
Episode Summary
The Protective Security Policy Framework is meant to guide how government manages security risk, but constant updates make it harder to implement than to understand. In this episode of Secured, Cole Cornford is joined by Toby Amodio, Practice Lead at Fujitsu Cybersecurity Services and former senior cybersecurity leader across Australian government, to break down what actually changed in the latest PSPF update and why it matters in practice.
They examine the growing focus on personnel security and foreign interference risk, the inclusion of AI guidance that adds little beyond basic risk assessment, and the long-overdue recognition of Secure Service Edge and SASE as compliant gateways. The conversation also explores why deny lists and centralised risk sharing sound sensible on paper but are far harder to enforce in reality, and why most security failures still come down to behaviour, accountability, and how technology is actually used rather than what policy says.
Chapters:
00:00 – Intro
01:18 – What the PSPF is and why it exists
02:49 – Annual updates, directives, and policy advisories
04:19 – What actually changed in the 2025 PSPF update
05:36 – AI in the PSPF and why it adds little value
08:14 – Tool hype vs implementation risk
10:32 – The AI policy advisory and trusted vendors
14:25 – Directive 3 and clearance disclosure risks
17:21 – Personnel security and enforcement reality
19:41 – Secure Service Edge and SASE recognition
23:39 – Commonwealth Technology Management directive
25:28 – Deny lists, transparency, and security through obscurity
28:05 – Centralised risk sharing and assessment overload
29:52 – Policy wonk or policy gronk
31:12 – Final takeaways and closing