May 31 / Punit Bhatia and Tania Postil

ISO 27001


What does it really take for a company to be trusted with sensitive information in today’s hyper-connected world? With cyber threats growing and data privacy regulations tightening, organizations are under immense pressure to not just claim they are secure—but to prove it.


That’s where ISO 27001 comes in. As the gold standard for information security management, ISO 27001 helps organizations build a framework that ensures the confidentiality, integrity, and availability of their data. But what does implementing it actually look like? And why does it matter beyond just compliance?


In a recent episode of the Fit4Privacy Podcast, host Punit Bhatia sits down with ISO 27001 expert and lead auditor Tania Postil to explore these very questions. Drawing from years of experience in risk management and governance, Tania offers clear, actionable insights into how ISO 27001 empowers businesses to align people, processes, and technology—not just to tick boxes, but to genuinely build customer trust and drive business resilience.


If you're navigating the complex world of data protection or considering ISO 27001 certification, this conversation is packed with value you won’t want to miss.

Transcript of the Conversation

Punit 00:00 ISO 27001 is a standard that provides a framework for you to structure your information security practice within the organization. Now, how does ISO 27001 link to digital trust? Is there a training available for that? Yes, there is. We also provide it; Tania, one of my colleagues, also provides it. And how can you take advantage of this training? What does a training on ISO 27001 include? Or more broadly, what does 27001 include? Who is it for? All these are pertinent questions, and we are going to talk about these with an ISO 27000 expert who also plays the role of CISO and who is also an auditor. We are going to talk to Tania Postil, who is an expert in ISO 27001, a trainer in ISO 27001, an auditor, a CISO, and so on and so forth. Let's go and talk to Tania.

FIT4Privacy Introduction 01:04 Hello and welcome to the Fit4Privacy Podcast with Punit Bhatia. This is the podcast for those who care about their privacy. Here, your host, Punit Bhatia has conversations with industry leaders about their perspectives, ideas, and opinions relating to privacy, data protection, and related matters. Be aware that the views and opinions expressed in this podcast are not legal advice. Let us get started. 

Punit 01:33  So here we are with Tania Postil. Tania, welcome to Fit4Privacy Podcast. 

Tania 01:38 Thank you so much for having me. It's totally my pleasure. 

Punit 01:42
It's a pleasure to have you as well. For those who don't know, Tania and I have known each other for a long time. It goes back almost 15 years. We did an RMBA together. We've been in touch. We are on the board of ISACA Belgium. In fact, she's the one who nudged me into that board, and I'm very happy and grateful to her. And in ISACA we usually talk about digital trust. And digital trust is also a very hot topic or hot conversation point these days. So, Tania, why don't we start with: how would you define digital trust?

Tania 02:18
I love definitions. So, let's start indeed with a basic definition. Digital trust is the confidence users may have in the transactions, experience, reliability and privacy of a tool or a platform they are using. And now let's take a little bit more down-to-earth example. Have you been to Cuba any time in your life?

Punit 02:48
Not to Cuba, but I've been to Mexico. And I know where you are going, because when I was in Mexico, we were in a town called Tijuana, which is supposed to be, or ranked as, one of the top three places with the highest crime, depending on which ranking you pick up. So, I know where you're going, because it was scary and it was like, is this person right? Is this person right? So there was a real trust issue.

Tania 03:17 
Yes. And yet my example is slightly different.  

Punit 03:25 
Sure.  

Tania 03:25
So, what happens in Cuba is that they have two different exchange rates. So, we have just talked about the fact that digital trust is a confidence users may have in transactions within some kind of a platform. And here we're talking about money transactions. And we have two different exchange rates for the same currency, one being the government's official exchange rate, and another one being what you can get on the streets. And when you come as a tourist with your dollars or with your euros, you have a different exchange rate, whether you exchange them at the official low government rate, or whether you exchange them on the street, in the restaurants, at the street exchange rate. And this shows a certain disparity. You may have different trust, and you may have different levels of that trust. And first of all, let's touch upon a very unpopular subject. When we're talking about trust, are we talking rather about something very rational or something which is emotional? How do you think?

Punit 04:54
I think it's perceptional. It's neither rational nor emotional. It's a perception of risk, which is based on your other experiences. You hear stories about this website or this place or the product, and it's a combination of that which generates some emotion, and you think you are thinking rationally.

Tania 05:14
So yes, and we are coming to a very interesting phenomenon. Actually, two of them. First of all, there is a large part of non-rational, rather emotional, in trust in general and in digital trust in particular. I know this is not a popular opinion, but we'll come back on that later on. And second of all, just because you might be having a disparity in exchange rate, you might just as well have that disparity in implied and perceived digital trust. Because me as a company, I might want to look good and I try to project to the external world something like: I am innovative, I am secure, and I do my best to keep my assets available, all the information confidential, and so on. But what clients perceive, and this would be the perceived level of digital trust, might be that street level of exchange rate, which may, which will be completely different, and then it may be true or not true. Because up to now it still stays in emotional subjects, and we do not have tangible things, tangible data that would allow us to say we can indeed have that trust in one or another platform, we can indeed feel absolutely secure by dealing with one company, and so on. So, we can have those levels up to now, those absolutely non-rational ones, because we don't have any data, and that disparity may generate a lot of problems for the companies and even for the industries.

Punit 07:26
That does make sense, and I fully agree with you. A lot of digital trust is about the perception, and all the actions we take in privacy, security, compliance, risk management, audits are more about ensuring that we have made all the rational technical arrangements, process and governance arrangements, so that perception is enhanced or improved. And then there's an emotional connection, but it's a customer experience that we are talking about. And in that context, you want to add something, right?

Tania 08:01
Yes. Maybe just to add a little bit of drama to the subject. Have you noticed that there are different companies with board members who complain that they do not have clarity on what is information security, or what is data protection, or basically any other governance subject? Have you seen people like that?

Punit 08:59
It's common to see these experiences in some companies, because some people really don't understand this, because these are complex fields, and some people don't believe in it, and some people are there who are playing around this "I don't understand", so that the expert has to simplify and use the business-specific language to make them understand. And they also want to test us, saying: how ingrained or how business-centric is our philosophy or expertise?

Tania 09:02
So you see, there is a part of people who are decision makers who are still, and I don't say all of them, who are still taking the decisions based upon something often single-minded, meaning a single person issuing the opinion of an expert that they believe.

Punit 09:29
Yeah. And I think it's also to do with their, the way this psychology wants to play this game, because sometimes it's not to create mistrust. It's also sometimes to create anxiety amongst the experts. Are they really understanding? Are they really going to give me budget? Do they really know what I'm asking? And that game is played at the psychological level. Some people do that.

Tania 10:00
Okay. But then, when you know what the building blocks of your trade are, or of what you're building or what you're bringing as a service, as a consultant, you have the possibility to explain those building blocks easily to the board members, right?

Punit 10:19
Yes, we do. I think you do. I do. Every one of the good privacy consultants, security consultants, auditors, we have those clarified.

Tania 10:29
So it suddenly becomes tangible, or slightly more tangible, when we find the way to explain the building blocks of what is being built. So

Punit 10:44  
Yes  

Tania 10:45  
We're moving a little bit more to rational rather than emotional. 

Punit 10:52  
Yeah, I agree with you. And then as it becomes rational, what role does an auditor play in making, let's say, digital trust or the perception of digital trust real? 

Tania 11:11
The role. My God, there is so much to tell about that. So there is a concept which is called Fail Fast, Fail Forward.

Punit 11:21
Right?

Tania 11:22
Which is often used by IT startups, and which says that you need to be able to install a feedback loop which will give you enough information to update, innovate, improve and so on. And every time, if there is a mistake, or if there is a weak chain link, you prefer to find it out as soon as possible, correct? And move forward. So one of the feedback loops that we can install within information security and digital trust is using auditors, because those guys, they have a structured approach to everything documented, so they will be able to define what the building blocks are, what it is that is important for us for ISMS implementation, ISMS being information security management system, or for privacy implementation projects and so on. And by refining those building blocks, they will be able to compare them to best practices or to any other adequate benchmark, and they will be giving you a very detailed state of things. So that is the first level of feedback loop, which will allow you to get things better, more structured, improve on them, and go forward.

Punit 12:57
Absolutely. And I think in that context, when we talk about making things structured, making things rational, putting in a standard, there is a standard that we can talk about, which is ISO 27700, no, ISO 27001. 27701 is for privacy, but 27001 is for security aspects, information security specifically. And let's talk about that. How does that information security standard help, or what is it all about?

Tania 13:33
Thank you for that question. It is very dear to my heart. We have just talked about the fact that we need a feedback loop. We also talked about needing a rational approach to information security, and not just somebody telling us that you can trust me, it's all fine. So we need something which is standardized. We have a family of standards in regard to information security, which is the family of 27000, including 27001, which tells us how to manage things. And then, when we're talking about management, we say: here is a strategy, where we would like to arrive as a company, and here is the ecosystem within which we operate. And this ecosystem may have a certain impact on us. And then we say, and by the way, here are the things that we would like to protect, which are crucial to the objectives that we have defined in our strategy. And by doing this, you are not only capable of saying, oh look, I have a network, I will put in place a firewall; I have my servers, I will do my best to patch them regularly. What is regularly, we don't know. So finally, with that, you have a framework which you can adopt, which will push you to think: what is it that I would like to protect, and how would I like to protect it in the best possible way to reach my objectives as a company?

Punit 15:23
Yep. So essentially, ISO 27001 is a standard which allows you to structure your information management systems practice within the organization. And now, for the audience who are wondering why it is dear to your heart, or why you love talking about it: because you are a Certified Trainer on that topic.

Tania 15:48
Yes, indeed. I'm a Certified Trainer and I do talk about that and teach it. And this is not the primary reason. The primary reason is that we talk about a systematic approach in creating business. We talk about a systematic approach to monitoring governance, for pretty much everything, including marketing. And we suddenly forget that information security is part of the business. It is the way you are nowadays reaching your business objectives, and suddenly we come to this point when we realize that, first of all, information is the blood of the business. Second of all, nobody, or at least close to nobody, is doing business on paper nowadays. And thirdly, we need a strategy for that. And strategy is obviously the key word for both of us, because we're both alumni of an MBA and we know that if you fail to plan, you plan to fail.

Punit 17:04 
Yes, we do. And I think that's very rightly said. And let's maybe talk about the ISO 27000 training that you do. What is this training all about? What is included in an ISO 27001 training? 

Tania 17:20
First of all, before I say that, it answers the major requests of all sorts of businesses in regard to information security. Let me ask several questions. You may have something which is information security of a small company or of a bigger company. You have something which is information security of a company in the financial sector, in digital services, or in water production, or a corner restaurant close to your home, and all of them are dealing with information in one or another way. And some of them may suddenly realize that they don't want to find themselves in the press. Recently Elon Musk said that there was a massive, huge attack that the X platform has survived. For those who haven't heard, there was an outage for the X platform and a hacker group called Dark Storm Team claimed responsibility for that. And then what was communicated, and it was well communicated to all the users, is that it's been dealt with and that it is indeed a massive attack, which was the case. What was perceived by people with technical knowledge, they say, yeah, but that also happens every day. What's going on? The reason along the official storyline, and I haven't done any research or forensics on the subject myself, so I don't take either party, but there is an official side that said that was a massive attack. Rather emotional. And there is another side that said, look, guys, denial-of-service attacks happen pretty much every day, implying: what were the exact measures that you have taken to identify your primary assets and to protect them? So, when you are coming to the course, and I'm finally arriving at the answer to your question, when you are coming to the course, you are not learning about one or another specific control.
You are learning how to build a decent framework, which will be workable either for your specific company or, if you are coming as a consultant, to be able to recycle your knowledge and immortal away and build a robust information security framework for pretty much any company, be it a restaurant on the corner, or a hospital, or the X platform, which is not yet ISO 27001 certified.

Punit 20:31 
Makes sense. And now, in your view, who would benefit the most from a training of ISO 27000, let's say a lead implementer or a foundation training? 

Tania 20:43
I would say there are three types of potential clients. The first type of potential clients is obvious. You have technical professionals, and suddenly they realize that they're missing the helicopter view. What was happening 15 years ago when we were doing the RMBA: those guys were joining the RMBA program and during two years, or at least 18 months, they were trying to develop that strategic overview of the subject. I don't promise you to have the strategic overview of any business with a course of several evenings, but what I can give you is the way to build a strategic path from the objectives of your company or your client to how to reach those objectives for information security specifically. And this is the first type of clients that we may have: technical professionals. The second one, which is less evident but will become more evident as I speak. In the beginning, we talked about board members, executives that are not always having that clarity. And now let's imagine they call one technical specialist who has competence in networks. And he says to them, it's all fine. It's fine for you, but then protecting the perimeter might not be the only issue, because you might be having something outside of your perimeter in the DMZ, or you might be having completely different primary assets that you suddenly don't protect, and you might be having back doors with them. So in order to be able to assess the situation for their own company, executives with an already good strategy perspective, talking governance language, may join the course to be able to finally understand if their consultants are bullshitting them, or if they're quite okay. So that is another type of clients. Those two are major, but nevertheless there is a third one. And the third one is risk professionals, and less frequently IT audit professionals, that would like to take a look at how it is going on the implementation side.
And then obviously it creates both experiences for them: they're becoming more agile in doing their job as a GRC professional within a technical subject, or as an auditor. And at the same time they would be capable of taking a side look at things. And this would obviously facilitate communication with businesses.

Punit 23:58
That's wonderful. So it's relevant for many people, or many kinds of people, whether you want to become an expert in security, cybersecurity, or information security, or you want to have a good overview, or you want to understand the risks, or you want to understand from a management perspective how it is set up or structured and what the key components are. So it can help any one of them. And with that, I think the question comes: if somebody wants to get in touch with you, say we want to speak with Tania, we want to ask a question to Tania, what would be the best way to get in touch with you?

Tania 24:33
Aside from all the possible ways you know me, which means somebody who wants to talk to me may firstly address you. Secondly, I am not hiding in a cave, so I am easy to find on LinkedIn. I have my website with all sorts of trainings in regard to information security, which is called Makes Sense GRC. "Makes sense" stands there for a reason, because information security should make sense. And otherwise, just join ISACA Belgium events and most probably you will see me there and mingle.

Punit 25:19
Good. So with that, I would say, Tania, it was wonderful to have you. Thank you so much, and I hope the course that you will deliver towards the end of the year (you deliver it many times, but this end-of-year one) gets a lot of people, and we have a full house for the ISO 27001 training. Thank you so much.

Tania 25:42
Thank you so much for having me. I appreciate a lot being your guest, and I'm truly saying it, because having meaningful discussions gives rise to valuable thoughts. And having you as an interviewer is just pure joy from that perspective.

Punit 26:07 
Thank you so much. We also try to make sense of GRC. 

Tania 26:13 
It's necessary, right? 

Punit 26:15 
Yeah. 

About FIT4Privacy 26:16
Thanks for listening. If you liked the show, feel free to share it with a friend and write a review if you have not already done so. Thank you so much, and if you did not like the show, don't bother and forget about it. Take care and stay safe. Fit4privacy helps you to create a culture of privacy and manage risks by creating, defining, and implementing a privacy strategy that includes delivering scenario-based training for your staff. We also help those who are looking to get certified in CIPP/E, CIPM, and CIPT through on-demand courses that help you prepare and practice for the certification exam. If you want to know more, visit www.fit4privacy.com. If you have questions or suggestions, drop an email at hello@fit4privacy.com.

Conclusion

ISO standards are much more than a compliance checkbox—they are a strategic asset in today’s digitally driven world. By adopting and maintaining certifications like ISO 27001, organizations not only ensure the security and integrity of their information but also signal their commitment to global best practices and trustworthiness. These standards enable smoother regulatory alignment, stronger market positioning, and long-term operational resilience.

For businesses, ISO certification is a powerful differentiator in competitive markets. For professionals, it opens doors to meaningful roles in implementation, auditing, and consultancy. As digital trust becomes a central expectation, ISO standards serve as a critical foundation—guiding organizations toward compliance, credibility, and sustained growth in the digital age.

ABOUT THE GUEST 

Tania Postil is a GRC and IT risk consultant, automation enthusiast and innovation evangelist. Since 2021 Tania has been a member of the ISACA Belgium Board and is currently its Communication Director and Programme Chair.

Leading information security assignments, Tania combines a no-nonsense approach with a human attitude. She is recognized for analytical skills combined with efficient communication, as well as a proven track record in rendering processes more efficient.

She is eager to bring value to your team by performing and assisting with audit and consultancy assignments.

Punit Bhatia is one of the leading privacy experts who works independently and has worked with professionals in over 30 countries. Punit works with business and privacy leaders to create an organization culture with high AI & privacy awareness and compliance as a business priority by creating and implementing an AI & privacy strategy and policy.

Punit is the author of books “Be Ready for GDPR” which was rated as the best GDPR Book, “AI & Privacy – How to Find Balance”, “Intro To GDPR”, and “Be an Effective DPO”. Punit is a global speaker who has spoken at over 50 global events. Punit is the creator and host of the FIT4PRIVACY Podcast. This podcast has been featured amongst top GDPR and privacy podcasts.

As a person, Punit is an avid thinker and believes in thinking, believing, and acting in line with one’s values to have joy in life. He has developed the philosophy named ‘ABC for joy of life’, which he passionately shares. Punit is based out of Belgium, the heart of Europe.
