Role of EU Cybersecurity Bodies and How to Cooperate With Them | Interview with Brian Honan
Welcome to the Secure and Simple podcast. In this podcast, we demystify cybersecurity governance, compliance with various standards and regulations, and other topics that are of interest to consultants, CISOs, and other cybersecurity professionals. Hello. I'm Dejan Kosutic, the CEO at Advisera and the host of the Secure and Simple podcast. Today, we have a very, very interesting guest.
Dejan Kosutic: His name is Brian Honan, and he's the owner and CEO of BH Consulting from Ireland. And so he has grown his consultancy from basically zero to more than 350 clients in 15 countries. And he was an adviser to Europol, and he's a member of the advisory group to ENISA, the EU cybersecurity agency. And, you know, he has given lots of interviews, amongst others to Newsweek, Forbes Magazine, and so on. And so today, in this podcast, you'll learn about the role of various European bodies in charge of cybersecurity, but you'll also hear many tips on how to build a successful consultancy. So welcome to the show, Brian.
Brian Honan: Well, then, thank you very much for having me here. It's a pleasure, and I've been an admirer of your work for many years. So it's an honor to be here. Thank you.
Dejan Kosutic: Well, thank you, and great to have you here. So I think you started, like, back in 2004 or something like this. Right? You know? And back then, there were, you know, not many cybersecurity consultancies offering this kind of advice.
Dejan Kosutic: So what inspired you actually to start this business, and how did you actually see this consultancy and cybersecurity market evolve in the past twenty years?
Brian Honan: Yeah, I suppose BH Consulting, as you said, Dejan, has been around since 2004, but obviously my career started much earlier than that. I started working in IT back in the late 1980s, working for Ireland's largest life insurance company. And at that stage, I was responsible for looking after these newfangled technology things called PCs that were coming into the business and would never catch on. But we know now that's not what happened, that over the years, PCs became more prolific amongst the business, and we moved many systems away from the mainframe systems we had onto PCs. And in that migration, I always felt security was a key part of the success of moving away from these traditional secure enclaves of systems we had on the mainframe to systems now scattered across many networks and many computers and PCs.
Brian Honan: So, you know, throughout my career, I then moved to different jobs, different companies, etcetera. And I always worked for companies and had a big responsibility for security there. And in the early two thousands, I was kinda looking around and thinking to myself, you know, if you're a business owner or you run your own company, there was really nobody you could go to to get independent advice about cybersecurity. Back then, we called it IT security and information security.
Brian Honan: But, yeah, if you talked to your IT supplier, who was the natural person you talked to, they would go, oh, yes. Security. No problem. Here's this shiny box that we can sell you, or here's this software we can sell you. But there was no approach to looking at information security, cybersecurity as: how can we do this to support the business?
Brian Honan: What do I really need? You know, what does the business really need to solve this? Yeah, in 2004, I set my business up thinking that, you know, being an independent advisory firm that would give companies and businesses advice on what they need to do to protect their business and their systems is what was needed there. And I always remember a piece of advice that a mentor gave me at the time.
Brian Honan: He says, Brian, that sounds very interesting, but when you're setting a business up, you have to make sure there's a niche in the market for that business. But more importantly, make sure there's a market in that niche as well. So, you know, for many years at the beginning, it was tough because people still wanted to buy a solution to a problem. And often the solution was a piece of software or hardware. Advice was not really seen as a solution.
Brian Honan: But yeah. Started off in 2004. Started off using BS 7799, the precursor to ISO 27001, as the framework for helping companies develop their security programs. Yeah, and that's where we are now today.
Dejan Kosutic: Mhmm. Great. So you're at around 30 employees, right, if I understood well. So it's already a very, very sizable firm. Congratulations on your success.
Dejan Kosutic: Thank you. Let's switch a little bit to these European organizations for cybersecurity. There are numerous organizations like ENISA, CSIRTs, CERTs, I don't know, this EU CyCLONe, and others. So can you just briefly, you know, explain to our audience what is the role of each of these agencies and government bodies?
Brian Honan: Yeah. Look. It's very interesting you asked that, because if you look at the evolution of these bodies, it actually maps neatly with how cybersecurity or IT security has gone from being this niche thing in IT. You know, twenty years ago, twenty-five years ago, cybersecurity was an IT problem. It only impacted IT computers.
Brian Honan: It only impacted IT and computers. But over the years, as our lives, both personal and social and business lives, have become more and more reliant on the Internet and computers, we've seen the importance and the dependencies we have on technology grow, and these bodies have evolved. Funny enough, ENISA, the European Union Agency for Cybersecurity, was founded the same year as BH Consulting. So last year was our twentieth anniversary, and we had ENISA's celebration as well, and we joked that we'd have a joint party for both organizations to celebrate two decades of business. But, you know, so ENISA has evolved over the years, and its role is to advise the EU and subsequently then member states on
Brian Honan: what measures should be taken to enhance the security and protect the online lives of European citizens and businesses. So it's playing a much more important role. We can see that in how it's grown and its growth over the years as well. CERTs and CSIRTs, computer emergency response teams or computer security incident response teams, have also grown over the years.
Brian Honan: Back in 2004, for example, when I set up BH Consulting, Ireland had no CERT. You know, one of the great things, or probably one of the bad things, it's a double-edged sword. And you're probably familiar with this yourself, Dejan. When you have your own business, you can decide what you want to do.
Brian Honan: And so, you know, all the good ideas are yours and all the bad ideas are yours, and, you know, you take responsibility for that. And when I set up BH Consulting, it also meant that I was able to talk and try and lobby the Irish government to set up a computer emergency response team. But again, the importance of cybersecurity was not appreciated either at national level or company level in many bodies. So in 2008, I set up Ireland's first computer emergency response team, and we're still running.
Brian Honan: But it's a not-for-profit voluntary organization to help protect small businesses here in Ireland. But subsequent to that, we've seen many member states in the EU are similar to Ireland. They had no formal computer emergency response teams. But now we're seeing that, you know, since 2012, the EU mandated that every member state had to have a national computer emergency response team.
Brian Honan: So Croatia has one now. Ireland has one. Every member state has one. And we're seeing those becoming more effective. You know, we're seeing better funding coming along for them, better cooperation at member state level, and that's what CyCLONe is all about.
Brian Honan: It's a network to help those national CERTs coordinate and work better. So if there's ever a major attack against the EU, we all as members of the EU can work together to protect each other from those cyber attacks. And, you know, we're seeing new legislation come in. GDPR being a big, I think, step in 2018. We had NIS.
Brian Honan: Now we've got NIS 2, and that's putting a lot of responsibility and requirements on businesses who provide critical services to society to ensure they've got proper security in place. And likewise, now we're seeing DORA coming in for the financial sector. And we've got the Cyber Resilience Act. It's gonna bring more security in place.
Brian Honan: So we're seeing cybersecurity, information security, become much more critical to the EU, and these EU bodies are responsible for ensuring that these regulations, directives, and mandates are carried out.
Dejan Kosutic: Yeah, certainly. How about this cooperation group that is mentioned in NIS 2, and also single points of contact, competent authorities, all of these things are really mentioned there. How do they fit into this, let's say, cybersecurity architecture of
Brian Honan: Yeah, well, I suppose the advantage we have as being members of the EU is that we're all members of the same body and we all have the same goals. We all want to have the rights of EU citizens protected, and we have our values that we want to maintain and protect as EU citizens. But we also are individual member states as well. Croatia is a proud country in its own right, where you're based. Ireland is a proud country in its own right.
Brian Honan: So it'd be very hard for there to be one EU body that's going to be responsible for every individual member state, because, you know, each member state has its own laws. Historically, we've developed our infrastructure in ways that were appropriate to each member state, but are slightly different as well. You know? So that's where you have, you know, a directive like NIS 2
Brian Honan: stating that each member state has to assign its own supervisory authorities or responsible bodies, and it's up to each member state to decide then what's suitable for themselves. But there will always be a national body responsible for that member state. So in Ireland, for example, the National Cyber Security Centre is the overall body responsible for NIS 2 in Ireland. But we do have, you know, in our telecommunications sector, in our financial sector, bodies responsible for this too in those sectors, and they
Brian Honan: are supervised, if you like, by the National Cyber Security Centre. And it'd be similar in other EU member states as well.
Dejan Kosutic: Now, from a consultant's point of view, how can ENISA actually help, or is there a way for ENISA to help consultants? Are there some, let's say, materials that are published for consultants, or is there any other way that consultants can learn or maybe grow their business related to ENISA?
Brian Honan: I think ENISA is probably one of the best things we have for cybersecurity in the EU, but it's probably one of the least known things we have for cybersecurity. Not many people understand ENISA, or even, I've had the experience, Dejan, here in Ireland or even working with clients throughout the EU, of mentioning ENISA and some people go, who? We've never heard of them. And so, yeah. And I don't think that's ENISA's fault.
Brian Honan: It's just that, you know, people aren't aware. I think we all tend to look towards America as the center of where information comes from when it comes to cybersecurity, but we have excellent resources here in the EU, and ENISA is one of the best bodies there. So from a consultant's point of view, there are a lot of excellent papers and tools up on the ENISA website that are all free. So for example, if you're a consulting firm and you need to learn more about incident response, there are papers and exercises and tools available on the ENISA website for free that you can use and adopt for your own business. You know, a tool that we use, for example, in our data protection team for advising clients on GDPR is that ENISA have produced a tool on how you measure the risk of a data breach to data subjects.
Brian Honan: And it's a format that you can use. So if you as a consulting firm are advising your clients on how they measure the impact of a data breach on their data subjects, if you're using a tool that's been produced by an EU body like ENISA to estimate that breach, it's very hard for the supervisory authority to come around and tell you you estimated it wrong. So, you know, they're using a tool from ENISA; who's gonna question that? And that's available for free as well.
Brian Honan: From an awareness-raising campaign point of view, ENISA has a lot of great material up there with videos and posters. They have a tool called Awareness Raising in a Box, which is actually an interactive game that you can use in businesses or with your clients to get them to understand cybersecurity threats and hopefully spot them as well. So there's a lot of excellent material up there for free that as a consultant you can use in your business or adapt for your business to use as well.
Dejan Kosutic: Great. Okay. This is great to know. And is there a way for consultants to engage directly with ENISA in some kind of activities?
Brian Honan: Thank you for that question, Dejan, because I actually meant to say that as well. Yes. So regularly, ENISA, you know, they don't produce all this material by themselves. They actually put together what are called ad hoc working groups, where they get experts throughout the EU to take part in these groups to help them develop that material.
Brian Honan: So, you know, you don't represent your business or your company, whether you're working for your own small consulting firm or a large multinational. You're there as an individual. But working with an ad hoc working group gives you many advantages in that. One, you're working with other experts throughout the EU, and you get to learn from them.
Brian Honan: I've learned so much from working on ad hoc working groups, from the colleagues I've met over the years in the different groups. You learn not just technical stuff about cybersecurity, but different viewpoints in cybersecurity. Like, I'm from the private sector, but you might be dealing with experts from academia or experts from legal or experts from government bodies. So you appreciate their viewpoints, and you get to appreciate things from a cultural point of view. You're dealing with people throughout the EU. So what might be acceptable in an Irish context might not be in a Finnish or German or Italian context.
Brian Honan: You learn how to better cooperate internationally. And, of course, it's something that you can use yourself when you're talking to clients, saying, look, I've supported and helped ENISA. I've been an expert on the ad hoc working group on this particular topic, and that can help your profile as well. But to me, that last part, the profile part, is not the most important thing.
Brian Honan: It's the opportunity to network and learn from others that these working groups provide.
Dejan Kosutic: Mhmm. Well, this is great advice. It's certainly something that cybersecurity consultants should go after.
Brian Honan: Oh, absolutely.
Dejan Kosutic: Now, since you also worked with national bodies, what is your experience with, you know, speaking with national authorities as a private consultant, you know, when basically asking them for advice on how to interpret a certain law or regulation and so on, especially in view of NIS 2, which is, you know, basically, you know, different. I mean, there are local laws for each country. So how do you actually see this cooperation between the private sector, especially consultants, and these government cybersecurity bodies?
Brian Honan: Yeah. I think it's a very good question, because I'll be honest, it can be quite challenging to deal with government bodies. And people often say, oh, government agencies are very slow and, you know, they don't respond as quickly as the private sector. But when you look at it, the government agencies have to be very careful what they say and what they recommend and what they do.
Brian Honan: So that's why it takes maybe a government agency longer to give you advice or guidance on what needs to happen, because they have to interpret the EU directive. They have to translate it. So for example, you mentioned NIS 2. So NIS 2 came out. The Irish NCSC, the National Cyber Security Centre, which is responsible for NIS 2 in Ireland, would have to take the directive, understand what it actually means, translate it into the Irish context. You know, are there existing laws in Ireland that cover parts of NIS 2 or not?
Brian Honan: And if there are no existing laws in Ireland, well, then we have to create a new bill, and then that bill has to be reviewed and go through parliament and be approved by parliament. So it can take a much longer time, whereas us working in the private sector, we're going, we want the answer now. My client wants to know what they need to do for NIS 2. Tell me what I need to tell my client. And the government body's going, well, we're working on it.
Brian Honan: We'll produce guidelines next month or six months down the road. So it can be frustrating, and I'm sure anybody, yourself and anybody else listening to this podcast, can probably appreciate that, with your own clients going, tell me what I need to do to be compliant with NIS 2, and we all go, we don't know. And we don't like to say we don't know, because that can come across to your clients as, well, why am I paying you to do this work if you don't know?
Brian Honan: So what I actually do, no matter what the framework is, you know, even GDPR or DORA and NIS 2, is look at an international standard as a way to build your security framework with those clients, because these international standards, you know, the regulations often cover a lot of stuff. So if you look at NIS 2, they talk about you need to have risk management. You need to have policies, and then they talk about the technical controls you need to have in place. Same with DORA. They talk about risk management, policies, technical controls you have in place.
Brian Honan: Even GDPR from 2018 is a risk-based approach to data protection. So if you use an international standard, the one that we use a lot is ISO 27001. And that is very much focused on risk management and policies. And, indeed, even in the latest version, 2022, there's a huge focus on vendor management and managing security in your supply chain, which, again, NIS 2, DORA, etcetera, all focus on as well. So what I would suggest, if you're worried about how do I help my clients comply with NIS 2 or DORA or whatever other regulation or directive is gonna come down either at an EU level or at a national level, is to stick to well-known and trusted and robust international standards. As I said, we used ISO 27001 for Coilola. So far, it's worked.
Dejan Kosutic: Yeah. I mean, in my experience as well, ISO 27001 is a perfect, I would say, baseline, so to say, upon which you actually build these building blocks to reach compliance with either DORA, NIS 2, or some other frameworks. With regards to this communication with government bodies, is there a way to speed things up? Are there any suggestions from your end on how to help or how to facilitate communication with them?
Brian Honan: Obviously, I can only speak from my own experience, and that's been dealing with Irish government agencies and some EU agencies as well. Again, I don't think you can really speed things up. I think what you need to do is just learn to be patient and maybe understand, for want of a better phrase, the rules of engagement. You know, a government body has to be very careful that it's not seen to be influenced by a private sector company or companies. You know?
Brian Honan: Like, they have to stand independent because, you know, the law of the country, the law of the EU, has to be independent and equally just and applicable to everybody in the same way. And running in and saying, I've got the answers for you, you should be doing it this way, is not gonna speed things up. Your best way is just to engage. And, you know, many countries will be publishing or looking for input on how to implement an EU directive or regulation or how to develop laws.
Brian Honan: They look for consultation. They will send out a request for consultation, and, you know, rather than try and engage with individuals and engage with politicians, because, again, you know, politicians may not be around forever. The politician you're working with today may not be there after the next election, and that could be four years from now. It could be a year from now. So work within the frameworks and the consultations, and maybe, if you're a small consulting firm or an individual, yeah, contribute your own thoughts into a consultation, but maybe get involved in your local business groups.
Brian Honan: If you've got a representative body at a national level for small businesses or for the industry you're in, become a member of that. And through that, try and help, you know, using the influence that body might have, to try and make sure the things are done. But, yeah, I think the big thing is learn to be patient.
Brian Honan: These things don't happen very quickly.
Dejan Kosutic: Great. And speaking of these industry bodies, right? You're the chairman of Cyber Ireland, chairman of the advisory board of Cyber Ireland, right?
Brian Honan: Correct.
Dejan Kosutic: So what is really the purpose of this association, and how does it work? How does it help its members?
Brian Honan: Yeah, so Cyber Ireland is a cluster body. So basically what that is, it's a body that has been established between various agencies of the Irish government. So they provide funding, and it's a way for us to try and get Ireland to be recognized as one of the top countries in the world for cybersecurity. So we facilitate cooperation and collaboration and knowledge sharing across the private sector, government sector, academia, and research. So we try and, you know, find out what businesses want, be they multinational businesses that are based here in Ireland, and there are quite a few that have their headquarters here in Ireland, or local Irish businesses, be they larger or smaller, as to what they need to promote their services and their products. And, you know, that could be: we need to have more people qualified at third level in cybersecurity in these particular areas, so we can then work with academia to try and design university courses to match that, or maybe credential courses to match that.
Brian Honan: Or we need research done in certain fields so that we can develop products and services around that. And we as an industry see these are the challenges that are common, so we need help. And, you know, a small cybersecurity company may not have the financial resources to hire a researcher, but through collaboration could engage with a third-level or other type of research body to do that. And also talking to government about grants and ways of support. So for example, last year and this year with NIS 2, the Irish government has been able to set up a grant program for small businesses to help them put in place cybersecurity initiatives to make them compliant with NIS 2.
Brian Honan: And Cyber Ireland has worked as a coordination body to try and, you know, advertise and push out these grants to SMEs in Ireland, but also let them know, well, these are companies that can help you improve your cybersecurity and give guidance and advice on how to apply for the grants, etcetera. So it's working with government, feeding back to the government how the grant schemes are working, promoting cybersecurity companies in Ireland that can provide these services, and then promoting the grants out to small businesses to say, look, there's money here available from the government if you need a security assessment or to invest. You know, the grant was up to €60,000 to improve your cybersecurity. So, you know, it's a good sum for a small company to get.
Brian Honan: So that would be one example, Dejan, of how we do that. And we run regular events and conferences to try and promote companies and promote topics and get engagement as well.
Dejan Kosutic: Yep. Well, this definitely seems like a good way to engage, let's say, indirectly with the government, and it's certainly a way to learn as a consultant. So I would say that a consultancy in each country should look for these kinds of bodies to get more information about this whole thing.
Brian Honan: And, actually, it's a good point you make there, Dejan, because it comes back to the last question you asked me about how a consultant can help influence what the government does with NIS 2 or other regulations. So Cyber Ireland, with the Irish bill that was coming through to support NIS 2, we consulted all the members to say what their views were on the bill. And then I, as chairman of Cyber Ireland, was brought into the Irish parliament, into the committee that was reviewing the bill, to question and, you know, make sure the bill doesn't impose on individual rights and, you know, that the bill is fit for purpose. So I was able to represent Cyber Ireland and feedback from the various companies, be they consulting firms, manufacturers, etcetera, to say this is our view as a group. This is our view of the bill, and this is what we should be.
Dejan Kosutic: The discussion must have been interesting there in the parliament. Right? It is. Did they really understand what you were saying there?
Brian Honan: Some did and some didn't. It was interesting. Some of the questions you got, you're going, oh, yeah, this is like my grandfather asking me. Well, not my grandfather.
Brian Honan: He's gone, but this is like somebody who has used a computer but doesn't understand cybersecurity asking me questions, but other people were different. It depends on, you know, the committee is all politicians. Some of them are better briefed than others. And in that type of committee, you're actually sworn in as a witness.
Brian Honan: It's a very serious experience. You have to make sure you answer questions correctly and that you're
Dejan Kosutic: Yeah, yeah. And I'm asking you this because you also mentioned earlier that, I would say, speaking about cybersecurity in business terms so that, let's say, the business side can understand you is very important, right? So how do you actually achieve it? I mean, how do you actually translate this cyber or IT language into a language that a business can understand?
Brian Honan: Yeah, I think, well, first of all, you have to appreciate and understand the business you're engaged with. So as a consultant, we have clients that are in the public sector, so government bodies; we have clients who are in retail; we have clients who are in hospitality. We have clients who are in health care. We do a lot of work with charity organizations. We've companies that are software, IT technical companies, and each of those businesses has different goals.
Brian Honan: You know? So if we're working with a government agency, we don't talk about profit, because government agencies don't make profit. And similarly with a charity, we don't talk about profits to charities, because that's not what they're concerned about. Health care, or maybe if they're a private health care provider, yes, profit is part of it, but ultimately their interests are making sure they're looking after patients. So you have to understand the business and translate into their key concerns.
Brian Honan: So, you know, a charity, for example. Most charities rely on donations, so you need to talk about, you know, protecting the information they may have about the people who use the charity, because some of that could be quite sensitive, particularly if you're dealing with charities who deal with people in, you know, tough situations. So that's the information you need to protect. They're worried about donors, and then they're worried about reputation. You know? So from their point of view, if they have a cyber attack, yes, there could be GDPR implications if personal data is lost, but also maybe loss of confidence in them as an organization, that people won't donate money anymore. Or some charities actually will have people who donate money, and they might be famous people or well-known people who do not want it to be known they've given money to charities, and that information will be worrisome.
Brian Honan: So it's understanding that to get there. So, yeah, understand the business. And, you know, don't talk about firewalls or cyber attacks. You know? I remember one client, and the CSO in the business was presenting to the board, and he was going, oh, we get 2,000,000 cyber attacks against our firewall every day.
Brian Honan: And, you know, you could see people on the board that, a, didn't understand what he meant, and, b, they were going, 2,000,000, that's a lot. Don't we need to be worried about that? You know? And, like, the language should be more, you know, we are obligated under GDPR or NIS 2 or DORA to have this in place.
Brian Honan: These are the risks identified that we need to address, and have proper risk statements. I don't know, but I'm sure you've seen it as well, Dejan, where you go in and somebody says, oh yeah, we've got a risk register, and you go, okay, can I see that please? And they go, yeah. And there might be one line, and hacking is the risk. And you go, that's not a risk register.
Brian Honan: And that's not even a risk. That's just a word, you know? Yeah. You know, the risk is we could face fines under GDPR if we were to have unauthorized access to customer data. That's the risk, and business understands that.
Brian Honan: You know? So speak in terms of risk. Speak in terms of what they can do to support the cybersecurity function. So you have to go with your ask, you know, the ask you have. You have to couch that in a language that they understand, and, you know, whether it's money.
Brian Honan: And you have to say, we need €25,000 for this investment because otherwise, this will happen. But do couch it in language they understand. Don't say we need €25,000 for a state-of-the-art next-generation firewall that's using AI intelligence to stop the hackers. They won't care about that.
Dejan Kosutic:Not going to work. No.
Brian Honan:Not going to work. Exactly. And then, you know, using maybe a maturity framework. You know, there are quite a few of them around. You can use a maturity framework and say, you know, a business this size in this industry should have on average a maturity score of three out of five.
Brian Honan:Your score is 1.8. This is what we need to do to get to three. And once you're at three, we need to maintain that program or continue to be above average if you want. And that's a way to get non-business, non-technical people, non-cybersecurity people better engaged in cybersecurity, in my opinion.
Dejan Kosutic:Oh, this definitely makes sense. I mean, this understanding the business, this risk management approach, this benchmarking. But did you ever try to, let's say, think about how to achieve a competitive advantage through cybersecurity? So are there any examples maybe of using cybersecurity in that way?
Brian Honan:Yeah, absolutely. Even before NIS2 came along and started talking about securing your supply chain, I was saying to boards and customers, you know, as you engage new customers, you're probably gonna be getting supplier questionnaires, and we've all seen them. These are, you know, a hundred, two hundred questions. You know, do you have antivirus software in place? Yes.
Brian Honan:Is it installed on all computers? Yes. Tick. Tick. Tick. Tick. And you then have to provide a whole lot of additional information. So I always use the argument that having a mature cybersecurity framework in place means you can answer those questions quickly. You can answer them effectively and truthfully, and you can provide evidence quite quickly when asked. I always take the next step and say, if you're certified to a standard like ISO 27001, this means that you as a business can be confident that you're following the industry good practice for cybersecurity.
Brian Honan:It's not a guarantee you won't be hacked, but it means you can have confidence that you're doing the right thing. It also means you can project to your customers and potential new customers that you have good cybersecurity in place. So if they're looking for a partner or somebody to buy services or products from, the fact that you can reassure them that you've got good security in place to the level of an international standard probably means you're gonna have a better chance of winning that business than a competitor who doesn't. Nowadays, it's probably even more important with NIS2 and DORA all now putting a stronger focus on the supply chain, and the companies regulated by those directives need to prove they manage the cyber risk in their supply chain. And, yeah, so they're gonna get tired of sending out questionnaires to everybody.
Brian Honan:So being able to talk to a company or business that can demonstrate they've got good cybersecurity in place will be a positive step.
Dejan Kosutic:Yeah, basically both NIS2 and DORA actually require suppliers of these companies in scope to be compliant with a standard. They don't state 27001 per se, but I mean, 27001 is probably the most popular standard around.
Dejan Kosutic:And from a consultancy point of view, what would you say is a bigger opportunity? Is it NIS2 or DORA?
Brian Honan:It's a very good question. I've actually never thought about it. I wouldn't split the two because if you examine them, they're very similar. It's just that they apply to, you know, they can apply to niche areas. So NIS2 actually covers the majority, you know, covers the financial sector as well.
Brian Honan:DORA is very focused on the financial sector, but maybe has a broader scope, to take in fintech and other types of bodies as well. So, yeah, look, we have services that we've developed for NIS2 and we've certainly developed for DORA. There's not a huge difference between them. There are specific requirements that you need to be aware of that are slightly different. But that's a good question.
Brian Honan:I'll probably need to ask that question of my chief commercial officer and ask him where he sees the opportunities.
Dejan Kosutic:Actually, it might be more like a marketing question because obviously, NIS2 is intended for these critical infrastructure companies, DORA for the financial industry. So the question is really where do we have a better entrance, which of these industries have better channels to penetrate, right?
Brian Honan:I actually would turn it around and think, if you focus on those areas, right, so look, we're a small consulting firm. We're 30 people. And many people listening to this are probably a similar size or smaller, maybe slightly bigger. But the regulated entities will probably go for the big traditional consulting firms to help them Mhmm. Become compliant, because they all say nobody gets fired for buying IBM.
Brian Honan:You know? But my belief is the opportunity is in the supply chain. Mhmm. Yeah. So it's not just those regulated bodies.
Brian Honan:What DORA and NIS2 are doing is putting focus on the supply chain, and it's requiring companies outside the scope of those directives and regulations to improve their cybersecurity. And that to me, I think, is the bigger opportunity, because if you want to do business with those organizations, you have to be able to demonstrate progress.
Dejan Kosutic:Yeah. And there is a multiplier of what? Let's say x5 or x10. I mean, there are as many suppliers to one company. Right?
Dejan Kosutic:So it's definitely, this is a much bigger opportunity.
Brian Honan:We have one client who has 3,000 suppliers. Wow. Now how many of those are in their cybersecurity risk register? Probably not all 3,000, but there'll be a significant number there. You know?
Brian Honan:And as you said, we multiply that by the number of other bodies, banks, financial institutions, government agencies, telecommunication companies, and their suppliers, you know, that chain is Mhmm. It's big, and there's lots of Very big. Yeah. Lots of scope. Yeah.
Dejan Kosutic:Okay. Now from a consultancy point of view, there are other regulations that are now coming out: the EU AI Act, of course, the Cyber Resilience Act. What do you think? Where are the biggest opportunities for consultants?
Brian Honan:I think the big opportunities are, traditionally, if you like, the IT security, the cybersecurity sector has been a very technically focused area, you know, like you and I, Dejan, have probably, you know, we've both been in the ISO 27001 world a long, long time. And, you know, we've observed maybe lots of other companies specialize more and more on the technical aspects of cybersecurity because that's where the cool stuff is. The hacking and the configuration and social engineering and all that sort of stuff. That's where the fun is. You know?
Brian Honan:Writing policies and doing risk registers is not exactly the most exciting stuff to me, unfortunately. You know, but if you want to grow your business and you want more clients to engage with you, I do think you either specialize in a technical area, you know, you become a company that's very good at penetration testing, and you work at that and maybe you partner with other companies who specialize in governance and risk and all that, and they can use you for their clients. Or you specialize in governance and risk because Mhmm.
Brian Honan:Cybersecurity is becoming a bigger and bigger business issue. Yep. You know, when I set the business up in 2004, the people I was talking to were IT people. It was the head of IT. It was an IT manager who wanted a penetration test on his firewall or Mhmm.
Brian Honan:Etcetera. You know? Now we're talking to CFOs, CEOs, boards, risk committees, you know, people who are not technical, but who want this risk to their business to be managed. So the opportunity is spreading. Mhmm.
Brian Honan:But if all you're selling is technical services, it's only gonna be the technical people you're gonna be talking to. Yeah. Whereas if you're talking governance and risk and compliance, you can demonstrate, prove, you have expertise in these areas and you can advise your clients in those areas. I think you're going to have a broader market to target. Now, the key thing is to prove and demonstrate you've got expertise in those areas.
Brian Honan:Everybody can turn around and say, yeah, I'm now an expert in AI. I'm an expert in the AI Act or an expert in the CRA. And I do think as an industry, that's something that we do have to address. You know? I don't know what it's like in Croatia, but here in Ireland, as a business owner, if I have a problem with the electrical wiring in my office, I have to hire a certified electrician who's registered with a government body.
Brian Honan:And if that person doesn't do the job to certain standards or in a certain way, they can lose their license. And the same with a plumber. If I wanna hire somebody to, you know, set up my firewall or do a penetration test...
Dejan Kosutic:Anyone can do it.
Brian Honan:Anybody can say they're an expert. And it's down to me as the buyer to be able to prove that. So I do think we will probably see some, and we should maybe encourage, some sort of scheme that people can demonstrate and prove that we are experts in this area and that we are licensed to practice in this area. But more importantly, there's accountability. So that if you're saying you're an AI expert, but you've only just read a white paper on the AI Act and now you're gonna advise some clients on it, there has to be accountability for when you give those clients bad advice, you know?
Brian Honan:So, yeah, I think that's something that, it's not very popular when I say that, but I think it's something that we have to address.
Dejan Kosutic:Yeah, but this is definitely an important thing, this kind of licensing of this whole industry and then consultants within it. Yeah, certainly something that needs to be put forward. Okay, so let's wrap up this discussion today. So, what would you say are kind of the top things that consultants should keep in mind when building their, let's say, successful career?
Brian Honan:Well, that's a very good question. I often joke: have plenty of coffee to keep you going, and maybe plenty of whiskey in case things go bad. You know, often when we talk about setting up a business, people think, oh, suddenly you're gonna be a millionaire or suddenly you're gonna make loads of money and things are gonna be successful. But it's a very, and I'm sure you've had the same experience as well, and everybody on this podcast is the same.
Brian Honan:It's a very bumpy ride. It's like a roller coaster. You have periods of time where you're very, very busy and things are going great, and then you zoom down to where things can be a bit scary and maybe not going as well as you think. So my advice would be, a, have patience. Believe in your mission, you know, have faith in your mission, but also have good mentors and good advisors.
Brian Honan:And that's either people outside the business who you can rely on for good advice or people in your business, you know, colleagues that can give you good advice. And when you're making a decision and it's a wrong decision, that they're able to tell you you're wrong, and you should be able to admit you're wrong as well. So it's surrounding yourself with good people, having patience and, yeah, lots of coffee.
Dejan Kosutic:And whiskey.
Brian Honan:And whiskey. But hopefully more coffee than whiskey, because being addicted to caffeine is one thing, but being addicted to alcohol may not be so good for your business.
Dejan Kosutic:Okay, great. So thank you very much for this insight, Brian. It's been a pleasure talking to you.
Brian Honan:Likewise. Thank you very much for having me.
Dejan Kosutic:Thanks again, Brian. And thank you everyone for listening or watching this podcast, and see you again in two weeks' time in our new episode of Secure and Simple podcast. Thanks for making it this far in today's episode of Secure and Simple podcast. Here's some useful info for consultants and other professionals who do cybersecurity governance and compliance for a living. On the Advisera website, you can check out various tools that can help your business.
Dejan Kosutic:For example, Conformio software enables you to streamline and scale ISO 27001 implementation and maintenance for your clients. The white label documentation toolkits for NIS2, DORA, ISO 27001 and other ISO standards enable you to create all the required documents for your clients. Accredited Lead Auditor and Lead Implementer courses for various standards and frameworks enable you to show your expertise to potential clients. And a learning management system called Company Training Academy with numerous videos for NIS2, DORA, ISO 27001 and other frameworks enables you to organize training and awareness programs for your clients' workforce.
Dejan Kosutic:Check out the links in the description below for more information. If you like this podcast, please give it a thumbs up; it helps us with better ranking, and I would also appreciate it if you share it with your colleagues. That's it for today,
