Resolving a Conflict Between IT and Cybersecurity | Interview with Jared Leuschen
Welcome to Secure and Simple podcast. In this podcast, we demystify cybersecurity governance compliance with various standards and regulations and other topics that are of interest for consultants, CISOs and other cybersecurity professionals. Hello, I'm Dejan Kosutic, the CEO at Advisera and the host of Secure and Simple podcast. Today, guest is Jared Leuschen. He's the CEO and founder at Blue Tree from California in The United States.
Dejan Kosutic:And this is a company that helps their clients define strategic roadmaps for IT and help with their execution. And he actually operated multiple businesses prior to this company, and this company already exists for ten years. And what's interesting actually is that in this company, he hires former CIOs and CSOs. And actually, this makes Jared a perfect person to actually discuss in today's podcast how to resolve this, I would say, ongoing conflict between IT operations and cybersecurity governance. So welcome to the show, Jared.
Jared Leuschen:Thank you for having me, Dejan. I appreciate it.
Dejan Kosutic:Great to have you here. So, do you think that IT people like security policies and procedures or this is something that they don't really like too much?
Jared Leuschen:I think in my experience, we find two different types of people in IT, those who care about the organization and really want security, but don't want to have a lot of don't want other people telling them how to do, to manage it effectively. And then we have those who think that governance just gets in the way of operations. And both types of people are are not necessarily good for the organization. And and so that it there definitely definitely definitely is a challenge in the in the marketplace and within central IT, especially with trying to implement policies, procedures related to governance and risk mitigation.
Dejan Kosutic:Okay, but why does this kind of conflict really exist? I mean, what are the root causes here that most of the IT people are not really happy with this cybersecurity governance?
Jared Leuschen:I don't think it's something that is a necessity right, in the industry. I don't think it needs to be the case. I think it exists for a couple reasons. One, communication, right? Anytime there's a challenge between individuals, organizations, communication usually plays a role there.
Jared Leuschen:The language we're using, how educated we are, how educated we are helping others become. There's typically a misalignment in the objectives or, you know, our goals as well as in in between those teams. Right? The security teams, the IT ops team, and even with executive or upper management, there's usually usually a misalignment in what we're trying to get done or a belief perspective that there's misalignment there.
Jared Leuschen:And so a lot of times when I or someone on my team engage with a new organization for the first time, we spend a lot of time just having conversations about where those barriers are, where the boundaries are, and what the individual's perception of the barriers are. Because a lot of times what's gonna happen is if we don't find alignment, then any perceived barrier is either going to stop productivity or someone's gonna find a workaround. And then all the investment in time and money and tools and systems just gets depleted really, really fast.
Dejan Kosutic:So are you saying that the way to resolve this conflict basically begins with an analysis of the situation and of these barriers.
Jared Leuschen:Yes. And with people, right? I like to say frequently that most challenges and successes boil down to the human component. And that's my experience with security and compliance. It's no different.
Jared Leuschen:Most IT operations personnel have solid intent. They want to help protect the organization. They're loyal. They care about the company. They care about the people in the company.
Jared Leuschen:But more often not, they don't understand why, the why behind the policy, the why behind the process, the why behind the regulation. So when you have someone come in and say, hey. We need to create all these controls and establish governance, and it's gonna require an investment in time, and you're gonna have to be responsible and own part of this, someone in the IT ops team is has to either accept that, not accept it, right, or ask more questions. And what what we're not doing as as humans within an organization are asking enough questions. And the same thing happens with executive leadership.
Jared Leuschen:A lot of times they don't know what questions to ask because they're not the experts. They're relying on the IT ops team to educate them on decisions that should or shouldn't be made, and they're relying on their security or compliance individuals responsible for risk to educate them on decisions so that they know how to move the business forward in a safe and responsible way. And what we see is more often than not, those individuals are just not talking to each other enough. They're not asking each other enough questions. They're not trying to, or they don't care enough about understanding the why.
Jared Leuschen:And so they're just receiving information and then doing the best they can with that, oftentimes seeing it as a barrier.
Dejan Kosutic:How to actually enable that these people understand the answer to the question why?
Jared Leuschen:Yeah, well I have found a lot of success with starting with first having conversations, Interviewing people as to what their role is, what their perception of security and compliance is in the organization for them, how it plays a role, if it is a blocker, if they're open to it, why they're open to it. Right? We do that individually and then we bring people together. And it's very successful once we have enough information from the siloed organization, siloed teams, siloed people to come bring everybody together and say, Hey, this is my perception. Or if it's a team based approach, right, this is our perception of what we've seen, what we've heard.
Jared Leuschen:It's not pointing the finger at anybody. It's saying, hey, there is a breakdown in communication here. What we know is the organization needs to be protected, and here's why. Right? And the organization sits in a regulatory environment that has mandates not controlled by them, and here's why.
Jared Leuschen:Right? And there are ways to mitigate risk based on those factors, and here's how. And so we just have these conversations and we bring executive leadership in so that they can talk about the vision of the business and how they're trying to move forward and their perception of compliance and security as a blocker to that, while also talking about their fears around being breached or IP being stolen. We have a couple clients right now that have experienced that. There's a lot of real fears that are valid.
Jared Leuschen:But when we bring everybody together to talk about the why, what's important to them, then we start actually having productive conversations in a collaborative environment that allows all parties to understand not only the importance, but how to move forward in a productive way, how to help support each other because we remove the barriers of language, We get everybody on the same page so that the incentives align.
Dejan Kosutic:From your experience, is this actually enough? I mean, this kind of, let's say, a series of interviews or conversations, is this really enough to resolve this problem? It's enough to get started on the right path, but the work never ends.
Jared Leuschen:We need to keep having these conversations and we need to make sure that the people that actually have responsibility have the authority to act with what they've been handed. But the work never ends.
Dejan Kosutic:I mean, for example, let's say that there is some critical, let's say, the patch that needs to be installed. And since on one hand you have the IT, which is kind of reluctant to do this too quickly because they want to enable the IT systems to be available. On the other hand, you might have security that wants to do this ASAP, right, as soon as possible. So, I mean, these kind of practical situations, you know, how do you actually enable these people to come to an agreement?
Jared Leuschen:Yeah, so I'm going to go back to what I shared previously, right? We start with conversations and we find alignment through Once alignment is identified, we document what that alignment is. We document the ownership for the various components of that. And then we put someone typically, right? We want to put someone responsible for the administrative oversight of accountability.
Jared Leuschen:Right? We need a central figure that is responsible for risk management for the organization that is holding security accountable, is holding IT accountable, is holding executive leadership accountable to the to the things that were agreed upon during that effort. And regular consistent meetings, clearly defined success criteria and KPIs, metrics that align to the business vision and the goals set out by executive leadership, and clearly defined milestones, objectives, so that as we move and make progress or as new conversations come up, new information or new concerns, new challenges, we can go back to the plan that was developed and documented and say, hey, how does this fit in? Is this something that's gonna impose risk? Do we need to bring in outside help that has more expertise, more information than we do?
Jared Leuschen:Right? Or do we have enough that we can clearly see how this new this this new thing that we have to deal with fits into the current plan, the current model? We update, we modify, and the cycle continues.
Dejan Kosutic:Okay, so are you saying that there needs to be kind of a third function there that kind of mediates between IT and security? I think you mentioned risk function or something.
Jared Leuschen:Yes, and this is a critical component to success with most organizations, not all. Some smaller organizations can get away without putting someone or a team in this position. We satisfy this for a lot of our clients. There's a lot of third parties out there that do and some do it well, some not so well. A lot of organizations will hire someone internally to fill this role.
Jared Leuschen:Or again, in smaller organizations, sometimes we'll tack on the responsibility to someone that's already within the organization that has extra capacity to do so.
Dejan Kosutic:Okay, great. And let's say that if this dialogue between IT and cybersecurity, let's say, goes in good direction and if you, let's say, view IT as, I would say, positive, so to say, collaborative element here, So how can actually IT teams help build a better cybersecurity? So how can they actually be proactive in building a better governance of cyber?
Jared Leuschen:That's a really good question. I will. I don't have all the answers. Probably that's the case for most, but I would say that where I've seen success is the utmost successes when we give space to the individuals within IT to actually put thought into this, to to be proactive, to be creative on how to help the organization. One needs one needs time, the space to actually put thought in.
Jared Leuschen:And what we see more often than not in most organizations, there's IT, you know, and and more so within IT than other business units, they are they are scrambling. They are always under resourced. They are always underfunded. And so they are constantly constantly juggling multiple priorities and rarely rarely feel whether they do or not, rarely feel like they have the time to just stop what they're doing, take a moment, maybe 10, and and think about what they're doing, why they're doing it, and how it could be done differently. When we are in reactive operational mode, just trying to keep the lights on, put out fires constantly, which happens within IT more than not, then it's really difficult to stay ahead or start or be thinking about the future and what happens when the business changes.
Dejan Kosutic:Yep. Yep. What I find useful is that, let's say, when IT people actively get involved in, let's say, reviewing of various drafts of policies and procedures, because they know the best actually how the processes are running in their departments. When you come to them with a draft of, I don't know, a backup policy, they will know the best, you know, actually if it is a good fit and what needs to be improved there. And yeah, I think this definitely contributes actually to the better procedure, but also to their commitment.
Jared Leuschen:Yes, yes, I'd love that. Well, and earlier on, not later, like we don't want to be handing a fully developed policy or a process to the person who's going to be operationalizing it right after it's done. We want their input early on. I think that's what you're saying is bring them in early proactively and allow them to contribute to the process of the development cycle so that when it's time to operationalize it, they're ready, they're aligned and motivated to do the job.
Dejan Kosutic:Yeah. And to come back to this point that you made earlier about not having enough time in IT teams, and this especially, you know, it's true for people that are, let's say, on the lower level of IT teams, they simply don't have time to think about governance or to, I don't know, participate in these things. So how do you actually resolve this problem of, you know, asking people to deal with the governance, to follow these policies and procedures where actually they don't have time, other than they are on top of what they are already doing.
Jared Leuschen:I think there are two components to this. One leadership is, and the importance of upper management to educate personnel and why it's important for them to take the time to do so and also educate middle management on how they need to make sure that their their personnel are are able to take the time and making the time. And then there's a tactical component, which is which is actually educating you know, helping and collaborating with those folks that have responsibility on how to how to properly manage their time to to make these things a priority, how to prioritize tasks, how to block time off from their calendar, how to educate the people that they are responsible to coordinate with, communicate with on their day to day basis on when they're not available and how that's sacred to them and why it's important to the business. And this all comes back down to communication, communication from the top down and from the bottom up.
Dejan Kosutic:Okay. But from what you're saying, it's also time management and maybe some training in time management from what I understood.
Jared Leuschen:Sure. Sure. Yeah. We can all improve and a lot of times the tools that we're using, mental, emotional, physical, right, is based on our experience, our expertise and that alone. And so it's always helpful to, in my opinion at least, to bring in outside help on occasion or to be open to receiving help from those around us that may have a different set of experience and expertise that we can lean on.
Dejan Kosutic:And from your experience, what type of help is the best one actually here to resolve this conflict? So, are these, let's say, typical, I don't know, cybersecurity or IT consultants or maybe other type of other profile of external help can be sought here?
Jared Leuschen:That's a great question. I don't think it's a one size fits all scenario. I think what is helpful first is to understand where the gaps are capability within any organization and then identify individuals or teams that can fill those gaps. More often than not, we see success with making early on progress by bringing outside help in to make rapid progress, fill immediate gaps while we're looking for long term solutions by either training internal employees and or hiring new employees to come in. But the the where we see most organizations suffer from an actual role fulfillment standpoint is someone responsible for the process.
Jared Leuschen:Right? We don't usually have a gap in technology expertise for security functions, right? We don't usually have a gap in someone responsible for procuring. We frequently and more so now than ever before have individuals like CSOs and other experts that can help with developing strategy. And then we have project management teams that have technical expertise now that have expertise.
Jared Leuschen:But we very rarely walk into an organization and see anybody that's actually has sole ownership for the process itself. And so that's usually where the the breakdown occurs over time. And and just updating the process, even if it's implemented successfully, is not a recipe for long term success because eventually they'll end up in the same place.
Dejan Kosutic:So, from what you're saying, it seems that there is an opportunity for consultants actually to help companies fix these processes and actually help them with all these other problems that we're speaking today.
Jared Leuschen:Yeah. And on the security and governance side of things, this is typically not a full time job, right? This is a fractional job and a consultant that has experience, expertise, and has capacity to provide fractional support to help organizations maintain, update, develop new policies and procedures, there's a huge opportunity in the marketplace for that right now.
Dejan Kosutic:And when speaking about these opportunities for consultants, do you think that these consulting jobs should be, let's say, one off, or should they be kind of continuous on a fractional basis?
Jared Leuschen:I think it should be continuous. The need never goes away. Businesses who not just survive, but thrive are always changing, right? And so the need for updating existing policies is always there. Most organizations don't have people in house that have expertise in developing workflow processes.
Jared Leuschen:So it's not just in the technology and security and governance sector, it's everywhere, but especially in risk management, risk mitigation, the landscape of threats is ever changing. And therefore the tools and the way we approach mitigating those risks is ever changing. And so the need never goes away. It's constant. It's daily.
Jared Leuschen:Having someone on the pulse that is talking to executive leadership, talking to the people responsible for risk management, talking to IT ops, and bringing those individuals and those conversations together to keep the flow, keep documentation updated, make sure everyone understands new roles, new responsibilities as things change, role is a necessity for success and more so today than ever before.
Dejan Kosutic:And are these arrangements typically in a way that these consultants actually act as VC, so kind of fractional CISOs, or do they act actually as, let's say, an external help to an existing full time CISO within the company?
Jared Leuschen:I think it could be both. The responsibility of a CISO is broad and wide and complex. So depending on who's actually employed by the organization, who has responsibility today, whether it's insourced or outsourced, there's usually there's usually not one individual that that is a is a is an expert in every in every aspect of the role that they're fulfilling. So having augmented support to take on some tasks that maybe don't, maybe a CISO doesn't enjoy as much, or maybe they just don't, maybe they have capacity restraints. They just can't get to it.
Jared Leuschen:That's often the problem. And so individuals or teams of consultants that can provide fractional assistance is a huge value to CSOs. But especially for organizations that don't have an in house CSO, Right? Yeah. Yeah.
Jared Leuschen:They they are needed by executives in that case far far more because they have nobody right now.
Dejan Kosutic:And probably this this also depends on the size of the company. Right? If you have a couple of 100 employees, probably would have a fractional CISO.
Dejan Kosutic:If you're a couple of thousand, then probably full time CISO for a plus, let's say, an outside consultant.
Jared Leuschen:The larger the organization, typically the larger the risks are and the more complexity. And so it it warrants having someone devote more time or a team of people sometimes devoting more time to governance and security.
Dejan Kosutic:Yep. Okay. Going going back to the discussion about IT and security. So very often, I mean, the risks related to the supply chain are larger and larger, obviously. And usually the people that are the most in contact with these suppliers are people from IT teams.
Dejan Kosutic:So how can actually members of the IT team help increase the level of security of these suppliers?
Jared Leuschen:So in in simple format, where we're seeing success is a, someone, whether it's in IT or under the risk management department, someone needs to have ownership for holding vendors accountable. Right? One person. We've seen success where multiple people, more than one individual have responsibility for different vendors providing services where security comes into play, but it's not as successful because they have to be pretty tight at the hip if we're going to maintain consistency for a singular organization. Having having clarity and confidence in what our policies are related to vendors, vendor management, vendor security controls, most organizations don't have that defined.
Jared Leuschen:Right? And if it is defined, it's not defined in the contract. Right? So making sure that we are auditing our contracts with our third party support providers, our suppliers, and updating our security policies within those contracts so that we have a mechanism for holding them accountable, that's step one. Step two is auditing on a consistent basis, asking them to fill out the right questionnaires, doing that quarterly or annually at a minimum, and and asking them to to partner with us to make sure, you know, internal IT with our company, with our organization, make sure that we are holding them to the standards that we need to be met, not the standards that they feel need to be met.
Jared Leuschen:This starts early on though, right? If we're doing this for the first time, we don't have a vendor management structure today and we are implementing one, then we need to review what's already in place. Ideally, this happens before we even move into a procurement cycle or issue a request for a new proposal for a new software or a new service that is being delivered by a third party. And so that's a whole beast in and of itself is making sure that we're doing our due diligence to evaluate market options and evaluating our vendor, our competitive vendors appropriately so that when we get into negotiations, we have all that predefined and it's in writing and everyone's confident that they're gonna be able to deliver. And then we put hooks in there to make sure that what happened we know what happens when they don't deliver.
Jared Leuschen:And how do how do we hold when there are third parties involved, how do we hold them and ourselves accountable and who's responsible for the accountability and monitoring the metrics that are set forth. This is not easy. This is this when it comes to third parties and vendors, it's it's very complex, something we you know, my team spends a lot of time on because most organizations, it's an afterthought. They just we we wanna trust other humans. We wanna trust other companies that they're gonna they're gonna have our best interest in mind because that that feels good.
Jared Leuschen:It feels nice, the idea of that. Right? But reality is the first organizations, yeah, they're looking out for themselves.
Dejan Kosutic:Yeah, this is true. And I assume when dealing with vendors, there always has to be, let's say, a team of people, including security and IT, and of course, purchasing professionals and others. So, it's to actually make this work.
Jared Leuschen:Yes.
Dejan Kosutic:When speaking about this, again, conflict between IT and security, would it make sense actually to merge the functions of CIO and CISO to actually make this conflict go away go away?
Jared Leuschen:That is a great question. I have thought about this before. I haven't come up with a solid reason to do that because I can see value in both. I think it is possible to have technology as a whole roll up, you know, under a single business unit, so to speak. The challenge is that risk for a business is not fall solely under the responsibility of technology.
Jared Leuschen:Right? There's a human component to that. There's other business units. There's manual efforts being done today that don't involve technology that still pose risk. Right?
Jared Leuschen:So the education on how we we manage risk and the policies and procedures put in place has to has to incorporate technology. Technology needs to support it and be aware of it and help protect it, it it's not the sole responsibility of technology. So if we have a CISO and a CIO in one organization, they they both need to be sitting at the executive table with the business leaders, with other business leaders. They can't be downstream. They can't be reporting to a CEO alone underneath this higher level of executive C suite leaders.
Jared Leuschen:Right? They need to be at the table with the CFO, with the CMO, with the CRO, with with with everybody else, with an equal voice. Right? So that that could be very successful. What is not successful is trying to put someone in place that is a CIO and a CISO.
Jared Leuschen:I feel like those are two very different skill sets that require focused attention that in a bifurcated way.
Dejan Kosutic:I absolutely agree with you. Think it would be a bad idea to try to merge them. And by the way, most of these regulations nowadays actually forbid this kind of they actually require CISO to be independent from the technology function.
Jared Leuschen:It's a great point.
Dejan Kosutic:And when speaking about this, actually having the CISO and the CIO actually at the the board level, so how do you actually align, let's say, IT and security with, let's say, finance or the CFO function. So how do you make this happen?
Jared Leuschen:Yeah. So typically want to see committees be developed for any decisions related to buying decisions or significant shifts in strategy or policy process. But most most organizations outside of those those strategic decisions being made, most organizations already have typically, in my experience, right, when we walk in is they already have a a team environment set up where the where the executive leadership team is meeting on a consistent repeated basis, you know, frequency, a cadence, whether it's weekly, monthly, quarterly, etcetera. And and so there's some education required on why we're pulling new people into that environment. And there's some expectation setting on how we need to expand the agenda to incorporate this in.
Jared Leuschen:But it's usually not that difficult to to get the people into the seat. What's difficult is is is helping to educate everybody on why it's important and making sure those barriers are down as they enter in so it doesn't cause constraint. Doesn't It cause people to be defensive or not share information. The only way this is successful is when everyone's come to the table transparent, somewhat vulnerable, willing to show up for the business and how they can help support the other leaders and be supportive themselves.
Dejan Kosutic:I mean, CFOs are usually numbers people, right? So what kind of numbers can I actually show to a CFO to do, you know, to display the value of of, let's say, or security and IT? Yeah.
Jared Leuschen:That's a great question. I don't have the answer for that. Where we typically get involved when there's a breakdown in communication between like a CISO or CIO and a CFO is typically in in buying decisions for new new developments, new products, new services that we we haven't allocated budget to before. Right? And justifying the why.
Jared Leuschen:So that does happen a lot, and it's it's usually not as as easy as just developing a a TCO for the new thing. And and it it usually requires a lot of market intelligence to support, you know, data from the outside world to support the why we need to find find money to to spend towards these new things that we didn't have to before. And and that and oftentimes, what we end up doing is bringing in third party experts from analyst firms like Gartner, like Forrester, etcetera, who study the market, study the landscape business, you know, the landscape from a security standpoint on a regular basis. If it's regulatory, that's a little bit easier. If we have a mandate coming from an outside source that we have to comply with so that we don't get fined, that's an easier conversation.
Jared Leuschen:We don't wanna get fined. But when it comes to protecting us, protecting our employees, protecting our IP, protecting our customers and their IP, that's a little bit more challenging. It takes open mindedness and it takes collaboration. It's not a simple numbers game.
Dejan Kosutic:Okay. And usually at this top level, you know, I mean, the executives very often see security as something that slows the business down, right? It's something that, you know, they're not very happy about it. So how do It actually can. Know.
Dejan Kosutic:Yeah. In fact, it really can. And how do you actually overcome this problem?
Jared Leuschen:I think this is related to kind of our earlier conversation where we started talking today, which is similar to the barrier between security and IT. Business leadership has a responsibility and obligation to to share the vision, right, to to to pull and align the the personnel and especially leadership team into into why we are doing certain things to grow or or change the business. They they also have an obligation to to listen to the leadership team that they've put in place to counsel them on where there are potential risks there. And the individuals, especially a CISO, right, has should have a large voice and potential risks that perhaps the CEO and CFO and other leaders don't don't aren't aware of or or can't foresee. And creating an environment where there can be open dialogue without fear of repercussion is step one.
Jared Leuschen:Like, we need to create forums where people can feel comfortable and confident that they can talk openly and freely to share their concerns with the assumption that everybody is working in the best interest of the company as a whole. But that's always step one. Where we go from there, it it it can be challenging. Right? Because because regulation and security measures often do slow things down.
Jared Leuschen:But it's it's it's it's not about putting walls up for the sake of pulling walls up. If we're if people are educated and we're talking openly about the risks, then we know why these things are necessary, why the policies are necessary, why there needs to be processed, why there needs to be tools, there needs be new people to manage those tools because we didn't have anybody before that was doing this. Right? So we have to bring that expertise in there. Those conversations are easier when when we're not when we're not trying to force leadership to do everything overnight.
Jared Leuschen:Right? We need to talk about the risks of the business and then and then identify what's the least amount of of of gates that we can put up while while still protecting the business in a way that needs to so that we're we're we're not creating more slowdown than necessary.
Dejan Kosutic:And unfortunately, very often the the security is also to blame because they're very often imposed too high security levels, actually are really slowing the business down. And very often this is not needed, right? Very often they think in security terms only because of security and not in terms of, let's say, supporting the business, which is sometimes exactly the problem, because then it becomes a burden.
Jared Leuschen:Yes. Yes. I agree with that 100%. Yes. And sometimes that can be from a place of like really caring about the business and wanting protect the business and reduce as much risk as possible.
Jared Leuschen:Sometimes it can be from a place of ignorance or lack of education. Someone is not as informed as they could be on what is actually necessary for the business versus what is optional and unnecessary at this point in time in the life cycle of the organization.
Dejan Kosutic:Yeah, which actually brings us back to your initial point of actually communicating within the company of all the goals and agreeing internally on what needs to be done.
Jared Leuschen:Yes, and not being so prideful to where we were not willing to bring in outside help that have more expertise than us. That's important. That's important. Consultants have a big role to play here. If the people within an organization are not willing to let outside expertise in to educate them on what others are doing, their peers or competitors, it's going to be really difficult for the organization to succeed.
Dejan Kosutic:Yep. Okay, great. Let's then wrap up the discussion for today. So as the last question, what do you think would be, let's say, recommendations for security officers to communicate better, to work better with the IT teams?
Jared Leuschen:Yeah. Well, step one, I would say, you know, as security professionals, it's not our job to eliminate risk. It's our job to educate everyone in the organization, everyone from top down on what they can do to help protect the organization and what we need to do as a company, right? At a minimum level to ensure the organization is protected, understanding that we don't want to slow down progress.
Dejan Kosutic:Great. So thank you for this insight. So I've learned a lot about IT security teams, so thank you for these insights, Jared.
Jared Leuschen:I enjoyed talking with you today, Dejan. Thank you for having me.
Dejan Kosutic:Yeah, thanks again and thank you everyone for listening or watching this podcast and see you again in two weeks time in our new episode of Secure and Simple podcast. Thanks for making it this far in today's episode of Secure and Simple podcast. Here's some useful info for consultants and other professionals who do cybersecurity governance and compliance for a living. On Advisera website, you can check out various tools that can help your business. For example, Conformio software enables you to streamline and scale ISO 27,001 implementation and maintenance for your clients.
Dejan Kosutic:The white label documentation toolkits for NIS2, DORA, ISO 27,001 and other ISO standards enable you to create all the required documents for your clients. Accredited Lead auditor and Lead implementer courses for various standards and frameworks enable you to show your expertise to potential clients. And a learning management system called Company Training Academy with numerous videos for NIS2, DORA, ISO 27,001 and other frameworks enable you to organize training and awareness programs for your clients workforce. Check out the links in the description below for more information. If you like this podcast, please give it a thumbs up, it helps us with better ranking and I would also appreciate if you share it with your colleagues.
Dejan Kosutic:That's it for today, Stay safe.
