SECURED

ISM 2025 Explained: What CISOs, Devs and Security Leads Need to Know

The Australian Information Security Manual (ISM) just got a major update, and not everyone’s thrilled. In this special episode of Secured, Cole Cornford is joined by Toby Amodio (Head of Professional Services, Fujitsu Cyber) to break down what’s changed, what’s missing, and what it all means for CISOs, AppSec teams and public sector security leads.
 
From the new cybersecurity principles (and why they feel like yak shaving) to the long-overdue expansion of software security controls, Cole and Toby navigate the mess of frameworks, missing maturity models, and babushka-doll-style mappings that have left many teams overwhelmed. They also reflect on what “secure-by-default” really means in a world of legacy codebases, overstretched resources, and one-person AppSec teams.
01:02 – Why ISM Updates Matter (Even If They’re Late)
02:32 – New Principles: Nice Idea, Hard to Implement
04:08 – Yak Shaving and the Complexity Cascade
07:48 – Mapping Mayhem: PSPF, E8 and Governance Overload
10:25 – Losing the Maturity Model: Who Does That Help?
13:46 – Secure-by-Default and the Problem with OWASP-as-a-Proxy
18:13 – Integration, Incentives, and Cyber vs. Business Silos
20:34 – The Talent Gap and Why Code Reviews Still Matter
22:58 – Galah Cyber, Capability Building & Doing AppSec Right
23:57 – Why Buying Tools Isn’t the Same as Building Capability
25:21 – What Red, Amber, Green Tools Really Miss
26:01 – One ISM to Rule Them All… If You Can Implement It
26:52 – Final Thoughts (and a Funding Stick for CISOs)

Cole Cornford
Hi. I’m Cole Cornford, and this is Secured, the podcast that dives deep into the world of application security. Today, my guest is Toby Amodio. He is the head of professional services at Fujitsu Cyber, and has previously been the chief security officer for the Australian Parliament and for the Australian Taxation Office. Today we’re doing a special episode, as I like to do with him, about the updates to the ISM.

Now, I think I said it a couple of times in the episode. I am not the most governance risk compliance-y person, so I get the best governance risk compliance-y person I know and they come in and talk about these changes. But in particular, this episode, what I’m excited about is that there’s a tremendous amount of changes to software security as part of the latest ISM updates. So if we go in, we talk about the general updates and some of the controversies that Toby’s been able to find, but also go deep into why those changes to the ISM are going to be challenging for teams to implement as far as software security goes. Enjoy the episode and I’ll see you all soon.

And thanks for being here, Toby. It’s an absolute pleasure to have you back on Secured. I love having my policy wonk because I’m a bit of a policy gronk when it comes to the ISM.

Toby Amodio
Thank you for having me, Cole. Thank you for having me. It’s always good to see your face.

Cole Cornford
Thanks. So the latest update, there’s a lot of changes in it. I know they said June 2025, but it did come out in July, so I’m a stickler for that kind of stuff. But I am obviously super excited because of the software development part of the ISM changes, but I’m not the smartest when it comes to the governance-y stuff at the very top, which has changed. So I was hoping that you could spend a bit of time to cover those updates to the cybersecurity principles at the top and tell me what your general thoughts on those changes are.

Toby Amodio
Yeah, 100%. Thanks, Cole, and it is always a great quarter for cybersecurity nerds when the ISM comes out, and it is a blessing from the gods that the June update magically came out in July, but better late than never. And as you mentioned upfront, there’s a lot of changes around the cybersecurity principles, and I like to think of the cybersecurity principles in the ISM as the Temu version of the NIST cybersecurity framework from the USA, which is great, but you can have it at home. And so for me, it’s a weird fit at the top of the ISM. And so they’ve restructured the way that they’re doing the principles. The principles that they choose is govern, identify, protect, detect, respond, but not recover, so they’ve randomly dropped one from the NIST framework. And the way that they’ve rejigged the wording is to align with the security-by-design, security-by-default principles, which is interesting.

But the challenge for me is, and it stems into what we’ll talk about, I presume, in some of the space around the software development, they’re easy to say, hard to do, and it’s really hard to track how this overarching principles framework, which is lovely, great, gives you high level themes to think about, which they call principles and functions, how do they actually relate to then the controls and then the E8 strategies? And so they constantly tell us it’s simple, just do these things, but these things then map to these things, which map to these things, and it becomes, and we’ll talk to it later, a babushka doll of controls where one leads to another to another to another, and it becomes, “Oh, just do these five things,” which leads to 60 things, which leads to 900 things, and suddenly you’re drowning in things.

So yeah, it’s one of those great moments in life where you go, conceptually, the principles are awesome, but in operation it would be better, in my opinion, if we could split them out into their own beast, separate of the controls framework, as a principles document. And in this update, they actually removed the maturity model, which I thought was a good thing for small entities to go, “What’s my maturity against these simplified principles?” But instead, we’ve dropped that to make it easy to put into the 900-control tome of the ISM. So yeah, it’s a beast. I appreciate the intent of it, but sticking the landing is hard, and I’m also not sure how it’ll actually be implementable. And that’s what I constantly think about, which is how does public service or the private entity look at this and go, “Oh, I can do that”?

Cole Cornford
I mean, it’s a little bit insidious on the top, isn’t it? Have you ever heard of the term yak shaving? Do you know what that is?

Toby Amodio
No.

Cole Cornford
So yak shaving, it’s a term in software development where basically you say, “Cool, I need to go to bed, but my bed’s not that comfortable, so I need to go off and then do something else.” And then after you do 30 different things, eventually you’re like, “Why am I in the middle of the Himalayas shaving yaks just to get fur to put into my pillow so I can go to bed?” So it feels like with those principles, exactly the same thing is happening, because you’re like, “I need to comply with this one. Oh, to do that, I need to do that and then that and then that.” And then eventually you’re like, “Wait a second. What was I doing in the first place?” So we commonly tell people to try to identify when you are shaving a yak and then take a step away and ask, “Is this the right thing that I should be doing with my time right now?”

Toby Amodio
Yeah. Correct. Correct. And removing the maturity model, ironically, and this is stretching a friendship of an analogy, but you don’t even know when the yak is shaved, let alone which yak you should be shaving, because you shouldn’t be shaving a yak. You should be focusing on MFA. And again, that’s a massive stretch, but it’s indicative of a lot of the controls. They go so prescriptive they shouldn’t even exist. There’s a great update to the cybersecurity roles, which literally says that the CISO, the chief information security officer, should make sure that they have a cyber team that knows cyber. And I was like, “If you’re at the point that you’re writing that down, we’ve got serious problems, because if you haven’t done that, then you’re not meeting any of this. You don’t need to have a control that says: do the thing that enables you to do the things.”

Cole Cornford
It reminds me of that guy from the Simpsons. Do you know that episode? He’s like, “Oh, why did I think of that?” That’s exactly the situation. “I’m a CISO. If only I just had the idea that maybe it’s worthwhile to invest in security capabilities and resources and live technologies. I just thought all I had to do is just put ticks next to 900 controls and then that was secure at that point, right?” That’s what ANAO said, yeah?

Toby Amodio
Correct, correct. And it’s yeah, to me, the accuracy, it’s the old joke. You can be right and still lose. And I think things like that where it’s right, but it’s not practically implementable, becomes almost the bane of its own existence and it dies under its own weight. And getting into solutioneering and how I think that they could actually improve it, I think that there’s a really strong argument for having cybersecurity principles just using the US standard. If you can’t use the US standard and create your own, have a reason for creating your own, and I would really like to see a pivot towards one that’s simplified, just protect, detect, respond, because it’s easier for execs to understand that you need to put the protections around the systems, then detect when those protections fail and have the ability to respond and recover in those failures.

Cole Cornford
I’m always a fan of protect, detect, respond, because that’s just taking a step away from cybersecurity and moving a few levels higher to just general security principles. You could talk to anybody that you need a protective capability, a detective one and a response. And then anyone who disagrees with that, I think, is usually techie nerds that don’t understand just general business security. They just try and focus on IT shit.

Toby Amodio
Correct. Correct, because once you’re getting into the weeds, especially… I used to have a joke, and I say this as someone who was a senior executive, but senior executives can’t understand more than three things. And so when you get into five principles with each having their own five sub-principles, it goes out the window really quickly. And then they’re like, “How does this map to the Essential Eight? What does this mean for the PSPF? What does this mean for the ISM?” And they’re like, “I don’t understand how to square this circle.” And it just spins the wheels and gets you nowhere.

Cole Cornford
Yeah. Just general company strategy, just business strategy, I like the idea of having those guiding principles, but you need to diagnose what the problem is, and then you need to have an operational roadmap to actually address each of those. And where any operational activity falls apart, then you go back to the guiding principles. But what we’ve got here is we’ve commingled all of those together, and also not actually even in the updates specified why they’ve made these changes. I would love to know from ACSC or ASD, where did they come up with the idea of the CISO needs to actually do security? What was the driver that made that the update that was cried? And I would love it if it was someone’s email who they sent in and went, “I need a control to justify my expenditure,” and then ASD’s like, “Put it onto the list,” and then the grad has to write it in.

Toby Amodio
That’s it.

Cole Cornford
That would make my day, where someone’s listening to the podcast and they’re like, “I sent that email. That was me. No one took me seriously. It needs to be the draw line item.” Yeah, last time when we did this. What was it? There was one ISM control about you must have a break-glass thing to get into your accounts, because if it’s too complex and you’ve got to get into your cloud environments, that’s a bad thing. And we were just joking about someone’s fat-fingered and then said at the ASD and being like, “Yeah. I locked myself out of AWS, so I’m really smart.”

Toby Amodio
Yeah. Security at 100, availability zero. Yeah.

Cole Cornford
Who knows about what goes on in that dark building? But also, missing the maturity model is confusing for me as well because I look at what’s changed recently on, say, the ASVS which for those who don’t know, OWASP has this quite detailed standard called the Application Security Verification Standard, where it previously would have these style of problems where it would be mixing design and architecture and good practices with auditability and maturities. And they just scrapped all of it, rewrote it from scratch, and basically said, “This is meant to be an auditable standard at this point.” And now, top to bottom, it’s either a yes or no for every single question. And I wonder now with a lot of these kind of things, they’re all in the gray, and then the principles mix it all up. So it’s like, why are OWASP and ASD swapping…

Toby Amodio
Yeah, they’re going the opposite way, and you’re a hundred percent right. It’s saying it’s risk-based and then having the maturity model, and I understand how they don’t want one or the other, but it’s worth recognizing for an executive audience, as you said, having a maturity lens where you can say, “I’m four cybers out of five,” is super helpful for articulating it to the exec, as long as you can also make sure that you’re mapping that to what your priorities are.

And this is my other piece there, which is it treats all the principles as the same level of importance, but it depends on your business lens. You may want to go, “Hey, I’m not going to focus on my protection layer. I’m just going to run a really good detect and respond.” And there are business reasons why you may choose to do that. Or similarly, you may invest so much in protections, you go, “I’ve got a light on detection layer, but I’ve got a really good response.” And the argument for that is the Ukraine War, where Russia might take out Ukraine’s infrastructure. They’ll rebuild it in 45 minutes. And so the recovery capability is phenomenal and they recognize that the value they can spend on that offsets the value on locking it down to an inch of its life so they can’t use it themselves.

And so I think just treating it as a blanket, they’re all as important as each other, is the nuance that’s lost. And I think that, as you said, revisiting the maturity model, or making it a compliance model with a yes/no and a framework, makes it easier for small enterprises to consume what’s the 900-control ISM tome into a more—

Cole Cornford
I was like, has it expanded to be more than one bible? Now there’s like 50 versions of it. So that was terrifying.

Toby Amodio
Correct.

Cole Cornford
900 pages. I can’t wait to… It’s the Wheel of Time, but the Wheel of Cyber.

Toby Amodio
Correct, correct. And for me, I look at it in the holistic picture, where you go, “The ISM is a subset of the PSPF for Australian government,” and the PSPF in its own right is hundreds of pages. I think it’s 156 pages or something like that. And so I’ve got to read through 156 pages, which links me down into the ISM, which is 900 controls, ish. And so again, it’s a babushka doll of controls within controls within controls, which is probably a good pivot to your sphere. And I know that I’m not the software development expert here, but there is a massive amount of changes here in software development. I was wondering if I could get your takes on that change and the pieces they’ve introduced because it’s pretty fundamental.

Cole Cornford
I mean, I feel like my entire career has been justified and validated at this point, which is really, really nice. For the longest time, I think, even three or four years ago when I did that speech at [inaudible :32] house, I was like, “Hey guys, we need to probably move to doing software security and having better digital experiences and all of that jazz.” It’s nice that it’s finally come full circle and people are realizing that this is a space that we need to address and start dealing with, instead of just focusing on end-user compute. And why are we still not doing application white-listing anywhere?

I mean, overall, I’m happy to see these controls, but I think that they’ve been written without terribly much insight into software security. And it’s a lot of things that I have big question marks in my head about. One thing I think is good is that they actually deleted the babushka, because the previous standard is they said, “Guys, you need to do OWASP.” That was the extent of software security. Now, what is OWASP? That’s a good question. Is it the Top 10 project? Is it the input validation project? Is it the API security project? Is it the ASVS? Is it SAMM, the governance project? And each of those also probably has sub-components and sub-maturity models and sub… So they’ve instead started to be a little bit more explicit and said stuff like, “Use HttpOnly on cookies.”

Although, that being said, there’s a lot of controls in there, which if anyone uses browsers based past 2000, same-site cookie attributes are already natively that. So you know what? For all your auditors out there, if people are doing end-user compute correctly and have Google Chrome or Firefox to a reasonable one instead of IE6, good chance that you’re secure by default, so woo.

But anyway, speaking of secure by default, I think that that’s a cop-out, to be honest. I rail against the concept of the paved road, which has just infatuated everybody in Silicon Valley, because when you’re a company like Google or Netflix, it’s great. Just hire a thousand software engineers. They don’t need a line saying, “Hey, maybe you should have an adequately resourced cybersecurity team.” That’s table stakes for them.

Toby Amodio
Well, also, I joke. We say that there’s a line item that says you have to have an adequately resourced cyber team, but now they need a line in here that says you have to have an adequately resourced DevSecOps team and dev team, so it’s not just the one dude getting pounded by his own bugs into oblivion.

Cole Cornford
Can you imagine sticking all of this onto one person?

Toby Amodio
Yeah. Correct. Correct. And I know multiple departments where that would be the case.

Cole Cornford
I do consulting a lot of time for start-up/scale-up UK systems. Typically, if you are not producing where DevSecOps doesn’t enable revenue outcomes, so I need to be complying with PCI DSS 4 or I need to be doing a secure software delivery so that I can be procured by the US government, then it usually gets thrown away until it becomes a problem. But at those stages, it’s usually one AppSec person for about a hundred headcount, and for those more sensitive FinTechs or whatever, it’s usually one per 40 to 50 headcount. And then we go into the government and it’s one AppSec person for 10,000 headcounts. Who are we doing?

Toby Amodio
Yeah. Correct, correct. It’s just [inaudible :42] to that one poor person who then has to prioritize in their own life. And you were mentioning the Babushka doll, and it is great, because previously it was, “Here’s one control that references all of that.” They brought them in locally. And then now, orderly, they’ll just tune them into oblivion and hopefully within three years we’ll have a decent posture on sector controls.

Cole Cornford
So go back with the secure by default thing and why it… Because I just started trashing on big tech, but the reason that I am not a fan of it is it ignores the fact that we don’t always build software where we get to start again and choose technologies of inherent security benefits. I know there’s a lot of people that I’ve spoken with who say PHP, and then they laugh inside and then just say, “Huh, that’s horrific. Why would you ever consider using PHP? Look at all of these the last 25 years of WordPress vulnerabilities or whatever.” And then I point them to Symfony and Laravel, which have some of the best security frameworks available, and I was actively supported by big technology and eradicate [inaudible :42] input validation. You just don’t have to think about these kinds of things anymore. But guess what? Most government agencies don’t say, “Hey, you know what I need to do. Build a new product.” They say, “Wow, when did we last work on single-touch payroll and myTax? I wonder how long ago that was.” Right?

Toby Amodio
Well, also, they’ll probably go, “Let’s build a new product,” but that’ll sit right next to the old COBOL system that’s been there since 1981 and no one touches, because Greg who retired in his 80s five years ago isn’t there anymore and they don’t know how to use it anymore. And so I think it works for a greenfields approach, which some startups can achieve, but really, is that the case in any mature organization that’s existed for a long time? And so you run into that. How do you then prioritize within it when you’ve got so much legacy piece? You go, “That’s great. That sounds awesome. But I need to be able to crawl before I can run like that.”

Cole Cornford
I disagree when I keep seeing all of that. The other one that I don’t like is the focus on all of these small little piecemeal controls. And if there’s something I know about government it’s that you get mogged quite regularly, and every time you get mogged, you end up with challenges in two capacities. One is integration and the other is incentive, because people who’ve had to change agencies, they lose the institutional knowledge from the first agency and bring it over to another one. And sometimes agencies merge, sometimes agencies get split apart, and then that creates integration challenges, accountability challenges, responsibility challenges.

And so when you start to say stuff like, “Oh, you need to have an asset ownership of all your software assets and the bill of materials and these need to be held by an accountable authority,” it’s like, wait a second. So is the developer responsible for it? But that dev’s now over at this place over here, or they’ve left. Or is it the contracting agency? And the integration piece is really challenging too, because this is a cyber manual and you’re going out now to all of these different parts of the business that have not had to cybers all that much at all and ask them to cybers. They’ll be like, “Why?”

Toby Amodio
Correct, and it’s actually an interesting tangent because for me, one of the pieces I had when I was a CISO is I’d often say to people, “I don’t do cyber security. I assure all of your ability to do cyber security.” And then it’s me coming from a mount and telling them how to do their jobs, and this is a perfect example of now a whole heap of cyber people across government and the private sector will be going, “Well, ISM now says this is how you need to do DevSecOps,” and so they’ll be coming from their cyber mount where they’re not the SMEs. And it’s a relationship and it’s an ongoing conversation and all that, but it’s non-trivial, and as you said, it’s the people and the process that make it hard. Cole and I were at a conference recently and we were on a panel talking about is shift-left dead?

Cole Cornford
Oh, God. Shift to the far right guys. Shift to the far right.

Toby Amodio
And Cole led with, “We should shift to the far right,” and so we had conversations about not like that. But it is. It’s the same thing in the sense that shift-left is inherently dead, because it’s a concept, and it’s great if everyone could do it, but no one can do it, so the reality is that we’re always halfway in between. And it’s like all things in cyber and life. I have this saying, which is only the Sith deal in absolutes, because Star Wars gives you the best life philosophy, which is nothing’s ever perfectly good or perfectly bad. And this takes us a step forward, but the impracticality of implementing it will be the biggest thing that challenges it, and that’s the absolutism of it.

So yeah, it’s going to be interesting. My additional meme on this, and it very much made me think of you as soon as I read the updates, is not only does it bring ISM AppSec into the 20th century, but it makes code reviews great again, because nothing’s better for code security than individually reading line by line through code, because that’s not resource-intensive at all and doesn’t require any specialized skills.

Cole Cornford
Honestly, there’s so many aspects to this where the APS just doesn’t have the capability built, because they’ve never needed to invest in having a software security capability. And in Australia, all of the product security and software security professionals tend to move into financial services or telcos, and then moving into either Australian-based tech or American-based tech, and they just vacate the country. And so we actually have a tremendous talent and pipeline issue for being able to do basic activities like code review. I even think about that one. How do you get people to, A, be excellent software engineers, B, be awesome at interrogating, reading and understanding disparate technologies to find security bugs in it, and then C, communicating with people that don’t necessarily want to work with you about solving those problems?

Toby Amodio
And triaging them. And yeah, correct, because then they’ve got to triage that against a new Feature X, or do I fix a random hanging comma in a million lines of code?

Cole Cornford
Random comma? No, mate. All you write is paragraphs and sentences, right? Because that’s how COBOL works.

Toby Amodio
It’s all vibe coding.

Cole Cornford
No, no, no, no. That’s all COBOL, if you go look it up. I’ve done a lot of COBOL code reviews. It’s paragraphs and sentences and they don’t use semicolons on it. They use full stops. So you can tell that I have hurt insight from having to read COBOL in 2025, but I tell you what, it’s beautiful. It makes me happy. It’s very understandable, clear language, and I’ll fight people, same with PHP, if they don’t like it.

Toby Amodio
That’s fair. That’s fair. But it is one of those pieces where it really clearly articulates why we need to invest more in supporting secure development where we do development, because increasingly… And we should centralize it as much as possible to have centers of excellence for that and outsource to the private sector where that’s appropriate. And shameless plug for Galah, but Galah Cyber is one of the best in Australia for application security, and this is a really good sales pitch for why Galah exists, because we don’t have a broad depth of people who can do code reviews, who can do even pen tests with the lens towards application security. And so having that built into that pipeline and then enabling entities, whether they’re government or private sector, to be able to call out to that, is super helpful to contextualize this, prioritize this, and build that framework and do AppSecs as a service.

Cole Cornford
Yeah. When I built Galah four to five years ago, the biggest thing that I felt was that the conversation was always about products. It was, do I need to choose between Snyk or Fortify or Veracode? What’s the most effective on a capability-versus-coverage front? It was never about, “Cool, how do we now incentivize people to use these products?”, or, “How do we integrate the right products into our workforce?”, or, “How do we win over the hearts and minds that people are going to be resistant to doing secure coding?” Like I said, this is all forward-thinking, big-tech stuff that are bringing back to Australia, because my experience here is very much buy a product and enforce it onto people and then no one likes it. And now I’m reading this standard and I’m seeing all of these things that are hard aligned to vendor capabilities instead of having to do the real change needed in your DevOps workflow or your engineering ways of working. So you did see that there was a DevSecOps that needs to be adequately resourced, which is hilarious to me.

Toby Amodio
I’m actually going to now bring it back full circle, which is we were trashing earlier the fact that they had the requirement around the CISO should make sure they have enough cyber people. But ironically, what we’ve just said there, and we’ve full circled ourselves, which is buy less tools and make sure you have people that understand the process. So maybe they’re right to include that, because everyone was just buying tools. So maybe we do need more people who know what they’re talking about, and instead of saying, “Have the right people,” we should have a control that just says, “Buy less tools that go bing, and make sure you have the people that can drive the tools that you currently have.”

Cole Cornford
Tools that go bing is one of the biggest issues in the sector by far. You’re going to laugh. Last week I was standing in World Square Level 45 at 8 PM at night recording a bunch of Metareals videos while being annoyed at a cleaner who kept opening and closing doors. And one of the pitches I was doing to sell out to people for my training course was, “Hey, guys. Do you love Christmas? Me too, except for my AppSec tools. I don’t want to see red, amber and green lights fucking constantly. Mate, don’t be a Grinch. Make Christmas once a year.” So look at me. You could tell that’s such an influence. I reckon that this campaign is going to be either super successful, or it’s going to pan terribly.

Toby Amodio
Correct. The challenge in cyber is not getting red, green, amber. It’s being able to go, “What do we focus on first? What actually is important?” Because having seven machines giving you red, green, amber across 900 controls becomes, as you said, a Christmas light session that is very overwhelming and not easy to consume. I think that that summarizes how we feel and the latest ISM updates. I really, though, and I do jest, and I know I said this last time, but I appreciate the work they put into it, and it does improve itself as it moves forward, even if it’s one step forward, one step back, or two steps forward, one step back.

Cole Cornford
I was going to say, look, I admitted at the very beginning, I am a policy gronk, not a wonk, so I’m happy to admit and take that label. And so when people are out there writing standards and policies, I know it’s a really challenging job. I’m not very good at articulating what is a good AppSec program as far as those governance artifacts go, but I’m very good at walking in and interrogating and telling you what you should do. So it’s great that we’re seeing this, and the thing about the ISM is the scope of it is to cover literally the entire federal government sector. So having something that can be applicable from an agency like the Sports Commission to the Department of Defense, it’s not easy.

Toby Amodio
Yeah.

Cole Cornford
Yeah, agreed. Look, I really appreciate you being able to come on today and have a bit of a whinge, and also share your insights with us about what’s happening in the ISM. Thanks for coming, and it’s just been a pleasure to speak with you.

Toby Amodio
No, my pleasure. Thank you so much, Cole, and good luck to all the CISOs out there trying to implement it. We appreciate you all.

Cole Cornford
Especially the ones that now have a stick to hit people with, saying, “I need people.”

Toby Amodio
Yeah, correct. Use it as your funding stick. That should be your immediate, like, “I applied for 10 FTE because of this ISM control.” Just quote the control. Don’t even put the text in there.

Cole Cornford
100 FTE. Thanks, Toby.

Toby Amodio
Thanks, Cole.

Cole Cornford
Thanks a lot for listening to this episode of Secured. If you’ve got any feedback at all, feel free to hit us up and let us know. If you’d like to learn more about how Galah Cyber can help keep your business secured, go to galahcyber.com.au.