Secure & Simple — Podcast for Consultants and CISOs on Cybersecurity Governance and Compliance

Dejan Kosutic

“Secure & Simple” demystifies governance and compliance challenges faced by CISOs, consultants, and other cybersecurity professionals. The podcast is hosted by Dejan Kosutic, an expert in cybersecurity governance, ISO 27001, NIS2, and DORA. The episodes present topics in an easy-to-understand way and provide you with insight you won’t be able to find elsewhere. To provide comments, suggest topics for the next episodes, or express your interest in participating in the show, contact us at podcast@advisera.com. Learn more about ISO 27001, NIS2, and DORA at https://advisera.com.

  1. 30 июн.

    How CISOs Should Talk to Corporate Boards | Interview with Michelle Drolet

    In this Secure and Simple Podcast episode, host Dejan Kosutic (Advisera) interviews Michelle Drolet, CEO and founder of Towerwall, about communicating cybersecurity to corporate boards. Drolet says boards often don’t know what questions to ask, so CISOs should drive the agenda by focusing on incident impact, business risk, and alignment to strategic initiatives rather than vulnerabilities or technical tools. She recommends concise, ROI- and compliance-oriented metrics tied to dollars-and-cents outcomes, limiting “blast radius,” and protecting critical data, while avoiding overly detailed dashboards. She emphasizes having a cybersecurity advocate on the board, running interactive tabletop exercises, addressing cyber as a business enabler affecting sales, insurance, and vendor risk, and using frameworks and regulations as measurable KPIs. The discussion also covers AI adoption with guardrails, CISO reporting lines, and future pressures like quantum planning. Links from the episode: - Conformio software to streamline and scale ISO 27001 implementation and maintenance for your clients: https://advisera.co/Conformio-software- White label documentation toolkits for NIS2, DORA, ISO 27001, and other ISO standards to create all the required documents for your clients: https://advisera.co/page-all-toolkits - Accredited Lead Auditor and Lead Implementer courses for various standards and frameworks to show your expertise to potential clients: https://advisera.co/Consultant-Courses- Company Training Academy with numerous videos for NIS2, DORA, ISO 27001, and other frameworks to organize training and awareness programs for your client’s workforce: https://advisera.co/page-Company-Training-Account  - Beginner's Course for ISO, Cybersecurity, and AI Consultants: https://www.youtube.com/playlist?list=PLHwD3nQun7caKFq80LxNNYKIabATlyA7t- How to Grow Your Cybersecurity, ISO, or AI Consultancy: Advanced Course:https://advisera.co/GrowYourConsultancyTraining  (00:00) - Interview with Michelle Drolet (00:55) - Driving The Board Agenda (02:31) - Build Program Around Strategy (05:06) - Tabletop Exercises For Engagement (08:01) - Finding A Board Advocate (09:34) - Cyber As Business Enabler (13:36) - Security Reporting and Metrics (19:39) - Answering Are We Secure (26:01) - Frameworks And Compliance As KPIs (34:18) - Future CISO Quantum Planning (36:10) - vCISO Lessons And Board Comms (40:26) - Resources for Security Professionals

    42 мин.
  2. 16 июн.

    Why Conventional Cybersecurity Won’t Protect AI? | Interview with Hugo Huang

    In this Secure & Simple Podcast episode, host Dejan Kosutic (Advisera) talks with Hugo Huang, Product Director at Canonical and author of a Harvard Business Review article, about why conventional cybersecurity tools and patching alone are insufficient for AI systems. Huang shares research conducted with Canonical, IDC, and Google Cloud, highlighting leaders’ concerns about shadow AI usage, opaque and costly AI agents, and securing new hardware like GPUs, IPUs, and TPUs. They discuss AI-specific threats such as data poisoning, adversarial prompting, and model inversion attacks. Huang argues for hardening architecture with confidential computing (e.g., Intel TDX, AMD SEV, Nvidia H100) and for managerial changes, including CEO-level ownership, HR planning for scarce AI-security talent, supplier strategy to avoid vendor lock-in, and using frameworks like NIST’s AI risk management framework to guide policies and governance. Links from the episode: - Conformio software to streamline and scale ISO 27001 implementation and maintenance for your clients: https://advisera.co/Conformio-software- White label documentation toolkits for NIS2, DORA, ISO 27001, and other ISO standards to create all the required documents for your clients: https://advisera.co/page-all-toolkits - Accredited Lead Auditor and Lead Implementer courses for various standards and frameworks to show your expertise to potential clients: https://advisera.co/Consultant-Courses- Company Training Academy with numerous videos for NIS2, DORA, ISO 27001, and other frameworks to organize training and awareness programs for your client’s workforce: https://advisera.co/page-Company-Training-Account  - Beginner's Course for ISO, Cybersecurity, and AI Consultants: https://www.youtube.com/playlist?list=PLHwD3nQun7caKFq80LxNNYKIabATlyA7t- How to Grow Your Cybersecurity, ISO, or AI Consultancy: Advanced Course:https://advisera.co/GrowYourConsultancyTraining  (00:00) - Interview with Hugo Huang (04:34) - Three Executive Fears (07:58) - New AI Attack Types (11:59) - Patching Is Not Enough (14:33) - Confidential Computing Basics (17:00) - TPUs Market Shift (19:46) - Management Must Change (28:26) - Security Protects Brand (33:34) - Suppliers Vendor Lock-in (41:31) - Advisera Resources

    43 мин.
  3. 2 июн.

    ISO 27001 Certification: What Will the Auditor Look For? | Interview with Aron Lange

    In this Secure & Simple Podcast episode, host Dejan Kosutic (CEO of Advisera) interviews Aron Lange, founder of GRC Lab and an ISO 27001 certification auditor, about what auditors look for in certification audits. Aron highlights common nonconformities and explains how auditors gather objective evidence through interviews, document review, and observation, emphasizing execution over paperwork. The conversation also covers auditor interpretation, challenging unsupported findings, risk-based control auditing, management-system vs security-posture certification, continual improvement, and the difference between nonconformities and opportunities for improvement. Links from the episode: - Conformio software to streamline and scale ISO 27001 implementation and maintenance for your clients: https://advisera.co/Conformio-software- White label documentation toolkits for NIS2, DORA, ISO 27001, and other ISO standards to create all the required documents for your clients: https://advisera.co/page-all-toolkits - Accredited Lead Auditor and Lead Implementer courses for various standards and frameworks to show your expertise to potential clients: https://advisera.co/Consultant-Courses- Company Training Academy with numerous videos for NIS2, DORA, ISO 27001, and other frameworks to organize training and awareness programs for your client’s workforce: https://advisera.co/page-Company-Training-Account  - Beginner's Course for ISO, Cybersecurity, and AI Consultants: https://www.youtube.com/playlist?list=PLHwD3nQun7caKFq80LxNNYKIabATlyA7t- How to Grow Your Cybersecurity, ISO, or AI Consultancy: Advanced Course:https://advisera.co/GrowYourConsultancyTraining  (00:00) - Interview with Aron Lange (01:09) - Top Nonconformities in Audits (04:20) - How Auditors Gather Evidence (11:55) - The Limits of Tools Based on SOC 2 (14:05) - Challenging Auditor Interpretations (16:48) - Disputing Nonconformities (19:38) - Problem with Generic Controls (23:07) - Certifying Management System (27:02) - Nonconformity vs Improvement (29:58) - Auditing vs Consulting (32:24) - Auditor Mindset and Trust (35:03) - Prep Tips and Wrap Up (36:30) - Resources for Consultants and CISOs

    38 мин.
  4. 19 мая

    Anthropic’s Mythos and the Future of Vulnerability Management | Interview with Thom Langford

    In this Secure and Simple Podcast episode, host Dejan Kosutic (CEO at Advisera) speaks with Thom Langford, CTO for the EMEA region at Rapid7, about Anthropic’s new AI model “Mythos” and its impact on cybersecurity. Langford argues that the fundamentals remain the same - discover, risk-contextualize, and patch - but the speed, scale, and volume of findings will surge, exposing immature vulnerability and patch-management programs. They explore continuous vulnerability monitoring tied to the SDLC, potential increases in breaches for less-prepared organizations, governance and arms-race concerns, changes to CISO scrutiny and responsibilities (including AI governance), impacts on budgets, and resilience as a differentiator. Links from the episode: - Conformio software to streamline and scale ISO 27001 implementation and maintenance for your clients: https://advisera.co/Conformio-software- White label documentation toolkits for NIS2, DORA, ISO 27001, and other ISO standards to create all the required documents for your clients: https://advisera.co/page-all-toolkits - Accredited Lead Auditor and Lead Implementer courses for various standards and frameworks to show your expertise to potential clients: https://advisera.co/Consultant-Courses- Company Training Academy with numerous videos for NIS2, DORA, ISO 27001, and other frameworks to organize training and awareness programs for your client’s workforce: https://advisera.co/page-Company-Training-Account  - Beginner's Course for ISO, Cybersecurity, and AI Consultants: https://www.youtube.com/playlist?list=PLHwD3nQun7caKFq80LxNNYKIabATlyA7t- How to Grow Your Cybersecurity, ISO, or AI Consultancy: Advanced Course:https://advisera.co/GrowYourConsultancyTraining  (00:00) - Interview with Thom Langford (01:01) - Mythos Hype or Reality? (04:42) - Speed Scale and Patch Basics (06:48) - Maturity Gap and Risk Context (10:16) - Continuous Exposure Management (12:19) - Unprepared Firms and Breach Risk (14:43) - Release Governance and Arms Race (18:29) - CISO Role Under Scrutiny (27:36) - Strategy, Budgets, and Resilience (33:49) - Industry Shifts and Human Loop (38:08) - CISO Prep Recommendations (40:04) - Resources for CISOs and Consultants

    41 мин.
  5. 5 мая

    What CISOs Must Do Now About Quantum? | Interview with Andrew Gault

    In this Secure and Simple Podcast episode, host Dejan Kosutic (CEO of Advisera) interviews Andrew Gault (CEO of ZeroTier) about how quantum computing could impact cybersecurity, especially encryption and identity. They explain key terms like post-quantum cryptography (PQC), Q-Day, cryptographically relevant quantum computers, and main threats, “harvest now, decrypt later” and “trust now, forge later.” Andrew outlines shifting timelines, citing U.S. CNSA 2.0 requiring quantum-resistant cryptography for new acquisitions after Jan 1, 2027, and broader conversion targets around 2029–2030, plus EU guidance aiming for critical sectors to be quantum resistant by ~2030 and others by 2035. They note PQC algorithms are standardized (e.g., NIST FIPS 203, ML-KEM), but the challenge is operational: inventory systems (“quantum bill of materials”), prioritize crown jewels, engage vendors, budget, and manage upgrades or mitigations for legacy systems, potentially using overlay networks. Links from the episode: - Conformio software to streamline and scale ISO 27001 implementation and maintenance for your clients: https://advisera.co/Conformio-software- White label documentation toolkits for NIS2, DORA, ISO 27001, and other ISO standards to create all the required documents for your clients: https://advisera.co/page-all-toolkits - Accredited Lead Auditor and Lead Implementer courses for various standards and frameworks to show your expertise to potential clients: https://advisera.co/Consultant-Courses- Company Training Academy with numerous videos for NIS2, DORA, ISO 27001, and other frameworks to organize training and awareness programs for your client’s workforce: https://advisera.co/page-Company-Training-Account  - Beginner's Course for ISO, Cybersecurity, and AI Consultants: https://www.youtube.com/playlist?list=PLHwD3nQun7caKFq80LxNNYKIabATlyA7t- How to Grow Your Cybersecurity, ISO, or AI Consultancy: Advanced Course:https://advisera.co/GrowYourConsultancyTraining  (00:00) - Interview with Andrew Gault (01:14) - Why Quantum Matters (04:05) - Quantum Terms Explained (06:05) - When Q Day Hits (07:00) - Deadlines and Industry Shifts (11:34) - NIST Approved Algorithms (14:35) - New Threat Models (16:34) - Why Companies Delay (20:30) - Quantum Bill of Materials (23:08) - Executive Priorities (28:49) - Vendor Roadmaps (30:31) - Customer Messaging Strategy (34:02) - CISO Role and Influence (35:37) - Modernization Opportunity (38:59) - Consulting Market Opportunity (40:47) - Action Plan and Wrap Up (42:23) - Resources for Consultants and CISOs

    44 мин.
  6. 21 апр.

    Continual Improvement, Nonconformities, and Corrective Actions | Interview with Carlos Cruz

    In this Secure and Simple Podcast episode, host Dejan Kosutic from Advisera interviews Carlos Cruz, founder of Metanoia and an ISO 9001/ISO 14001 expert, about continual improvement in ISO standards and how the concepts apply to cybersecurity. They explain continual improvement through the PDCA cycle, using data and Pareto analysis to focus on key issues, then performing root cause analysis with tools like the fishbone (Ishikawa) diagram and the 5 Whys to avoid stopping at “human error.” They define nonconformities, clarify the difference between corrections (e.g., restoring operations) and corrective actions (i.e., removing root causes to prevent recurrence), and discuss when root cause analysis is warranted, including high-impact or recurring cybersecurity incidents. They also cover documenting and tracking nonconformities via approaches like ticketing systems, consultant do’s and don’ts, and practical ways to motivate management by translating issues into business impact. Links from the episode: - Conformio software to streamline and scale ISO 27001 implementation and maintenance for your clients: https://advisera.co/Conformio-software- White label documentation toolkits for NIS2, DORA, ISO 27001, and other ISO standards to create all the required documents for your clients: https://advisera.co/page-all-toolkits - Accredited Lead Auditor and Lead Implementer courses for various standards and frameworks to show your expertise to potential clients: https://advisera.co/Consultant-Courses- Company Training Academy with numerous videos for NIS2, DORA, ISO 27001, and other frameworks to organize training and awareness programs for your client’s workforce: https://advisera.co/page-Company-Training-Account  - Beginner's Course for ISO, Cybersecurity, and AI Consultants: https://www.youtube.com/playlist?list=PLHwD3nQun7caKFq80LxNNYKIabATlyA7t- How to Grow Your Cybersecurity, ISO, or AI Consultancy: Advanced Course:https://advisera.co/GrowYourConsultancyTraining  (00:00) - Interview with Carlos Cruz on continual improvement (01:27) - PDCA and Continual Improvement (05:52) - Improvement Beyond Problems (08:22) - Nonconformities Explained (11:47) - When to Do Root Cause Analysis (15:19) - Pareto and Fishbone Methods (17:39) - Using the Five Whys Method (21:27) - Building Root Cause Culture (25:00) - Who Reports Nonconformities (29:27) - Corrections vs Corrective Actions (34:25) - Documenting Without Bureaucracy (40:32) - Consultants Do and Don'ts (47:02) - Selling Improvement to Management (50:00) - Top Tips for Continual Improvement (54:39) - Resources for Consultants and Security Officers

    56 мин.
  7. 7 апр.

    Cyber Ranges, Attack Simulations & AI: Proving Cyber Readiness | Interview with Lee Rossey

    In this Secure and Simple Podcast episode, host Dejan Kosutic (CEO of Advisera) speaks with Lee Rossey, CTO and co-founder of SimSpace, about why much cybersecurity training is becoming outdated as AI accelerates both threats and defensive stacks. Rossey explains “train like you fight” through realistic, hands-on, team-based cyber range exercises that emulate an organization’s environment, tools, background traffic, and real attack scenarios such as ransomware and lateral movement. They discuss how cyber ranges complement tabletop exercises, what must be most realistic (security tools, attacks, and traffic), who should participate (SOC, IT, business owners, and leadership), and what typically breaks first under pressure. The conversation covers metrics like time to detect/respond/recover, ROI, and tool rationalization, evolving ranges for cloud/OT and AI, and the need to validate and govern AI-infused security tools with trust and oversight. Links from the episode: - Conformio software to streamline and scale ISO 27001 implementation and maintenance for your clients: https://advisera.co/Conformio-software- White label documentation toolkits for NIS2, DORA, ISO 27001, and other ISO standards to create all the required documents for your clients: https://advisera.co/page-all-toolkits - Accredited Lead Auditor and Lead Implementer courses for various standards and frameworks to show your expertise to potential clients: https://advisera.co/Consultant-Courses- Company Training Academy with numerous videos for NIS2, DORA, ISO 27001, and other frameworks to organize training and awareness programs for your client’s workforce: https://advisera.co/page-Company-Training-Account  - Beginner's Course for ISO, Cybersecurity, and AI Consultants: https://www.youtube.com/playlist?list=PLHwD3nQun7caKFq80LxNNYKIabATlyA7t- How to Grow Your Cybersecurity, ISO, or AI Consultancy: Advanced Course:https://advisera.co/GrowYourConsultancyTraining  (00:00) - Interview with Lee Rossey (01:18) - Why Training Is Outdated (04:56) - What Is a Cyber Range (07:53) - Building Realistic Attacks (12:40) - Leadership Value and ROI (15:49) - Who Should Participate (19:53) - Senior Leaders in the Hot Seat (23:41) - Lessons From Debriefs (25:04) - Ranges Evolving With AI (30:33) - Preparing For A Cyber Range (32:15) - Measuring Exercise Results & Reporting (34:43) - Turning Findings Into Change (38:33) - AI Governance And Trust (41:39) - Regulations And Standards (45:41) - Resources for Consultants and Cybersecurity Professionals

    47 мин.
  8. 24 мар.

    AI Agents vs. AI Agents: The Future of Security Operations | Interview with Monzy Merza

    In this Secure and Simple Podcast episode, host Dejan Kosutic from Advisera interviews Monzy Merza, co-founder and CEO of Crogl, about how cybersecurity is shifting to an “agent versus agent” world where attackers task AI agents to run fast, low-cost, sophisticated campaigns without human approvals. Merza outlines core security operations activities—preparation/tooling, alert investigation, and response—and explains how AI is changing each, including AI SOC agents that automatically connect to multiple data sources, enrich alerts, run MITRE kill chain analysis, and produce investigation reports, as well as AI-driven response actions and documentation. They discuss when humans must remain in the loop for high-impact decisions, how organizations build trust through phased adoption with measurable use cases, why roles may shift from analysts to more security engineers, and governance needs like flexible integrations, model choice, and transparency in AI security tools. Links from the episode: - Conformio software to streamline and scale ISO 27001 implementation and maintenance for your clients: https://advisera.co/Conformio-software- White label documentation toolkits for NIS2, DORA, ISO 27001, and other ISO standards to create all the required documents for your clients: https://advisera.co/page-all-toolkits - Accredited Lead Auditor and Lead Implementer courses for various standards and frameworks to show your expertise to potential clients: https://advisera.co/Consultant-Courses- Company Training Academy with numerous videos for NIS2, DORA, ISO 27001, and other frameworks to organize training and awareness programs for your client’s workforce: https://advisera.co/page-Company-Training-Account  - Beginner's Course for ISO, Cybersecurity, and AI Consultants: https://www.youtube.com/playlist?list=PLHwD3nQun7caKFq80LxNNYKIabATlyA7t- How to Grow Your Cybersecurity, ISO, or AI Consultancy: Advanced Course:https://advisera.co/GrowYourConsultancyTraining - Crogl company https://crogl.com/- 2026 State of SecOps Report https://www.crogl.com/newsroom/state-of-secops-ai (00:00) - Interview with Monzy Merza (00:58) - Agent vs Agent Threats (03:22) - Three Phases of SecOps (05:53) - AI SOC Investigation Example (08:41) - Autonomy vs Human in the Loop (12:48) - Human Only Decisions (16:43) - Building Trust and Maturity (19:07) - Future Security Roles (24:24) - AI Change Wave (27:08) - Testing AI Maturity (29:25) - Governance Framework Gap (31:15) - Policy Meets Hallucinations (34:50) - Business Alignment Example (37:14) - Governance Requirements (41:57) - SOC Roles Reshaped (47:26) - Resources for Consultants and Cybersecurity Professionals

    49 мин.

Об этом подкасте

“Secure & Simple” demystifies governance and compliance challenges faced by CISOs, consultants, and other cybersecurity professionals. The podcast is hosted by Dejan Kosutic, an expert in cybersecurity governance, ISO 27001, NIS2, and DORA. The episodes present topics in an easy-to-understand way and provide you with insight you won’t be able to find elsewhere. To provide comments, suggest topics for the next episodes, or express your interest in participating in the show, contact us at podcast@advisera.com. Learn more about ISO 27001, NIS2, and DORA at https://advisera.com.

Вам может также понравиться