance requirements. And so whilst I'd say to agencies, whilst this is in there, make sure you're really clearly capturing from the business teams what they want to use it for and the guardrails they'll put around it, because that's going to be the thing that will bite you. As you said, it's not going to be the tool per se, it's going to be the way that you're using the tool. The last thing I'll say is it's absolute whack-a-mole to stop the use of these pieces, as you would know. So having a way to go, Hey, use this one because we like this one and use it for this reason really helps the users and empowers them. Too often just saying the security says no will just lead to them going around you like the rock in the ocean. And so make sure you've got the pathway for them to get onto a solution that meets their needs, if that makes sense.
Cole Cornford: Yeah, the, um, I've got a simple rule at Galah, which is like, um, if it involves people, be a person. And so it's extremely simple policy. It's very straightforward though, where like if you're sending an email to someone because it's involving a the report's being given to someone who's involving a person, you're having a sales conversation. If you outsource that to a robot, then you're immediately creating a horrific customer experience for that person. And I think that you should— I know people talk about human in the loop, and I think that's a bit overused as a term. But to me, I think it's exactly the same. It's like, yeah, we can be using artificial intelligence to help us, you know, maybe process lots of information and try to understand things better and make some decisions. But like, ultimately, the accountability can't rest with the machine. It has to, like, rest with an individual. So—
Toby Amodio: Yeah, no, I completely agree. And that, that focus on people is a perfect segue into the first of the PSPF Directives for this financial year, and that's the PSPF Directive 3, which is requiring entities to manage the rising risk from personnel disclosing information that identifies their clearance. And so inevitably we have someone who put top secret in their LinkedIn profile and then got a date from a whole heap of interesting people from interesting countries to thank for this requirement. It's one of those great pieces where they basically have a problem of people behavior and they're trying to policy it out, which I always find is challenging. And one of my challenges with this is a PSBF directive, as an agency, you get asked how you've implemented it. And pieces like this, which is like a mix of policy and enforcement, becomes really interesting to me. And we'll talk about it more in the next directive as well, where enforcement becomes extremely hard. It can be very jarring for the people trying to implement that. What did you think of the concept?
Cole Cornford: I just thought it was really good for my mates John, Rob, and Sam, who've just had nothing but amazing dates for like the last 6 months. You know, it's just to me The world's going so much better, like, it's great for them. I've never seen them happier in their lives disclosing as much information as possible. So, but like, jokes aside, it's— I think that there's not really all that much you can do because to me, if you're working in like, say, defense industry or intelligence, there's a very good chance that people can identify that you work in one of those sectors, either from the fact that you have to probably apply via a recruitment agency or some kind of way. Like go to some kind of event. So if anyone's doing any genuine human, they can just sit in the car park outside of Belco and then probably have a good chance of working out that you work for Home Affairs. Like, I, I don't think that— that we, we definitely have domestic people who are spying living in Canberra, and that's okay. If you don't think that's the case, then I don't know, you got rocks in your head, mate. So like, yeah, I, I don't see what the— like, in this, if you have to apply for positions, they have to advertise that the position requires the clearance, right? And so you just, you have to demonstrate that you've got the clearance as part of the application process. Like, I don't, I don't see, you know, like, how is the recruitment agency going to be able to hire people?
Toby Amodio: Like, yeah, I, I agree. This, this feels like a, uh, we had an incident, so we have to make sure we write something to remind people of their obligation and make sure every agency explicitly has the policy. Um, and as you said, it's, it should be common sense, but the problem with common sense is it's not common and doesn't make sense to some people. Uh, and so if you have a high-level security clearance, please don't blast it all over the, over LinkedIn or any social media. That is, as you said, just a great way to attract attention from people we definitely don't want you to have attention from. But it's, it's a wicked problem in the sense that it's impossible to not have some level of linkage because roles require it, and then people apply for those roles and then say that they've won those roles, and you can do that correlation. And so it's worth just recognizing if you're in a high-risk position within in the government or in the private sector, but you still hold a high-risk clearance, a high-risk position clearance, please make sure that you are aware of the people interacting with you and what their motives and intentions would be. And if you're concerned, you can always reach out to our colleagues at AGSFO or ASIO and seek advice. And they recommend you do that if you have anything unusual. They call it the SOUP, where it's like suspicious, ongoing, unusual persistence. So if you have anyone interact with you in that way, it's reportable. But also just use the baseline of don't be dumb. But I always love to think about, hey, we have to tell everyone that they can't put it on any online web services, but I find it impossible to understand how any agency is going to monitor all of that to ensure compliance. And that's where I get down to that directive. Like, no one's going to monitor LinkedIn, have some keyword monitoring for all their staff, for all of their clearances and all the rest of it. It'll be responsive when someone gets dobbed in, But, um, but yeah, this, this feels to me like it'll be impossible to properly enforce apart from just writing some milquetoast policies, but it'll be the stick that you'll get hit with should you not comply with it. So at its core, make sure you're aware of it if you, if you're in government and you've got a clearance.
Cole Cornford: Simp— simplest thing you can do is probably just like turn your LinkedIn profile while off while you have the engagement of that government like thing. Like there was, um, a person who works at a telecommunications place now, but previously worked in intelligence, and I think he's got 30 connections on LinkedIn., and that's, but before that, he spent 16 years at one of our intelligence agencies, right? So guess what he wasn't doing over 16 years? Connecting with random people from Ethiopia. So just don't, if you're doing that, you're probably not doing the best thing by D. U. Komarov. Okay. So, so of course to that bloke, I don't want to name him. Yeah. Yeah. Yeah.
Toby Amodio: But yeah.
Cole Cornford: Yeah. Yeah. Moving on to SSEs, mate. I'd like, what, tell me why you like SSEs. I don't actually. You really get it because I'm not a NetSec person, I'm an AppSec person.
Toby Amodio: So— I mentioned up top, but one of the changes they did to the core PSPF is adapt the definition of the word gateway to include secure service edge or— Secure Access Service Edge. Yeah, which is basically virtual gateways. And the reason why I'm fully interested in this is I helped to implement one of the SASEs at one of my previous entities, and It was to me, aside from Windows Hello for Business, it was the best possible increase to security and productivity because it allowed split tunneling in a secure way from people's edge devices. When they were working from home, they could access their Microsoft services directly in a secure way rather than having to trombone back through on-prem through a gateway. And it's basically the gateway drug to getting zero trust for me. And so whilst it's not a sexy thing and it's definitely not for the, the gronks, the general gronks, it's one of those pieces that I recommend if you're in an entity, whether it's private or public, and you haven't gone down the pathway of a virtual gateway to manage your access to your cloud services or just the internet writ large, then you're really missing a trick. And it's now finally properly endorsed by the government. And so you can do it with their blessing and that'll lead to good things in the long run. So yeah, that's where I sit on the SASE piece. And it inevitably gives us that additional layer of security that previously if you had implemented SSE, it wasn't in line with the government requirements because it wasn't a traditional gateway. And so this shift is finally realizing where we should be and catching us up with the 2010s.
Cole Cornford: Yeah, it's really challenging to get policy to reflect 'cause technology changes so quickly. And whenever we put something into legislation, like, 'cause like ultimately PSPF is not legislation, it's government policy, but like, like, it takes so long to even get policy changes because it's like death by committee because there's a million people arguing over what needs to be there, what's the language, what's the terminology. So whereas tech changes really quickly, like, I mean, like, as much as I dislike artificial intelligence, over the last 2 years it's like gone from suggesting people eat rocks to being able to do like, you know, complete transcriptions of meetings, like, to like summarizing random texts that are completely out of there, having agents do things. I wouldn't say they're doing smart things. I sales agent called me up the other day. It was beautiful, mate. Told me I needed executive coaching. And I said, oh, my stroke length is not quite long enough and I need to focus on my breathing technique. So I'm really interested in coaching. Can you tell me how to do it? And they're like, well, mindset coaching for executives is in fact the best way to get better at swimming. So how about I book a meeting with you and my boss?
Toby Amodio: So, um, at least like focus on the meeting never went ahead. At least like focus on the core directive. I would have thought that they'd just full pivot and give you swimming coaching. So—
Cole Cornford: No, no, no, they were just like very much like kept going back to like, I'm just, 'cause I kept asking, can I have more swimming coaching? And they're like, no, can you, do you want mindset coaching? 'Cause mindsets make you better at swimming. And I'm like, I think just doing swimming makes you better at swimming, but that's okay. Maybe it's just my mindset. That's a problem I have, you know? So—
Toby Amodio: Actually, 100%. Yeah, no. So yeah, it's one of those base, but And it is hard, as you said, for the policy directions to keep up with technology. So I'm glad that they make those adaptations to keep that pace. The last one that I wanted to chat on is that technology change, and it's the fourth directive for the updates in 2025 and the latest so far. And it's named Commonwealth Technology Management, which is appropriately obscure and At its core, it requires all departments to remove products, applications, and web services that are on the deny list of the Commonwealth Technology Standard. And I'll talk about the other pieces in a second, but it goes on to say some other interesting things that are tangential. But two fun facts of that is that the Commonwealth Technology Standard doesn't have a deny list at the moment and it hasn't been articulated. In the document specifically when it'll be provided and how that's managed. And I believe that the intention for this is really set up that they got a lot of heat for their previous directions on TikTok and Deepseek, and instead they just want to have a running list that they can update in the backend without having to release new directives, which makes sense from a Home Affairs perspective, but not necessarily from a transparency perspective. Perspective.
Cole Cornford: Yeah, 'cause like, it's good to have in policy that you like must follow the standard, and then the standard lists all the things you need to do and just update the standard regularly rather than like having an extremely long explicit policy. 'Cause the PSPF specifically had a section called TikTok, which I thought was a bit dumb, but it was TikTok application actually. So, but anyway, I don't know what to think about having a private deny list. And also, shouldn't it be like quite trivial to also identify applications that are on the deny list anyway, like, because all you need really is for some yoho who's working at any of these, like, places to just, like, start willy-nilly trying to install a run or, like, interact with these kind of applications and seeing if he just gets blocks. And then any nation-state actor can then, like, ascertain what the deny list is, right? So I don't really see how it's like that trend, like, you know, is it keeping it— it's like, um, what's that security term?
Toby Amodio: Security through obscurity.
Cole Cornford: Yeah, like, I don't I don't see it being particularly useful in that way. So to me, it's not a wonk decision, it's more of a gronk. But what do you think?
Toby Amodio: I agree. And like, I get the intention. It's just fraught with danger in implementation. And as you said, if that information then becomes non-releasable in some way, you get into these weird games to implement a control without talking about the system that you're blocking in the control, which becomes hard for enforcement. I'd also just say that whenever we have to block web services, For agencies, that's non-trivial, and I think it gets treated as trivial, if that makes sense, because a lot of agencies allow users to have BYOD devices, and they don't necessarily manage the internet on those BYOD devices. So shameless plug back to SSE, but it means that most agencies now will have to buy SSE licenses deployed to all their mobile devices to do enforcement of mobile access to those web services, which will have significant increase in costs for licensing. And control implementation complexity. And it's one of those things that's easy to say but hard to do on two fronts, because you don't want the information to be made large, and just practically implementing controls like that is really hard. If it was easy, everyone would already be doing it.
Cole Cornford: So, so what you're telling me is that having a completely homogenous IT asset estate that is on the perfect versions and just never changes, and that every staff member is fully aware of their obligations under the PSPF is the way we get to security utopia.
Toby Amodio: Great, great. Yeah, just do that. Just do that. Get rid of all your legacy and just make sure it's all up to date.
Cole Cornford: The other hilarious— Also, I have a bridge. Do you want to buy this nice bridge I have over here? Like, it's very good.
Toby Amodio: The other thing I love with it is, of course, it says, hey, you need to block everything on this list. But if you've got a legitimate business reason, you can still use it. And then it lists the reason why, what are the legitimate business reasons. And I just always feel like, hey, you should do this. But if you don't want to, that's cool too, as long as you tell us why. Which I find jarring as well. If it's important enough to block holistically, then it's important enough to block holistically. I just feel like it all comes down to, you know, risk assess and make your own choices, kind of similar to, not the directive, the policy advisory around AI where it's like, use these two, but also make sure you do your own assessment. It's like, hey, you should block these things, but make sure you do your own assessment.
Cole Cornford: Just give everybody a get out of jail free card and just tell them that it's okay. Just do whatever you want, mate. It's all right. Just, you only get one of these, though. So, but I imagine that with AI, Just make your choice, pick your product, and it's going to be fine. And if you choose like Kaspersky or whatever, then that's on you. You are the accountable authority.
Toby Amodio: And I will say, and I jest about this, but there is one absolute gem in this random directive, which is that all entities must implement a policy to consider sharing risk assessments through the Department of Home Affairs centralized risk sharing capability. And there's a couple of pieces just in that sentence. I really like this idea. I think every agency should centralize their assessment of tools so that we don't have 199 different assessments of tools. That would be— that's silly the way that we currently do it. We need to have a common risk language, common sharing of that so that we assess it once, use many across the Commonwealth. But the fact that in a directive they've made it optional by making it consider sharing the risk assessments is a little bit hilarious. I would thought you would just mandate it and then deal with it. But also, I would hate to be the Home Affairs centralized risk-sharing capability because you're about to get wrecked by a lot of risk assessments.
Cole Cornford: I was going to say, look—
Toby Amodio: And then you're going to be comparing apples with oranges with grapefruits. It's going to be mental. I'm there for it, but better them than me.
Cole Cornford: I was going to say, like, don't we already have this whole, like, digital transformation agency thing that should, like, have centralized capabilities that we lease out to other agencies? Like, wouldn't that be a good idea for them to own technology? Like, I don't know. And it's like having, um, like, I feel like there is like some kind of government policy standard thing that tells people what to do. It's the PS— the FP— FPSSPM thing, IRAP, right? So if we just use that and then we'll be okay. So, but like, I don't know, man, I'm, I'm feeling that it's a little bit gronky today. So like, I guess to sum up our episode, um, let's start with the overall PSPF updates. Are you it's policy wonk or gronk?
Toby Amodio: Uh, look, I think, I think it's a, it's very much a policy wonk. It's a very sensible update that, um, has a few key inclusions, even if AI inclusion is a bit gronky.
Cole Cornford: Yeah, I'll say AI is gronky, and I think unless I see the deny list and see Glass Fiber on there, I'll say that's wonky until I get cut off.
Toby Amodio: Okay, so indeed. And like, and we said it at the start, but, um, there's a lot of really good intention in here, and the direction is pretty clear that that entities in Australia are in an increased threat posture. So we should be considering the tools that we use, both from a foreign interference risk perspective and then the nature of the tool risk perspective. The pieces I would tell people to take away with is we should share common risks between government agencies. Make sure you've got those community practices in place. If you're a— if your agency or private sector is deploying AI, really focus on how the business is using it because there'll be dragons. And lastly, if you're going to move down the path of trying to enforce blocks of web services, you're gonna have to go down the journey of SSE and SASE and have management on your mobile devices. And that is a big task. So please make sure you don't trip into that easily and reach out to people like Cole if you need assistance with deploying Shameless Tag, or I'm more than happy to have a chat.
Cole Cornford: Or Roby.
Toby Amodio: Exactly. Exactly.
Cole Cornford: Exactly. All right, Toby, absolute pleasure to have you on today, and I'll speak to you next time.
Toby Amodio: Indeed. Thanks, Cole. Be safe.
Cole Cornford: Thanks a lot for listening to this episode of Secured. If you got any feedback at all, feel free to hit us up and let us know. If you'd like to learn more about how Galar Cyber can help keep your business secured, go to galascyber.com.au. If you're new to the show or a seasoned veteran, I want to hear from you. I'm always looking to do better as a podcast host and as a person. So tell me about what I can do better. Tell me about the types of people you want on my podcast. Tell me about if the format's working for you or styles need to be switched up. Do I need to interview differently? So on and so forth. I appreciate you sticking with me for almost 30 episodes at this stage, and I hope I can keep learning and you can keep learning and being entertained for many more episodes to come. So please shoot me feedback. I want the good, the bad, and the ugly to pod@galaxycyber.com.au. you. And if you don't like email, hit me up on LinkedIn. Quick update, I'm launching a new course for 2025. It's Foundations of Application Security. It's a 2-day bootcamp covering everything you need to become a well-rounded AppSec practitioner. There's both public and private courses available, and the best part about it all is taught by me. So So if you're interested, just send me an email, cole@galaxycyber.com.au, or say hi on LinkedIn. If you can, have a chat about it.
