CLIENT TESTIMONIAL

1- Could you briefly introduce yourself: your company, your position and your responsibilities?

​

"I'm Mathieu Dreyfus, Group Quality Manager for the Technidata group. The Technidata group is made up of a software publisher, Technidata SA, the parent company, which distributes its software using an indirect sales model. We use a distribution network made up of our subsidiaries and external distributors.
We manufacture, develop, design, validate and release software solutions for managing medical information. We also provide technical support for our products.

Our customers are medical analysis laboratories, and often large, often public, organisations.

Technidata software is used to manage information. From the moment a patient enters an analysis laboratory, we offer the ability to manage the information linked to this patient, the examination requests, the performance of the examinations, we retrieve the results, generate a report, enable the doctor to validate it, and support its availability and/or consultation.

We are present in North America, Europe and Asia.

​

I'm Quality Manager for the Group. I'm in charge of the company's management system, which is unique in that it combines quality management, traceability (for medical devices) and an information security management system, as we have been ISO 27001 certified since last year."

 

 

​

2- For what type of need did you call on CyberSecura? What was the trigger?

​

"We called on CyberSecura to help us roll out the requirements of the 2017 version of ISO 27001. We quickly realised how difficult this project would be.

At Technidata, we have 30 years' experience in management systems, from a quality point of view, and with very specific business expertise in quality management and traceability, linked to medical affairs and medical devices.

So we deal quite a lot with the general requirements of a management system. But when we went to work a little more specifically on implementing the controls in Annex A of the ISO 27001 standard, we realised that there were some very specific features, and that the 27001 standard is difficult because it requires quite in-depth expertise in very different core businesses.

You need quality specialists to set up a management system. You need engineers, systems and network administrators and IT managers to manage the infrastructure. You also need to train your software developers, because software development security is a key concern.

So there was a period during the project when we needed an outside perspective, and we were looking for two things. The first was to provide us with expertise in subjects that we were less familiar with, and because cybersecurity is a business in its own right. And the second was to save us time.

One of the things that really struck us about CyberSecura's support was that we were able to move quickly, and in particular because Saghar was able to provide us with document templates that already contained a large number of expectations, and in which we were able to do a bit of shopping around. The frameworks were fairly general, so we were able to adapt them easily to our business, rather than building everything from scratch.

So I'm convinced that we saved a lot of time on this project, because CyberSecura was involved, and Saghar in particular.

So we had this need for standards, this need for certification, but we very quickly realised that we would need help.

I really want to emphasise this point: the ISO 27001 standard includes a number of controls that call on expertise that we don't always have in-house.
And I think that being able to manage in three stages is also one of the great added values of your support.

​

The first step is to take stock of the situation through an audit. The second step is to make recommendations and provide templates that will enable the work to move forward and be carried out, because it's also up to the customer to do the work. Finally, the third stage involves proofreading to check that everything is consistent and that all the recommendations have been correctly applied.

We found this project phasing very important, and I think it's a real quality of your work. This division was carried out very skilfully, and without the slightest judgement: and that's another quality of a consultant.
 

A consultant doesn't say that it's a good choice or a bad choice, and that's what I think has also been very winning in the relationship. At times, I sincerely believe that Saghar would have liked to push things further, she would have liked us to go further, and we ended up saying 'no', because we had to reconcile the recommendation we made with our pragmatic, on-the-ground constraints. We had to do a bit of arbitration, or at least take an intermediate position, a position that Saghar respected perfectly, and which she supported!

 

This was one aspect of the service that really impressed me."

 

 

​

3- Why did you choose to entrust these missions to CyberSecura rather than to someone else?

​

"I can see two very clear reasons for this.

The first is the proposal that was made: with this breakdown of the project, with the flexibility that is provided, as well as the possibility of dividing the overall service into several billing periods, which were proposed to us. We're not going to lie to ourselves: money is the sinews of war. So we really appreciated your ability to provide support, while invoicing as accurately as possible for each period.

The support was flexible: for example, we were able to take a break when we needed to.
There was a period when Saghar was producing a lot, but our teams weren't able to integrate all these productions, and they couldn't free up enough time to absorb all these elements properly.

​

At that point, David and Saghar said "Stop, we're taking a break". CyberSecura continued to make progress on other issues that didn't require our involvement, and we were able to resume calmly as soon as we were ready to continue again. I think the flexibility that you are prepared to offer is extremely valuable and should be emphasised.

The second reason why we chose to entrust this mission to you rather than to another service provider is proximity, the fact that you are not far away and that we can meet easily. It's true, we're in 2024, and a lot of things now happen online. However, proximity is something that works, and we very much appreciated this proximity with CyberSecura."

 

 

​

4- Did you have any fears before setting up the project?

​

"Yes, I think there was at least one, but it's a very technical one.

Internally, some of our staff have been trained in the standards and in security techniques.
Some of our staff have taken ongoing training courses, and have implemented the methodologies recommended by the state of the art. I'm thinking, for example, of the EBIOS-RM method for carrying out ISMS risk analysis.

In the end, the question arose: overall, we unfolded the reference methodology, but in the end, we didn't know what to do with it. In the end, it didn't highlight anything.

The risk analysis of an information security management system is a central piece. In any case, we were a bit apprehensive, thinking that we were stuck with this subject.

In the end, we were able to identify a number of recurring dangerous situations, which seemed to be somewhat similar, but in the end, maybe not. We didn't know how to deal with it all!

I don't know if we can really talk about fear, but in any case it was a concern.
In this context, the fact that we bring in outside expertise is to be applauded, as it helps the principal (i.e. the party seeking certification) enormously to correctly assess where there is risk, where there is less, and what sets of risks we are likely to be able to pool.

​

So we weren't really worried, but it was a real bonus to be able to rationalise and pool our efforts, which meant that we were able to put the right amount of energy in the right place."

 

 

​

5- In your opinion, what are the challenges facing your business today?

​

"I can readily identify a central pillar, which is that, as a software publisher, we have a duty to offer our customers the expected state of the art in terms of secure development. We owe it to them to provide the best that the international consensus has to offer in terms of secure development practices. That's our priority. This is an extremely clear need, expressed by all our customers (who, I would remind you, operate in the healthcare sector, a sector that is very hard hit by cyber attacks).

So our responsibility as software publishers is to meet this need and implement best practice in secure software development. So that's the first expectation, the first challenge.

The second major challenge in our sector is to maintain our information system in operational and security conditions. And that can't be invented! To meet this challenge, you need a backup plan that works, an IT recovery plan that works, staff training that works, and documents that work.

Finally, maintaining operational and security conditions is a real job, a real daily challenge. So I would say that this is the second major challenge: guaranteeing compliance and security at any given moment.

​

And to do that, we need to be able to take an honest look at our own practices, so that we can say "OK, we're certified, that's great. But we all know that here, there and everywhere, we still have room for improvement".
And that's why we're still working with CyberSecura after this security service."

 

​

6- How would you describe the work carried out by CyberSecura and its team, in just a few words?

 

" So first of all, I would say expertise. I would also mention the proximity. We embarked on a rather long service, which was spread out over time. We spoke to each other a lot, and we maintained a certain closeness.

So, once again, expertise, proximity and flexibility. I really liked that! I was able to say to Saghar (and this isn't always easy in a contractual relationship) "Saghar, we can't do it any more, you deliver, you deliver, but we're underwater and we need to slow down".

That's something she was able to hear. This way of adapting to our own timetable while taking into account our operational realities was a real added value of this project!"

 

 

​

7- What are the results of this collaboration?

​

"The results are great, as we went for the initial certification audit in June. We weren't all completely relaxed about it, but in the end the hard work paid off, as we were certified two months later!
It's a quality control position, but we can quickly say to ourselves "as long as we're not ready, we're not going". Which is a perfectly respectable approach! I even think that it can lead to initial certification without non-conformity.

We had a radically different approach, which was to say "we want certification in 2023, and we're going to get there quickly". We're simply going to make sure that there are no major non-conformities, because those are an obstacle to certification. However, we weren't afraid of the idea of having a few minor non-conformities to correct, because our priority was to get this certification.

So the best result of this collaboration is this certificate, of which we are very proud, and which provides a guarantee of solidity and seriousness to our customers and partners! CyberSecura took us where we wanted to go: towards ISO 27001 certification by 2023."

 

 

​

8- What did you appreciate the most in the solution provided by CyberSecura?

 

"I'd say the optimisation of the resources we used internally. We really appreciated the fact that Saghar (and therefore CyberSecura) were able to provide turnkey documentation.

But be warned, turnkey solutions are dangerous, they don't suit anyone, it's a bit like the story of the one-size-fits-all garment. It looks great, but it doesn't really fit anyone.

However, because you were able to provide us with a number of ready-to-use documents that just needed to be adapted, we saved a considerable amount of time. ISO 27001 certification consumes a staggering amount of resources: human and material resources, investment and infrastructure modernisation.

And when you see what security costs, we're happy to say that every euro invested brings the right level of return.

So that's one thing we particularly appreciated: the ability to offer us ready-to-use documentation that saves us significant resources. "

​

​

​

9- Conversely, were there any elements that you missed, any solutions that you didn't find in our offerings? How could we have improved?

​

"When you're in consulting, there's a risk, in my opinion, that you end up gravitating "off the ground".
When you're doing consulting, you don't necessarily have both feet and both hands in the cement, in the structure, and our businesses and our deliverables are very different in nature! Your job is to provide support. Our job is to deliver.

I think that sometimes you deliver the ultimate in expertise, the state of the art, the best there is, even though it doesn't really have an operational reality for us.

We can see this, for example, with the document templates you provide: you offer us the very best, but we are obliged to make 'cuts' because many of the elements have no operational reality in our organisation.
If you work for a small organisation, a young organisation, a start-up or a very small SME, which wants to move fast and has no culture of what management systems are: you'd be perfect! You can then offer them a turnkey solution and explain to them: "this is what we need to implement.

 

However, when the customer is a larger organisation, and when the customer already has its own corporate culture, large teams, several departments, etc., there comes a time when you have to adapt, because best practice does not always allow you to integrate quickly into what the organisation has already put in place. There comes a time when you have to adapt, because best practice doesn't always fit in quickly with what the organisation already has in place.

So I think that's something you have to keep in mind. Of course it's your job to bring out the best. But I also think that, as you have done, you need to bear in mind that these best practices sometimes need to be adapted to the context of the organisations you work with."

​

​

10- What advice would you give to companies facing the same problem / having the same project as you? 

 

"The first piece of advice I'd give is that you should never underestimate the time and resources involved in setting up these certifications (I'm thinking of ISO 27001 certification in particular, but this is also true for all compliance and security initiatives).

You have to bear in mind that maintaining security and operational conditions is a considerable investment!
I would therefore advise them not to underestimate the effort involved, and the associated investment.
Complying with the state of the art, whether in the field of security or GDPR compliance, takes a lot of time, a lot of money and very specific skills.

The difficult thing about this standard is that it requires extremely diverse business skills. It means getting everyone around the table to learn to speak the same language, and that's a real exercise in itself!"

​

 

 

​

11- Would you recommend CyberSecura to others? Yes / No, for what reason(s)?

​

"Yes, absolutely, and because it's a great team of people, all as nice as each other. The exchanges with David and Saghar have always been very fluid and pleasant.

Saghar came to our offices several times, met our teams and it always worked very well.
The main reasons why I would recommend CyberSecura are the quality of the support, the adaptability, the ease and the expertise.

I would recommend you because you bring indisputable expertise, while taking into account what your customer expects in terms of its own context, while being ready to adapt to it."