Unlocking Business Value From NIS2: The Consultant’s Role | Interview with Philippe Cornette

Dejan Kosutic:

Welcome to Secure and Simple podcast. In this podcast, we demystify cybersecurity governance, compliance with various standards and regulations, and other topics that are of interest to consultants, CISOs and other cybersecurity professionals. Hello, I'm Dejan Kosutic, the CEO at Advisera and the host of Secure and Simple podcast. Today my guest is Philippe Cornette, he's an interim CISO and the founding partner at Digisoter, a consultancy company focused on cybersecurity, IT and risk management. He works with various frameworks including ISO 27001, GDPR, DORA, NIST Cybersecurity Framework, CMMC, and others, but in this interview today we will focus on what kind of an impact NIS 2 will have on companies and on consultancies.

Dejan Kosutic:

So in today's podcast you'll learn about opportunities with NIS 2 and other cybersecurity frameworks, but also how to run a successful consultancy. Welcome to the show, Philippe.

Philippe Cornette:

Welcome.

Dejan Kosutic:

Good to have you here. So how did you actually become a consultant? What triggered you actually to start working as a consultant?

Philippe Cornette:

It's a long story because first I worked for twenty-two years as an employee. And after more or less twenty years, I started to think about creating my own company. It took me a while before I decided to do the big jump because I worked for a nice company. My last job was at ING where I was director. And also my family, they were supporting the idea, but they were a little bit stressed by the fact that I would change my status.

Philippe Cornette:

And then one day, I decided to do the big jump. I wanted to use my experience of twenty-two years to work with smaller companies. My first customer was a very large company. I did not manage to start immediately to work for a smaller company. And okay, I also learned a lot during the first few years as a consultant because it's quite different from being a normal employee.

Philippe Cornette:

And I wanted to focus more on bringing value, less bureaucracy, less administration, really to be every day more hands-on with the customer. That's why I decided to move to the consulting job.

Dejan Kosutic:

Okay. Are you still happy with this decision or did you regret it?

Philippe Cornette:

I regret not having started earlier. Oh. No, no, I'm really happy. There are a few customers that proposed that I become an employee again when I did a mission in their company, but I always say no, sorry. I prefer to stay a consultant and then to grow my company with other consultants.

Philippe Cornette:

And yeah, I've never regretted to move to that status.

Dejan Kosutic:

Great. It's a great story. Okay. On LinkedIn, I noticed that you've said that you are Chief Troubleshoot Officer.

Dejan Kosutic:

So what does this exactly mean?

Philippe Cornette:

Well, I'm an engineer. I studied engineering and computer science. And I always say that I remember only two things about my studies because it's a long time ago. I learned to learn. That's the first thing.

Philippe Cornette:

Because when you work in IT and in cybersecurity, you cannot stop learning. You continuously need to learn new things. And the second thing that I learned during my studies is to resolve problems. And that's really what drives me also. It's, you know, to have challenges, to say, okay, there is a business problem here.

Philippe Cornette:

What can I do to help my customer today? Before, it was to help my employers. And so I like to work on problems. I like to have everyday repetitive tasks. That's what drives me.

Philippe Cornette:

And as a consultant, you have even more opportunity to solve problems because you have more customers, and each time they are different. Even if they work in the same sector, they have different problems. And that's what I like in my job. That's why I'm the Chief Troubleshoot Officer, just to mention that, okay, I'm there to help to resolve problems.

Dejan Kosutic:

And I can imagine that with cybersecurity, there are lots of potential problems, if not existing ones. Great. Now let's speak a little bit about NIS 2. So you're, I imagine, heavily involved in this new directive. So what do you see as the biggest challenges for companies that must be compliant with NIS 2?

Philippe Cornette:

The first thing in Belgium, I will not say for the first time, but we are quite busy with NIS 2 already for a few years because I did my first NIS 2 gap analysis for a customer in October 2023. And Belgium was one of the first countries to put NIS 2 in our local law. It was last year, the beginning of last year. And I think that even if most of the companies in Belgium have heard about NIS 2, the main challenge, and it's not specific to NIS 2, it's more specific to any cybersecurity project, it's to convince the customer and sometimes the management of the customer that doing NIS 2 will bring value to the business. And it's not just a legal project.

Philippe Cornette:

It's not just to be compliant. And often, the CISO or IT people understand that, but not always the business because they only see the budget needed. And so the main challenge is to explain that, okay, you don't need NIS 2, at least it's what I think. You don't need NIS 2 to be compliant and avoid paying fines. That's the wrong approach to NIS 2.

Philippe Cornette:

You do NIS 2 because you want to guarantee that you can still deliver your service or your product to your customer, that you protect their data. And at the end, if you do that and if you promote that, it will bring value for your company. But it's also a good marketing message that you will give to your customer. If you say, okay, I'm secure, I secure your data, I will protect you also. That's a business value.

Philippe Cornette:

It's not just to be compliant with a directive. And that's true for other cybersecurity regulations. It's true for the GDPR, even for GDPR. A lot of businesses say, okay, it doesn't bring value. You see at the end that if you can guarantee that you protect sensitive data from your employees, from your customers, that can bring value.

Philippe Cornette:

But I think for NIS 2, that's really the basis. And sometimes I have some funny discussions with legal people because they don't always approach NIS 2, and it was the case also for GDPR, the same way, because for them, they take the directive and they check boxes. And if all the boxes are checked, they are fine. They are not trying to decrease the risk. They are not trying to protect the data.

Philippe Cornette:

They just want to avoid having to pay penalties if an incident happens. So the challenge is really to explain that and to show what it will bring to your customer. You need to have a pragmatic approach. The goal is not to be perfect. And that's not what NIS 2 is asking, by the way.

Philippe Cornette:

And it's not what the CCB, so the Centre for Cybersecurity in Belgium, is asking for NIS 2. They want a pragmatic approach to manage the risk. And if you talk business with business people, they will understand. If you talk IT or cybersecurity to the business, then they will have a problem because they will not understand why you want to implement a privileged access management, a SOC or whatever technical solution you can find. They don't care.

Philippe Cornette:

What they want to see is the business value it will bring to their company.

Dejan Kosutic:

And how do you actually achieve this? I mean, the things that you're saying now make sense, to provide this business value through cybersecurity. But I mean, how do you overcome this resistance from the senior management and how do you actually make them understand this connection between business and cybersecurity?

Philippe Cornette:

But first, the funny thing is that more and more today we are contacted by the management of companies, the CEO or even the board, and not the CIO or the CISO. So there are many of them that understand the value. Sometimes it's not always for the good reason. Sometimes it's just because they want to give that message to their customer. So it's a kind of marketing campaign that they want to do.

Philippe Cornette:

And it's not about cybersecurity. So it's not always the, let's say, the best approach. But more and more, our contact within the company, it's not IT or it's not the CISO. Sometimes it's also the CISO that is calling us to say, okay, I need help to convince my management that we need to do a project. It's not always a dream situation.

Philippe Cornette:

And there you need to talk with these people, you need to explain. And again, we don't take the directive and go point by point. We prepare a lot in advance. We very often know what they will say to try to avoid doing the project. So we come prepared and we talk business.

Philippe Cornette:

We don't talk technical stuff. It does not work. You also need to find people that can help you within companies. In one hospital where we have done a gap analysis, for example, the HR VP was very concerned by NIS 2 because she saw that it could really create a major issue if data from patients would be exfiltrated from the hospital, for example.

Philippe Cornette:

And so she helped us. So you need to try to find your ally in the company. And sometimes there are people that are more concerned than others. But very often we give the first presentation to the ExCo, to the management committee or even to the board. Because very often the CIO or the CISO, they are convinced that they need to do something, but they need help to pass the message.

Philippe Cornette:

And it's sometimes easier when somebody external comes to pass this message. And there is no magic. It's communication, communication, communication, and trying to find, what's the value that it will bring to them? There are always costs and sometimes it's a lot of costs because we can still see that many companies are far behind in terms of cybersecurity. But NIS 2 also helps us pass the message because at the end it's also their responsibility.

Philippe Cornette:

And in NIS 2, the governance and the management responsibility is very, very important. It's not an IT project. I always repeat when I do a presentation, NIS 2, it's not an IT project, it's a business project.

Dejan Kosutic:

I mean, NIS 2 is quite clear that all the major decisions and the responsibilities for cybersecurity are upon the senior management, not IT or someone lower in the organization. When you do this kind of cybersecurity project, do you also analyze the business side of the company in order to help them, let's say, align this business with the cybersecurity? So do you also do this kind of business analysis as well?

Philippe Cornette:

It's always the first step. We always ask first for interviews with the business people. Why? Because we need to do a risk analysis and we need to start from the business risk. If you start asking IT what the risks are, they will come with very technical risks that they think are very important for the company, but very often they are not the most important risks.

Philippe Cornette:

So what we do, we do interviews and we don't talk about cybersecurity. We don't talk about NIS 2. We just ask them, okay, what are the pain points? What are the feared events? What are the business risks that could significantly impact your company?

Philippe Cornette:

And it could be anything, not related to IT, not related to cybersecurity. And when we have done that, then we can link these business risks to cybersecurity risk, IT risk, operational risk. And also by doing that and by talking with the business managers, not only do we understand their problems, so it's easier for us after that to tune the message about NIS 2. But the second thing is that very often they are very happy to discuss and to raise their concerns. And to have somebody that understands their risk and can pass the message after that to their colleagues from the management committee or from the board.

Philippe Cornette:

So we always start from there. Also, we are working a lot in the manufacturing industry. And then OT, it's a very big part of NIS 2. And unfortunately, in many, many companies, IT and OT are still completely separated. Even in some companies, we can see convergence between IT and OT because at the end the technologies are moving more and more in the same direction and the OT devices are most of the time connected to the same network.

Philippe Cornette:

So the IT and the OT people need to talk. But still the management sometimes is different. OT is very often less centralised. You can see different technology used in different plants. And so it's very important to talk also with the operational people, with the plant manager, with the people that are really responsible for the operation.

Philippe Cornette:

And the head of operations, it's a key person when we do the interviews for NIS 2 because we also need to cover the OT part. So we always try to start with the business. It's not always possible, but it's very important for us.

Dejan Kosutic:

And when you make your deliverables as a consultant, do you also make this connection in your deliverables on how cybersecurity will improve the business?

Philippe Cornette:

Well, I mean, we don't redefine the strategy, the business strategy of the company, but we try, and especially with ISO 27001, very often that can be used when you have the certificate, even if the scope is not the full company but one area. We explain that they can also use it with their customers to explain that they are better than their competitors because they invest in cybersecurity to protect the service, the product, the data. Also, the other thing that we are always doing when we do a gap analysis for cybersecurity, we always look also at IT processes. We use COBIT for that. And we always try to, even if it's not as detailed as the cybersecurity part, we always try to make recommendations to improve the way IT supports the business.

Philippe Cornette:

Because we have talked to the business people and very often they express some concern or frustration about IT. And then we talk with IT, that very often express concern and frustration with the business. So we have both sides of the view and that's also our role, even if it's not just about cybersecurity, to try to propose a recommendation to improve the way the business and IT work together, not just to protect the assets but also to be more efficient. And that's also my background because I've been CIO in the past when I was an employee. I worked in IT for more than twenty years even if I was also working in cybersecurity.

Philippe Cornette:

But I was more IT than cybersecurity when I was an employee. And when I moved to consultant, I moved more to cybersecurity than IT. But I still have the... Yeah, I like to be able also to review the way IT is working.

Dejan Kosutic:

Okay. This sounds like a very important, let's say, experience that you have, being really on this CIO side, right? And how much do you think this is important for any cybersecurity consultant? Is it really, let's say, necessary to have this IT background or IT experience within companies to be a good cybersecurity consultant?

Philippe Cornette:

But first, what do you mean by a cybersecurity consultant? Just like if you say a doctor, you know, there are so many specialties now. You can be a cybersecurity consultant, but only focus on a very technical subject. You can be the Privileged Access Management consultant or the SOC analyst consultant.

Philippe Cornette:

So you have different types of consultants in cybersecurity. I'm working more on the GRC side. So for example, when we need a consultant to look at all the firewall setup, review the rules or the Office 365 configuration, I'm not doing that. I don't have that expertise anymore. I'm not technical anymore.

Philippe Cornette:

We use some consultants that can do that. And there, if you are very technical, you don't really need to be very familiar with the business. It's always better, but that's not so important. But if you work more on the GRC side, if you need to do some risk analysis, if you need to interview the business people, then it's better to have that expertise, to have worked with the business. And when I was working in IT, I was also working a lot with the business people.

Philippe Cornette:

So I also learned how to interact with them and how to speak their language. But there are different types of consultants and so there is no profile that fits all the types of consultants, I think.

Dejan Kosutic:

Let's go back a little bit to NIS 2. So besides this, let's say, finding it hard to align business with cybersecurity, for these companies that need to be compliant with NIS 2, what do they usually find the most difficult, for example, to align their technology with the regulations, or maybe their internal processes, or let's say policies, procedures, or maybe, I don't know, human resources? So which kind of areas do they find the most difficulties with?

Philippe Cornette:

I don't think it's the technical part because the technical part, okay, there are many solutions on the market, it's not new, even if there are some changes, very often access management, incident response, it could be difficult to put in place the right solution. But I think it's more on the processes, about the documentation. There are many companies that have implemented a lot of technical solutions, but nothing is documented. They have no process in place. And with NIS 2 or ISO 27001, it's always the same problem.

Philippe Cornette:

You can have everything in place, but if you cannot show that you have some policy, procedure and evidence that it's done, it's just like, at least for the certification, it will be very, very difficult. But also, it's also more difficult to explain the value of that because people say, yeah, we have been working like that for the last years. We didn't have documentation. It's still working. So most of the time, it's the area of processes and documentation that is the most difficult to change.

Philippe Cornette:

And also because it's linked to other departments when you do NIS 2 or ISO 27001 in manufacturing companies, very often they have ISO 9001 certification. So you could say, okay, good. We will just reuse what the QMS said and it will be easy. But then you find that, yes, in some business areas, they have documented everything. But IT was not involved because it was not seen as important as part of the real business.

Philippe Cornette:

And then when you want to put everything together, it's not always easier. For example, I had the case with one customer just about risk management. They had a different approach and they were so high level in their risk analysis that we had to go in another direction for cybersecurity because it was too high level. We need to go to the operational level to define what the measures and controls are that we have to put in place. So, the technical part, I don't say it's easy, but I think it's easier than the process and the documentation.

Dejan Kosutic:

Yeah. So, what do you think is then the biggest, let's say, where can consultants make the biggest impact for these NIS 2 companies? Okay, besides this alignment with the business. So, is this really on the process side or something else beyond this?

Philippe Cornette:

Well, we say the first thing is there is a lack of resources, lack of people. So, the first thing very often is that the consultant is seen as a resource that is the only one that can contribute because there is nobody else. And I'm sure it's like that in many countries, but in Belgium it's quite tough to find the right people. And the internal people, they don't have that expertise in cybersecurity for the technical part or for the more GRC part. So very often the consultant is seen as the one that will unlock the situation.

Philippe Cornette:

I'm sorry, I don't remember what the first part of your question was.

Dejan Kosutic:

The question is really where can a consultant actually add the most value? Is this really helping them with the processes or, as you were saying, simply being an extra pair of hands? Or is there anything else that consultants can really add value with for these NIS 2 companies?

Philippe Cornette:

Well, I think it's really the expertise today that I see in Belgium. Our consultants know not only the framework that we use, but they have done similar projects even before NIS 2. They have done ISO 27001 projects. And they can save a lot of time because when you need to write a policy, you need to come with an approach, a methodology within the company in order to write the documentation as fast as possible. But then the change management part is very important.

Philippe Cornette:

That's, I think, also what the consultant will bring, the change management part. Because when you have done that a few times, sometimes it's very difficult to be able to change the way people are working and to be able to involve everybody. So for me, a GRC consultant needs also to be a good change manager, a good communicator. And that you do not always have in companies, especially when people say, yeah, NIS 2 is an IT project. When you go in the IT department, you don't always have the people who can communicate and do change management, define processes, and so, yeah, I think that's why consultants can really help there.

Philippe Cornette:

And not all the cybersecurity experts like to do that. Very often I meet people that say, yeah, well, a GRC, NIS 2 project or ISO 27001 project, I don't like that. I want to have my hands in, you know, doing the real stuff. I find that I'm more, yeah, a security analyst. You still have a lot of geeks that are doing cybersecurity, which is good because you need these people.

Philippe Cornette:

You need to have people who really understand the technology. But that's not what we are doing. We are more trying to manage the project, the change management, and improve the way the company is working.

Dejan Kosutic:

Yeah, definitely. These are the areas where consultants can certainly add a lot of value for clients. Now, since NIS 2 is a directive, each EU country has to publish their own laws and regulations based on NIS 2. And from what I've seen, let's say Belgium has a different approach to, I don't know, Croatia or Italy or, I don't know, Latvia, Lithuania, all the other countries that already published. So what is your really, let's say, suggestion here?

Dejan Kosutic:

If a company operates in several EU countries, how do they actually align their needs to projects? I can't say one project because they probably are different from one country to another. So what is really the way to handle this kind of complex project with several laws and regulations to be compliant with?

Philippe Cornette:

First, it's a nightmare because there are still a lot of countries that have not even implemented the local law. So you don't even know what you are supposed to do. And when you do projects for a multinational company, you cannot wait. You need to take some decisions. Some of our customers, they say, okay, we don't care.

Philippe Cornette:

We use an internal framework, very often based on international standards. So we will use that and we will adapt if needed. For example, NIST CSF, which is probably a very, very good idea because at least in Belgium, if you look at the framework developed by the CCB, it's really based on NIST CSF with a little bit of ISO 27001 and a few other frameworks. In Belgium, there are other companies that say, okay, we will do ISO 27001 because it's a way to do it in Belgium. You have the choice between ISO 27001 or CyFun, Cybersecurity Fundamentals.

Philippe Cornette:

And we can even do it not for the full scope first. We start in 2025 with part of the company, then we expand. And as it's a European standard, we will continue to do that in other countries. And we will see. But it's not easy and you need to make a choice.

Philippe Cornette:

You cannot wait. I think if you take a standard like ISO 27001, NIST CSF, anyway you can map later and if something is missing, you will add it. Anyway, you need to start doing a risk analysis, whatever framework you use. But it will be nice when every country has decided, and I hope that some countries will not go in a different direction. I don't know why it's a directive, by the way, because

Dejan Kosutic:

Yeah, it would be a very easy issue.

Philippe Cornette:

Why for NIS 2 they decided to do a directive. I don't know. It would have been easier for everybody, I think, to have a regulation. Regulation. Same everywhere.

Philippe Cornette:

Because today there is a lot of uncertainty for large multinationals. But they cannot wait because they are very often already late.

Dejan Kosutic:

Mhmm. Yeah. So, I mean, this whole thing seems like a very good opportunity for consultants. Right? Consultants that would focus on NIS 2.

Dejan Kosutic:

And in your opinion, is this something that is going to be a good business opportunity only for let's say one or two years for consultants or is this opportunity going to last five maybe ten years for this particular directive?

Philippe Cornette:

I don't know for NIS 2, probably I suppose that it will never end, but NIS 2 is just the first of many other directives or regulations. We already have customers that are working on CRA, the Cyber Resilience Act. After that you have the AI Act where you also need to look at the protection of your data. There are many, many regulations. And I think when I see the situation for smaller companies today in Belgium, I think there is work for the next fifty years.

Philippe Cornette:

I think I will retire a long time before the demand will decrease because I mainly work with large companies and medium-sized companies and fintechs. And all these companies, even the small fintechs, they are regulated by the National Bank. So they need to invest in cybersecurity. They need to comply with other regulations like DORA, for example, in the financial industry. But the other companies, they have a big, big challenge.

Philippe Cornette:

And with NIS 2, they start to feel it because with NIS 2, you need to guarantee the security of the supply chain. And so a small company or companies that are not directly in the scope of NIS 2 that have not invested in cybersecurity will be very, very, very much impacted. And I know some companies that already lost some contracts because they could not guarantee that they took cybersecurity seriously. And so their customers that are in the scope of NIS 2 say, sorry, but I cannot take the risk. So I will only work with suppliers that can show that they've put in place a cybersecurity project.

Philippe Cornette:

And so it's not just NIS 2 for the companies that are directly in the scope of NIS 2, but I think the impact is even bigger for the other companies. They have customers that are in the scope of NIS 2, because these companies, until very recently, they did not often invest in cybersecurity. So there is a lot of work, I think, for the coming years.

Dejan Kosutic:

Lots of work for consultants. And what do you think? How will this consulting, let's say, role or business evolve over the next, let's say, ten or twenty years? Okay. We discussed the Cyber Resilience Act, the AI Act.

Dejan Kosutic:

Okay. But these are, you know, frameworks that the consultants need to, let's say, consult upon. But how will their actual job change because of, let's say, globalization or because of AI itself? What do you think? How would it look like in ten or fifteen years to be a consultant?

Philippe Cornette:

I don't know because things are moving so quickly and you mentioned AI. It's true that we are using more and more AI just to work quicker. AI is used also in more and more tools for cyber security and by hackers also. So if you look, when I started to work a long time ago, 1990, I was already doing security. We were not calling that cybersecurity at that time.

Philippe Cornette:

And the focus was more on the DRP and BCP at that time. It was to ensure that in case of a big problem, we can resume the situation. That was more than thirty years ago. If you look today, there are still many companies that have exactly the same issue. So I think if you had asked me thirty years ago what I thought about consulting in 2025, I would not have imagined at that time internet, AI and things like that.

Philippe Cornette:

But still some major problems are still there. So I don't know in thirty years if we will still have the same problems. Perhaps they will have changed. We see a lot more people moving to the cloud and to other solutions, even if I also see some customers that do the opposite move and move from the cloud to on-premise for security reasons. I think there are things that in thirty years you will still have: risk.

Philippe Cornette:

You will still need people that can analyse the risk and make the link between the technical part of the company and more the business side. For the rest, it's difficult to imagine what will be the world in thirty years.

Dejan Kosutic:

Yeah, I mean, there will definitely be the pain or the need for, let's say, cybersecurity and for, let's say, some kind of services, but if AI takes a part of it, some simpler things like writing documents maybe or these kinds of things, what is then left for consultants? I mean, is there this specific thing that consultants or people will be able to do, but not machines?

Philippe Cornette:

Well, I think it's true that already today AI helps us to be quicker to write reports and collect data. So that will speed up in the future. But I think the change management part and the communication and the interview with the people, we can see, you could say, okay, today you can send a questionnaire to people and then collect all the questionnaires and ask AI to analyze that. But you will not get the same result as if you speak with the people. And the change management part, if you want to convince people that what you are doing is the right thing to do.

Philippe Cornette:

I'm not convinced of that today. I don't know in thirty years, but today AI will help us just to be better and quicker. And in some areas, yeah, you will need fewer people for sure. But I still see it as a tool that helps me to improve the way I'm working. And I'm using it, testing.

Philippe Cornette:

I have been passionate about AI for a long time, not only generative AI, but I worked in the past when I was in IT on predictive analytics and that kind of project. I was always interested by AI and to see how AI could help cybersecurity. And it will continue and it will solve problems. It will also create other problems because the hackers will also be able to use this technology. Perhaps we will need fewer people in the future because everything will be better, but I think it's not tomorrow that we will disappear and be replaced by

Dejan Kosutic:

But as you were saying, probably AI will not be able to change things in the companies. It will be humans, I mean, consultants that will be instrumental here, important here actually to convince, well, senior management to change things and this is probably an area where consultants will keep their edge over AI. Yeah. Okay. So if we can speak a little bit about your consultancy.

Dejan Kosutic:

So, I noticed that you also offer this CISO as a service. Can you speak a little bit about this? How does this work?

Philippe Cornette:

Well, as I mentioned, when I decided to become a consultant and create my first company, my objective was to bring the knowledge that I learned in very big multinational companies and apply that in smaller companies. It didn't work like that at the beginning because I continued to work with large companies. But I still had that in mind. Still today, as I mentioned, when you look at small companies, very often their situation is worse than a larger company in terms of cybersecurity. So today we are only five in the company, so I cannot support all the SMEs of Belgium with five people.

Philippe Cornette:

So I thought, okay. What could we do to end this company? They cannot afford a full time CISO. It's too expensive for them. They don't need a full time CISO most of the time.

Philippe Cornette:

And if they have a CISO coming one day per week, for example, in their company, what will happen if the day after they have an incident? You cannot say, oh, oh, you need to wait next week when the CISO will come back. So to have part time CISO that are just be present one day or a few days per month in a company that does not help really. And so that's why I say, okay, let's offer a service. So you have somebody who will come to the company time to time, once a week, a few days per month.

Philippe Cornette:

But on top of that, we will provide a service. So when he's not there, if there is a problem, the customer can still call the team to get some support. And then we will also package a few things like, for example, policy, best practice, just to help them to apply that quicker. And that's what we are trying now, is to offer CISO that is available as a service. And we do that for other things like cybersecurity awareness as a service.

Philippe Cornette:

So we can train the company. They don't have the internal resource to do it. So we define their annual training plan for cybersecurity. We run the campaign. We run the phishing exercise as a service.

Philippe Cornette:

Large company, they will have some people in HR or in IT who will manage that. Smaller company, they don't have the resource. They don't have the time to spend to do that. That cost them a lot of money if they need to train people to work only on this task a few days per month. So we try to offer as a service different aspect of cybersecurity, risk management, awareness, and CISO as a service.

Philippe Cornette:

Now CISO as a service can also cover everything if the customer want the full package, but we can also just deliver a part of it.

Dejan Kosutic:

This sounds very interesting. And so from let's say, again, from a consultancy business point of view, is it better to have this kind of compliance projects which are one off, like, you know, NIS 2 compliance or, I don't know, 27,001 compliance? Or is it better to have this kind of CISO as a service or security awareness as a service which are more continuous?

Philippe Cornette:

Very often our consultants work on both. For example, they work three days or four days on a big project, and then one day per week they are working as CISO as a service. Now even in bigger company, very often we offer CISO as a service during the project because they don't have CISO. And sometimes it's very strange because they have some very large company or hospital I will not say bank or insurance company because most of them have a CISO. But sometimes even large companies in manufacturing, they don't have a CISO.

Philippe Cornette:

And they have also some budget constraint. So we also offer sometimes CISO as a service as part of the NIS 2 project. And so the project manager of the NIS 2 project is playing the CISO role. So when he's there and he's working, if he's working three, four days per week, he's officially the CISO. And the day where he's not there, the customer can call the rest of the consultants if there is an incident.

Philippe Cornette:

So we don't have people that are specialized in CISO as a service and people that only working on project. It's also for the consultant. They like to have different type of activities and not always the same thing, not always the same challenge. And also very often they like to work for different customers at the same time. So they could work on a project a few days per week and the rest CISO as a service.

Philippe Cornette:

So a mix of the two things very attractive for some of the consulting.

Dejan Kosutic:

Okay, sounds great. And are you afraid actually of the competition? I mean, consultants, are you afraid of actually staying or getting I mean, they will put you out of the business because they simply get more your customers. So how do you actually compete with other consultants and what makes you actually competitive there?

Philippe Cornette:

We are a small company. There are bigger companies than us in Belgium. You have the companies that are in the, let's say, 100, three hundred, four hundred number of employees specialized in cybersecurity. Then you have the large IT service companies that do a little bit of everything. And then you have the big four that are also present in cybersecurity.

Philippe Cornette:

And we have competition, that's for sure. But we have one big advantage. It's that we are small. And so it means that we are flexible and we are cheaper. Because we don't have large team.

Philippe Cornette:

We don't have salespeople in my company. Because perhaps one day we will need somebody doing the selling part. But today, people or customers are talking to each other and very often there are companies that call us and say we want to work with you. And then we ask, okay, how do you know us? And they say, ah, because I spoke with another company.

Philippe Cornette:

And sometimes it's very large company. I remember a few years ago, a very big company called us and say we want to work with you. And I thought it was somebody making a joke because I say, yeah, but why us? You know? Because they heard that we are very flexible.

Philippe Cornette:

We are pragmatic. We don't come with very complex solution. And so today, yes, we have competition. Sometimes we lose contract for sure. But for the moment, we have enough work and we are trying to grow by recruiting additional people, which is the biggest challenge.

Philippe Cornette:

It's more difficult to find good consultants. Yeah. Than to find customers today due to NIS 2, due to DORA, due to CRA, and that kind of thing. So for the moment, they have competition. But it happened in the past that a competitor called me and said, Okay, I have a customer. I want to please him.

Philippe Cornette:

I cannot do the mission. Could you do it? No. I don't say that it happened often, but it happened to us a few years ago. Mhmm.

Philippe Cornette:

Just because at that time, he had too much work and he preferred to make a good recommendation to his customer than to say, no. We cannot help you. So I think the size, I think when you become bigger, probably it's also more complex because you need to start to hire sales guys, HR, all the supporting functions. But we are too small for that. So for the moment, yes, there is competition, but we are not really suffering from that.

Dejan Kosutic:

Great, and obviously you have a very good word-of-mouth marketing which promotes you actually. This is great. Okay, great. So let's try to wrap up the interview today. So what would you say are kind of, let's say, the top things that consultants, cyber security consultants in this governance area?

Dejan Kosutic:

So what would you recommend as, let's say, the most important things that such consultants have to bear in mind?

Philippe Cornette:

But first, you need to like the work of a consultant because, you know, not everybody is ready to be a consultant. So you don't become a consultant because you have heard that it's a wonderful job and things like that. You really need to like that because it's true that there are a lot of challenges, that all the customers are not always easy. And then also in cybersecurity many, many consultants are independent and you need to like that kind of status. Since I became independent, I didn't have one day without a job.

Philippe Cornette:

Probably due to cybersecurity. There are IT consultants that have more challenges because, okay, if you work in a very niche, in a small niche, sometimes it's difficult to find another mission. That's just not the case for me. So first you need to like the job. The second thing, you need to like to learn every day.

Philippe Cornette:

So you need to like to follow some training, certification and things like that because things are moving so quickly. And if you don't learn new things in a few years, you would have to do something else. So that never stops. And then you need to interact with people. It's mainly people to people job.

Philippe Cornette:

At least in this area you are not spending hours to configure firewalls or setting up servers or things like that. You are mainly working with people, talking with people, challenging them. And so if you like to do that, I think there are plenty of opportunities today. Even if you are a junior, you don't need to have twenty years of expertise. You will learn with more senior people.

Philippe Cornette:

And again one thing that I personally do not want to do with my company is to do body shopping. Because body shopping is not consulting. Body shopping is find a resource and push it in a company. And very often we have customers that ask, oh, do you have a cybersecurity consultant that can come to work for us? And I say, yes.

Philippe Cornette:

But I will not propose him to you because then you manage it and it's just a freelancer working for you. Mhmm. And that's not a consultant. A consultant needs to exchange with the peers. He needs to work for different customers and we always take the responsibility of the deliverables.

Philippe Cornette:

That's the work of a consultant, he needs to take the responsibility of what he delivers. That's also, there are people that prefer to say, okay, I have my job in my company, even as an independent. And I know that during five years I will do the same thing every day and I have a secure job, and that's fine. We need people that like to work in the operation, for example, to run infrastructure. But okay, that's another type of job and there are people who prefer that, there are people that prefer to work as a consultant.

Dejan Kosutic:

Okay, great. So again, thank you for these insights, Philippe. It's been a pleasure talking to you and I believe that there is a lot of information and I would say new things that consultants will be able to learn from you. So thank you again.

Philippe Cornette:

Thank you.

Dejan Kosutic:

Thanks, Philippe. And thank you everyone for listening or watching this podcast and see you again in two weeks' time in a new episode of Secure and Simple podcast. Thanks for making it this far in today's episode of Secure and Simple podcast. Here's some useful info for consultants and other professionals who do cybersecurity governance and compliance for a living. On the Advisera website, you can check out various tools that can help your business.

Dejan Kosutic:

For example, Conformio software enables you to streamline and scale ISO 27,001 implementation and maintenance for your clients. The white label documentation toolkits for NIS2, DORA, ISO 27,001 and other ISO standards enable you to create all the required documents for your clients. Accredited Lead Auditor and Lead Implementer courses for various standards and frameworks enable you to show your expertise to potential clients. And a learning management system called Company Training Academy with numerous videos for NIS2, DORA, ISO 27,001 and other frameworks enables you to organize training and awareness programs for your clients' workforce. Check out the links in the description below for more information.

Dejan Kosutic:

If you like this podcast, please give it a thumbs up. It helps us with better ranking and I would also appreciate if you share it with your colleagues. That's it for today. Stay safe.
