ISO-as-a-Service and AI: Innovation in Consultancy | Interview with Alexander Jaber
Welcome to Secure and Simple podcast. In this podcast, we demystify cybersecurity governance compliance with various standards and regulations and other topics that are of interest for consultants, and other cybersecurity professionals. Hello. I'm Dejan Kosutic, the CEO at Advisera and the host of Secure and Simple podcast. Today, my guest is a very interesting consultant.
Dejan Kosutic:His name is Alexander Jaber, and he's the CEO of Compliant Business Solutions GmbH, a consulting company from Germany. Now they're mainly focused on the German-speaking countries, so Germany, Austria, and Switzerland, but they also have customers around the world, for example, in the United States. And they already served roughly 200 customers and achieved more than 100 certifications. So this is a great success for a company. So in today's podcast, you'll learn how their specific innovative approach to consulting can actually drive success for a consultancy.
Dejan Kosutic:So welcome to the show, Alexander.
Alexander Jaber:Thank you, Dejan. It's a pleasure to be here.
Dejan Kosutic:It's excellent having you here on the show. So how did you actually start? How did you get into consulting? What motivated you actually to start with this kind of a business?
Alexander Jaber:That that's a that's a pretty good question. I haven't been a good talker for whole my for for my whole life until I went into the IT business.
Alexander Jaber:And it it might sound a little bit paradox because IT and good talking is are not always aligned. But I but I learned or or had in my my first job after university. Mhmm. I was in a data center for for public services. It was a big one. They had failover clustering and and also all thing all sorts of of security measures and so on.
Alexander Jaber:And they also had a lot of consultants. And when I was talking to them and I was a little bit, yeah, let's say let's say spoiled by by by service desk work. Mhmm. It was it was it wasn't wasn't my main focus. I had been had been doing Windows and SAP administration for for several years, Windows and and DOS since I was eight years old.
Alexander Jaber:So pretty much of of knowledge. And that was the point where I said, okay, I have to get just to find new borders that I could break down for. And so when I was talking to consultants, they told me that they were always learning new things on every project and I love to learn. And so it was the the clear thing to to step into that that part of business.
Dejan Kosutic:Okay. And are you satisfied with your consulting career?
Alexander Jaber:Yeah. Yeah. To be honest, yes. In the beginning, I was consultant in a bigger German consulting company with about 100 consultants. And they were they were like a family. It was was great great working there. Then they came into into a global business where we're bought by Cognizant.
Alexander Jaber:And with Cognizant, with about a quarter million of employees, there came the point when the person was just a number. And wasn't heard anymore. And that was kind of sad because from the consulting company we came from we had a high quality standard, and they didn't match that quality standard. And that was the point when I said, okay, I want to keep this quality standard, and I founded Compliant Business Solutions. Mhmm.
Alexander Jaber:Okay. Yeah. So I'm I'm there for about nine years now.
Alexander Jaber:Ten next year in in I think it's March. And I'm pretty happy still.
Dejan Kosutic:Okay. Excellent to hear. So it's good to hear this success story, and actually as someone who is satisfied in this kind of consulting business, this is, I think, very important. Okay, let's switch gears to your services that you're offering. So what I understood is that you're offering ISO 27001 as a service.
Dejan Kosutic:Can you just explain a little bit, what this is and how this works?
Alexander Jaber:Yeah. Of course. So ISO ISO as a service is a product, that combines everything you need to get certified. So you have consulting. You have someone who's writing the policies for you. You have an a good working software on as as as a basis or as a base Conformio. Yeah. And you have the certification body in it as well, but it's all out of one hand. So you have one point of contact, one single point of truth, and you have the the whole lead through all of the through the whole project over the complete life cycle of the certificate. Mhmm.
Alexander Jaber:So not just half a year or a year until you have your certificate, but all over all three years that the certificate is living. Mhmm. And, of course, we we are accompanying our customers for longer if they want to. Sure. So you go into the next into recertification, we are also on your side.
Dejan Kosutic:Mhmm. Okay. And how long does this arrangement between you and customers last? So is this one year or three years or how long?
Alexander Jaber:It's it's three years Uh-huh. Recurring. So every life cycle of the certification, we can we can part ways if our customers want. But at the moment, we don't have any customers that want to.
Dejan Kosutic:Okay. This is great.
Alexander Jaber:Just just so that there's no misunderstanding. We have customers, but the customers we have don't want to to part ways.
Dejan Kosutic:Okay. So obviously, they see the benefits. So if I understood well, all of these services that you mentioned are actually part of this package. And what was your really why did you actually create this kind of a different service in the consulting market? Because I didn't see really this this kind of a service very often.
Dejan Kosutic:So what's kind of triggered you to to create this specific service?
Alexander Jaber:It's yeah. To say it in short, it's what I hear what I heard from all the company leaders I've been talking to over over the consulting. I'm I'm all I'm often talking to CEOs from from different companies. And especially when you look at small and medium sized enterprises, these companies, especially in Germany, they have special needs. They are very aware of pricing.
Alexander Jaber:They are very aware of cash flow. They are also very aware of what they are able to to deliver and whatnot. And they have the issue that they must deliver, often must deliver a certificate to get in contact with bigger customers, and they don't know how to do it. They are afraid to do it because it's much of work. They for for them, it seems like Mount like like, they they have to climb on Mount Everest.
Alexander Jaber:And on top, they have to buy all the the climbing gear. So it's also very pricey. Yeah. And that's the point where where I got the idea to say, okay, how can we help them? How can we address these needs and pack it all up?
Alexander Jaber:Do it for them because they they don't they don't know how to do it. And in in the way I don't know if you you are still doing work on your car. Normally, I'm putting my my car in the workshop and and let them do their magic. Yeah. And, hopefully, it comes back repaired.
Alexander Jaber:And it's it's the same thing, I think.
Dejan Kosutic:Mhmm. Okay. And how does this service this ISO as a service that you're providing, how does this differ from, let's say, traditional consulting job?
Alexander Jaber:How is it how is it different? It's on the one side, it's different in in the in the complete package. So you have everything you need. You don't have to buy anything in excess.
Alexander Jaber:The other thing is that it's a high highly individualized and standardized product at once. Okay. So on the one side, we try to standardize the process to to get to the goal pretty quick. So we are we are done with a with a certification within three to six months. Mhmm.
Alexander Jaber:Which is pretty quick in my mind. The normal way is about nine to eighteen months.
Alexander Jaber:Mhmm. And, yeah, we are also the information secure the the CISO for the for our customers. So Mhmm. We accompany the customer through the whole journey.
Alexander Jaber:And I think it's it's also a thing because the customer can is can can trustfully hand all the work over to us, and we just tell him if he has to adapt something in his in his infrastructure or do some changes in in a software or something like that. And that's all. And we do all the other work.
Dejan Kosutic:Great. So if I understood well, the main difference is, let's say, towards traditional consulting is that first you are including the certification also in the package, right, which is typically not done by other consultants. And the other thing is that you're not stopping at the implementation. You're also working on the maintenance once the client gets the certificate and you package all things up, right? Yep.
Dejan Kosutic:Okay. Great. Sounds great. And why did you decide actually to to, you know, change this? So what kind of or better to say, why do the customers prefer this kind of a service versus a a more traditional service?
Alexander Jaber:Let's answer may maybe maybe I can ask one question as an answer. Uh-huh. How do you want to buy your car? Do you want to to go to the dealer and he is leading to you in into the back, into the workshop? You have to unpack all the all single parts of your car and have to tie to to build it under the eyes of of a consultant who who tells you what to do and how to to build every part, or do you want to get your car already built the way you like it and just drive with it?
Dejan Kosutic:Yeah, understood. It makes sense. I mean, in my view also, most of the consultants are missing this opportunity of actually maintaining the system once it's already in place, once the companies get certified. And I think this is really a a big opportunity that lots of consultants are are are missing, and and I really do like what what you're doing here. Now the question here is, how do you actually ensure that the the quality in this kind of, in in this kind of jobs?
Dejan Kosutic:Because if you actually take over most of these tasks from a customer and do this for customers, how do you ensure that they they actually get get it? Right? How do you ensure that they they really take over the responsibility over the security or whatever standard they're implementing?
Alexander Jaber:Yeah, we are taking them closely with us. So we are not just taking everything and run and some some time at one point of time, throw it all back at the customer and say, go we'll live with it. Uh-huh. We are we we take them with us with us in the in the journey. Mhmm.
Alexander Jaber:So in the beginning, we are doing an onboarding workshop. We are doing a management kickoff. We are doing a team kickoff. So everybody is involved in the in the in the process, but not much. They know it is there.
Alexander Jaber:They get information. They get trainings, mhmm, and all that. And if the customer wants a CISO of its own, then we are also training the CISO to be able to maintain the system.
Alexander Jaber:So when we move out of the of the maintenance part, the customer is not is not left alone as well. So we also accompany the customer in that part. So if if there are any questions, you can always reach out to us. And ongoing, we also do every internal audit and management review with the customer every year.
Alexander Jaber:So not not just not not like most consultants do it. They accompany you until you have your certification audit. Often they don't don't attend in the in the audit. Mhmm. And then they are out and never to be seen again.
Alexander Jaber:We come back every year, and we also drive that process actively. So we're not waiting until until our customer is asking us to to come for an internal audit. We are making the appointments and we are coming and and have a look.
Alexander Jaber:And tell them if there are some things to do or if some things have gone astray or are left behind or something like that. And also how to heal that.
Dejan Kosutic:Great. So it seems to me that this is a kind of a collaboration or interaction with the customer or active interaction with the customer is what brings this level of quality in these jobs, right? Yeah. Yeah. Okay, great.
Dejan Kosutic:Sounds great. Now, what do you see as the biggest challenges in this kind of service? So, I mean, it's probably not everything ideal, right? Some customers might be, let's say, skeptical. So what are typical challenges that you see in in this kind of approach?
Alexander Jaber:The biggest challenge challenges. The biggest challenges are, yeah, customers that are unsure if if everything is going right.
Alexander Jaber:So the main task we have to do besides the the the professional part is to be to be humans and to give give our our customers the trust that everything will work out as Mhmm. Predicted, as we say that it will work out. Mhmm.
Alexander Jaber:And, you might one one might think that the the main part or the hardest part are people that are that are naysayers, that are that are blocking everything, that don't want any change. But these people aren't the hardest part, to be true. You can always take these people aside, have one on one talk, find out what's their issue, and bring them to your side, even adapt them as main users of the system so that you can turn them into helpers pretty fast and pretty well. The missing trust in the beginning is often the main part. So you have to open up the customer, you have to give him the trust, you have to give him the feeling of company and not to be left alone.
Alexander Jaber:That's the most difficult part, I think.
Dejan Kosutic:Yeah, is there any trick that you can share on how you achieve actually this raising of trust? Anything that you do specifically to achieve this?
Alexander Jaber:Anything specific? Let me think about. I think the main part to give the feeling of trust and a deep feeling of company is to be open, to be honest, to listen what are the issues, what are the thoughts the customer has and to address these, to solve these and to take the customer with you as a part of the journey, to walk side by side through the process, through the questions they have, through the obligations they have, to objections and not obligations through to the objections they have so that they can that they feel they are heard and I think that's that's one of the main parts.
Dejan Kosutic:Great, fully agree with you and I agree that best consultants are the ones actually that can listen to the customer. Very often consultants are not listening, they're simply talking and then they can't fix the problem of their customers. And, yes, so definitely talking sorry. Listening and then actually fixing the problem, this is how we build trust. Okay.
Dejan Kosutic:Great. So I understood that you're using some tools. I know that you're using Advisera's Conformio also for this kind of work. So how important are these kinds of tools to actually deliver this kind of ISO as a service?
Alexander Jaber:They are I think they are pretty important because we want to hand over a car to the customer. Mhmm. So we go on a test drive. We go we do some drive training, some some security drive trainings with the customer, and then we want to want the customer to drive on its own. And if the underlying software is not supporting this driving process because it has a simple cockpit and it's easy to adapt to it, it's intuitive, then the customer is not able to ride that vehicle.
Alexander Jaber:So if I if I would would hand hand the pretty complex software over to the to the customer, I could as well put them into the cockpit of a plane.
Dejan Kosutic:So the the what would you say? Is this kind of a service more, let's say, relevant for smaller companies or is this something that also could be done with the larger organizations, I mean larger customers?
Alexander Jaber:Yeah. Do you How do you define smaller companies and bigger companies?
Dejan Kosutic:I don't know. Let's say smaller, let's say 50, maybe 100 employees or larger, I don't know, a couple of 100 employees and more.
Alexander Jaber:Okay. Yeah. The tool so the the concept is mainly focused on on companies up to about 200 to 250 people.
Alexander Jaber:For bigger companies, we do some we do, let's say, enterprise solutions depending on what they want to do. So why is that? Because often bigger companies have more complex infrastructure, not on the technical but on the human side. Mhmm. Yeah.
Alexander Jaber:And this often takes more time and more understanding. And it's it's often the the biggest part of work in in projects with bigger companies. So but but also or as well the least planable part. Mhmm. That's why we we kept the the product.
Dejan Kosutic:Yeah. And I assume these bigger companies already have their, let's say, CSOs or security officers so they sometimes they do not need this maintenance part afterwards. Yeah. Yeah. Okay.
Dejan Kosutic:And how do you I I understood that you also have a interesting way to charge for these services. So can you share a little bit how are you charging for this? Because I find this very, very interesting.
Alexander Jaber:Yeah. We're we're charging on a monthly rate. So when we walk walk way together, walk down the road together for three years, we will charge monthly for three years. And so you have you have you don't have much impact on your on your cash flow if you work with us, but it's it's planable. It's fixed. You don't have any extra costs. And yeah.
Dejan Kosutic:So just to clarify what what companies are paying in the first couple of months, monthly, the same price they will pay monthly, I don't know, after eight months or twelve months or fourteen months. Because this is, I would say, very unusual for this consulting business. Most consulting companies are charging a bigger fee in the beginning because they're investing much more effort into this. And also especially if you include certification services, this is also a bigger, let's say, part of the of the price. So how do you actually manage this from the from your cash cash flow point of view?
Dejan Kosutic:Because you have to invest more resources into the job in the beginning Yeah. But you're not charging as much. So how do you handle this?
Alexander Jaber:Yeah. How do we handle this? With a lot of trust. Yeah. To to to to be true.
Alexander Jaber:Why do we why are we doing this? Because we know how SMEs work. Uh-huh. They don't have often don't have that that huge amount of cash flow. Mhmm.
Alexander Jaber:And if we can help them to keep the cash flow steady, we also help them to grow. And that's a point we want to grow together. That's why my decision was to break up the bigger big part of money into 36 smaller parts. Mhmm. That's one thing.
Alexander Jaber:And also to to cap the price. So it's fixed price, and you don't have to pay anything in excess. And regarding the the bigger effort in the beginning, yes, it's there, definitely.
Alexander Jaber:And how how do we cope with it? Also, by good housekeeping with our own resources. So we also have cash flow to manage and I think we are doing this quite well and that's how we can do this.
Dejan Kosutic:Yeah. No but because I find this very very interesting because I can understand how clients are finding this appealing because this is almost the same as if they were I don't know paying for I don't know, for for some kind of an online service. I mean, a a software as a service. Right? Or if they were paying some some kind of, I don't know, accounting, accounting service or something like this.
Dejan Kosutic:So I can understand why they actually come to you because they see from the cash flow point of view, they actually see this as much easier to to convert into customer. So it's it's yeah. And so okay. You probably have to, you know, earn less in the beginning, but earn more afterwards. But I understand that this could be a very, very profitable model.
Dejan Kosutic:Okay. Great. So let's maybe switch a little bit the topic to AI. I understood that you have a big interest in AI as well. And what do you think?
Dejan Kosutic:How will artificial intelligence change this compliance world? So what will happen in the future in your opinion?
Alexander Jaber:Oh, that's that's a great question. Thank you. How will artificial intelligence change that point? I'm I'm playing around with with AI all the time. Currently, with good prompting, I'm able to get, yeah, near senior like answers from AI.
Alexander Jaber:That's pretty tough because I myself would say I'm an expert or a principal consultant to adjust the level and if I look at the quality I'm getting out of AI Where will we have any juniors anymore in the near time? Because every work that is done by a junior consultant can be done by AI and better.
Alexander Jaber:So that's one point. And AI is not only destroying the places of juniors, it's also destroying the places of regular consultants. So people that are in the job for two or three years already. And walking on, I currently read the announcement of ChatGPT 5.0. And if even old man says it's outgrowing his intellect, I think the tool will be very capable.
Alexander Jaber:And in the near future, the, yeah, the the market will change in a way that consultants won't have to do junior work anymore in some kind. I think they will still do some of the junior work to learn. Mhmm. But they will have AI as a learning companion. So the AI will help them to get trained to to do the work in a in a in certain quality.
Alexander Jaber:And maybe we are we will be able to to get people to to senior level within one or two years other than before. So before we had had two or three years to get people to a consultant level, to regular cons level. Yeah. And on the attitude to a senior consultant, so somewhere between three to five years of experience made that people became a senior. Mhmm.
Alexander Jaber:And that's one point that will be, I I think, largely impacted by AI. And if you look yeah. If you look if you look further, I think with agentic AI and also with APIs so that AI is able to scan the whole company, maybe the process can be automated.
Dejan Kosutic:Mhmm. And what does this then leave for even for senior consultants? Know, if okay. I understand that that junior consultants will probably be well, sort of say replaced with with AI. But what about senior consultants?
Dejan Kosutic:Are they safe from AI, or will their role change as well?
Alexander Jaber:Just a bit longer. Mhmm. I think it's just a bit longer. Senior consultants, even principals, will be will be will be replaced in a way. Because just just ask yeah.
Alexander Jaber:Let's let's let's take church a bit. Just ask AI how you should lead your company. Give it all the information you have, and the the the the outcome will be at a at a pretty high level, at a pretty good level
Alexander Jaber:Regarding strategy, regarding mid and long term, short term strategy, and so on. It will ask you the the right questions. And since even building a company is is just a recurring process in the end. It's not a big deal for AI.
Dejan Kosutic:No, no, I agree with you. I mean, I also play around with it and I upload all the information about our company, business strategy, you know, the competitive position, SWOT analysis, you know, financial information, product information, marketing plans. I upload everything into ChatGPT, then I start asking questions, you know, strategic questions. And, yes, it's impressive how it actually understands and how it actually gives me ideas that I didn't think about before. So this is true.
Dejan Kosutic:And then so the question is now, what is then left for consultants if AI is going in this direction? So let's let's say think about, from five to ten years from now. So if you're if you're an owner of, let's say, a consultancy, what does this leave, for humans to do? And Mhmm. Yeah.
Dejan Kosutic:So what what do you think?
Alexander Jaber:I see. Well, working with humans is always human work. So the human part of the work can't be replaced in a way that you have when you work with a consultant. You have someone that maybe has had the same experiences as you have that can bond with you on another level. And in the end, that is a human. So working with a human is always or will always be part of the deal. Mhmm.
Alexander Jaber:And I think in the next maybe ten to fifteen years, AI will will be a very good partner in consulting. So it will do, I think, pretty most of the work. But since we humans also are curious about things, we want to learn things, even as kids, we will will and have to keep this up and that will be the part where the consultants will also be the ones that will have to learn and keep learning all the time. Even if there is an all kind of felt almighty partner that knows everything because it has the all all the knowledge of of the of the whole human ship of the whole mankind at its its bare hands.
Dejan Kosutic:So I fully agree with you. I think that what AI will not be able to do in the next, let's say, ten to twenty years is deal with people. And especially, you know, all of these AI technologies that are coming into place will change information security, will change, I don't know, our regular operations. This means that, for example, companies that already have 27001 or 9001 will also have to manage change because of AI. Now these changes are the most difficult things to do, and this is something AI cannot do.
Dejan Kosutic:This needs really a person, right? A consultant in this case. So I think that there will be a huge opportunity for consultants who will actually manage change that will happen because of AI, Right? So it's it's I think this is a huge opportunity. And by the way, I I launched recently a course for consultants where I put emphasis on how to manage change in companies because especially because of this effect.
Dejan Kosutic:So it's yeah, it's certainly I fully agree with you here.
Alexander Jaber:Now I can really recommend that, yeah.
Dejan Kosutic:Great. So speaking of AI and AI agents, how do you see actually AI agents changing a compliance business? So can you give a couple of examples on on what do you think will happen?
Alexander Jaber:Oh, they they haven't they haven't have a they can not not yet do, but they can have a huge impact. At the moment, AI is mostly used to to write some policies or some or something like that based on maybe maybe APIs or information gotten from APIs. I think in the in the future, AI will be able to be, yeah, to be connected to the whole company or to all the company systems and to adjust the systems to do customizing in the systems or set new configurations. So not just like a like configuration management database, but also but but far more. So and and like like a person that is able to to see all the systems at once and to to drive out any vulnerabilities of the systems by aligning all the configurations to each other so that they work perfectly.
Alexander Jaber:I think that's one big part where AI will be very helpful. And, yeah, not not just in compliance, but also in in defense. So an AI based SOC or AI based AI based blue teaming and so on, this will be will be a big part. And one one more thing regarding any rig any any requirements coming to the company. So out of contracts, of laws, out of international laws, and so on, AI will be able to have an overview over all requirements dropping out of all this content and it's a main issue in every company no matter how big or how small.
Alexander Jaber:I often see bigger awareness for that in small companies than in big companies. But this will be a big point, a very big point, to have a good overview over all the requirements, to have a good requirement management, to see what requirements have which impact to the company and what can be even a big saving point because you're doing something very expensive for one customer and that customer has already left the company ten years ago.
Dejan Kosutic:Yeah. Yeah. No, I agree with you fully. I think these kind of AI agents will be able to actually analyze your company in real time. So they will be able to, I don't know, analyze your messages in, I don't know, Slack or Microsoft Teams or emails and tell you if you're doing something that is not compliant with policies or procedures.
Dejan Kosutic:It will be certainly a huge, huge it will be a very different world very soon.
Alexander Jaber:Definitely, definitely. There will be a point in one time, so if we drive that further, there will be a point where we will have to decide what we want to do. So everything will be done at that point that AI will be surpassing the human intellect and it will have physical bodies. Have capable robots already. So the bodies are there.
Alexander Jaber:I don't think that Terminator scenario will come up. I think it will in the beginning support the humans
Alexander Jaber:And at one point, maybe with the general AI, but that that's kind of utopian and dystopian in one point one thing.
Dejan Kosutic:Anyway, this might be a good topic for for another podcast. So let's let's wrap up the discussion today. So what would you kind of select as the the most important points that consultants should keep in mind to to build their business?
Alexander Jaber:Consultants should keep in mind to build their business. Talk to the people, listen to them, and help them with all you've got. Then you will be successful. Always.
Dejan Kosutic:Okay. I fully agree with you. Again, these are very good insights. And then thank you for sharing these insights. It's been a pleasure talking to Alexander.
Alexander Jaber:Same to me. Thank you, Dejan.
Dejan Kosutic:Thanks again. And thank you all for watching or listening to this podcast, and see you again in two weeks' time in the next episode of Secure and Simple podcast. Thanks for making it this far in today's episode of Secure and Simple podcast. Here's some useful info for consultants and other professionals who do cybersecurity governance and compliance for a living. On the Advisera website you can check out various tools that can help your business.
Dejan Kosutic:For example, Conformio software enables you to streamline and scale ISO 27001 implementation and maintenance for your clients. The white label documentation toolkits for NIS2, DORA, ISO 27001 and other ISO standards enable you to create all the required documents for your clients. Accredited Lead Implementer and Lead Auditor courses for various standards and frameworks enable you to show your expertise to potential clients. And a learning management system called Company Training Academy with numerous videos for NIS2, DORA, ISO 27001 and other frameworks enables you to organize training and awareness programs for your clients' workforce. Check out the links in the description below for more information.
Dejan Kosutic:If you like this podcast, please give it a thumbs up. It helps us with better ranking, and I would also appreciate it if you share it with your colleagues. That's it for today. Stay safe.
