How CISOs Should Talk to Corporate Boards | Interview with Michelle Drolet

Dejan Kosutic:

Welcome to Secure and Simple Podcast. In this podcast, we demystify cybersecurity governance, compliance with various standards and regulations, and other topics that are of interest for consultants, CISOs and other cybersecurity professionals. Hello, I'm Dejan Kosutic, the CEO at Advisera and the host of Secure and Simple Podcast. Today, my guest is Michelle Drolet, and she is the CEO and the founder of Towerwall, a cybersecurity company. And she's the author of numerous articles in Forbes, SC World, CSO, and others, and she recently published an article called "Six Tips for Talking More Effectively to Corporate Boards."

Dejan Kosutic:

So in today's podcast, you'll learn how CISOs should communicate with their boards. So welcome to the show, Michelle.

Michelle Drolet:

Nice to be here. Thank you so much.

Dejan Kosutic:

Great to have you here. So tell me, what are kind of, let's say, key questions that CISOs can expect to be asked actually by the board?

Michelle Drolet:

So a lot of times the board doesn't know what the questions are. Right? So as CISOs or ISOs, we need to walk in there and be able to not talk vulnerabilities, but really talk about impact on what could happen inside of an incident. And it's not if, but when, and how to help them understand that you're actually building a program based on their strategic initiatives.

Dejan Kosutic:

Okay. So, what you're saying is that basically CISOs should somehow drive the agenda when it comes to cybersecurity rather than the boards.

Michelle Drolet:

Absolutely. Absolutely. Having an advocate on the board is really important too. But coming in and not having this huge dashboard that has all these green check marks and things like that is not... it's gonna put everybody to sleep. So having key metrics on, you know, what's happening across the board, no pun intended, to help them understand that, you know, the board, we're talking dollars and cents from a catastrophe happening, and so not just, you know, vulnerabilities.

Michelle Drolet:

Does that make sense?

Dejan Kosutic:

Yeah. Definitely. And you mentioned that CISOs should, let's say, paint the picture that they are building a security program to the board. So how do you actually do this?

Michelle Drolet:

So the metrics are based on ROI. Right? It's not just going in and saying, I need a SIEM or I need a SASE product. They don't care. It's how are you going to limit the blast radius by actually putting repeatable processes and a program in place to actually then show that if something bad were to happen, it's going to limit what the impact is gonna have from a reputational perspective, from a dollar and cents perspective.

Michelle Drolet:

And, hey, by the way, now your board is being held accountable as well. So, you know, going in and having that, saying, here's where our data is. Here's who has access to the data. Because what we always say as CISOs, as ISOs, you're all stewards of the data, but you're not owners of the data.

Michelle Drolet:

So helping them understand that so that everybody is held accountable and that the programs are put in place.

Dejan Kosutic:

And if we can, you know, drill a little bit deeper into, you know, building a security program. So does this mean that CISOs should basically explain what are all the elements of this program or should they focus only on the metrics and dollars and cents? Or what is the best way to do it?

Michelle Drolet:

So we look at what are the strategic goals in the organization and then build a program around that. I don't think that boards care about the details of the program. They really care about how you are protecting their information. The customer information, the vendor risk profile, vendor risk management, all of those types of things. If you can go and say, these are some of the salient points that we're doing, but not getting into the minutiae and the detail.

Michelle Drolet:

Because then the CFO is gonna be on his phone or the CEO is gonna think about lunch. Right? So we don't wanna shut them down. We want to engage them. And so by engaging, it's actually getting them to be part of the program.

Michelle Drolet:

Right? And so we do a lot of tabletop exercises with the C-suite as well as boards now so that they understand the different elements of a threat, of a ransomware attack, of insider threats, all of those types of things that they don't understand. And if you can bring that knowledge to them, you know what? That's half the battle.

Dejan Kosutic:

But these kind of exercises, are they actually part of the, really, the board session, or this is done something that is outside of the formal board session?

Michelle Drolet:

It's typically outside the board session, and they run about an hour. And it just makes a lot of sense. And it's scenario, but it's also really about knowledge transfer so that when you go into that board meeting, that they're understanding what's going on and what they need to pay attention to.

Dejan Kosutic:

Yeah. If that makes sense. The meetings are there much smoother if they have some kind of a pre knowledge already. And you mentioned that this engagement is really important. So from your experience, what kind of, let's say, facts or what kind of, let's say, discussions are engaging for a CEO or a CFO?

Dejan Kosutic:

And, I mean, what kind of things the CISOs should really focus on?

Michelle Drolet:

So when we're doing these board exercises and the C-suite exercises, it's really coming in and doing, you know, what are some of the threats that are out there? What type of data does your organization have that needs to be protected? And then going through some scenarios, like a ransomware attack or an insider threat or different things like that. So it's scenario based. So then it's very, very interactive, and it really helps them get an idea of what you're trying to accomplish.

Michelle Drolet:

And it can go back to that dollar and cents and, you know, just risk and risk mitigation, if that makes sense.

Dejan Kosutic:

And what you're saying is that even though these are cybersecurity topics, right, the ransomwares and all these, they're still interested in if you actually present them as kind of what scenarios, if I understood well.

Michelle Drolet:

Absolutely. And it's very engaging, and there's a lot of good conversation during the session as well as after the session. It's really, really good.

Dejan Kosutic:

You mentioned also that the CISOs should have, I mean, the boards should have someone as an advocate of cybersecurity as part of the board. So who is typically this person? I mean, what is the best profile of the person who could be an advocate on the board?

Michelle Drolet:

It would be someone like your audience, actually, somebody that sat in the CISO position or ISO position or CIO position, you know, that has had security reporting to them. Right? Mhmm. So that they can help the other members of the board really understand that cybersecurity or information security isn't a cost center. It's not a cost center.

Michelle Drolet:

And if it's thought of as a cost center, it's never gonna be taken seriously. And so it really needs the information security or cybersecurity team or CISO needs to really come in and help them understand that, you know, if they don't have a good, strong information security program, you know, the liability to the organization, the threats, the exposure, they could be down not just for a couple days, but weeks or months and out of business, reputational damage, all of those types of things.

Dejan Kosutic:

Okay. But, I mean, still, most companies are still considering, you know, the cyber as a cost center. Right? How do you actually then make a case that this is something more?

Dejan Kosutic:

And do you actually go in this direction of resilience, or are you making some, let's say, other arguments that position the cyber?

Michelle Drolet:

So resilience is perfect also to business performance.

Michelle Drolet:

Right? So looking at, you know, if we don't do this, this could happen. Or if we don't do this, from a regulatory and compliance perspective, you know, we like CMMC, for instance, right now. Yep. I mean, you can't do work with the government unless you are CMMC certified.

Michelle Drolet:

So there is business impact to that. And so being able to sell that not just as a checkoff box, but actually make it programmatic so that they understand that you're mitigating risk and business exposure across the board.

Dejan Kosutic:

So on one hand, there is the resilience. On the other hand, there is a compliance. But you also mentioned business performance, if I understood well.

Dejan Kosutic:

So how could actually cybersecurity improve a business performance? I don't know. Sales, profitability, margins, these kind of things.

Michelle Drolet:

That's a great question. So you think about, again, it's not a cost center. How many of you all are answering questionnaires right now? That your salespeople are getting questionnaires from their prospects. And if you don't have a solid information security program plan and can answer that you have an incident response plan, a disaster recovery plan, a name it, you know, that you're not gonna be able to answer that questionnaire, and they're not gonna be able to make that sale.

Michelle Drolet:

Well, that has impact, and now it's gonna have impact on the CEO. It's gonna have impact on the CFO. And so having that strong information security program with those repeatable processes now, again, goes back into business, not just a cost center. Does that make sense?

Dejan Kosutic:

Yeah. And are you saying that CISOs should basically build their security program based on expected, let's say, requirements from future customers?

Michelle Drolet:

I don't know if it would be 100% that, because there's a lot of aspects, right, from the people, the processes, the policies, and the partnerships. Right? Mhmm. But they do need to think about or you do need to think about, what are the elements and making sure that everything if you come in and get audited by one of those clients, that you're gonna be able to show. And so we're actually hired every once in a while to come in and go in and audit those questionnaires and say, okay.

Michelle Drolet:

Show me. We just did it for a very large bank, and we audited them for a financial institution. And out of 180 questions, we took 12 and said, okay. Show us how you're doing this stuff.

Michelle Drolet:

So, you know, just thinking about that. And then also, you add that vendor risk management component too, and the insurance component. So doing all the different things and building out your programs and being able to show, it's gonna keep your cyber insurance premiums lower too.

Dejan Kosutic:

Lower. Yeah. Mhmm. Mhmm. Now if, let's say, a CISO wants to kind of anticipate what are the business needs, how then should CISO be, let's say, positioned in the organization to actually better understand what is the business strategy?

Dejan Kosutic:

So how would that work?

Michelle Drolet:

So my thought forever is that the CISO does not report to the CIO, but in a true and I need to say this cautiously. But in an organization where the CISO reports to either the CFO or really realistically the CEO or the president of the organization, then they have a real place at the table, and information security or cybersecurity is taken very seriously. Because sometimes if you're reporting to the CIO, it's hard to call their baby ugly, so to speak. So different things can happen, and so your hands get tied.

Dejan Kosutic:

Yep. You mentioned also the board accountability. I assume that you're mentioning this from a cyber perspective. So, how can actually CISOs enable boards to understand their cyber obligations in a better way?

Michelle Drolet:

I think it goes back to that awareness component.

Michelle Drolet:

Alright. And doing those tabletop exercises and helping them understand, providing, you know, articles and going and just having a place at the table, not on an annual basis, but at every board meeting. Right? You need to be there at every board meeting, and it could be just a five minute conversation. But tips and tricks and things that are happening out in real world and then what's happening inside your organization.

Michelle Drolet:

And it's not about technology, but, again, it goes back to business risk. And if you don't get this or get that budget, it's gonna have impact from a sales perspective as well as a liability perspective.

Dejan Kosutic:

Now let's speak a little bit about metrics. Obviously, this is what the boards are always obsessed about. So in your view, what are the best metrics CISOs should present, okay, on one hand to the board, but also to other executives in the company?

Michelle Drolet:

So I think the metrics are tied to compliance, like, compliance metrics. Mhmm. Also, dollars and cents when you're talking about strategic impact or board impact. And so what if you don't do something... I'm gonna give an example. So our CISO at Towerwall was a customer for twenty four years before he joined us two years ago.

Michelle Drolet:

And what he says to our clients now is that we don't want to have something that just shows all of this stuff, you know, from, again, from that people, from the policy, from the processes, from the partnerships. It's three salient points. Okay? So we're doing this. We're doing that.

Michelle Drolet:

We're doing this, and it's tied into our strategic plan. And that's different for everybody. But if you can do that, he said he actually had that, and he took it away and didn't show it at one of his board meetings. And the CFO said, where is it? So if anybody wants to see that, we can show it at some point.

Dejan Kosutic:

Okay. Can you give some, let's say, different examples? Of course, without any company names, but let's say different examples of what kind of metrics can work for, let's say, one type of a company and what, let's say, other metrics, the security metrics can work for a different type of a company.

Michelle Drolet:

So it could be on third-party risk. It could be on access. It could be on critical data.

Michelle Drolet:

It could be on the metrics of sales impact. There's a whole bunch of different things. The blast radius. You know, protecting that critical data. I had somebody the other day say, we don't know where all our critical data is, so we just try to protect everything, and that doesn't necessarily work.

Dejan Kosutic:

Yeah. It's too ambitious.

Michelle Drolet:

Did that answer your question?

Dejan Kosutic:

Yes. And they usually, I mean, when you show this kind of metrics, do they usually show them in monetary terms or are using some other KPIs as well?

Michelle Drolet:

It could be monetary terms. It could be other KPIs as well. So, again, that blast radius. And it's not vulnerabilities because they don't care about vulnerabilities.

Michelle Drolet:

What they care about is that connection into the strategic initiatives. And if there's certain specific elements of that strategic plan that they can tie into to say, we're gonna do these three things Mhmm. To protect this, say, IP or whatever it is, then that's gonna help the business grow and thrive.

Dejan Kosutic:

Great. Now, how should I mean, obviously, board members can ask various questions. And I assume that board members are asking, you know, questions like, are we secure? Now how should, you know, CISOs handle this kind of a situation, this kind of a, well, generic question?

Michelle Drolet:

So the answer to that would be or secure as your budget provide or fight. But, no, that was tongue in cheek. I apologize. But, really, it's about repeatable processes. So when a board member asks, you know, are we secure?

Michelle Drolet:

You know, with all the challenges and all the threats that are out there, you know, nobody's 100% secure. There's phishing. Right? There's vishing. There's smishing. There's, you know, links that people are clicking on.

Michelle Drolet:

You know, that user awareness is a big component because we want our team members to be, you know, part of our information security team. Right? They're our first defense, but you can't stop necessarily people from clicking. And now with AI and the bad actors getting way badder and way more sophisticated, that happens more frequently than not. And now the ransoms, the average is $4,400,000.

Michelle Drolet:

That's average. Yeah. So when they ask, are we secure? It's like we're as secure as I possibly can make us with the budget that we have.

Michelle Drolet:

And so, you know, thinking about that, I go back and say that to them because you can't protect everything. We recently had a client, and I don't understand why they did it, but they were moving to the cloud. And they had an MDR solution on prem, so they had everything being monitored on their servers on prem as well as in the cloud. And for some reason, they decided to remove the MDR solution from the servers on prem and just in the cloud. And somebody clicked on something, and a bad actor got in there.

Michelle Drolet:

And they sat there for it was over a hundred days and watched how the CEO communicated with the CFO, and the CFO communicated with accounting. And they exfiltrated $13,000,000 in thirty days because they had no idea.

Dejan Kosutic:

So what you're saying is not if, but when. Right? It's not I mean, I mean, incidents will happen.

Dejan Kosutic:

Right? And, I mean, from that perspective, how can actually CISO ensure the boards that what is being done is actually being done enough, especially from the perspective of, let's one day an incident will happen. So how do you actually then say that you were diligent enough with your security before the incident happened?

Michelle Drolet:

So one of the things we always say is that, you know, if the bad actor really wants to target an organization, they're gonna target that organization. But if it's kind of a pray and spray type thing, if we can lock our doors and lock our windows and maybe shut the shutters so that when the bad actors are knocking or trying to pry open the door, it's not easy. They'll go to the next house. And so if you can do that, that limits the target or the access. Right?

Michelle Drolet:

But that's not gonna stop from an absolute targeted attack where they're going out and they're doing the research on the CEO or the CFO or, you know, an accounting person that they know potentially could get to click on something or even an IT person that, you know, has admin rights and now they're in. So it just always depends on what the organization's doing. And so just do your due diligence and try to lock things down as much as possible. Put guardrails.

Dejan Kosutic:

I agree with you. You know, I'm just wondering, you know, if there is a way for a CISO to present to the board that you are really doing the maximum that you can. Right? Because, I mean, if the board is reasonable, they will say, okay. You can't have 100% security.

Dejan Kosutic:

This is not possible. But are you doing the best you can, or is there some, let's say, room for improvement? This is, you know, what I'm wondering. If the CISO can present this effort and how to present this effort to the board.

Michelle Drolet:

So there's always room for improvement, and there's always more budget needed. Needed. Yep. And so when we think about that, we don't wanna sell on scare tactics, but we do wanna sell on risk based security. And so if we can do that, that's gonna go a long way.

Michelle Drolet:

That if we don't do this, this could have this impact. And that's not selling fear, uncertainty, and doubt, but selling, you know, true impact to the business. And that's what you need to do is if you don't do these things. And, again, it's not the widget that they care about. It's the protection of the data or the assets or the people or your customer list.

Dejan Kosutic:

Okay. Makes sense. Now you mentioned also CMMC, but there are other security frameworks out there like NIST Cybersecurity Framework, ISO 27001, and so on. So should the CISO really present any of these to the board, or is this kind of irrelevant for the board level?

Michelle Drolet:

I personally think that regulatory requirements are the CISO's friend. Right? Because you have to I mean, with GLBA, for example, higher ed right now, they're getting audited by the federal government. And if you are not GLBA ready and something were to happen, there's huge fines attached to that. So if we can utilize those regulatory requirements or compliance requirements, but not just as a checkoff box, but truly as measurable metrics, just like what we were talking about to show you don't need to get into, you know, the minutiae of what is in CMMC.

Michelle Drolet:

But to talk about that we are CMMC compliant or we are GLBA compliant or we're PCI compliant or, you know, GDPR compliant, now all these states have all these privacy regulations like CCPA in California. I'm in Massachusetts. MIPSA is coming out. And so that's gonna be, you know, a privacy and security regulation that is it's gonna go up against GDPR. Yeah.

Michelle Drolet:

So there's a lot there there. Mhmm. But to utilize that to their strength, not just as a checkoff box.

Dejan Kosutic:

Yeah. And to utilize them, as you were saying, as a KPI kind of. Right? The level of compliance for each of those. Yeah. Okay. We touched upon a little bit on AI, but what do you think, how is AI changing the job of the CISO, especially when it comes to communication with the board?

Michelle Drolet:

With AI, and I just read an article actually, and it stated that if we do not embrace AI and agentic AI and all of those different things, it's going to be like email back in the nineties where the CEO said, I don't need email. I don't need email. And those people are not in business any longer. So Yep. We have to embrace AI, but we need to embrace it with guardrails on it. And we need to have the use cases, and the board needs to understand what those use cases are, instead of just we have some clients right now that are just saying the board and the C-suite are saying, we wanna use AI. Just go do it. And it's like, okay. You know, as stewards of the data, the CISOs and the ISOs and the CIOs actually, you know, need to understand, you know, where that data is, who has access to the data, and then what is AI doing.

Michelle Drolet:

Because we know AI lies, and it will change. I just listened to a presentation on quantum computing and AI, and just the changes that that's gonna have across the board, but that's a whole different topic.

Dejan Kosutic:

And, I mean, yeah, it's interesting this I mean, really to handle AI in a responsible way and try and make AI trustworthy, companies will have to introduce

Michelle Drolet:

I don't think it's ever trustworthy. Sorry? I said I don't think it's ever quite trustworthy.

Dejan Kosutic:

Yeah. Right now, not, but I hope that we will be able to drive AI towards trustworthiness, so to say. And if, I mean, obviously, CISOs will have an important role, as you said, as data stewards there. But do you think that CISOs should be actually the main person in charge who should actually drive this AI governance effort, or should they only be the part of the team to actually drive AI governance?

Michelle Drolet:

I think that CISOs have a definite place at the table. I think risk and compliance, if the company has a risk and compliance team, I think that they need a place at the table as well. And then the CEO, CFO, HR, all of the folks that are going to be utilizing it in their team, they need to really think about what are the use cases, but what are the guardrails and the access and what AI tool is being utilized. Right? So it's Claude or Copilot or ChatGPT or agentic, you know, AI.

Michelle Drolet:

It's all the different things, and they're all leapfrogging each other right now. And what we don't wanna do is be the voice of no because then people are going to figure out how to use, and then they're not gonna go and utilize it with the guardrails across the board. So, yes, the CISO and ISO definitely needs to have a voice of what can be utilized and what can be accessed.

Dejan Kosutic:

Yeah. So, again, security as enabler. Right? Not as a disabler.

Michelle Drolet:

Yeah. Right. Exactly.

Dejan Kosutic:

Definitely. And, I mean, obviously, the CISO role is changing a lot. And okay.

Dejan Kosutic:

As we discussed, it goes also in this direction of enabling more secure AI. But how do you see actually, I mean, you're long in this business. How do you see that CISO's role has changed in the last, I don't know, ten or twenty years? So what kind of major changes have happened in the CISO role during this period?

Michelle Drolet:

So I think what I have seen in the past, yeah, ten, fifteen, twenty years is that the CISO, you all have a place at the table way more than you ever have had before. The impact to the business that if an information security program is not in place can be detrimental. Right? 4,400,000 may be small to some of your organizations, but in others, in SMB, somebody gets hit with a ransomware attack. Six months later, sixty percent of them are out of business.

Michelle Drolet:

So that's serious stuff. So, you know, having seen the CISO actually have a place in a conversation and being in that boardroom is huge. And, you know, bringing in an organization like a Towerwall to actually present to the board. I'm actually presenting to one of our clients' boards. We did a pen test for them, and then they had a risk assessment done.

Michelle Drolet:

So I'm combining all that and doing just a five minute quick presentation on impact, the vulnerabilities, but very, very high level, and, you know, what they need to pay attention to. And if you could do that on a quarterly basis or a monthly basis, if that's when the board meeting is, you know what? They'll be way more informed, and you will have a way bigger budget.

Dejan Kosutic:

Yeah. I mean, what I also noticed is that people are now much better understand what security is and actually are willing to have someone from the security team or the CISO actually as part of the senior management, which is great. And looking into the future, okay, beyond this, what we spoke about AI, what do you think will change in the future when it comes to the role of CISO?

Michelle Drolet:

So we used to be able to go and say, we're doing a three and five year plan. You can't do that now, especially with quantum. I mean, I was in a presentation, like I said, and the CSO, the CIO all need to start doing their quantum plans. They said they needed to start doing the planning by 2027, 2028 because it's gonna start rolling out in 2030. And so it's everything's moving so fast that, you know, trying to keep up with the technology, the policy changes, the regulatory requirements, those are tough things.

Michelle Drolet:

So surrounding yourself with knowledgeable people and getting outside of your four walls is really, really important. Having conversations, walking the hall. Yeah. Think the CISOs that walk the hall and really understand so that they're invited to all conversations and not have doors shut are going to be the most successful.

Dejan Kosutic:

Yeah. I agree with you. Yeah. And by the way, did a podcast episode about Quantum a couple of episodes ago. And basically, yeah, 2030 is kind of the latest prediction for Quantum to become effective.

Dejan Kosutic:

But actually, it could happen even a year earlier. So it's very close. It will happen very pretty soon. Okay. You mentioned that you work also as fractional CISO to other companies, if I understood well, right?

Michelle Drolet:

Yes. vCISO. Exactly.

Dejan Kosutic:

So do you see or better to ask, is it harder to be a vCISO and basically work as a CISO from the outside rather than working as opposed to someone who is a full time CISO from the inside. So do you see that there is a kind of harder to do as an outsider?

Michelle Drolet:

The answer to that is depends. So we are virtual CISO to a retail chain. And they have a very solid IT director at the organization. But he needed, you know, that overlay of information security. And so they didn't need a full time person.

Michelle Drolet:

And so coming in, you know, fifteen or twenty hours a week, sometimes it's just ten or ten a week, a month, and putting together a project plan and saying, okay. These are the things that we're gonna do. These are the trainings that we're gonna do and really walk alongside him has been really beneficial. We also go and sit on the outside of a CISO themselves. So we actually had a client that started a new position, and he didn't realize when he started the position that they needed to get ISO certified.

Michelle Drolet:

They had a contract. They were contractually obligated to get ISO certified. They had had, like, twelve to eighteen months. But he got there, and they had six months to get it done. And he called, he said, Michelle, we don't have anything.

Michelle Drolet:

What are we gonna do? So we actually brought in four very, very senior consultants and helped build the whole entire program. And while we didn't do it in six months, we did it in nine months, and they got certified. And now they're going on their fifth year, and they don't need us anymore. So we came in for the first two years, really walked and ran alongside of them.

Michelle Drolet:

And so that makes a big difference. But having a trusted adviser from the outside is so important because my team or other organizations, you know, see, you know, that crowdsourcing, you know, what's happening. And that really helps our customers really stay ahead from a threat landscape perspective. Did that answer your question?

Dejan Kosutic:

Yes. Yes. Okay. So, obviously, this has pros and cons. Right?

Dejan Kosutic:

And okay. When you're a vCISO, is there something else when you have to communicate to the company's board? Or, basically, all the things that we already mentioned during the interview are valid also for vCISOs?

Michelle Drolet:

It's all the same for vCISOs or CISOs. The communication doesn't change. And the boards still need that information, but at a very high level.

Dejan Kosutic:

So let's wrap up the call. And what would be your top suggestions for CISOs? How should they handle the board? How should they handle the communication with the board?

Michelle Drolet:

So simplify, be realistic, you know, provide really good data, and then, you know, tie it to business performance and, you know, keep the guardrails on and help them stay informed.

Dejan Kosutic:

Great. So thanks for these insights, Michelle. It's been a pleasure talking to you.

Michelle Drolet:

Thank you very much. This is awesome.

Dejan Kosutic:

Thanks again, Michelle. And thanks everyone for listening or watching this podcast and see you again in two weeks' time in our new episode of Secure and Simple Podcast. Thanks for making it this far in today's episode of Secure and Simple Podcast. Here's some useful info for consultants and other professionals who do cybersecurity governance and compliance for a living. On Advisera website you can check out various tools that can help your business.

Dejan Kosutic:

For example, Conformio software enables you to streamline and scale ISO 27001 implementation and maintenance for your clients. White label documentation toolkits for NIS2, DORA, ISO 27001 and other ISO standards enable you to create all the required documents for your clients. Accredited Lead auditor and Lead implementer courses for various standards and frameworks enable you to show your expertise to potential clients. And the learning management system called Company Training Academy with numerous videos for NIS2, DORA, ISO 27001 and other frameworks enable you to organize training and awareness programs for your clients' workforce. Check out the links in the description below for more information.

Dejan Kosutic:

If you like this podcast, please give it a thumbs up, it helps us with better ranking and I would also appreciate if you share it with your colleagues. That's it for today, stay safe!

Creators and Guests

Host
Dejan Kosutic
CEO at Advisera & Cybersecurity governance expert