DayOne.FM

PSPF Changes Explained for Security Leaders



Episode Summary

The Protective Security Policy Framework is meant to guide how government manages security risk, but constant updates make it harder to implement than to understand. In this episode of Secured, Cole Cornford is joined by Toby Amodio, Practice Lead at Fujitsu Cybersecurity Services and former senior cybersecurity leader across Australian government, to break down what actually changed in the latest PSPF update and why it matters in practice.

They examine the growing focus on personnel security and foreign interference risk, the inclusion of AI guidance that adds little beyond basic risk assessment, and the long-overdue recognition of Secure Service Edge and SASE as compliant gateways. The conversation also explores why deny lists and centralised risk sharing sound sensible on paper but are far harder to enforce in reality, and why most security failures still come down to behaviour, accountability, and how technology is actually used rather than what policy says.

Timestamps

00:00 – Intro

01:18 – What the PSPF is and why it exists

02:49 – Annual updates, directives, and policy advisories

04:19 – What actually changed in the 2025 PSPF update

05:36 – AI in the PSPF and why it adds little value

08:14 – Tool hype vs implementation risk

10:32 – The AI policy advisory and trusted vendors

14:25 – Directive 3 and clearance disclosure risks

17:21 – Personnel security and enforcement reality

19:41 – Secure Service Edge and SASE recognition

23:39 – Commonwealth Technology Management directive

25:28 – Deny lists, transparency, and security through obscurity

28:05 – Centralised risk sharing and assessment overload

29:52 – Policy wonk or policy gronk

31:12 – Final takeaways and closing

🐙 Secured is grateful to be sponsored and supported by Chainguard.

Chainguard is the trusted source for open source. Get hardened, secure, production-ready builds so your team can ship faster, stay compliant, and reduce risk. Download your free CVE Reduction Report at https://dayone.fm/chainguard



By Day One