
The ISM has been updated again, and this time AI is front and centre. In this episode of Secured, Cole Cornford is joined by returning guest Toby Amodio, Practice Lead at Fujitsu Cybersecurity Services, for another instalment of Policy Wonks and Gronks, cutting through the vendor noise to talk about what the March 2026 update actually means in practice.
They explore where AI is genuinely delivering value for cyber professionals, from automating compliance mapping and vendor assessments to streamlining pen test reporting and SOC triage. But they are equally candid about the risks: the erosion of foundational skills as junior roles get outsourced to AI, the creeping fatigue of reviewing outputs at scale, and the danger of skipping straight to full automation without the expertise to validate what the machine is doing.
The conversation also tackles bigger picture concerns unique to Australia, sovereign AI capability, the risk of a brain drain to the US, and whether a small country can afford to decentralise its AI infrastructure. Toby closes with a sharp reminder for government CISOs: AI is just another system, and how people use it matters far more than the certifications attached to it.
Chapters
00:00 Episode Trailer
01:01 Chainguard ad
01:28 Intro and the March 2026 ISM update
03:00 AI hype vs real world utility
05:00 Governance and compliance use cases
08:00 Vendor assessments and knowledge base automation
11:00 Skill erosion and the junior roles question
14:00 AI in pen testing: reporting, scoping and customer experience
17:30 The maturity model for AI adoption
21:00 Vibe coding, slop assurance and fatigue at scale
25:00 Agents watching agents and the bot vs bot future
28:30 Australian AI sovereignty and the brain drain risk
32:00 Top tip for government CISOs on AI risk
35:00 Shadow AI and DNS log visibility
37:00 Closing remarks
Transcript
Toby Amodio:
My number one tip would be AI is just another system. The two things that you need to worry about is the security of the system and then how people are using the system. Your main concern is more how people are using it than the security of the system.
Cole Cornford:
If things are happening so quickly, how are we even going to have a detection capability and then response capability?
Toby Amodio:
Yeah, it's going to be bot versus bot and we're definitely heading into bot versus bot on a global scale. In the end, there's way more positive bang for your buck here and the way that I've seen it utilized has been providing significant benefits for entities to streamline and make efficient the drudgery work in letting them focus on the things that matter most.
Cole Cornford:
I'm Cole Cornford and this is Secured, the podcast where I chat with developers, security pros, and the folks with stories worth telling. We talk about what really happens in AppSec, the good, the bad, and the bits that people usually leave off the slide decks. Open source now powers over 90% of the software we build, but it's also where attackers increasingly strike. Chainguard closes that trust gap with hardened, secure, production-ready open source builds, so teams can build faster, stay compliant, and eliminate risk. Get your free CVE reduction report at dayone.fm/chainguard and start shipping software with confidence. And welcome back to another episode of Secured.
This time, again, it's our usual segment of policy wonks and gronks. I've got my resident policy wonk, Toby Amodio, and myself, the gronk, because I am not particularly intelligent when it comes to these ISM updates. So, Toby, hit us away with what's changed this time around.
Toby Amodio:
We've got a great update to the ISM for March 2026. And whilst I'd love to talk about all the intricacies of it, realistically, there's some pretty simple control updates, and the main theme behind it is the way that we use risk and engage with risk around AI in a strategic way. And so, I figured we can use this session to really get into the weeds around what AI means for us as cyber professionals, both from the positives perspective and the negative perspectives. You comfortable with that?
Cole Cornford:
Yeah, absolutely. I'm happy to. AI has been, I know, dominating basically every single thing I've ever been to. RSA last week, all of my friends who are CISOs and my practitioners just went around and they counted, I think every single vendor was an AI vendor of something. So, even if it's a traditional security company, like a Checkpoint or a Fortinet or something, they're like, "I'm AI Fortinet now." It's like, but we do need to talk and bring it back to what's actually real instead of just AI marketing hype and fluff. And for the longest period, I was very skeptical because I've seen us go through so many of these things.
And I like to be someone who sits on the fence and see how things play out a bit. And this genie's not getting put back in the bottle. There are very real things that I'm doing at Galah that I think are going to fundamentally change software security, pen testing, code reviews, like security operations. I'm sure that you're seeing lots of stuff in the government sector as well.
Toby Amodio:
Oh, a hundred percent. It's funny because it is the AI so hot right now, the old Hansel quote. But the reality is that it's not everything or nothing, but it is making meaningful changes. And I think both on the governance and the operations side, it has legitimate use cases to improve your business processes from a cyber professional perspective. And if you're not using it and if you're not leveraging it, you will get left behind. Despite all the hype from all the vendors, there are practical uses. And I'd love to chat to you about some of them.
I know specifically for me in that governance risk and compliance space, I'm seeing the repeatability of outputs and the streamlining of our ability to generate content for audits and ensure that they're done at scale is inextricably improved by AI. It's just made it so much easier and it's made the output of our seniors, even our mids, almost 2X their capability just because of the way it can augment the capabilities of the resources. What are you seeing in that governance space?
Cole Cornford:
Yeah, I see people who are using it incorrectly. There's people who say, "Okay, I've got to write policies. I'm just going to get it to generate a policy for me." And then they'll just take it at face value. And then they get burned when the suggested, the training material or the policy that was generated on is relevant for an enterprise context, but not relevant for a small business. So, why are you going out and doing MDM, DLP, and all of these crazy things and wasting time, right? However, I'm also seeing it do some really awesome things.
One of the things that I'm building internally at Galah is to help me with vendor assessments because as a consultancy, one of the most frustrating things is that no one trusts SOC 2, no one trusts ISO any more because of all of those fucking idiot scam companies that just pay to buy my SOC 2 certificate place.
Toby Amodio:
Pay to comply. Yeah.
Cole Cornford:
Yeah. Pay for compliance as though you can get into regulated industries. That's not going to go badly at all. But anyway, CISOs don't trust that shit anymore. So, they all build their own bloody questionnaires that have no correlation or overlap whatsoever because they're contextually relevant to their business, which makes sense to me, right? However, that means that I now have 700 different ways to have to answer questions. And so, what AI lets me do is have an existing knowledge base of answers or at least collect evidence on a regular basis. And then when those questions come in, or look at the knowledge base and just pre-populate everything.
And yes, going to make some mistakes, but the fact is I've gone from needing to effectively have a full-time compliance person to manage the volume of vendor assessment stuff or investing in a product that does this for me, to now just having a system that just looks at what's in GitHub, says, "Hey, this is where you're at and this is where the gaps are against what they're asking you." And you just do a sanity check as opposed to having to go and source hundreds of screenshots of evidence. It's kind of scary because there's a lot of the work that I did early in my career.
And I'm sure it would've been the same for you, was logging into systems, getting screenshots of evidence, reviewing, because that's how you get the exposure to all the different things. I remember early on, I was like, "I've got to know what the red cable is, that's top secret information, and the black cable is like this." And never relevant at any point. I'm sure it's changed, but that's how I learned, right?
Toby Amodio:
Yeah, you're 100% right. And it's a really good use case for it. If you're in a business or you're a cyber professional, building an agent that can then take compliance attestations and then map them to the client's requirements or various compliance baselines just saves time. And shamelessly linking back to the ISM, when those compliance baselines are changing on a quarterly basis, you don't have to do the drudgery work of mapping those changes and then understanding how it impacts your compliance states. You can have that done for you and then sanity check it. And given that those changes are happening on such a frequent basis, it then removes the need to have someone manually doing that.
And you automate that drudgery work and you move into the, as you said, that value add space, which has its own benefits, but it also has its own risks and downsides, as you said, because we can end up with the position where there's not juniors teaching the next generation coming through. How can they get that base level of knowledge of the systems if we're effectively outsourcing to AI their roles?
Cole Cornford:
I still think there's a lot of value because we're old vets who know how things were in the old world and people can come in and say, "This is how this should be in the new world." And I anticipate that there's a lot of people who've learned how to do their accounts payable and accounts receivable systems or how to do audits or how to do a penetration test or how to review log files who now there's going to be people who have learned how to use this technology and can architect a series of skills to do that kind of task. Whereas previously, you might be fearful to do that because why have I learned this 10 to 15 years of specialized capability if I'm just going to go give it to a machine to do?
So, one of the biggest barriers that I'm trying to get ahead of, at least inside of Galah is reticence to adopt the technology and fear of the technology displacing skillsets. How do we get people to understand that it's not there to reduce headcount, it's to make it so I can do two or three times as many penetration tests, right? And I know that I'm seeing this even with a lot of professional services firms. The bigger ones is that the graduate pools are not really decreasing, because they need that labor to go ahead and systematize and build processes because the partners are too busy doing sales. It's just that the model's getting a little bit thinner.
Toby Amodio:
Yes. Yeah, yeah, yeah. Agreed. And it's interesting you mentioned pen testing. How have you seen it on that operational side or on that operational validation side of your business?
Cole Cornford:
Yeah. The thing about pen testing is that where most of the effort goes is either on trying to get the environment set up and all the credentials tested and validated and then on the other end to decide what's the report writing, how are we retesting? How are we helping people validate things? And I find that that's where the majority of the effort goes in a lot of our engagements from just pure overhead because I want pen testers to be focusing on delivering the pen test. And so, if in the system with Burp Suite Open, doing hacking, doing a great job, that's great. But the things where I'm finding a lot of value is that the report writing is getting a hell of a lot easier.
Customer experience is getting a lot easier because instead of us having to begrudgingly ask testers, "Hey, can you please tell someone what you've done for today?" We're able to just effectively look at things like your Burp logs and then from the summary of the Burp logs, then understand, "Hey, this is the type of endpoints or attack vectors or things that we've been thinking about." It's not perfect, but the fact is that you suddenly now have an automated, consistent brand and voice for applying to customer experience. Your reports can be generated instead of having to be bespoke written. It's excellent in that way.
And I'm spending a lot of time on figuring out how do we deal with the front of the engagement, which to me is things like building a statement of work, which I know is not the easiest thing to do because it's bespoke and every single engagement is going to be quite unique. And we've got to a point where we've been able to get that down to a couple of minutes now, which normally you need a full-time operations manager to be delivering that kind of stuff. So, I'm quite bullish on what we're going to be doing in that space. I just want my pen testers to focus on novel and interesting activities.
Toby Amodio:
Amen. We all want our pen testers to be cracking shells, not to be writing reports. And the Lord knows that people don't get into pen testing to make sure they can write a 40-page document.
Cole Cornford:
Because that document's the value though, because every-
Toby Amodio:
Oh, agreed. Agreed.
Cole Cornford:
... person who wants it, they're going to say, "Hey, I need this because I need to acquire a certification or I need to have assurance that my system is reasonably secure." So, that output is the thing that the customers really care about, but this allows us to make sure that this document in the end, instead of spending half the test on fucking around on corporate shit, it means you have nine and a half days on testing and that gives you either the ability to do tests for people that otherwise couldn't afford them because you can now... This gives you a question.
Toby Amodio:
Democratize, yeah.
Cole Cornford:
It democratizes a service that otherwise you couldn't have people participate in, right?
Toby Amodio:
Yeah, agreed, agreed. And I find as well, it helps those pen testers who may not have those English skills or have the writing ability to then almost have a translation layer to present it in a consistent, as you said, way and a way that the... I know I've said it before, but I often think of them as dolphins because they're clearly intelligent. They just can't communicate. And it's the translation layer of a dolphin to the normal client language, which is really critical.
And I've seen it not just happen in that pen testing space, but across everything from that ops managerial space, especially we're seeing the increasing utilization of it within the SOC and the monitoring context enables us to get people into more higher value work. And then it also, as you said, it automates that drudgery work of pulling logs from disparate sources to present it to the SOC engineer or the SOC analyst to help them do their job in a more timely way to then quickly validate whether it's a false positive or a false negative. So, I think it's super helpful. I think it does come though, even though it's got these great use cases, there are a number of risks.
And one of the risks that I get worried about is as we outsource that knowledge, it's going to lead to slop being passed on. And so, it's that awkward piece where, as you said, we still need it to be an addition to us. So, it's meant to complement our capability, not replace it. And when people let it replace their capability, it's often just pumping slop out that's not contextual and can't inform. Are you seeing that same challenge?
Cole Cornford:
Oh yeah, especially people who are busy. So, they've got a lot of things on and then they use AI as a way to just try to get something out, whether it's a proposal or whether it's a GRC document, or a policy, whatever, they think that I'll just get chat to generate, I'll make a couple of tweaks, it'll be fine. And what ends up happening is that that final product, the customer feels like, "Well, why did I pay for a service if I could have generated it myself?" And what expertise do you even bring into the table if you've just taken something straight out of Claude, right? So, I'm seeing a lot of consultancies who are doing that, but there is a way to bring your expertise into that.
And I find that the way that I do it is I have a bit of a maturity model, where we move people from having reticence and aversion to using artificial intelligence to learning to be assisted by it and then documenting whatever process that they're doing while using AI, eventually converting that into a skill. And then that skill gets augmented by their expertise to change things. And so, that's the ultimate model I want to get to is having everybody the augmented layer rather than at the end goal, which is where all the CFOs want to go to, which is AI solves everything we don't need people anymore.
Zero is the perfect number of... But then if the machine's going and doing a lot of things like who's to blame, ultimately it's the directors of the company or the directors and the government and there's no oversight or understanding about why it's made these decisions.
Toby Amodio:
You can't outsource accountability and you definitely can't outsource accountability to a BBOP. But you're 100% right. It's funny, even just recently I was using an LLM to augment some of our research around data retention policies within a government context and it put out, "Hey, quite confidently, you need to retain this for 25 years." And it's funny because I looked at it and went, "Well, that's wrong because I know it's wrong because I've been doing this for so long." And then I looked at the source and even the source that it had linked me to didn't say what it had told me.
And again, it's a perfect example of if I hadn't had that knowledge or I hadn't checked the source, I probably would've pumped forward really bad advice, which would've put the entity in a non-compliant state with the government standards. And so, it is that you can't outsource entirely, you've got to trust but verify and you've got to make sure, as you said, that what's the value add that we're bringing into that engagement and that should be augmented by AI, not replaced. And then you should be making sure that you're passing and across what you're providing to the client and the reason why. It's like we used to have this saying for SASOs, which is the only thing that's important is knowing what's important.
And the only thing that's more important than that is being able to communicate what's important. And your real value add is those two elements. And so, if you are in that process chain of just getting slop and passing slop, you're not sourcing what's important and you're not articulating what's important. So, definitely use those lenses to validate what you're doing and the value it's bringing.
Cole Cornford:
Yeah. For me, I think this is why I force people to go along this journey of being along the maturity model, where they start with just doing things entirely manually and then they slowly move up. I don't want them to skip steps because when you skip steps, that's when all of the little edge cases that come about from your expertise, because you can build a lot of guardrails around how the agent works where you can build ways to validate whatever the content is. You just find as many ways that you're going to foot gun yourself and mitigate those in advance, right? Have a lot of test criteria. Use deterministic tools, use manual tools like GREP, have manual processes in there.
But by doing it in following that very specific order of improving your capability, it means that your expertise is really shaping a very battle hardened way of achieving the outcome that you're looking for. And I think that a lot of people jump straight to augmented or native and then it just crashes and burns and just does stupid things and they misunderstood the scenario very well. So, yeah, it's people who are so worried about losing their edge and their capability, it's true. If you do just decide to just say, "Hey, now the machine's going to make all the decisions for me."
Yeah. But if you're sitting in a Waymo as opposed to being a taxi driver, you got to accept that, yeah, you no longer need to worry about driving, you've got to figure out what's going on there. But I think fatigue is the big thing though. That's what I'm thinking is the problem because as someone who does a lot of secure code review, I know that reading code is a lot harder to do than writing code. And I think that a lot of people who are busy doing the activity, reviewing the activity is all harder than doing it in a lot of cases. And I think people are not easily making that switch.
Toby Amodio:
I concur. And it's like for me, this is one of the challenges for cyber people that's not really caused by cyber people. But if we end up vibe coding and slop coding, then we end up vibe assurance and slop assurance and it kind of just expands out by scale. And then it just creates more and more fatigue both for the consumers, but also if you scale out, as you said, you're twice as productive, you've got that only scale so far before you're doing too much context switching, you're going to miss things. As we mentioned, you're not going to end up verifying and it's going to fall over at some point.
And so, I think, as you said, to ensure that you are giving yourself the space to think through problems and have the capacity to think through problems will reduce your fatigue on it, but you should also work with your entities to make sure that they understand the scale impacts of having an equivalent piece like if you've got vibe coders pumping out code left, right and center that you have to assure, or if you've got vulnerability scanners that are AI-enabled that are scanning the whole environment and you've got the outputs, you're scaling your work to that and not just creating more and more and more and more impact onto your wetware because your people can't scale like your AI.
So, you need to make sure that you're working around that fatigue and scalability.
Cole Cornford:
I find if you eliminate one bottleneck or you just get extremely efficient in one way and then you find the next bottleneck and then eventually like, oh, I found the next bottleneck. And so, it's just turtles all the way down. And you end up also, the other thing is just having a mental map of how all of these processes and stuff sits together. I have to sit there drawing circles and lines and just being like, "This is the steps." Are you familiar with finite state machines? Yeah. Effectively, that's what I'm doing is I'm creating business process maps or finite state machines of how I'd be anticipating that everything would work end to end.
At some point though, it's too much context window for myself to understand what's going on. And that's what scares me is like when I'm running a small business, I can understand what's happening from sales, like marketing into sales into delivery of specific activities and the customer experience and then back into marketing. And then as soon as my business goes from say 15 headcount, which is where we're at the moment, to like 30 headcount or maybe 60 or 600 or 6,000, then that's not possible whatsoever. And that's where I think that you're going to end up with all of these disparate pockets that are doing the same types of activities, slightly incorrect or slightly different than one another.
And so, I reckon it's got huge amounts of rework and people doing the same thing or creating their own new bottlenecks. It's going to be messy.
Toby Amodio:
Well, and I often think as well about the advent of AI agents in SOAR, like orchestration from the security context is great, but to me, they're just macros on crack and we're going to have to be doing these guardrails on the agents and then it'll be agents watching agents. And again, it's that fatigue piece about making sure you can keep your mental model across what's going on and you're not automating to the point of obscuring. So, then you're just creating more pressuring yourself. But I think in the end, there's way more positive bang for your buck here.
And the way that I've seen it utilized has been providing significant benefits for entities to streamline and make efficient the drudgery work and letting them focus on the things that matter most. But obviously that's hard in every entity to work out what matters most because there's a lot of noisy competing elements. And I think that it'll be a continued piece as it evolves rapidly around how do you use it, how do you use it to complement your core elements and how do you use it to ensure that you're driving security within your entity?
Cole Cornford:
I do wonder if we're going to have to get to a point where we have a centralized skill repository that people kind of draw from as a baseline in every organization, rather than them creating their own processes. Because that's what I want to do. I'm calling it bird brain because I don't know, hive mind, bird brain, it's a bird business, whatever, I'm funny, ha ha. But the other places that I've seen trying to do it, you end up with a lot of citizen developers who've built something and that process works for now, but is it going to work in the future? Is it going to work if you give it to other people to follow, it's a big question.
Toby Amodio:
Yeah, no, I totally agree. And I feel like there's a space in Australia for government or big businesses to start to generate agents where you can go, "Hey, this agent provides this service and this is the guardrails." And it shouldn't be every single agency or every single business doing that themselves. They should be able to develop once and then leverage at scale and use, as you said, the community to help tune that piece would be the best place to be. But in reality, probably just end up with sprawling rot like we have with all IT, which is great and not depressing at all.
Cole Cornford:
I mean, we're just going to have so much more legacy. We're going to have a tremendous amount of AI...
Toby Amodio:
Legacy agents that we have to take out. It'll be the matrix where we're trying to take out agents left, right?
Cole Cornford:
All I could think about is all those video games where robots are walking around, Nier: Automata and stuff, where they're just like, "What is my purpose? Why am I here? What's going on? I'm obsolete," just all Futurama even. So, that's the kind of vibe which I'm thinking about. It's just rusty buckets that have a specific purpose and we're like, "I'm here to connect Jira to Confluence." And they're like, "Oh, we don't do that anymore. What a nose."
Toby Amodio:
I go until we have a SOC agent who becomes self-aware and then wants to be an ethical hacker and wants to be a pen tester like every other grad. It's the AI agent that wants to be a pen tester.
Cole Cornford:
They don't even say no, that's the other thing. They'll just go ahead and try to do things badly. I mean, it's not that different from a grad really because a lot of grads will just give it a crack and then be like, "Oh, whoops so well." So, that's probably one of the risks I think is going to come up a lot as well actually is that if things are happening so quickly, how are we even going to have a detection capability and then response capability because overwhelmingly, we've had time to generally identify and respond to something, but if you just do stupid shit really fast, you're going to have to relearn these machines to find a stupid shit and response.
Toby Amodio:
Yeah, it's going to be bot versus bot and we're definitely heading into bot versus bot on a global scale and the outcome of that will be not only additional pressure for us to ensure that the bots are doing the right things and not accidentally nuking your own capability, but we're going to end up with this dead internet scenario where most of the activity on the internet from a networking perspective as well as the actual content is AI generated AI to AI to AI to AI. And so, you can get into a really risky position, but I guess we can't solve all of the world's problems here.
And the core of it is that whilst the ISM focuses on understanding the risks around AI and trying to leverage the benefits, it's easier said than done, and it requires you to really know it. And as you said, we really need people to make sure they're engaging with it. You can't be the Luddite on this. It is not going away, and if anything, it's going at scale. So, you really need to understand what it is, how it can augment your people, and then engage with it appropriately.
Cole Cornford:
Yeah. The thing that scares me is that we don't have a foundational model or a capability to produce foundational models in Australia. And so, sovereignty is a real big challenge that worries me for the government sector. And the open source models are traditionally Chinese. And while I'm not someone that's going to throw too much shade over there, the fact is we just don't control them. We don't know how they're trained. We can use techniques like abliteration to reduce the weighting within them, but still we can't be a hundred percent confident that they haven't been poisoned or customized to the context of Australia, right?
And so, that's going to be a problem over the longer term, and especially for the federal government, because then it's going to do stuff in a way that's relevant for America because that's where all the AI training is going to, really.
Toby Amodio:
Yeah. Yeah, agreed. Agreed. It's non-intractable, especially with the scale that's required for the compute. And I see a lot of the models now just saying, we're not even going to try and do non-regional compute in the sense, sorry, regional compute in the sense that everything goes back to America because that's where we've got the massive data centers. And obviously America's such a reliable ally at the moment that I have absolutely no concerns with America and their leadership and I for one appreciate our orange overlords. And so, yeah, it's problematic, especially for a small country like Australia on how do you understand that capability? How do you maintain sovereignty?
Or if it's not direct sovereignty, how do you maintain the security of your elements with your sovereign interests in mind? So, yeah.
Cole Cornford:
I also worry about are we also having... I mean, we've traditionally had a software brain drain to America because that's where the capital is and where the businesses are and the opportunity space to be able to build the software businesses. And I worry about whether we're going to be having that AI capability also brain draining over there as well. I've already seen a few good promising Australian startups try to get in the Y Combinator and move across. And that's going to be really disappointing as a country if we're losing such good talent to go and build overseas. And I don't know, I'm just Team Australia.
So, my company's Galah, so I want people to build good businesses here. We just need the infrastructure to support it, right?
Toby Amodio:
I concur and I think that there could definitely be some investment. And I think that to support that, I feel like we're too small of a country to do this decentralized, and I think that there needs to be a rural government lean in on how do we facilitate and do almost a Y Combinator type piece centrally to then drive that innovation because we're too small of a country to decentralize it. It just doesn't work. We can't get the economies of scale here. So, how do we support that? And then again, how do we leverage AI to support that development and innovation?
Cole Cornford:
So, going back to the original topic, which was ISM changes, for a government CISO or accountable authority, what would you say would be the number one tip as Mr. Wonk that you would give to them to be able to protect themselves from AI?
Toby Amodio:
My number one tip would be AI is just another system. So, the two things that you need to worry about are the security of the system and then how people are using the system. And my main tip to CISOs would be your main concern is more how people are using it than the security of the system. Most of them come with certifications; you can put guardrails on them. But with probabilistic computing, if people get a bad output and trust it and say it's repeatable, that can lead to really bad outcomes, especially in the government sector. If you're using it to inform a decision, how it is used becomes really critical.
So, despite the ISM changes and talking about risk and risk sitting with the system owners, you have to be really clear that they understand how those AI systems are being used, what are they being used for? And you're helping the users to understand the difference between deterministic computing and probabilistic computing and what that means for the outputs and how they manage the outputs. We don't want to end up with a Robodebt V2 because they've just allowed the AI to choose who to audit. That would be a terrible outcome because it will be non-repeatable, it'll be a black box, and it will lead to drudgery, terrible outcomes.
Cole Cornford:
I was going to say Robodebt, it's not like we've just had a magic box where we've just let it make decisions before without having any scrutiny of it. But for those who don't understand it, the problem with Robodebt was that they basically annualized people's salaries based on a single point of basically one paycheck. And they figured that, "Oh, if you got paid $5,000 in one paycheck, therefore your salary is 400K." But oftentimes, people might work for a gig for a week or two and then be largely unemployed for the rest of the year. So, I think students or university casual academics or people with shift work, et cetera.
Toby Amodio:
They basically sent debt notices to people based on probabilistic modeling of their income. And it turned out that most of those were wrong. And so, they probably shouldn't have sent debt income on projected earnings and done it off the real piece. So, yeah.
Cole Cornford:
I just love projected earnings. It makes me so happy with my bloody childcare payments.
Toby Amodio:
Exactly, exactly. But I think that like any other system, we've got really good people who can manage it. And I think that following the standard ISM/PSPF approaches to systems and then being forthright with your AI committees around how they're being used, you can stay ahead of it and you can leverage it appropriately. And more pressingly for us, as you said, how do you make sure you can use it to optimize your services? I think we've had a good chat today around different ways that they can use it to improve cyber services.
Cole Cornford:
As the gronk, I think that the biggest thing that I see problematically is Shadow AI, where people are just using whatever and you have no visibility of it. So, I would just be looking at your DNS logs and seeing what random SaaS service or AI service your guys are going and talking to, because you probably don't know what Shadow AI systems you're actually making calls out to. I feel like that's the biggest issue: people just say, "I need to get on top of this. Let me just start using things to get better at my job." You now have a proliferation of technology that you don't understand.
Toby Amodio:
Yeah, correct, correct, correct.
Cole Cornford:
Hey, Toby, thank you for coming in today. It's been an absolute pleasure. Another episode of Policy Wonks and Gronks. Until the next ISM update.
Toby Amodio:
My pleasure. Thanks, Cole. It's always good to see your face, mate. Be safe.
Cole Cornford:
Thanks a lot for listening to this episode of Secured. If you've got any feedback at all, feel free to hit us up and let us know. If you'd like to learn more about how Galah Cyber can help keep your business secured, go to galahcyber.com.au.