U.S. vs International and European Cybersecurity Standards | Interview with John Verry

Dejan Kosutic:

Welcome to the Secure and Simple podcast. In this podcast, we demystify cybersecurity governance, compliance with various standards and regulations, and other topics that are of interest to consultants, CISOs and other cybersecurity professionals. Hello. I'm Dejan Kosutic, the CEO at Advisera and the host of the Secure and Simple podcast. Today's guest is John Verry, and he's the managing director at CBIZ Pivot Point Security, a consulting company based in New Jersey, United States.

And he has huge experience: more than a thousand clients and twenty-five years in this business. So lots of things to talk about. And he's actually deeply engaged with various frameworks, including international standards like ISO 27001, ISO 22301 and PCI DSS, but also US frameworks like CMMC, the NIST Cybersecurity Framework, HIPAA, and others. So in today's podcast, you'll learn what kind of opportunities are out there with various cybersecurity frameworks.

So welcome to the show, John.

John Verry:

Thanks for having me on, Dejan.

Dejan Kosutic:

You're welcome. And just to ask you first, what do you prefer? I mean, out of these many frameworks, which ones do you prefer to work with the most, I mean, as a consultant?

John Verry:

Good question. Historically, I'm an ISO 27001 fan. You know, that's originally how I became aware of you back early on. You know, I'm going back to 2006, you know, right after the standard had been published, we helped in Oregon, New Jersey get ISO 27001 certified, and we were starting to put content out there. You were putting a lot of content out there.

I read a lot of your content over the years. You've contributed a lot. The reason I like 27001 historically is the fact that it is a non-prescriptive framework. Right? And it gives you the flexibility of managing risk.

It gives you guidance on how to manage the risk, but it gives you the flexibility to manage that risk in manners which are most appropriate to your organization. Right? So it provides a lot of flexibility. It's great when you can use the same framework to protect very sensitive data like, let's say, troop movement, and very unsophisticated data like the formula for a widget that a manufacturer makes.

So historically, I'm a huge ISO 27001 advocate for that reason. I have grown to appreciate some of the other frameworks a little bit, you know, because none of them are perfect. I mean, where I love 27001 for that flexibility, inherently, someone can be 27001 certified and that flexibility gives them a little bit of wiggle room, and it might not be as mature or well executed a program as one that would be validated by a framework which would have more testing of the actual operational controls, you know, the sort of SOC 2, CMMC, HITRUST, something of that nature. So I've kind of grown to... still, ISO is my favorite.

I love the extensibility and flexibility. I love the common management system across 27001, 27701, 22301, 9001 for our manufacturing clients, now 42001. So I'm still in that camp, but I'm a little bit more appreciative of some of the other frameworks as well. Yep.

Dejan Kosutic:

And, yeah, I also see this with these European regulations like DORA and these two; basically 27001 gives a very good, I would say, baseline, and then you can build on it everything that these other standards, sorry, regulations actually require. And when speaking about these other frameworks that you mentioned, what kind of, let's say, add-on do they have on top of 27001? What do you like in these other frameworks that you mentioned?

John Verry:

So historically, I was not only not a fan of, I disliked, HITRUST. But, you know, recently I have been more exposed to it. You know, I think some of the things that they do there with not only the extent and rigor of the audit, and the depth to which they're validating the operational effectiveness of the controls, is a bit more. But they also have an interesting concept around, in order to be certified, you need to have a passing grade in each of the domains.

So there's more of a recognition, if you will, that a failure in a single domain can lead to a broader challenge to the overall effectiveness of the cybersecurity program. You know, so that would be something like, as an example in a different framework, that I look at and go, you know what, that's kind of a clever and pretty good idea. An interesting one is ISO 42001, and in 42001, you know, they introduced the concept of an impact assessment as opposed to just a risk assessment, right? So where risk assessment historically is the risk to us as an organization, an impact assessment is the risk to the users of said system and society as a whole. And it makes me think that that's really kind of a cool concept that we should use in ISO 27001 as well.

Right? Why should we a provincialist like, well, yeah, our tool our tool, you know, it's not a big risk to us, but we could destroy the world. But let's not worry about that. Right? And in that case, another one, you don't need to.

So that'd be another example of a place where I've seen something in another framework that I looked at and said, dang, that's a good idea. We should use that more broadly.

Dejan Kosutic:

Is there any similarity between this impact assessment for 42001 and the business impact analysis in 22301?

John Verry:

I'm a super knowledgeable 22301 guy, but I don't think so. Because the system impact assessment, right, you know, with AI, right, we have to be cognizant of the fact that if we are a producer or a provider of AI, and our AI, let's say, exhibits bad behavior, whether it's, you know, let's say bias, right? Yeah, we have to be aware of what would be the impact on the subject of this, right? So if I'm producing an AI-enabled SaaS application that does employee screening, right, or resume screening, right, if my AI is biased, right, I could have a negative impact on a particular race or creed of people. Right?

And if you take this to an extreme, if I was developing artificial intelligence that was part of a weapons program, right, I mean, I could launch an attack that could destroy the world. Right? So that's impact assessment, right? You know, where our risk assessments historically are about risk to the company, risk to the end.

So, that's what I mean. I don't think 22301 has kind of done that yet, but I'm not a 22301 guy.

Dejan Kosutic:

No, I mean, yeah, this business impact analysis from 22301 is more focused on, let's say, particular activities or particular departments within the company, and basically how the disruption actually impacts the business. So it's not really the same focus as in 42001. And going back to HITRUST, where do you see the biggest market there? I mean, which companies are actually requiring their suppliers or anyone else to have HITRUST?

John Verry:

Historically, HITRUST started, I think, with health care. Health care was the age of HITRUST. It no longer is. So what they've tried to do with HITRUST over the years is evolve it from being a healthcare-specific framework to being a more general cybersecurity framework. And they're integrating some well implemented within the single framework you can it's flexible.

It ranges from, you know, they have three different levels. Right? You know, E, I, and R2. Right? You know, and the E starts at like 19 controls, sort of entry level, self-assessed.

44 is first level. And I might be a little off because I'm not an expert in this. But 44, I believe, is the second, the I1, and that is the first level of third-party assessment. And then if you go to R2, which is the original, historic one, you know, that is hundreds to thousands depending upon all of the different add-ins that you can add.

Like, you know, privacy or artificial intelligence and things of that nature. So it sort of is combining the best of ISO and the best of SOC 2. Right? Because SOC 2 doesn't have the governance, the management system to assess, and so you gotta bang the hell out of the controls, we like to say. Right?

You know, you do a lot more control testing, where ISO doesn't rely on control testing because we're relying on the management system, and we put more effort into the assessment of that. Think of HITRUST as kinda taking the validation of the management system, because it does require a management system, and then it also beats the hell out of the controls. So it's sort of the equivalent of a client having an ISO and a SOC on the same scope.

Dejan Kosutic:

Okay. And I mean, SOC 2 is primarily, let's say, from the market point of view, interesting in the United States.

Is it the same thing with HITRUST, or is this more worldwide?

John Verry:

I think it's predominantly at this point, you see more of it in the US. We are seeing indicate with some of our international clients. It still does have, you know, the clients that we have that are HITRUST tend to be in the healthcare space, right, for either historical perspective or the United Health groups and CIS, CSD, WellPoint and Anthems tend to be the orgs that are still most frequently requesting it. But we're not starting to see it leak out into other areas. And I think it's gonna be a viable competitor in the marketplace.

I think it's an interesting shakeout period as to which of these frameworks, because it's getting complex and burdensome for our clients. So we have a client we're working with right now. They're ISO 27001, they're SOC 2, and they're HITRUST, and they're looking at me and going, like, do we really need all this? I'm like, no. Okay, what?

And now you're going out and you're fighting with your customers to say, hey, I'll give you an ISO or I'll give you a HITRUST. You don't need a SOC 2, right? So we're trying to subset down what they actually have. It gets even more complex now with, you know, if you're a healthcare provider, and you're providing, let's say, healthcare services to the VA hospital system. Okay, well, now you've got controlled unclassified information, right?

You know, so now you're in the CMMC world as well. So you think about it like, you know, I got one client that wants 27001, got another one that wants SOC 2, I got another one that wants HITRUST, got another one that wants CMMC. You know, it's nearly impossible if you're a, you know, a 100-person, 200-person SaaS provider, to be able to have the team and dollars to maintain that many certifications.

Dejan Kosutic:

Yeah, and how is HIPAA related to HITRUST since both of them are actually basically focused on health providers? So what is the connection between them?

John Verry:

Well, HIPAA obviously is the US requirement, promulgated out of the US government, right, HHS, CMS, and OCR, etcetera, right? So that's a, hey, if you're going to process this, this is the legal requirement that you have, right, to do that. Where HITRUST is more an ISO equivalent, which is voluntary, and it's a mechanism of providing assurance to a third party that the data in scope is being treated in accordance with the framework, the controls therein, based on the context of the organization.

Dejan Kosutic:

Okay, because I'm asking this because in most cases when it comes to ISO standards, companies go for ISO standards because they are required by their customer, so by their buyer. So when it comes to HIPAA and HITRUST, if the health providers are obliged to do this because of, I mean, if they must comply with HIPAA, why would they then comply also with HITRUST? Is there some additional, let's say, push from the supply chain or something like that?

John Verry:

Yeah, it's exactly the same reason. It's an alternative side. Increasingly, you're seeing when you get your third-party security assessment, the due diligence that's being done on you as a, let's say, a third-party service provider. You know, it's: are you ISO 27001 certified, SOC 2 attested, or HITRUST? Right?

And it's, you know, pick one, and okay, that's gonna help you pass their security due diligence and acquire them as a customer. So HITRUST is one of those ones that allows you to do that. Right?

And I would kinda say, like, you know, HIPAA, you know, is more akin to PCI DSS and more akin to New York State DFS 500. I look at ISO as being a mechanism to address the contractual obligation, and then being part of contractual obligation is also achieving requirements, meaning legal requirements, which is the HIPAA or payment card, that PCI is legal, but it's still an obligation. Yeah, for paying providers.

Dejan Kosutic:

If you compare, for example, SOC 2 and 27001 and HITRUST in the US market, which one is kind of the most popular? Because, you know, here in Europe, obviously 27001 is dominant when it comes to a standard. Right? But there is SOC 2 in the US. So which one do you see actually is kind of having the biggest market share?

John Verry:

That's a great question, and I don't know that I'm actually the right person to ask that, only because we're known for ISO 27001, right? If you do a search, you know, you're gonna find, you know, content from Pivot Point Security, now CBIZ Pivot Point Security, on the web because they haven't migrated all the content over to the CBIZ website yet. But, like, we're known for ISO. So the vast majority of our clients are ISO 27001. That being said, there's a lot of SOC 2 out there, right?

And it's a wide extent. Within the US, there's a ton of SOC 2. So what I would say is that I think they're both fairly, they're both significant in the US. If I had to guess, I'd say there's probably more SOC 2 than ISO. And it makes sense because, you know, the companies that are going in like CBIZ, right, because we're now the seventh largest firm.

You know, we have a CPA. You know, we're a CPA company as well. You know, the companies are coming in doing tax and finance and attest and providing, you know, guidance to leadership, on that side, or saying, well, you should have a good cybersecurity program. By the way, we can do SOC 2. So I think historically, that's how that stuff got in.

Where we saw ISO 27001 begin to leak into the US was more of those companies that had clients that were either European-based or that had European operations.

Then we saw certain industries begin to adopt ISO specifically. So despite the fact that there is a lot of SOC 2, in the legal vertical in the United States, ISO became sort of the de facto, 27001 became the de facto standard there. It was promulgated by, there's an entity here called the International Legal Technology Association, ILTA, which is a really significant player for law firms. And their LegalSEC council or committee, I forget what they call it, suggested that ISO 27001 was a good framework for law firms to align with. So if you look at the top 200 law firms in the world, the vast majority of them are ISO 27001 certified.

Not sure if I know of any that are SOC two.

Dejan Kosutic:

Interesting. Yeah. Do you also work with clients that are in Europe, that are from Europe?

John Verry:

Yeah. But I would say we are US-centric. Now we have, you know, very large car manufacturers, some plane manufacturers, like we work outside of the US, you know, some really cool, you know, technology companies, some really good SaaS companies. But I would say we tend to do, I'd say, 80-plus percent of our business is probably US-centric companies. Now many of them have overseas operations, but we do have clients that are, you know, Denmark and Sweden and Great.

Dejan Kosutic:

Great. This is a great success. And do you see some, let's say, differences when you work for an American client and when you work for a European client? Is there, let's say, a different way of how they work with consultants?

John Verry:

It depends. I would say that we've had some experiences where, you know, I think it depends on the country. I think it depends on the culture. I think it depends on the language. You know, there are different norms of business in different countries.

Right? I mean, I think people know, like, you know, in Japan, the culture is a bit different, you know, the way that they entertain guests, you know, same with France, right? You know, in France, like I've done business in France and visited France on business trips, and, you know, they feel an obligation in the evening to entertain you. Right? Like, you know, every night they want to, you know... they also, it's more common that stretching the truth is sort of accepted business.

You know, it's sort of like the way you negotiate. Like, you know, I think most people expect that when you go into a negotiation, you know, that someone might start a little higher than they want, someone might start a little low, because you know you're gonna meet in the middle. Like, you know, in different cultures, in France, like stretching the truth on certain things is just sort of, it seems to be more the way that they, and we probably just bought all of them customers. But anyway, it seems to be more like, you know, accepted there. Right?

It's like, you know, it's part of the way that it's an expectation. So we see things like that that are a little bit different. The other challenge that I think is harder about working in other countries sometimes is language differences. You know, if a customer really would prefer that their documentation is aligned with, you know, their native language, you know, that can be a little bit challenging, can be a little bit difficult. Some of the human resource laws, regulations like that we're comfortable with, that do very well here in the US, are different in overseas markets, and you have to be cognizant of that.

Dejan Kosutic:

Yeah. Because I'm asking you all of these things because, of course, more and more of consulting work is done remotely. Right? And very often, European consultants are thinking about penetrating the US market. And I assume also US consultants are thinking the same about the European market.

And I'm wondering, is this really realistic that, you know, you actually start selling your services, you know, overseas? I mean, over the Atlantic? Is this something that can really be done or is this only kind of something that happens every now and then?

John Verry:

At least our, so first off, anyone who is a European consultant, stay out of the US. It's horrible here. You don't wanna... I'm joking, Dejan. I don't want them to compete with us. But what I would, that's a really good question.

I think in general, and it's weird, right, because it shouldn't theoretically matter much if I'm virtual. If I'm virtual in New Jersey and you're in England, or I'm virtual in England and you're in England. But I have found that I think most organizations would prefer to work with somebody who's local. So I would say that in general, when we compete with an organization that is local, you know, in a country, Europe somewhere, I think that, all things being equal, price, competency, they would favor the local entity.

It's just a higher comfort level. I would say we win when we work and we win projects overseas, I think it's generally because we have a unique characteristic specific to that type of engagement. So it might be that we've done work with many of the largest law firms in the world. And let's say, you know, you did them, and I know you did them.

And they're our peers. We know you got them certified. You'll be able to get us certified. We're going to pick you. We just did a big project overseas where the client wanted to be ISO 27001 certified, but they also wanted to be CMMC tested.

Right? So if you are in the defense industrial base supply chain to the US, you know, CMMC comes into play. So they want to, you know, and we have expertise in CMMC and ISO, and it would be unlikely that a European consultant would have that combination of expertise. So, you know, that would be an example. So I would say if you're listening to this and you're a consultant and you're in Europe and you wanna work in America, you know, look for those opportunities where, so as an example, I think you'd have a natural advantage, right, if a client was struggling with GDPR, if a client was struggling with the EU AI Act, if a client was struggling with DORA, right?

You know, because I think inherently, because you spend a lot of your time dealing with those three frameworks and we spend less time in the US dealing with those frameworks, I think that you are going to have a competitive advantage. And I think if you can promote that competitive advantage, you'd have an opportunity to win more work here in the US.

Dejan Kosutic:

Yeah. Yeah. So definitely, I mean, if you have a very distinct competitive advantage, if you have some distinctive know how or skills, then you may actually penetrate these markets. Otherwise, it's it's really difficult.

John Verry:

Oh, great. The other thing too is, you know, be careful what you wish for. You might just get it. You know, it's not easy working overseas. Right?

You know, when we do, you're working, you know, six or eight hours difference. So there's time zone differences, like you said, there's culture differences and things that you need to get used to. So those would be some of the other, I think, challenges of doing that.

Dejan Kosutic:

Yeah. You mentioned GDPR, so obviously in Europe, this privacy law is centralized, right, for all the countries in the European Union, whereas in the US, I noticed that basically every state is publishing their own privacy law. So, how do companies actually, I mean, companies that operate nationwide in the United States, how do they manage this multitude of privacy laws?

John Verry:

To be honest with you, Dejan. Like so, first off, we have not in the US advanced nearly as far as you guys have with privacy. Right? So a lot of these laws have come out. Many of them are not yet fully in effect.

Even in places where they're in effect, I think a lot of American companies have not yet gotten to a point, you know, they're putting privacy programs in place, but they're not putting truly compliant privacy programs in place. I feel bad for it. Like, we have a client, really a client we work with very closely, they handle a lot of private information, PII, and I think they have 79 different regulations that they're trying to comply with. You know, it's 15 or 20 US frameworks and the overseas ones. So it's a nightmare for everyone, because even a European company, if you're doing business in Brazil, if you're doing business in, there are literally many, many dozens, probably more than 100 privacy regulations around the world in countries as. So they've gotta do something about this.

Now the good news is that GDPR, for better or for worse, is exceedingly comprehensive, and laid a framework, a foundation that I think everyone else has built on. So the good news is that they're all built around the same core principles. It's just the subtleties of this one does require this or doesn't, or the reporting period is this, or the terminology that they use is, you know, RoPA versus data map. You know, it's just, I mean, it'd be great if it was just one framework. In the US, by the way, and I mean the big guys, like, you know, the Googles, Microsofts, they've gone to the federal government and they're pushing for a single privacy regulation, they just don't wanna have to deal with the 20. And then I think in the big beautiful act, you know, this Donald Trump thing, you know, the law that just passed, he is trying to block state regulations around AI because we have the same problem happening in AI.

Right? You got New York City bias act, and you got the Colorado AI law. So the states are starting to regulate AI within their states independently, which is gonna create the same kind of challenge. Right?

Dejan Kosutic:

And by the way, ISO 27701 can also help handle various privacy regulations.

John Verry:

And by the way, the client that I was referring to is ISO 27001, ISO 27701 and ISO 42000. So I agree with you, 27701 helps, but it's still exceedingly difficult.

Dejan Kosutic:

Yep. And in the US, is this, let's say, business of helping these companies with regulations, is this mainly on consultants or is this mainly on law offices? So who are actually the major players for helping companies out with privacy?

John Verry:

Good question. I think it's a combination thereof. Right? Because I think where, even with AI, especially if you look at the EU AI Act. Right?

There's a legalese component to it, and there's definitely a legal component to privacy. But you can't have privacy without a good cybersecurity program, right? So, realistically, I think in a perfectly architected solution, you've got a JD, a lawyer, that is interpreting what needs to happen, defining that, and then providing those requirements downstream to the cybersecurity team, which is responsible for ensuring that the implementation of the controls is capable of meeting that. Right? So, like, if you don't have a good data governance program in place, you're not gonna be able to comply.

So I think that IT, of course, is gonna be responsible for ensuring that you can service a data subject access request. So I think that it's a combination thereof.

Dejan Kosutic:

Okay. Now, you mentioned AI several times. So do you see, or better to ask you, how much do you see of AI as an opportunity for consultants?

John Verry:

I think it's massive. You know, because at the end of the day, think of it this way. Every SaaS application, right, SaaS applications are now what? 50% AI-enabled, 60% AI-enabled, you know, going towards probably 80 or 90% AI-enabled. You know, I was working with an attorney recently, and, you know, I was talking about the fact that they really need an AI risk management program.

He kind of was dismissive of it. And, you know, he happened to be a big M&A guy. And I said, okay. He goes, because we're not using it. I said, you're using it every day.

You just don't realize it. You know, I said, do you use Grammarly? He goes, oh yeah. I said, do you spell check all the M&A documents that you do? Oh, absolutely, of course.

I said, have you ever looked at your Grammarly? I said, let's log in to Grammarly. You know, we log in to Grammarly, and, you know, it says in Grammarly's use, what do they call it, licensing, it says, we will use your data to train our models unless you tell us not to. And let's see if you told it not to. Nope, that button is not checked.

I said, so just so you know, every document that you've proofed in the last n period of time, that data is now sitting in their environment. And, you know, it's not likely with Grammarly, but with other applications, that data might have come back as a response in the GenAI app. Right? So I think the opportunity is massive because, you know, every SaaS client that has ISO 27001, you know, they have it because clients ask them about their cybersecurity program.

We're telling every client, you need to build an AI inventory, you need to know about these use cases, and you need to ensure that the third parties that are providing this AI to you meet the requirements of AI, right? You know, secure, transparent, repeatable, explainable, all the wonderful things that we want, resilient, secure, all the wonderful things that we want. So I think you've got that side of it. Then the other side of it that you've got is you've got the idea that these organizations, you know, if you go into even a mid-market firm, a mid-market firm has got what, probably 200 AI-enabled applications, excuse me, SaaS applications in use. Let's say that 120 of those are AI-enabled.

Like, okay, you gotta build an AI acceptable use, you gotta build an AI intake program, you gotta update third-party risk management programs to address this. You know, I mean, like, yeah, this is gonna be, if you're a consultant and you're not becoming knowledgeable on ISO 42001, the NIST AI Risk Management Framework and the EU AI Act, yeah, you're hurting your opportunities to be useful to your clients.

Dejan Kosutic:

And so what is kind of the relationship between 42001 and the NIST AI Risk Management Framework? So is there a big overlap, or...

John Verry:

Yeah. They're, you know, when we, like, if someone comes in and asks us to, let's say, do an AI risk management review, right, gap assessment, if you will, you know, we'll do it against one, the other, or a combination thereof. You know, and the combination thereof is, you know, there's a significant, significant level of overlap.

Dejan Kosutic:

So are you saying that there is also an overlap between AI governance and cybersecurity governance?

John Verry:

That's an interesting question. Yeah. I mean, obviously, AI is a component of cyber and vice versa. Right? I mean, it's sort of like Venn diagrams, I guess you would look at it as. You know, because, it's sort of like saying IT, I mean AI is almost becoming like an underlying utility like, you know, like IT has become an underlying utility, right? We no longer think of it as being independent of it, you know, but yeah. And another thing people get lost of this, you know, especially if you're doing AI development or you're a provider or producer of AI. You know, it's effectively an application, right?

So application security still is, you know, a core component of it, right? Ensuring that the systems, the clouds, the servers, whatever it's running on, right, are secured as well. Ensuring that you've got good user access management, ensuring that you've got good logging and validation, that you're metric metric in the application. All of that stuff is really, it's just one more element of cybersecurity that needs to be managed, right, by 27001.

Dejan Kosutic:

Yeah. I see lots of cybersecurity consultants that are actually adding AI governance as part of their offering. Some of them are even thinking about switching completely to AI because they see also a great opportunity there. So, yeah, I mean, it's obviously a very good thing, which actually I wanted to ask you, do you think that cybersecurity consultants are the best positioned to actually move towards AI consulting, or it doesn't really matter? I mean, this cybersecurity background wouldn't matter there.

John Verry:

It's a great question. I would say people who have a cyber IT background. When you look at what AI really is, and we look at the underlying core, I mean, understanding machine learning, understanding programming, understanding data normalization, a lot of these are about understanding application development, right? So I think coming from that technical discipline, and then of course cyber sitting on top of that, puts you in an advantageous position versus someone who wouldn't come with that. I do think that you could also make the same argument like we did with privacy, right?

John Verry:

That coming from a legal perspective, like if you're a JD, a lawyer, there are probably things you bring to the table. Like, you know, the EU AI Act is a challenge to kind of interpret and figure out if you're not a lawyer. So I do think that those are probably the two most advantaged skill sets for moving into AI governance and AI risk management.

Dejan Kosutic:

Great. Okay. So let's wrap up the discussion today with a last question. What would be your, let's say, suggestions to consultants that are in the cybersecurity and AI space? What do you think they should do or focus on?

John Verry:

The one thing which I think, just in general, when we hire someone new, I always kind of try to get across is, you know, we're not here to implement cybersecurity. We're here to help a business. Right? And you can't help a business until you really understand the business. Right?

John Verry:

You know? Because you want to make sure that your recommendations are properly, I'm going to use the term, contextualized. And it's funny that you use the term contextualized, because clause four is context. And to me, if you don't really understand the business, if you don't understand the types of data that they process, if you don't understand their business objectives, or you don't understand what laws and regulations apply to the data, what client contractual obligations they have, what cyber liability insurance obligations they have, where the business is right now, where the business needs to be in two years, where the cyber, privacy and AI programs need to be to enable them to get there, I don't think you can be very good at it. Right?

John Verry:

Inherent to that, of course, is understanding the risks to the business. You know, risk from a technical perspective, but I think you need to also understand that the biggest risks to a business are often business risks. Right? Failure to comply with a law or regulation, failure to achieve a client contractual obligation, failure to get time to market, right? So you might have to compromise on a control in order to get to the market in a timely basis, right?

John Verry:

You might have to, you know, like, for a minimum viable product, security features might not be all the way there, but you've got to be willing to accept that. And one of the cool things about ISO, one of the things I go back to ISO for as being still my favorite, right, is that within ISO I can rationalize that to an auditor, right? An auditor could say, hey, you should have this, and you're going to say, yes, we're going to do that, but you know, the business has accepted this risk because of this unique business constraint. So I think that's an important part of that as well.

John Verry:

And then, you know, part of that, and it kind of speaks to the same thing, is to think about security as not only value preservation, right, but value creation. Increasingly, the conversation that I'm having with our clients is not only how do I help you manage this risk right now, but how do I help you create value in the business, right? And that's the strategic component. Where do you need to be? What is the business trying to accomplish?

John Verry:

What markets are you trying to penetrate? What are going to be the expectations of those markets? And I need to know that a year, eighteen months, two years before you need to get there, in order to be able to get you there, right?

Dejan Kosutic:

Great. So these are really great insights. Thank you, John, and it's been a pleasure talking to

John Verry:

It's been a pleasure talking to you as well, and I'll throw a plug in here. Dejan was kind enough to come on the Virtual CISO podcast, you know, because he knows a lot more than I do about NIS 2 and DORA, so I asked him to come on and chat about it. So you guys should listen to that. You know, Dejan's a very, very smart gentleman, and I appreciate his. The fact that I was able to return the favor is no problem at all. Thank you.

Dejan Kosutic:

Yeah, thanks, John. Actually, I forgot to mention during the interview that you're also the host of this very popular podcast. It's already at, what, 200 or more episodes, right?

John Verry:

It's approaching that. Yeah, it's crazy how fast that goes. How many do you have under your belt?

Dejan Kosutic:

Oh, not so many. It's, like, 15 or so. So it's still, I would say, a rather new thing here. Okay. Anyway, thanks again, and thank you everyone for listening to or watching this podcast, and see you again in two weeks' time in our new episode of the Secure and Simple podcast.

Dejan Kosutic:

Thanks for making it this far in today's episode of the Secure and Simple podcast. Here's some useful info for consultants and other professionals who do cybersecurity governance and compliance for a living. On the Advisera website, you can check out various tools that can help your business. For example, Conformio software enables you to streamline and scale ISO 27001 implementation and maintenance for your clients. The white label documentation toolkits for NIS 2, DORA, ISO 27001 and other ISO standards enable you to create all the required documents for your clients.

Dejan Kosutic:

Accredited Lead Auditor and Lead Implementer courses for various standards and frameworks enable you to show your expertise to potential clients. And a learning management system called Company Training Academy, with numerous videos for NIS 2, DORA, ISO 27001 and other frameworks, enables you to organize training and awareness programs for your clients' workforce. Check out the links in the description below for more information. If you like this podcast, please give it a thumbs up. It helps us with better ranking, and I would also appreciate it if you share it with your colleagues.

Dejan Kosutic:

That's it for today. Stay safe.
