Trends with ISO 27001, NIS2, and Supplier Security | Interview with René Matthiassen
Welcome to the Secure and Simple podcast. In this podcast, we demystify cybersecurity governance, compliance with various standards and regulations, and other topics that are of interest to consultants and other cybersecurity professionals. I'm Dejan Kosutic, and I'm the host of the Secure and Simple podcast. So today we have a very interesting guest. This is Rene Matthiassen.
Dejan Kosutic: He is a partner and senior security consultant at Frontdoor Security, a cybersecurity compliance consultancy based in Denmark. He has thirty years of experience with the various security frameworks, including ISO 27001, NIS2, DORA, PCI DSS, ISA 62443 and so on. And he is also involved in, I would say, various nonprofit activities, like participating in a committee at the ISO organization, and also in helping develop frameworks like the NIS2 transposition in Denmark and also working with the Resilience Act. So in this episode today, we'll discuss how he manages to combine various cybersecurity frameworks, especially how ISO 27001 is helpful for companies, or actually for suppliers that supply companies that are in NIS2 scope, but also how all these frameworks are being developed. So welcome to the show.
Rene Matthiassen: Thank you so much and thank you for having me.
Dejan Kosutic: Great. So let's start with the first question. How did you actually start with consulting? What actually triggered you to go into a consulting career?
Rene Matthiassen: So actually I'm coming from a networking background from the mid-90s as a network engineer, and I did that for quite some years and moved more into design of networking architecture and security architecture. That led into more kind of advisory roles. And I really liked that. So that was just a way that I pursued to help other companies understand what and how they could do stuff.
Rene Matthiassen: So going into the advisory part of it, I think that was what kicked me in that direction actually.
Dejan Kosutic: Okay, great. Was it hard to transition from this, let's say, technical point of view to this more governance point of view when speaking about ISO standards and so on?
Rene Matthiassen: Back in the days when we did network designs or infrastructure designs, there weren't really many standards to use. When they came, actually, it wasn't so difficult to understand. I realised pretty soon that I could understand what the objective was and how we could tailor that into the solutions that we did. And for me, actually, I think everything was so obvious for some reason. So it was pretty easy for me to make that transition into the standards, utilizing the standards when doing the work I did.
Dejan Kosutic: This is great, because sometimes the technical people have a very good understanding of the technology but have difficulty understanding how this fits into business processes and how this needs to be adapted for, let's say, business use and business objectives. Sometimes this kind of step is hard to make.
Rene Matthiassen: Yeah, true. Yeah, for me, I mean, the rationale behind the requirements, so to say, the design frameworks, I mean, they weren't too far away from my own way of thinking. And I remember I thought that a lot of it is just, you know, best practice. Why don't we just do it? Okay.
Rene Matthiassen: Right. So, yeah.
Dejan Kosutic: Great. So, if you're on the technical side and you have this inclination for understanding these things, then you might actually be a good prospect for a consulting career.
Rene Matthiassen: Well, yeah, I've done that for thirty years, so somehow I managed to stay afloat.
Dejan Kosutic: Okay, great. Let's speak a little bit about this engagement that you have. If I understood well, you participated in developing ISO 27001, one or two revisions of the standard. So can you tell us a little bit about this?
Rene Matthiassen: Yeah, so I joined ISO and the Danish national standardisation organ, Danish Standard, back in 2011, I believe October '11, around that time. And that was at the time when they were looking into the 2013 version. Actually, the way it happened was that I kept calling them once a week or twice a week and asking questions about the 27001. And I think they somehow eventually got fed up with me calling every time and they just asked me, Why don't you come and join us? If you're so interested in these things, why don't you come and join us and help us develop?
Rene Matthiassen: And I was surprised because I wasn't even aware that you could do that. So yeah, of course I would like to do that. And that was, yeah, that was in '10 or '11, around that time, for the 2013 version that came out and lasted for almost ten years. And then there was a new version with some changes from the old 114 controls down to the 93 and the new structure of that one. I was involved in that too.
Rene Matthiassen: So yeah, I've just been lucky to be part of that. I really like that.
Dejan Kosutic: Great. Yeah. And how does this really look behind the scenes? I mean, how are these decisions made on what will change in the standard? How is this done?
Rene Matthiassen: So usually how it works is that each country has its own sort of, should we call it expert group, right? I was a part of the Danish one. And so we are looking into the current standard and seeing what works and what does not work and what we need, has the technology emerged, have new things in technology come into play. And so we start by setting some new requirements that we feel and think could be beneficial, and the other countries' organs do the same. So we send it around to all of us and say, Yeah, okay, this is our suggestion for this one, and then we receive the ones from the other countries, and at the end of the day, we do it in a ballot, really.
Rene Matthiassen: So we are trying to narrow things down to just, you know, a few new requirements or suggestions, and then we do a ballot, and the requirement that gets the most votes, you can say, wins, so to say. But that's usually how it's done.
Dejan Kosutic: Great. I mean, people actually don't know how the standards are really created, so to say, and yeah, it's basically a democratic process, right? Where everyone can have some kind of a say. Okay. And is this similar to the work that you did for the NIS2 transposition in Denmark? Does it work in a similar way?
Rene Matthiassen: No, not quite. The NIS2 transposition was more into, so that was the directive, right? So when we received that in Denmark, there was an organ in Denmark that looked into what should be the requirements, so to speak, what should be put into the law. Our part, or my part especially, was to look into the suggestions they had made from the NIS2 directive to outline, you can say, what they would like to be in the law or come into the law. And so, it's also a democratic process, but it's more about what we think would make sense to have in the law and what would not make sense.
Rene Matthiassen: Are there any, you know, ambiguous requirements, so to say, or should we maybe focus on or emphasise this because we really think that is important to have in our law. It could be everything from, you know, scope to requirements to the emphasis on using international standards and so on. So it's more down that line, really.
Dejan Kosutic: Yeah. And I've noticed that there are, let's say, different approaches between different EU countries. For example, Belgium basically said that you can go with this CyFun, the Cybersecurity Fundamentals from their authority, or you can simply take ISO 27001. It's basically a more relaxed approach, so to say. Whereas Croatia has published a very strict, not only law, but the regulation that followed.
Dejan Kosutic: It's very, very detailed and it's actually the most detailed of the ones I've seen, so yeah, it's very prescriptive. How does a country actually decide in which direction it wants to go, or what was the, let's say, case in Denmark?
Rene Matthiassen: Yeah, that's a good question. Because what we did in Denmark was to, you know, see if we could utilize what already existed out there. And when I say out there, that was also what was in the NIS2 directive about international standards. We do not want to have, you know, this is Rene's security framework and we should use that. We want to have a standard that can be used and which is well known, tried and tested by a lot of companies already.
Rene Matthiassen: Also because, I mean, we have to audit this one at a later stage as well. So let's make it easy and let's make it best practice. And that was the reason why we thought, Okay, let's go with the 27000 series, which is also what's coming into the law now.
Dejan Kosutic: So 27001 will be included in the law, right?
Rene Matthiassen: Seems so.
Dejan Kosutic: Very well. You're obviously a very good person to discuss this relationship between 27001 and NIS2. So why do you think 27001 is important, and how do you think 27001 can help companies that actually are in NIS2 scope, but also how is this important for their suppliers?
Rene Matthiassen: So when you're looking into the NIS2 directive and you see a lot of these requirements, yeah, the requirements are coming in the articles, for example, in NIS2. I mean, you can see where they're coming from. I mean, it's not a top secret thing, this one. They've definitely been looking at ISO 27000. So, with that angle, you can say it makes a lot of sense to say, okay, if we want to achieve this one, which is what this directive is really about, this could be a tool for you to adopt and to comply with this one. So, I think we used to say here that if you are implementing ISO 27001, for example, you might be 75, 80 percent compliant.
Rene Matthiassen: There will also definitely be some specifics for your organisation that you need to look into. But for the vast majority, you will have maybe, yeah, 75% compliance already, right? And we have, at least in Denmark, been working with ISO for, yeah, ten, fifteen years. A lot of companies know about this. We have some certified companies as well.
Rene Matthiassen: So it's not alien to us.
Dejan Kosutic: When a company is in the NIS2 scope and it needs to comply with NIS2, are you suggesting that they follow the steps or the approach in 27001, or do you suggest some kind of a hybrid approach?
Rene Matthiassen: Hybrid to what?
Dejan Kosutic: A hybrid, something between 27001 and local requirements, or do you go purely with 27001 as, let's say, the
Rene Matthiassen: Right. So of course you have to comply with the local law for sure. That's the most important part of it. But adapting to the 27001 and using that as a framework for compliance is definitely what we see in Denmark, what the companies are doing and the direction they're going in. I mean, you have other frameworks, security frameworks as well, you can use.
Rene Matthiassen: But we just see that the majority is looking into ISO 27001 for sure. So I think that would be the recommended approach, to pursue a certification down that line, down that direction.
Dejan Kosutic: Okay, great. From your point of view, what is then, let's say, the part that is missing, so to say, in 27001? So what needs to be added on top of 27001 to be compliant with NIS2?
Rene Matthiassen: Yeah, I mean, I'm one of the coauthors of 27001, so maybe I'm not the right one to comment on what is missing, because I really think it's comprehensive, of course. But what is missing is, I think, one of the challenges, maybe I should put it like this. Some of the challenges we see are more in the competencies and resources, or the lack of them, you can say, of skills within this area.
Dejan Kosutic:I
Rene Matthiassen:think, but I mean, a lot of what is inside the 20 is best practice anyway, right? So, it shouldn't be too different for what you are doing already in your company. Of course, there are some areas that twenty seven is not diving into that much, only scratching the surface like software development or whatever.
Dejan Kosutic:Especially incident reporting, I mean, reporting is more and more precise.
Rene Matthiassen:Exactly, exactly.
Dejan Kosutic: Yeah. Yeah. And I've noticed in some of these regulations, in some actual laws across Europe, some of them actually specify much more clearly the role of the security manager, and especially, let's say, Lithuania, Latvia, these kinds of countries, they actually specify these roles pretty clearly, which of course is not specified in 27001 nor in NIS2, but some local legislation actually goes into these roles and responsibilities much more clearly. What do you think about this Commission Implementing Regulation 2024/2690? Basically the one that focuses on digital infrastructure companies.
Dejan Kosutic: How does this fit into, let's say, the idea of NIS2 on one end and 27000 on the other end? So how do you combine all these things?
Rene Matthiassen: I think it fits in very well, actually. I mean, I think all the standards, all the regulations, which we could start there, the regulations fit each other very well into different sectors, different areas of society. If we look into the requirements in these regulations, I mean, we have some of the same requirements in all the regulations, right? It's about resilience, it's about having processes in place, it's about having the adequate resources in place, it's about having updated inventories and doing risk management and keeping track of your suppliers as well, so we can ensure that the whole chain is as strong as possible.
Rene Matthiassen: So I think actually they fit very well with each other, even though they are going into different sectors or industries.
Dejan Kosutic: Now what I like to explain to myself and to our clients is that if NIS2 is parallel to 27001, then this CIR 2690 is parallel to 27002, right? It basically describes in more detail how the things need to be implemented, so it's a kind of a parallel there. By the way, this Commission Implementing Regulation is kind of closer to what DORA specifies, and DORA of course goes into much more detail. Okay, can we discuss a little bit now how NIS2 will have an impact on suppliers and basically what the suppliers should be doing?
Rene Matthiassen: Yeah, definitely. And I think this is, I mean, this is where especially NIS2 comes in, I mean, it's very strong because it requires you as an entity to keep track of your critical suppliers, right? I think that is somehow an area which has been neglected for many years. It's a very important one. I mean, we're looking into this digitalized world we live in, and we are depending on maybe a few big suppliers or maybe many smaller suppliers, but we want to ensure that we can resist whatever comes into our organisation, and that includes also ensuring that we have the right suppliers and that the suppliers have the same kind of maturity in terms of security levels in their own organisation, right?
Rene Matthiassen: Everything from stock to, yeah, digital deliverables. So I think this is an important one, which is, I believe, one of the most important ones to keep track of in NIS2.
Dejan Kosutic: Yeah, and I mean, the funny thing about NIS2 is that it doesn't really prescribe any details. However, when it comes to suppliers, it does provide more, I would say, two additional paragraphs where it does specify just a little bit more about suppliers and checking the quality of service and their secure development procedures, these kinds of things. So in practice, how do you actually see these companies in the NIS2 scope handling this supply chain security, and how do you see them actually enforcing this security towards their suppliers?
Rene Matthiassen: Yeah, so what we see a lot is the companies try to assess and rank the most important assets they have in the company, right? When they have an updated inventory of their assets, what is critical and important for you delivering the service into society, then we link them up to the suppliers and we rank the suppliers in one, two, three categories, for example, which one is most important for you and which one is delivering the most important assets or support for you in order for you to have your service running. We also see that we look into alternative suppliers for your most important critical assets, to try to see if we can avoid having one supplier delivering everything, and what happens if this supplier goes out of business. And so that also speaks to an exit strategy from the customer side, the entity side, as well. What happens if your critical suppliers go out of business, or what happens if they're not able to deliver your service within the right time, or whatever it could be?
Rene Matthiassen: And I think the last thing is to perform these risk assessments for our third party critical suppliers, taking in all the threats to the suppliers but also the vulnerabilities, because it forces you to see how vulnerable you are as an entity with these suppliers and the services they're delivering to you. And I think that's a very important area to be on top of.
Dejan Kosutic: And how do you actually assess these? I mean, do you suggest to your clients that they assess the risks related to suppliers if they actually do not know the details and the, let's say, structure of their supplier?
Rene Matthiassen: So usually the way it is done is that, I mean, you have different categories or levels of suppliers, right? Some suppliers might be forced to come up with some sort of an ISO 27 certification, for example, right? They need to provide you with adequate policies and ensure that they have the maturity in place for the whole governance part, doing regular risk assessments and so on. Some suppliers might be much smaller and they have a challenge sometimes. But I mean, this is a partnership you need to go into.
Rene Matthiassen: You're not interested in bullying your supplier and saying, If you don't do this or that, then you're out. You want to work with your suppliers, right? And especially in some sectors, some of the regulated sectors, if we're talking about utilities, energy and that kind of, yeah, these sectors, for some of the suppliers there the maturity is maybe not the highest, because they have not historically looked into security at the level we're talking about. So it's also about, you know, trying to build a partnership with your suppliers and helping them to help you, essentially, right? Because at the end of the day, you will be accountable for it, but you need to ensure that your suppliers can help you to stay compliant with these ones, right?
Rene Matthiassen: Well, there are different approaches depending on the size and the maturity of your suppliers.
Dejan Kosutic: Yeah, but it's obviously not something that you do one time. It's, as you were saying, an evolving partnership. And obviously this is the best way to increase the level of security. You also mentioned these exit strategies. So what are these exit strategies and how do you develop them?
Rene Matthiassen: So an exit strategy is about when you have a critical supply from one of your suppliers. What will happen if somebody breaks a contract, the supplier goes out of business, or something else happens? What would that mean to your business? You still need to be compliant. You still need to maintain your compliance.
Rene Matthiassen: So you need to look for other alternatives. It could be other suppliers, for example, so you can move from one to the other. Sometimes we also see that we have a regulated contract for a customer. And within the contract, let's say a five year term contract, in the last year the supplier is obliged to provide knowledge transfer and so on to the new suppliers, for example, so you can make a smooth transition to the new one.
Rene Matthiassen: But I mean, like you do with normal procurement, when you are looking at and assessing the supplier in terms of doing due diligence or doing a financial risk assessment for them, the same should be done for the security part of it, because you want to ensure that you can stay in business and stay afloat if you don't have your supplier's widgets. So where it's possible, see if you can find other alternatives. There are various ways to do this. It could be parts you have in stock or on your premises, for example, to support your business running. But if it's a service, a cloud service especially, and we have a few huge cloud providers in the world, it could be maybe to have a double cloud strategy, for example. But
Dejan Kosutic: of course, all this needs to be done only for the most critical suppliers, not for every supplier. And this brings us back to your point that you actually have some kind of list or register of all the services and suppliers, making sure that you actually know how critical
Rene Matthiassen: Exactly, you need to know what's important for you, right, and how they're going to be delivered too.
Dejan Kosutic: Yep. Okay. Now, once a NIS2 company actually goes into, let's say, a contractual relationship with the supplier, how do you suggest to your clients to actually create these agreements, these contracts, and how to create these security clauses so that they are actually effective? So what is the best approach, in your view?
Rene Matthiassen: So we need to work with the market suppliers and our suppliers. So we need to have in our procurement contract, in our tender, whatever we're talking about in the processes, we need to have our security requirements already in that phase. So it could be everything from asking the supplier to provide a copy of their information security policy, and/or to tell us about how they perform risk management, or these kinds of things that we need to assess when taking in a new supplier. What we saw back in the days, we used to just, you know, put a lot of requirements in, or just squash in the whole 27001 or IEC 62443 and demand compliance with the whole thing or nothing, right? But that's not the way we should do this.
Rene Matthiassen: We need to work with suppliers. So let's take it step by step. And again, coming back to how mature your supply market is. Of course, some of the more digitalized suppliers, they're probably more digitalized, oh, sorry, they're probably more mature than some of the others. They might have assurance reports like ISAE 3402, ISAE 3000, and ISO 27001 certifications, or whatever it could be.
Rene Matthiassen: Right. But we need to start already in the procurement phase, when we're assessing the suppliers, to ensure that we are delivering security requirements to them from the beginning.
Dejan Kosutic: Yeah, okay. And are you in favor of more, let's say, strict and detailed security clauses in the agreements, or is there some alternative, let's say, approach which would be more flexible or more effective than this?
Rene Matthiassen: That's a good question. I think that depends from company to company. Again, I think I've seen both. I've worked with both. Some are very strict, depending on what they're delivering into.
Rene Matthiassen: Some of them are more, you can say, liberal or flexible, definitely. At the end of the day, you need as a customer, as an entity, to be aware that you are the accountable party here. So the approach you are taking to your suppliers or to your market is back on you at the end of the day, right? It could also be that you have some suppliers that can, I mean, they are mature, they can deliver what you were asking for directly, one to one, but some others can't because they're simply not there yet. So you need to work with them if you find that they're still critical for you to have.
Dejan Kosutic: Okay. Okay. Very good. Let's take a different perspective now. So from the supplier point of view, if a company is a supplier to a critical infrastructure company, what is the best way actually for this company to, let's say, keep its clients?
Dejan Kosutic: What does it need to do?
Rene Matthiassen: So actually, what we see a lot is a demand not only from the NIS2 entities, but even more from the suppliers to the NIS2 entities, because suppliers feel the requirements or the push from the NIS2 entities saying that you need to have some sort of formal maturity. That could be an ISO 27 certification. If you provide us with the certificate, we are happy, right, because it will ensure that you have an adequate level of security and governance in place. So we see that actually as a bigger demand, I would say, these days, because also, at least in Denmark, the entities in scope of NIS2, let's say, are limited to, let's say, a few thousand, right? But the suppliers to these few thousand entities might be more massive, so we see that, and we also see, I mean, we get customers coming in saying, Can you help us with getting certified?
Rene Matthiassen: Because we have customers we have had for several years, but now they are asking us to have this certification in place, for example. So we see that more and more, definitely, as a push from the market side of it.
Dejan Kosutic: And what is your opinion? Is ISO 27001, let's say, the only or the best standard out there, or could companies also go for, I don't know, SOC 2 or PCI DSS or these kinds of other standards?
Rene Matthiassen: Yeah, I mean, I'm not married to ISO 27 just because I have my background with it. I mean, what is best, what is fit for purpose, right? So, I mean, I have worked with many different frameworks over the years, and I mean, I'm not the one to judge if it should be a CSF, NIST CSF, or it should be CIS 18 or ISO or whatever. So whatever makes the boat float at this specific company, I would say. They all kind of provide the same at the end of the day.
Rene Matthiassen: I'm very aware of the detail level of the different ones. And what you don't want to get into is a situation where you take a completely new kind of security framework and just put that on top of this company, and they will just drown in it because the system doesn't understand what to do and how to work with this. Right. So, but I will say that the ISO 27 series is definitely the leader. We also see CIS 18 coming, and we also see the Cybersecurity Framework for some sectors as well.
Rene Matthiassen: We definitely also see the ISA or the IEC 62443 in the OT part of the landscape, definitely. But at the end of the day, I mean, they're kind of, you know, overlapping each other in different ways. So whatever is right for this company; it's difficult to answer which one we should use as a general question.
Dejan Kosutic: Yeah, okay. If I understood well, your company is focused really on helping companies with various frameworks, but especially with 27001 and especially the suppliers of NIS2 companies. So what is your perspective as a consulting business on how you actually approach this market and this task of actually helping suppliers with, let's say, you know, achieving these expectations from NIS2 companies?
Rene Matthiassen: So, yeah, NIS2 will come into force in Denmark by July 1, 2025. And we've noticed that some companies were kind of waiting for the date, because the date has been pushed. They were waiting for the date and they were also waiting for the government to sign the law. Right. That leaves us now with four months of time before July 1.
Rene Matthiassen: And we definitely see a massive push right now for these ones, because now they all want to be compliant by July 1. And that comes back to lack of resources in the market. I mean, not only in my company, but also in other companies providing advisory and providing projects for these ones. Because there's a limited pool of resources and a limited pool of available resources, right? And they all have to work on different clients at the same time, because they all have the same date to work toward.
Rene Matthiassen: So that's definitely going to be a challenge. Another thing is one of the biggest, you can say, challenges or changes maybe to the law is that the Danish government decided to have the Danish communities in scope. In Denmark, we have about 100, I believe it's 98 communities, and they're now in scope of these ones, and they're going to have a serious challenge in reaching this deadline. Back to what I was just describing before, right? So yeah, it's gonna be an interesting spring, a busy spring, I guess, for all of us.
Dejan Kosutic: When you mention communities, do you mean the local municipalities?
Rene Matthiassen: Yes, exactly. We have 98 of them.
Dejan Kosutic: Yeah, it's a large number. So, you operate in a consulting market which is typically very competitive, right? There are many consultants. So, how do you actually compete? How do you make sure that you stay on top and that you always have enough clients, that your business is growing?
Rene Matthiassen: Yeah, I think this has a lot to do with competencies at the end of the day, right? I mean, when companies call us, they call us because, I mean, there are actually two reasons. One of the reasons is that they have heard about us from someone within their network saying, okay, who has helped you with this, oh, that has been Frontdoor Security or whatever. Okay, so kind of a referral, you can say. The other one is that, I mean, we get invited to a meeting with a customer, a potential customer, I should say, and we just describe the model of the approach we're taking.
Rene Matthiassen: At Frontdoor Security, we have developed a, I wouldn't call it a fast track, or maybe you will, it's a four and a half month approach from start to certification. So we take in a company, and from the day we start to the day where they're ready to go for the certification, we do that in twenty two weeks. So that's four and a half months, and that's pretty, pretty fast. Now, the reason we can do this so fast, and I don't think anyone else is doing that at the moment, at least. The reason we can do this is because we have vast experience with a lot of implementation projects, dos and don'ts and everything.
Rene Matthiassen: So everything is cut very, very thin. The other thing is that we have some software going that can help us through that process as well. So that really benefits not only us as we implement this, but also the customers to come up with and develop all these processes, policies, whatever. Right? So it's a pretty strong engine we have for this one.
Rene Matthiassen: We can see that a lot of the suppliers really, I mean, they don't want to have a project running for one year with an exorbitant amount of money and everything out of control. So if you can do that at a fixed price for a limited time frame and they can get compliant with this one, they really like that, you see that.
Dejan Kosutic:Great. So a combination of your expertise and experience and probably some kind of a software and also this methodology which has a concrete, let's say, timeline and concrete cost, it's something that is a recipe for success.
Rene Matthiassen:At least for us it is, yeah, definitely, absolutely.
Dejan Kosutic:Great, okay, excellent. Good, so since you also work with these other standards, you mentioned that you're working also with this standard for operational technology. And I noticed that there is increased interest, especially for NIS2 companies, in operational technology. So can you tell me a little bit about it? So which standards do you prefer, and how is this really related to NIS2?
Rene Matthiassen:So, yeah, I'm serving as the president of the ISA Denmark section. I've done that for a couple of years now. And ISA are the ones that develop the, it's actually called the ISA/IEC 62443 series, which consists of a framework of 14 standards. Not all of them are published yet. But we see a lot of companies because, when we're talking about ISO 27001, we're talking about, should we call it, office IT, so to say.
Rene Matthiassen:When we're talking about production IT, manufacturing IT, we're talking about other kinds of infrastructure, legacy systems, protocols and everything. There we are using the IEC 62443 series. What that does is it gives us a structured way for how we should approach risk assessment, for example, how we should do the designs when we're talking about conduits and zones, how we should split our assets into areas with different protection levels. And it gives us requirements for how we should develop software, develop systems, and it also gives us requirements if we want to have some products certified according to the standard as well. So we see that used a lot in the industries of utilities, oil and gas, manufacturing, production in general, where the 27001 series is perhaps also used in these companies, but more for the office part of it, whereas this one is more for the production part of it.
Rene Matthiassen:And they fit each other very well. So it's actually very nice to work with both coherently.
Dejan Kosutic:Great. Yeah, and I noticed that, with these cybersecurity incidents, the manufacturing industry is actually more and more affected. Actually, it came very close to the top of the industries that are affected by these incidents. Obviously this operational technology security is becoming more and more important there. Okay, so how do you see this whole compliance, let's say, environment evolving?
Dejan Kosutic:So where do you see actually cybersecurity compliance in, I don't know, five, maybe ten years from now?
Rene Matthiassen:So we have this, should I say, the European Commission has this vision of the digital decade for the 2020s, right? And they are pushing out a lot of cybersecurity regulations. NIS2 is one of them. The Cyber Resilience Act is another one. And there are others as well.
Rene Matthiassen:So they are pushing these ones out to the market. So we are not in any way seeing an end of this one. We just see more and more regulated, and yeah, regulated stuff coming out that companies need to comply with. I also think it's very fair to say that in some sectors or areas, whatever, at least the maturity has been very low. There has been no coherence between what they had delivered into the market.
Rene Matthiassen:But it seems that the European Commission has grabbed it by the rule this time and says now we need to be structured and more resistant, definitely. So at least when we're looking at it, and when I'm working with these requirements on a European scale, I just see them coming down the line.
Dejan Kosutic:So good time to be a consultant, right?
Rene Matthiassen:Yeah, yeah, it is. If you are into that kind of stuff, yeah, definitely. If you want to advise and help other companies and people, whatever, within this, yes, you should definitely be consulting within compliance.
Dejan Kosutic:Great. Okay, to try to wrap it up, what do you think are kind of the top, let's say, things the consultants should be doing? I mean, what should cybersecurity compliance consultants focus on in the next, let's say, couple of years?
Rene Matthiassen:So it's down to knowledge again. So I would just say that, I mean, if you want to provide value to your customers, I mean, you need to be on top of your game, right? You need to excel within the fields you are working in. So get as much knowledge as you can within these areas. I mean, it's like when I have problems with the law, I go to an attorney, right?
Rene Matthiassen:If I have problems with my teeth, I go to a dentist, right? So I want to go to the best dentist and not the worst dentist, right? So it's a little bit the same here. So it's about providing value to your customers, and the value as a consultant comes from knowledge. Also, there are personal skills as well and so on, but it's about knowledge at the end of the day, right?
Rene Matthiassen:So stay on top of your game, get yourself certified within these ones, because that's what also assures a company that you are the right one, that you have the right level of expertise. Get involved with standards as much as you can to get a feel and understanding for not only how they are developed, but also the rationale behind the requirements. Why did we choose to set this requirement? So I think that would be my takeaways here. And I will do the same, continue to do the same, definitely.
Dejan Kosutic:Great, so this was really a great conversation with you, and thanks for these insights, Rene, it's been a pleasure.
Rene Matthiassen:Yeah, likewise, absolutely. Thank you again for having me and yeah, it was a pleasure.
Dejan Kosutic:Thanks for making it this far in today's episode of the Secure and Simple podcast. Here's some useful info for consultants and other professionals who do cybersecurity governance and compliance for a living. On the Advisera website you can check out various tools that can help your business. For example, Conformio software enables you to streamline and scale ISO 27001 implementation and maintenance for your clients. White-label documentation toolkits for NIS2, DORA, ISO 27001 and other ISO standards enable you to create all the required documents for your clients.
Dejan Kosutic:Accredited Lead Auditor and Lead Implementer courses for various standards and frameworks enable you to show your expertise to potential clients. And a learning management system called Company Training Academy, with numerous videos for NIS2, DORA, ISO 27001 and other frameworks, enables you to organize training and awareness programs for your clients' workforce. Check out the links in the description below for more information. If you like this podcast, please give it a thumbs up. It helps us with better ranking, and I would also appreciate it if you share it with your colleagues.
Dejan Kosutic:That's it for today, stay safe!
