Secure & Simple — Podcast for Consultants and vCISOs on Cybersecurity Governance and Compliance

Cyber Ranges, Attack Simulations & AI: Proving Cyber Readiness | Interview with Lee Rossey

Dejan Kosutic — Tue, 07 Apr 2026 15:29:17 +0200

In this Secure and Simple Podcast episode, host Dejan Kosutic (CEO of Advisera) speaks with Lee Rossey, CTO and co-founder of SimSpace, about why much cybersecurity training is becoming outdated as AI accelerates both threats and defensive stacks. Rossey explains “train like you fight” through realistic, hands-on, team-based cyber range exercises that emulate an organization’s environment, tools, background traffic, and real attack scenarios such as ransomware and lateral movement. They discuss how cyber ranges complement tabletop exercises, what must be most realistic (security tools, attacks, and traffic), who should participate (SOC, IT, business owners, and leadership), and what typically breaks first under pressure. The conversation covers metrics like time to detect/respond/recover, ROI, and tool rationalization, evolving ranges for cloud/OT and AI, and the need to validate and govern AI-infused security tools with trust and oversight.

Links from the episode:
- Conformio software to streamline and scale ISO 27001 implementation and maintenance for your clients: https://advisera.co/Conformio-software
- White label documentation toolkits for NIS2, DORA, ISO 27001, and other ISO standards to create all the required documents for your clients: https://advisera.co/page-all-toolkits
- Accredited Lead Auditor and Lead Implementer courses for various standards and frameworks to show your expertise to potential clients: https://advisera.co/Consultant-Courses
- Company Training Academy with numerous videos for NIS2, DORA, ISO 27001, and other frameworks to organize training and awareness programs for your client’s workforce: https://advisera.co/page-Company-Training-Account
- Beginner's Course for ISO, Cybersecurity, and AI Consultants: https://www.youtube.com/playlist?list=PLHwD3nQun7caKFq80LxNNYKIabATlyA7t
- How to Grow Your Cybersecurity, ISO, or AI Consultancy: Advanced Course:https://advisera.co/GrowYourConsultancyTraining

(00:00) - Interview with Lee Rossey
(01:18) - Why Training Is Outdated
(04:56) - What Is a Cyber Range
(07:53) - Building Realistic Attacks
(12:40) - Leadership Value and ROI
(15:49) - Who Should Participate
(19:53) - Senior Leaders in the Hot Seat
(23:41) - Lessons From Debriefs
(25:04) - Ranges Evolving With AI
(30:33) - Preparing For A Cyber Range
(32:15) - Measuring Exercise Results & Reporting
(34:43) - Turning Findings Into Change
(38:33) - AI Governance And Trust
(41:39) - Regulations And Standards
(45:41) - Resources for Consultants and Cybersecurity Professionals

AI Agents vs. AI Agents: The Future of Security Operations | Interview with Monzy Merza

Dejan Kosutic — Tue, 24 Mar 2026 13:30:00 +0100

In this Secure and Simple Podcast episode, host Dejan Kosutic from Advisera interviews Monzy Merza, co-founder and CEO of Crogl, about how cybersecurity is shifting to an “agent versus agent” world where attackers task AI agents to run fast, low-cost, sophisticated campaigns without human approvals. Merza outlines core security operations activities—preparation/tooling, alert investigation, and response—and explains how AI is changing each, including AI SOC agents that automatically connect to multiple data sources, enrich alerts, run MITRE kill chain analysis, and produce investigation reports, as well as AI-driven response actions and documentation. They discuss when humans must remain in the loop for high-impact decisions, how organizations build trust through phased adoption with measurable use cases, why roles may shift from analysts to more security engineers, and governance needs like flexible integrations, model choice, and transparency in AI security tools.

(00:00) - Interview with Monzy Merza
(00:58) - Agent vs Agent Threats
(03:22) - Three Phases of SecOps
(05:53) - AI SOC Investigation Example
(08:41) - Autonomy vs Human in the Loop
(12:48) - Human Only Decisions
(16:43) - Building Trust and Maturity
(19:07) - Future Security Roles
(24:24) - AI Change Wave
(27:08) - Testing AI Maturity
(29:25) - Governance Framework Gap
(31:15) - Policy Meets Hallucinations
(34:50) - Business Alignment Example
(37:14) - Governance Requirements
(41:57) - SOC Roles Reshaped
(47:26) - Resources for Consultants and Cybersecurity Professionals

Zero Trust as a Mindset: Identity, Governance, and Access | Interview with Andrew Gault

Dejan Kosutic — Tue, 10 Mar 2026 13:30:00 +0100

In this Secure and Simple Podcast episode, host Dejan Kosutic (CEO of Advisera) interviews Andrew Gault (CEO of ZeroTier) about Zero Trust as a strategy and mindset rather than a single technology, shifting away from perimeter-based security to “default deny” with continuous verification. Gault outlines core layers such as identity for users and devices, policy-based scoring, encryption, and ongoing monitoring to reduce lateral movement when breaches occur. They discuss extending zero trust principles to suppliers by issuing vendor identities managed centrally, governance needs like documented access policies, change management, and least privilege, and challenges such as shared credentials and the ongoing effort to keep permissions current. The conversation also covers non-human identities for AI agents, service accounts, ownership and lifecycle management, audit expectations under SOC 2 and ISO 27001, vendor lock-in tradeoffs, and using inventories and exception reduction as practical KPIs.

(00:00) - Interview Andrew Gault
(00:47) - Strategy Not Perimeter
(02:40) - Core Layers Explained
(03:53) - Vendors And Suppliers
(07:37) - Risks Reduced And Limits
(12:24) - Non-Human Identities
(16:04) - Managing Machine Accounts
(18:34) - Governance And Policies
(23:35) - Who Owns Zero Trust
(25:40) - Building Security Culture
(27:20) - Measuring Zero Trust Impact
(30:08) - Compliance vs Real Security
(34:35) - Avoiding Vendor Lock In
(38:33) - KPIs and Legacy Exceptions
(44:25) - Resources for Consultants and Cybersecurity Professionals

Responding to Ransomware Attack [Case Study] | Interview with Yannick Hirt

Dejan Kosutic — Tue, 24 Feb 2026 13:30:00 +0100

Dejan Kosutic interviews Yannick Hirt from ODCUS about his experience with a real ransomware attack on an international industrial company. They discuss likely phishing entry via a privileged IT account, overnight encryption, and setting up a war room. The company restored critical systems from verified cloud backups without paying, while briefly negotiating via a Dutch specialist as the attacker threatened data release. Key lessons include tested backups, detection and provider SLAs, privileged access controls, BIA/process mapping, strong documentation and forensics, communications, insurance coordination, and regular training.

(00:00) - Interview with Yannick Hirt
(00:54) - How the Attack Started: Cloud Transformation, Gaps, and a Phishing Entry Point
(04:06) - Day Zero Response: Disconnecting Systems and Standing Up the War Room
(07:54) - Early Critical Decisions: Recovery Streams, Stakeholders, Police & Insurance
(09:08) - Restore vs Rebuild: Mapping Critical Apps and Validating Backups
(11:11) - Talking to the Attackers: “Service Desk” Negotiations and Typical Ransom Size
(14:09) - To Pay or Not to Pay: Strategy, Data-Leak Risk, and Criminal “Reliability”
(16:12) - Recovery Timeline & Aftermath: Dark Web Leak, Employee Calls, and Government Response
(21:20) - Who Decides the Recovery Order? IT + Business Alignment
(23:47) - PR in the War Room: Internal Updates, Guidelines & External Liaison
(25:06) - Senior Management’s Real Job During Recovery
(27:38) - Working With Cyber Insurance: Support Now, Paperwork Later
(30:37) - Forensic Report Deep Dive: Entry Point, Lateral Movement, and Tradeoffs
(32:25) - Consultants in a Ransomware Crisis: Networks, Pragmatism, and Calm
(41:30) - Resources for Consultants and Cybersecurity Professionals

What Should the Board Ask the CISO? | Interview with Clar Rosso

Dejan Kosutic — Tue, 10 Feb 2026 13:30:00 +0100

In this episode, Dejan Kosutic talks with Clar Rosso, CEO of Rosso Strategic Advisors, board member of Excelsior University, and the former CEO of ISC2, about the evolving role of boards for cybersecurity. They discuss the increasing importance of cyber governance, the impact of AI, the concept of digital resilience, and the interaction between cybersecurity professionals and boards of directors. Claire shares her insights on how to better integrate cybersecurity into business operations and enhance board members' understanding. Tune in to learn how a strong cyber posture can help businesses achieve their strategic goals and mitigate risks.

(00:00) - Interview with Clar Rosso
(00:21) - Introducing Today's Guest: Clar Rosso
(01:18) - Cybersecurity as a Business Issue
(03:54) - Board Members' Role in Cybersecurity
(05:19) - Cyber Resilience vs. Cyber Defense
(07:59) - Cybersecurity's Role in Business Growth
(09:13) - Effective Communication with the Board
(19:56) - Compliance and Risk Management
(25:00) - The Future of Cybersecurity Audits
(31:19) - Board's Role During a Cyber Breach
(35:44) - Resources for Consultants and Cybersecurity Professionals

The Crucial Role of Management Review in Cybersecurity Governance | Interview with Carlos Cruz

Dejan Kosutic — Tue, 27 Jan 2026 13:30:00 +0100

In this special first-year anniversary episode of the Secure and Simple Podcast, host Dejan Kosutic from Advisera welcomes back Carlos Cruz, founder of Metanoia Consulting and ISO expert. They deep-dive into best practices for conducting effective management reviews, covering not just ISO 9001 and ISO 14001 but also ISO 27001 and other cybersecurity frameworks. The discussion highlights the importance of top management’s involvement, the process of converting raw data into actionable insights, and setting future objectives. Ideal for consultants, CISOs, and cybersecurity professionals aiming to enhance their governance and compliance strategies.

(00:00) - Interview with Carlos Cruz on management review
(00:21) - Guest Introduction: Carlos Cruz
(01:46) - Understanding Management Reviews
(07:34) - Effective Management Review Practices
(12:34) - Management Review Process
(23:35) - Frequency and Importance of Management Reviews
(28:40) - Setting and Reviewing Objectives
(33:05) - Auditing and Performance
(37:50) - Common Pitfalls in Management Reviews
(41:25) - Consultant's Role in Management Reviews
(49:28) - Integrated Management Systems
(55:04) - Resources for Consultants

Resolving a Conflict Between IT and Cybersecurity | Interview with Jared Leuschen

Dejan Kosutic — Tue, 13 Jan 2026 13:30:00 +0100

In this episode of the Secure and Simple Podcast, host Dejan Kosutic, CEO of Advisera, discusses the ongoing conflict between IT operations and cybersecurity governance with Jared Leuschen, CEO and Founder of Blue Tree. They delve into the human component behind security and compliance issues, misalignment and communication gaps within organizations, and practical solutions for aligning IT and cybersecurity efforts. The discussion also covers the importance of risk management, the role of consultants, and effective communication strategies between IT and cybersecurity teams.

(00:00) - Interview with Jared Leuschen
(01:12) - The IT and Cybersecurity Conflict
(03:21) - Finding Alignment Through Communication
(06:05) - Proactive IT Involvement in Cybersecurity
(15:19) - Time Management and Leadership in IT
(17:38) - The Role of Consultants in Cybersecurity
(23:46) - Vendor Management and Supply Chain Security
(30:33) - Aligning IT and Security with Business Goals
(40:17) - Resources for Consultants

Penetration Testing & Threat Intelligence: Enhancing Cybersecurity | Interview with Sasa Jusic

Dejan Kosutic — Tue, 30 Dec 2025 13:30:00 +0100

In this episode, host Dejan Kosutic interviews Sasa Jusic, a board member at Infigo IS and a cybersecurity expert. They delve deep into penetration testing and cyber threat intelligence, explaining their roles in enhancing cybersecurity. Learn about the differences between offensive and defensive security measures, the importance of DORA and ISO 27001 frameworks, the critical steps for preparing and executing successful penetration tests, and the elements of threat intelligence. Sasa also shares insights on the collaboration between IT and security teams, as well as the role of consultants in this evolving landscape.

(00:00) - Interview with Sasa Jusic
(01:41) - Penetration Testing and Threat Intelligence Relationship
(06:23) - DORA and Its Impact on Cybersecurity
(08:22) - Types of Penetration Testing
(10:33) - Preparing for a Successful Penetration Test
(13:07) - Reporting and Translating Technical Findings
(15:56) - Acting on Penetration Test Reports
(19:52) - Understanding Threat Intelligence
(22:11) - Tools for Threat Intelligence
(29:01) - Common Misconceptions About Threat Intelligence
(31:58) - Opportunities for Cybersecurity Consultants
(36:42) - Key Recommendations for Security Officers
(40:13) - Resources for Consultants

Simplifying ISO Standards: Insights and Best Practices | Interview with Jim Moran

Dejan Kosutic — Tue, 16 Dec 2025 13:30:00 +0100

In this episode of the Secure and Simple Podcast, host Dejan Kosutic, CEO of Advisera, welcomes Jim Moran, founder of SimplifyISO, to discuss the importance and methods of simplifying ISO management systems. Jim, with over 30 years of consulting experience, shares valuable insights on how overly complex management systems can hinder employee understanding and implementation, leading to higher costs and minimal return on investment. Key topics covered include the benefits of simplification, principles for effective ISO implementation, and the use of visuals and flowcharts. The episode also explores how consultants can leverage simplification to build stronger relationships with clients and scale their consulting businesses efficiently.

Links from the episode:
- Conformio software to streamline and scale ISO 27001 implementation and maintenance for your clients: https://advisera.co/Conformio-software
- White label documentation toolkits for NIS2, DORA, ISO 27001, and other ISO standards to create all the required documents for your clients: https://advisera.co/page-all-toolkits
- Accredited Lead Auditor and Lead Implementer courses for various standards and frameworks to show your expertise to potential clients: https://advisera.co/Consultant-Courses
- Company Training Academy with numerous videos for NIS2, DORA, ISO 27001, and other frameworks to organize training and awareness programs for your client’s workforce: https://advisera.co/page-Company-Training-Account
- Beginner's Course for ISO, Cybersecurity, and AI Consultants: https://www.youtube.com/playlist?list=PLHwD3nQun7caKFq80LxNNYKIabATlyA7t
- How to Grow Your Cybersecurity, ISO, or AI Consultancy: Advanced Course:https://advisera.co/GrowYourConsultancyTraining

(00:00) - Interview with Jim Moran
(01:20) - The Importance of Simplifying ISO Implementation
(03:34) - Key Concepts in ISO Simplification
(08:47) - Using Visuals and Flowcharts for ISO Processes
(11:49) - Simplifying Documentation and Internal Audits
(24:18) - Visual Aids and Risk Assessment in ISO
(31:42) - Microlearning for Cybersecurity Awareness
(36:26) - Automating Document Control in ISO Standards
(38:51) - Balancing Complexity and Simplicity in Software Tools
(47:26) - Simplification Strategies for Consultants
(56:40) - Resources for Consultants

Mastering Internal Audits for ISO Standards | Interview with Carlos Cruz

Dejan Kosutic — Tue, 02 Dec 2025 13:30:00 +0100

In this episode of the Secure and Simple Podcast, host Dejan Kosutic, CEO at Advisera, welcomes Carlos Cruz, founder of Metanoia Consulting and a seasoned expert in ISO standards. Carlos and Dejan share best practices for performing internal audits across various ISO standards, including ISO 27001, and other cybersecurity frameworks such as NIS2 and DORA. Key topics discussed include the importance of internal audits, how to prepare effective audit checklists, and the role of AI in the future of auditing. The episode also explores the differences between internal audit programs and plans, the significance of audit objectives, and offers practical advice for consultants looking to expand their services into internal auditing. Carlos provides a deep dive into ensuring compliance and effectiveness while offering practical tips on maintaining independence and delivering valuable audit reports.

(00:00) - Interview with Carlos Cruz on internal audits
(01:38) - Importance and Best Practices for Internal Audits
(04:55) - Audit Objectives and Their Importance
(09:38) - Creating an Internal Audit Program
(13:31) - Audit Plans and Internal Audit Checklists
(27:06) - Conducting the Main Audit
(30:10) - The Importance of Evidence in Auditing
(36:43) - Preparing the Audit Report
(42:13) - Consultants and Internal Audits
(49:29) - Remote Auditing: Challenges and Opportunities
(57:17) - AI in Internal Auditing
(01:04:34) - Resources for Consultants

Exploring Cyber Warfare: Risks, Strategies, and Solutions | Interview with Steve Winterfeld

Dejan Kosutic — Tue, 18 Nov 2025 13:30:00 +0100

In this episode of the Secure and Simple Podcast, host Dejan Kosutic, CEO of Advisera, welcomes Steve Winterfeld, a seasoned security consultant, fractional CISO, and author of the book 'Cyber Warfare Techniques, Tactics, and Tools for Security Practitioners.' The discussion revolves around the relevance of cyber warfare for companies, the different types of cyber threats, and strategic ways to address them. Steve shares insights on cyber warfare's impact on various sectors, from espionage and sabotage to operational tactics. He emphasizes the importance of risk assessment, the utility of frameworks like the MITRE ATT&CK framework, and approaches to security hygiene. The conversation provides a comprehensive look at how businesses can enhance their cybersecurity measures to safeguard against advanced threats.

(00:00) - Interview with Steve Winterfeld
(01:10) - Understanding Cyber Warfare
(05:41) - Impact on Commercial Sector
(13:01) - Strategic, Operational, and Tactical Perspectives
(17:27) - Risk Management and Mitigation
(25:48) - Securing Supply Chains and Crisis Management
(30:36) - Validation Exercises and Technical Debt
(34:47) - Cybersecurity for Smaller Companies
(36:49) - Consulting Opportunities in Cybersecurity
(51:41) - Resources for Consultants

Bridging the Cybersecurity Gap: From Tech Rooms to Boardrooms | Interview with Paul C Dwyer

Dejan Kosutic — Tue, 04 Nov 2025 13:30:00 +0100

In this episode of the Secure and Simple Podcast, Dejan Kosutic, CEO of Advisera, interviews Paul C Dwyer, founder and CEO of Cyber Risk International and president of the ICTTF. They discuss digital resilience from a business and strategic standpoint, the role of company boards in cybersecurity, and how to effectively bridge the communication gap between technical experts and business leaders. Paul shares insights from his extensive 30-year career across military, law enforcement, and business sectors, emphasizing the importance of aligning cybersecurity and business strategies, understanding the core business, and enhancing communication skills among cybersecurity professionals to engage effectively with board members.

(00:00) - Interview Paul C Dwyer
(01:55) - Communication Gaps in Cybersecurity
(03:00) - Importance of Leadership in Cybersecurity
(07:17) - Building Trust and Rapport
(09:47) - Soft Skills and People Skills
(18:09) - Connecting Cybersecurity with Business Strategy
(23:58) - Understanding Resilience and Cybersecurity
(28:07) - Disaster Recovery and Business Continuity
(33:05) - Integrating Cyber Risk into Enterprise Risk Management
(39:21) - Supply Chain Security and Resilience
(44:58) - Effective Communication with the Board
(49:38) - Resources for Consultants

Mastering Integrated ISO Management Systems | Interview with Jim Moran

Dejan Kosutic — Tue, 21 Oct 2025 13:30:00 +0200

In this episode of Secure and Simple Podcast, hosted by Dejan Kosutic, we are joined by Jim Moran, founder of Simplify ISO and member of the ISO Committee 280. With over 30 years of experience in consulting and various ISO standards, Jim shares his insights on the High-level Structure (HLS) of ISO management standards and the integration of various ISO standards into a cohesive management system. This episode covers strategies for merging ISO 9001, ISO 27001, and other standards, the benefits of HLS for integrated management systems, the importance of executive involvement, and recent updates to ISO 9001. Ideal for consultants, CISOs, and cybersecurity professionals, this episode provides practical tips and expertise on effectively implementing integrated management systems.

(00:00) - Interview with Jim Moran
(01:49) - Understanding High-Level Structure (HLS)
(11:30) - The Role of Annexes in ISO Standards
(15:22) - Integrated Management Systems in Practice
(22:38) - Documenting Integrated Management Systems
(27:07) - Integrating Management Reviews
(35:42) - Starting with One Standard vs. Multiple Standards
(39:12) - Changes in ISO 9001 and Other Standards
(43:17) - Future Trends: AI and Cybersecurity

Volunteer Work in Cybersecurity Nonprofits | Interview with Aruneesh Salhotra

Dejan Kosutic — Tue, 07 Oct 2025 13:30:00 +0200

Join Dejan Kosutic, CEO of Advisera, on the Secure and Simple Podcast as he delves into the importance of cybersecurity NGOs with expert guest Aruneesh Salhotra. Explore the impact of organizations like OWASP and the Eclipse Foundation on global cybersecurity standards, the benefits of volunteering in these NGOs, and the influence of these nonprofits on government policies. Learn about Aruneesh’s involvement with projects like OWASP AI Exchange and AI BOM, and gain insights on how consultants and CISOs can leverage these organizations for professional growth and thought leadership.

(00:00) - Interview with Aruneesh Salhotra
(02:42) - Differences Between Cybersecurity NGOs
(04:55) - Governance-Oriented Cybersecurity NGOs
(06:19) - Educational Initiatives in Cybersecurity
(06:54) - OWASP AI Exchange and Its Impact
(13:51) - Volunteering in Cybersecurity NGOs
(25:45) - Aruneesh's Involvement in OWASP Projects
(34:43) - Resources for Consultants

Building a Business-Aligned Cybersecurity Strategy | Interview with Thom Langford

Dejan Kosutic — Tue, 23 Sep 2025 13:30:00 +0200

In this episode, Dejan Kosutic, CEO at Advisera, chats with Thom Langford, CTO of the EMEA region at Rapid7 and a director at (TL)2 Security. Thom shares invaluable insights from his 30-year career in cybersecurity, focusing on creating a business-aligned cybersecurity strategy and building a cybersecurity culture. Learn why understanding your business is crucial for effective cybersecurity, how to integrate security without hindering business operations, and ways to leverage cybersecurity as a competitive advantage. Thom also discusses the importance of risk management and how to effectively communicate cybersecurity needs to senior leadership.

(00:00) - Interview with Thom Langford
(01:18) - Understanding Cybersecurity Strategy
(04:00) - Implementing Effective Cybersecurity Measures
(08:56) - Risk Management in Cybersecurity
(17:02) - Cybersecurity as a Competitive Advantage
(28:31) - Security Professionals' Role in Business
(30:13) - People-Centered Security
(33:58) - Effective Training Strategies
(37:49) - Creating a Security Culture
(42:01) - The Power of Storytelling and Humor
(51:53) - Resources for Consultants

Demystifying Corporate Governance With ISO 37000 | Interview with George Kesteven

Dejan Kosutic — Tue, 09 Sep 2025 13:30:00 +0200

In this episode of the Secure and Simple podcast, host Dejan Kosutic interviews George Kesteven, CEO of Frontex, who shares his experience in corporate governance. They discuss the critical importance of proper documentation and knowledge management in organizations for effective governance and compliance. The conversation covers the fundamentals of ISO 37000, how it helps organizations meet their governance objectives, and the distinctions between governance and management. They also explore how consultants can leverage ISO 37000 to assist organizations in achieving well-defined and structured governance systems.

(00:00) - Interview with George Kesteven
(01:14) - The Importance of Governance and Compliance
(04:05) - Corporate Governance Management Systems Explained
(07:18) - ISO 37000: Principles and Applications
(14:26) - Governance vs. Management
(18:21) - Consultants' Role in Governance
(22:41) - The Value of Proper Documentation
(32:00) - ISO 37000: Starting Points for Consultants
(36:18) - Measuring Governance with ISO 37004
(38:44) - ESG and Corporate Governance
(42:13) - Resources for Consultants

U.S. vs International and European Cybersecurity Standards | Interview with John Verry

Dejan Kosutic — Tue, 26 Aug 2025 13:30:00 +0200

In this episode, host Dejan Kosutic, CEO of Advisera, welcomes John Verry, Managing Director at CBIZ Pivot Point Security consulting company. With over 25 years of experience and managing more than a thousand clients, John shares his immense expertise in various cybersecurity frameworks, including ISO 27001, CMMC, HIPAA, and HITRUST. The discussion delves deep into the complexities and opportunities within cybersecurity governance, the nuances of different frameworks (especially ISO 27001 and HITRUST), and the impact of AI and privacy regulations. Whether you're a consultant, CISO, or cybersecurity professional, this episode has valuable insights to help you navigate the ever-evolving landscape of cybersecurity compliance.

(00:00) - Interview with John Verry
(00:15) - Meet the Guest: John Verry
(01:10) - Comparing Cybersecurity Frameworks
(05:12) - The Impact of AI and Other Frameworks
(07:46) - HITRUST and Its Market
(12:00) - HIPAA vs. HITRUST
(14:45) - ISO 27001 vs. SOC 2 in the US Market
(17:27) - Working with European Clients
(24:35) - Navigating Privacy Laws in the US and Europe
(29:20) - The Role of AI in Consulting
(40:13) - Resources for Consultants

Best Practices for Writing Policies and Procedures | Interview with Carlos Cruz

Dejan Kosutic — Tue, 12 Aug 2025 13:30:00 +0200

In this episode of the Secure and Simple Podcast, host Dejan Kosutic interviews Carlos Cruz, founder of Metanoia Consulting in Portugal. They discuss essential best practices for creating and managing policies, procedures, plans, and other documents for compliance with ISO standards and cybersecurity regulations. Carlos shares insights on the distinction between procedures and work instructions, the importance of writing clear and concise documents, and the challenges of getting employees to adopt new procedures. They also cover the importance of templates, techniques for ensuring documents reflect current practices, and strategies for addressing resistance to new documents. This episode is a must-watch for consultants, CISOs, and other cybersecurity professionals looking to streamline their documentation process.

(00:00) - Interview with Carlos Cruz
(01:55) - Types of Documents: Policies, Procedures, and Work Instructions
(11:51) - The Importance of Short and Focused Documents
(21:46) - Structuring Documents for Clarity and Compliance
(33:34) - Adapting Documents to Client Needs
(39:31) - The Importance of Templates for Writing Documents
(43:58) - Deciding What to Document
(45:50) - The Roles in Document Creation
(01:15:04) - Common Mistakes in Document Writing
(01:21:39) - Resources for Consultants

The Journey and Insights of a Successful Fractional CISO | Interview with Terry Ziemniak

Dejan Kosutic — Tue, 29 Jul 2025 13:30:00 +0200

In this episode of the Secure and Simple Podcast, we sit down with Terry Ziemniak, an experienced fractional CISO with over a decade in the field. Terry shares his unique career journey from traditional cybersecurity roles to becoming a trusted fractional CISO. We discuss the key differences between full-time and fractional CISOs, how to balance multiple clients, and the importance of aligning cybersecurity with business goals. Terry also provides valuable insights on the essentials of well-written security policies, the crossover between AI governance and cybersecurity, and tips for aspiring fractional CISOs. Join us for a deep dive into the world of fractional cybersecurity leadership and learn how to navigate and succeed in this growing field.

(00:00) - Interview with Terry Ziemniak
(02:28) - The Value of Business Alignment in Cybersecurity
(11:20) - Understanding the Role of a Fractional CISO
(18:29) - Educating Stakeholders on Cybersecurity
(23:13) - Finding Allies in the Organization
(25:42) - Importance of Well-Written Security Policies
(29:48) - Market Opportunities for Fractional CISOs
(31:26) - Challenges and Strategies for Fractional CISOs
(38:24) - AI Governance and Cybersecurity
(45:05) - Future of the CISO Role
(48:34) - Resources for Consultants

ISO-as-a-Service and AI: Innovation in Consultancy | Interview with Alexander Jaber

Tue, 15 Jul 2025 13:30:00 +0200

In this episode of the Secure and Simple Podcast, host Dejan Kosutic interviews Alexander Jaber, CEO of Compliant Business Solutions GmbH, a consulting company from Germany. They discuss ISO 27001 as a service, an innovative approach that combines consulting, policy writing, software, and certification into a cohesive package. Alexander shares insights on the consulting business, the importance of building client trust, the impact of AI on consultancy, and the future of compliance. Tune in to learn about the challenges and advantages of this unique service model and how AI could transform the industry.

(00:00) - Interview with Alexander Jaber
(05:01) - ISO 27001 as a Service Explained
(12:57) - Customer Collaboration and Trust
(19:26) - Importance of Using Software
(20:39) - Service Relevance for Different Company Sizes
(22:16) - Pricing Model
(25:51) - Impact of AI on Compliance
(29:23) - Future of Consultants in an AI-Driven World
(34:17) - AI Agents in Compliance
(39:39) - Resources for Consultants

Role of EU Cybersecurity Bodies and How to Cooperate With Them | Interview with Brian Honan

Dejan Kosutic — Tue, 01 Jul 2025 11:11:00 +0200

In this episode of the Secure and Simple Podcast, host Dejan Kosutic interviews Brian Honan, the CEO of BH Consulting, to discuss the evolving landscape of cybersecurity and its governance, particularly in the EU. Brian shares insights on the role of European cybersecurity bodies like ENISA and the importance of cybersecurity in business operations. The discussion covers how to effectively communicate cybersecurity concerns to non-technical stakeholders, tips for building a successful consultancy, and the potential impact of new regulations like NIS2 and DORA on the industry. Learn about the resources and tools available for consultants on the ENISA website and how collaboration with national and EU bodies can enhance cybersecurity efforts.

(00:00) - Interview with Brian Honan
(05:21) - European Cybersecurity Organizations and Their Roles
(12:49) - Consulting and EU Cybersecurity Resources
(18:11) - Engaging with National and EU Cybersecurity Bodies
(25:38) - The Role of Cyber Ireland
(27:54) - Government Grants and Support
(29:50) - Consultant's Role in Government Policy
(31:40) - Translating Cybersecurity for Businesses
(37:15) - Competitive Advantage Through Cybersecurity
(43:52) - Opportunities in Cybersecurity Regulations
(51:04) - Resources for Consultants

Coaching as a Service for Human-Centric Cybersecurity | Interview with Dominic Vogel

Dejan Kosutic — Tue, 17 Jun 2025 13:30:00 +0200

In this episode of the Secure and Simple Podcast, host Dejan Kosutic sits down with Dominic "Dom" Vogel, president of Vogel Cyber Leadership and Coaching. Dom shares his unique journey from traditional cybersecurity consulting to a more human-focused coaching approach. He emphasizes the importance of building strong, empathetic relationships within tech teams and improving internal branding. Dom also discusses the value of integrating cybersecurity strategies with business goals and how a human-centric methodology can lead to more meaningful and sustainable change in organizations. With insights into his coaching methods and client success stories, this episode provides actionable advice for cybersecurity professionals, IT leaders, and consultants looking to enhance their leadership and coaching skills.

(00:00) - Interview with Dominic Vogel
(02:40) - Human-Centric Approach to Cybersecurity Coaching
(04:25) - Coaching Success Stories
(14:55) - The Importance of Internal Branding
(19:46) - Cybersecurity Leadership in Small Organizations
(24:08) - Aligning Cybersecurity with Business Goals
(29:33) - Building Sustainable Client Relationships
(31:26) - Value-Based Pricing in Consulting
(34:47) - The Importance of Saying No
(37:20) - Opportunities in Small and Mid-Sized Businesses
(40:13) - Leveraging Speaking Engagements for Leads
(43:23) - The Role of AI in Consulting
(47:31) - Resources for Consultants

Next-level Consulting: Marketing & AI Governance Opportunities | Interview with Tudor Galos

Dejan Kosutic — Tue, 03 Jun 2025 13:30:00 +0200

In this episode of the Secure and Simple Podcast, we delve into the secrets of becoming a subject matter expert and thriving as a consultant. Our special guest, Tudor Galos, shares his transition from a marketing role at Microsoft to establishing his AI and GDPR consultancy. We explore the power of providing valuable content, maintaining positive client experiences, and navigating the growing field of AI governance. Packed with insights on marketing strategies, building trust, and dominating your niche, this episode is a must-watch for cybersecurity (and other) consultants.

(00:00) - Interview with Tudor Galos
(01:11) - Transition from Corporate to Entrepreneurship
(03:40) - Offering Free Consultations to Build a Brand
(07:48) - Focusing on Small and Medium-Sized Clients
(12:20) - Building Trust and Securing Clients
(20:45) - The Importance of Specialization
(24:37) - Expanding into AI Governance
(35:05) - Pricing Strategies for Consultants
(37:45) - The Future of Consulting in the AI Era
(42:23) - Advice for Aspiring Consultants
(44:42) - Resources for Consultants

How to Scale Cybersecurity Consultancy | Interview with Bevan Lane

Dejan Kosutic — Tue, 20 May 2025 13:30:00 +0200

In this episode of the Secure and Simple Podcast, host Dejan Kosutic speaks with Bevan Lane, CEO of InfoSec Advisory Group. Bevan shares his journey from starting as an independent contractor to building a successful cybersecurity consultancy with offices in South Africa and London, and clients across five continents. Learn about his approach to scaling the business, including hiring passionate young talent, leveraging automation, and adapting to industry changes. Bevan also discusses the importance of balancing work and family life and provides valuable advice for aspiring consultants. Stay tuned for insights on the future of cybersecurity consulting and more.

(00:00) - Interview with Bevan Lane
(03:11) - Hiring and Training the Right People
(06:26) - Mentorship and Structured Training
(09:34) - Challenges of Retaining Talent
(10:55) - CEO's Role and Company Growth Strategy
(14:22) - Impact of AI on Consulting and Auditing
(17:49) - Finding and Partnering with Clients
(22:45) - Leveraging LinkedIn for Business Growth
(27:02) - Challenges in Consultancy
(30:29) - Balancing Work and Personal Life
(35:23) - Future of Consulting and Auditing
(40:27) - Advice for Aspiring Consultants
(42:54) - Resources for Consultants

Unlocking Business Value From NIS2: The Consultant’s Role | Interview with Philippe Cornette

Dejan Kosutic — Tue, 06 May 2025 13:30:00 +0200

In this episode of the Secure and Simple Podcast, host Dejan Kosutic interviews Philippe Cornette, an interim CISO and founding partner at DigiSôter consultancy, to discuss the challenges and opportunities in cybersecurity consulting. They delve into the importance of aligning cybersecurity projects with business value, the evolving nature of cybersecurity frameworks like NIS2, and the critical skills consultants need to succeed. Philippe shares his journey from working as an employee for over two decades to becoming a consultant and offers valuable insights into how consultants can make a significant impact in this ever-changing field.

(00:00) - Interview with Philippe Cornette
(03:33) - The Role of a Chief Troubleshoot Officer
(05:15) - Understanding NIS2 Directive
(09:35) - Aligning Business with Cybersecurity
(13:38) - The Importance of Business Risk Analysis
(15:44) - Challenges in IT and OT Convergence
(17:02) - Consultant's Role in Cybersecurity Projects
(26:41) - Expertise and Change Management in Cybersecurity
(29:22) - Navigating EU Regulations
(33:04) - Consulting Opportunities in Cybersecurity
(36:05) - The Future of Consulting with AI
(41:40) - CISO as a Service Explained
(47:35) - Competing in the Consulting Market
(56:23) - Resources for Consultants

Understanding the EU Electronic Evidence Package | Interview with Cristos Velasco

Dejan Kosutic — Tue, 22 Apr 2025 13:30:00 +0200

In this episode of the Secure and Simple Podcast, host Dejan Kosutic welcomes Cristos Velasco, an independent consultant and associate professor specializing in cyber law, cybercrime, cybersecurity, and AI. They discuss the new EU electronic evidence package published in August 2023 and its enforcement in 2026, diving into the regulation, the directive, and its implications for law enforcement and service providers. Cristos shares his journey into consultancy, the significance of electronic evidence and digital forensics, and the challenges presented by rapidly changing technologies and legislation. They also explore the benefits for companies preparing for these new regulations and offer advice for aspiring consultants in the cybersecurity field.

(00:00) - Interview with Cristos Velasco
(01:05) - Cristos Velasco's Career Journey
(03:10) - Understanding Electronic Evidence
(06:11) - Challenges in Preserving Blockchain Evidence
(09:01) - Upcoming EU Electronic Evidence Package
(11:55) - Preparing for the New EU Package
(18:48) - Digital Forensics vs. Electronic Evidence
(20:57) - Freezing Digital Evidence: Importance and Challenges
(22:35) - Legal Complexities in Data Retention and Preservation
(24:35) - Technical and Organizational Aspects of Evidence Preservation
(31:51) - Chain of Custody in Digital Evidence
(38:40) - Consulting and Training in Cybersecurity
(45:02) - Resources for Consultants

Leveraging Online Courses for Consulting Success | Interview with Richea Perry

Dejan Kosutic — Tue, 08 Apr 2025 22:23:33 +0200

In this episode of the Secure and Simple Podcast, host Dejan Kosutic welcomes independent cybersecurity consultant and Cyber JA podcast host, Richea Perry. Richea shares his journey from facing job loss during COVID-19 to becoming a successful consultant by leveraging online courses on platforms like Udemy. He discusses the importance of building a personal brand, creating valuable content, and how networking on LinkedIn and other platforms can lead to consulting opportunities. Richea also provides insights into the use of AI in course creation, effective communication skills, and the future of online education in cybersecurity. Tune in to learn best practices for building a portfolio of online courses and using them to support your consulting practice.

(00:00) - Interview with Richea Perry
(01:10) - Journey to Becoming a Consultant
(04:15) - Transition from Technical to Consulting
(06:25) - Starting with Udemy Courses
(10:43) - Developing Course Content
(20:18) - Using AI in Course Creation
(23:24) - Recording Courses Efficiently
(26:25) - Editing Tools
(28:13) - Promoting Your Courses
(31:50) - Monetizing and Business Model
(34:40) - Choosing the Right Platform
(36:35) - Future of Online Training and AI
(41:04) - Essential Skills for Consultants
(45:22) - Final Recommendations
(48:28) - Additional Resources for Consultants

Promoting Consulting Business Through Content Marketing | Interview with Punit Bhatia

Dejan Kosutic — Tue, 08 Apr 2025 22:05:31 +0200

In this episode of the Secure and Simple Podcast, host Dejan Kosutic interviews Punit Bhatia, founder of FIT4Privacy Consulting Company, author of 4 books on GDPR, and host of the FIT4Privacy podcast. Punit shares his journey from working at a bank to becoming a leading consultant in privacy and AI governance. He discusses the importance of content marketing, personal branding, and consistency in building a consultancy business. Punit also provides insights into how creating expert materials, publishing books, speaking at events, and maintaining a presence on platforms like YouTube and LinkedIn have contributed to his success. Tune in to learn best practices for promoting your consultancy and establishing a strong professional network.

(00:00) - Interview with Punit Bhatia
(01:02) - Starting a Consulting Career: Punit's Journey
(03:47) - The Freedom of Being an Independent Consultant
(04:36) - Building an International Clientele
(07:33) - Visibility and Content Marketing Strategies
(13:02) - Effective Use of Social Media Channels
(18:14) - The Podcast Journey
(23:21) - Leveraging Content for Business
(25:49) - The Role of Books in Brand Building
(27:39) - The Importance of Consistency
(34:53) - Expanding Expertise to AI
(36:45) - Future of AI and Privacy Standards
(39:56) - Final Thoughts and Recommendations
(41:13) - Useful Resources for Consultants

Trends in ISO Standards: Certification Body Perspective | Interview with Tom Wheat

Dejan Kosutic — Tue, 08 Apr 2025 17:38:26 +0200

In this insightful episode of the Secure and Simple Podcast, host Dejan Kosutic discusses the evolving landscape of standards with Tom Wheat, UK Country Manager at PJR. They delve into the importance of ISO 27001 as the benchmark for global information security, the internal processes within certification bodies, and the value certification bodies can add beyond just issuing certificates. The discussion also covers the role of consultants, the competitive certification market, the impacts of AI, and key recommendations for consultants preparing clients for certification. Tune in for valuable insights on ensuring continuous improvement, compliance, and the future of cybersecurity certification.

(00:00) - Interview with Tom Wheat
(02:10) - Tom's Journey: From Consultant to Certification Manager
(05:36) - The Importance of ISO 27001
(07:51) - Trends in Certification and Compliance
(13:52) - Behind the Scenes of Certification Bodies
(22:18) - The Value of Certification Bodies
(24:55) - Auditors and Best Practices
(28:07) - Consultants in the Certification Process
(30:14) - Handling Non-Conformities and Appeals
(32:41) - Competing in the Certification Market
(36:42) - The Future of Certification Bodies
(39:13) - AI and the Future of Compliance
(43:13) - Top Recommendations for Consultants
(45:22) - Conclusion and Resources

How to Combine ISO 27001 and GDPR | Interview with Luigi Viscione

Dejan Kosutic — Tue, 08 Apr 2025 17:22:14 +0200

This episode features Luigi Viscione, CEO and Founder of Micsar, a seasoned consultant with a decade of experience in IT security and data protection. Luigi discusses the intersection of privacy and cybersecurity, the challenges and benefits of being a consultant, as well as the importance of integrating multiple security frameworks like GDPR and ISO 27001. Gain insights on how to streamline processes, secure client buy-in, and manage large-scale implementations effectively. Don't miss Luigi's experiences on the future of AI in consultancy and how it can influence the cybersecurity landscape.

Links from the episode:
- Conformio software to streamline and scale ISO 27001 implementation and maintenance for your clients: https://advisera.co/Conformio-software
- White label documentation toolkits for NIS2, DORA, ISO 27001, and other ISO standards to create all the required documents for your clients: https://advisera.co/page-all-toolkits
- Accredited Lead Auditor and Lead Implementer courses for various standards and frameworks to show your expertize to potential clients: https://advisera.co/Consultant-Courses
- Company Training Academy with numerous videos for NIS2, DORA, ISO 27001, and other frameworks to organize training and awareness programs for your client’s workforce: https://advisera.co/page-Company-Training-Account

(00:00) - Interview with Luigi Viscione
(01:27) - Starting a Consulting Business
(03:10) - Combining Cybersecurity and Privacy
(05:16) - Implementing ISO 27001 and GDPR
(07:07) - Integrated Risk Management
(10:47) - Handling Security Incidents
(12:27) - Client Reactions to Integrated Approaches
(16:23) - Gaining Senior Management Support
(28:41) - Balancing Implementation and Maintenance
(33:31) - Managing Multiple Frameworks
(40:28) - Future of AI in Consulting
(47:14) - Consultancy Evolution and Key Takeaways
(50:24) - Conclusion and Resources

Trends with ISO 27001, NIS2, and Supplier Security | Interview with René Matthiassen

Dejan Kosutic — Tue, 08 Apr 2025 16:54:51 +0200

In this episode of the Secure and Simple Podcast, host Dejan Kosutic is joined by Rene Matthiassen, a senior security consultant and partner at Front Door Security. With 30 years of experience in cybersecurity frameworks, Rene discusses the importance of tailored security frameworks, particularly ISO 27001, and how they benefit companies and suppliers under NIS2 scope. They delve into Rene’s journey from network engineering to consulting, the process behind developing security standards, and practical steps for managing cybersecurity among suppliers. The conversation also touches on the increasing importance of operational technology security frameworks like IEC 62443 and provides a forecast for the evolution of cybersecurity compliance in the digital decade.

(00:00) - Interview with René Matthiassen
(00:19) - Meet Our Guest: Rene Matthiassen
(02:35) - Transitioning from Technical to Governance
(04:38) - Developing ISO 27001 Standards
(06:15) - The Democratic Process of Standardization
(07:53) - Transposing NIS2 in Denmark
(11:10) - ISO 27001 and NIS2: A Symbiotic Relationship
(18:07) - Supply Chain Security and Compliance
(24:25) - Handling Supplier Disruptions
(26:56) - Creating Effective Security Contracts
(30:10) - Supplier's Perspective on Compliance
(36:40) - Navigating the Competitive Consulting Market
(39:39) - Operational Technology Security Standards
(42:26) - Future of Cybersecurity Compliance
(46:34) - Conclusion and Resources for Consultants

How to Become a Successful Consultant | Interview with Carlos Cruz

Dejan Kosutic — Tue, 08 Apr 2025 16:10:41 +0200

In this episode of Secure and Simple Podcast, host Dejan Kosutic interviews Carlos Cruz, founder of Metanoia and ISO 9001 & ISO 14001 expert at Advisera. Carlos shares his journey in the consulting business, starting from the 1990s, and provides valuable insights on the do's and don'ts of building a successful consulting career. Learn how Carlos used writing, training, and strategic connections to grow his business, and how the consulting landscape has changed over the decades. The discussion also touches on the role of AI in consulting and offers practical advice for new consultants. Don't miss this opportunity to learn from Carlos's extensive experience in the consulting field.

(00:00) - Audio 1001 Interview Carlos Cruz
(00:19) - Meet Carlos Cruz: A Veteran Consultant
(01:42) - Starting a Consulting Business in the 1990s
(03:20) - The Importance of Writing and Blogging
(06:07) - Connecting Quality Management with Strategy
(12:01) - Differentiation and Client Satisfaction
(28:12) - Promoting Imperfect Competition
(29:59) - Understanding Customer Perception
(31:41) - Finding Your Niche as a Consultant
(33:43) - Working with Japanese Companies
(37:44) - Lessons from Bad Consultants
(44:23) - The Role of Training and Auditing
(48:25) - The Evolution of Consulting
(51:15) - Future of Consulting with AI
(54:34) - Top Tips for Consultants
(58:34) - Conclusion and Resources