The author of the idea talks about a solution that relieves both companies and auditors.
Cybersecurity audits should not just be a formal obligation, but a tool that exposes vulnerabilities, gives organisations a clear picture of their security posture, and helps with strategic decision-making. In practice, however, they are often accompanied by administrative burdens, numerous spreadsheets and lengthy processes. That’s why there is a new Slovak system, Cyberman, which guarantees a chaos-free audit.
According to the current amendment to the Cybersecurity Act, the obligation to carry out regular audits applies to approximately 6,000 regulated entities. Nevertheless, audits are still perceived as more of an annoying obligation. The Slovak solution Cyberman – an application that combines asset registration, audit processes and cybersecurity management in one system – responds to these challenges. Its ambition is to facilitate the work of security managers, support auditors and bring a higher level of transparency and credibility to the entire process.
Monika Vilimová talked to ĽUBOMÍR KOPÁČK, our colleague, the author of the idea and an expert in cyber security, about how Cyberman works, what problems it solves and what added value it brings to users and auditors.
Audits are often seen as a “necessary evil”. Let’s be clear: Is a security audit more of an administrative burden or a real benefit to organisations?
We are still in an era where auditing is perceived as something negative, as a mechanism for controlling, finding faults or finding culprits. Unfortunately, this view is deep-rooted and stems from a weak awareness of what audit really is. There is a lack of education, not only of executives, but also of cybersecurity managers themselves. They are not always able to communicate the audit to the organisation so that it is perceived as an asset rather than a ‘bogeyman’. Moreover, even regulators do not present the audit to the public as a tool to help the organisation improve governance and resilience. Legislation is built strictly, which is fine, but communication should be softer. The audit should be something that helps the organisation and should be talked about as such. This is still a big challenge in my view.
In practice, we encounter that organisations have problems with asset records, documentation and evidence of compliance with measures. Where do you think the most common weaknesses arise?
They are surprisingly the same across firms. The biggest problem is clearly the recording of assets. We are still living in the “Excel era”. Many organisations – if they have any records at all – keep them in a few spreadsheets that are not consistent, do not work with the same data, have dozens of versions and are not sustainable in the long term. When someone has hundreds or even thousands of assets, it is virtually impossible to maintain records in Excel that are usable for auditing or risk analysis. Unless an organization knows what assets it has, it simply doesn’t know what to protect. And this is a fundamental problem that is constantly recurring. Whenever we come in to do an audit or a risk analysis, we spend the first hours or days putting together an asset database. It’s the foundation without which you can’t move on, and for many organizations it’s still an “unmanageable” task.
An audit report is only meaningful if it accurately reflects the true state of security. How can digitalisation and automation ensure that audit results are truly accurate, comparable and relevant?
The first thing I’ll say to that is the word consistency. Unless we have a consistent framework under which the audit is carried out, the results will always vary depending on which auditor is doing it. In a gap analysis, I work with what the client tells me, so I do not want evidence from the client, because the aim is to get a quick picture of the situation. But in an audit there is an obligation to work with evidence, the law requires it. And that’s where digital is indispensable: it creates a clear, solid framework within which we move. You can’t get out of the digitised audit set. The system precisely defines control, risk, evidence recording and output. This ensures repeatability and measurability of audits. Crucially, if the regulator receives five reports generated through a single system, it can compare them. As it stands today, with each audit being an ‘original’, comparison is virtually impossible.
That is, we bring order to a world of chaos. The Cyberman app was created with this idea in mind. What was the main impetus for creating the solution?
Let’s face it: it was born out of pure frustration. When I started doing audits on a large scale, I was amazed at how laborious it was and how much it depended on the person. Dozens of documents, hundreds of pages, Excel spreadsheets that didn’t make sense, inconsistent data… It was clear to me that this was not sustainable in the long term. I was also surprised that even reputable audit firms don’t have digital solutions, that everything is built on Excel. It was this practice that made me think how to build it all differently. And so the idea of creating a system that is robust, consistent, professional and usable for both auditors and organisations was born.
How is Cyberman architecturally designed? Which modules form its basis?
The architecture is simple, it is a secure client-server web application. But the modules are essential. The basis of the whole system is asset management, where the organization creates a complete database of assets. On top of this is the audit module, which contains so-called audit sets, i.e. digitised requirements of legislation or standards. The user simply selects what he wants to assess and starts the audit. The modules are interlinked, i.e. we can interlink those sets in the system that are subject to audit control. The output is a printout of the audit report and an action plan of the audit tasks to be solved. Although in this version we do not have a fully developed risk analysis module with weights and numerical models, the system makes it easy to work with risks – we link the identified risks to the assets and work with them by default through tasks. This simplified approach is often more efficient in practice for ordinary users, who are primarily KB (cybersecurity) managers. The system is intuitive, but at the same time comprehensive.
How does Cyberman help to implement Slovak legislation?
The user works with an audit set that is exactly based on the legislative metrics. Critical Core Service (CCS) providers have a mandatory two-year audit cycle or, in the case of Core Service (CS) operators, a five-year cycle with periodic self-assessment. If the user in Cyberman performs continuous internal audits divided into smaller parts and self-assessments according to the audit set, evaluates them, applies measures, compares the statuses from the audits of previous periods with each other, the organization will be very well prepared for the mandatory external audit at the end of the period. And if they do it really honestly and approach the measures in the same way, they will be close to a high compliance rate. At the same time, by doing so, they will be meeting cybersecurity requirements and also increasing their cybersecurity resilience.
However, the legislation is not only Slovak. How did you deal with compatibility with European frameworks: NIS2, DORA, TISAX, NIST and others?
Very simply: we did not fixate on any legislation or solely on cyber security. We have chosen universal audit principles according to the standard that are common to all audits, regardless of the industry. An audit is essentially a comparison of a condition against a standard. And this principle can be digitized. That’s why we can create sets according to European directives, national legislations or according to the internal standards of organizations. As long as there is a document that defines the standard, we can digitise it. There is even interest from the Czech Republic, which has a new law on cybersecurity – and Cyberman is ready for that.
What exactly are audit sets and how do they work in practice?
The audit set is a digitised standard of Annex 1 of Decree 227/2025 Coll. on security measures. However, it is not just a mechanical rewriting of the requirements. We have also included so-called generic risks, solution suggestions and recommendations, explanations and templates to help the user understand what to check and what risks are typical. The system offers the user a choice of risks, and they can add their own, so the whole audit is done in a unified way. The aim is that even less experienced auditors will be able to work with the system. In the future, we plan to extend the audit sets with AI functionality that will be able to evaluate the controls automatically. This will significantly speed up the entire audit process.
How does Cyberman work with evidence? The integrity of evidence is often an issue.
With each audit check, the user uploads electronic evidence – it can be a document, a photo, a screenshot, an output from the system. Cyberman will automatically create a checksum of the data file when uploaded. All evidence is logged with both a timestamp and a checksum. When the audit is locked, the system creates a large data file containing the entire audit, including evidence and checksums, and this is stored on the blockchain. This way, anyone can verify at any time that the evidence has not been tampered with. Changing a single byte would change the checksum and the system would detect it immediately.
Does Cyberman also use the blockchain to archive the entire audit?
Exactly. It’s the “holy grail” that I wanted to achieve from the beginning. When an audit is locked, its digital footprint is stored in the blockchain. It is immutable. This means that the audit results are valid and verifiable even years later. A regulator, an auditor, a manager, anyone can verify that the audit trail is credible and the data is consistent. It is absolute proof that the audit has not been modified, adapted or changed retrospectively.
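The evidence-integrity flow described in the two answers above, written out as an added example (this is not Cyberman's code; the blockchain anchor is stood in for by an append-only Python list, and the control ids, file names, contents and timestamps are constructed):

```python
import hashlib
import json

def sha256_hex(data: bytes) -> str:
    """Checksum used for every evidence file and for the sealed audit."""
    return hashlib.sha256(data).hexdigest()

def record_evidence(ledger: list, control_id: str, name: str, data: bytes, uploaded_at: int) -> dict:
    """Log one uploaded evidence file with its checksum and timestamp.
    control_id and uploaded_at are supplied by the caller (constructed values in demo())."""
    entry = {"control": control_id, "file": name,
             "sha256": sha256_hex(data), "uploaded_at": uploaded_at}
    ledger.append(entry)
    return entry

def seal_audit(ledger: list) -> str:
    """Digital footprint of a locked audit: hash of the canonical (sorted keys, compact)
    JSON manifest of all evidence entries. This is the value that would be anchored."""
    manifest = json.dumps(ledger, sort_keys=True, separators=(",", ":")).encode()
    return sha256_hex(manifest)

def verify_audit(ledger: list, files: dict, anchored_seal: str) -> tuple:
    """Re-check a locked audit against its anchored seal.
    files maps evidence name -> bytes as currently stored. Returns (ok, problems)."""
    problems = []
    if seal_audit(ledger) != anchored_seal:
        problems.append("manifest does not match the anchored seal")
    for entry in ledger:
        data = files.get(entry["file"])
        if data is None:
            problems.append(f"{entry['file']}: missing")
        elif sha256_hex(data) != entry["sha256"]:
            problems.append(f"{entry['file']}: checksum mismatch")
    return (not problems, problems)

def demo() -> dict:
    """Constructed walk-through: two evidence files, a seal stored in a stand-in anchor,
    then a single-byte change in one file and a retroactive edit of the manifest."""
    files = {"policy.pdf": b"constructed policy text", "fw.png": b"constructed screenshot bytes"}
    ledger = []
    record_evidence(ledger, "control-01", "policy.pdf", files["policy.pdf"], 1700000000)
    record_evidence(ledger, "control-02", "fw.png", files["fw.png"], 1700000060)
    anchor = [seal_audit(ledger)]  # append-only list standing in for the blockchain record
    intact = verify_audit(ledger, files, anchor[-1])
    tampered_file = dict(files, **{"fw.png": b"constructed screenshot bytez"})  # one byte changed
    one_byte = verify_audit(ledger, tampered_file, anchor[-1])
    edited = [dict(e, uploaded_at=e["uploaded_at"] - 86400) for e in ledger]  # backdated manifest
    backdated = verify_audit(edited, files, anchor[-1])
    return {"intact": intact, "one_byte": one_byte, "backdated": backdated}
```

The seal only proves that the manifest and the files are unchanged since the audit was locked; it says nothing about whether the evidence was genuine when it was uploaded, which is why the upload timestamp and the auditor's own review of each item still matter.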
Cyberman’s goal is to simplify routine activities and help KB managers and auditors save time. Which are they?
Many. Automation is all about keeping track of what is being done. Within the KB manager’s tasks, the processes are completely automated and he knows at any moment what to do or what is not working where. For example, asset management keeps track of end-of-life and expiration dates of assets, when maintenance was performed, what licenses it has. For a cybersecurity manager, the biggest problem is often the overview, and Cyberman solves that too. Everything is in one system: assets, controls, risks, evidence, tasks. It’s no longer a hundred Excel or Word spreadsheets on a disk. Every step has a precise place, the process is automated and easy to understand.
How can Cyberman help from a senior management perspective in strategic security management?
Management receives measurable data. Not guesses, not feel-good assessments. Every check is rated on a CMMI metric from 0 to 5. Only results that are measured accurately can be truly managed. Results can be compared over time. Between audits, between organizations, between areas. So management can see where improvement is happening, where it is stagnating, where the problem is, and where resources need to be shifted. For corporate organizations that have multiple subsidiaries or operations, this is a huge advantage because these components are tidied up in the system. This reduces the time it takes to administer one particular component and gives the organisation absolute visibility of everything in one place.
So we are talking about a multitenant mode. How does it work?
The most senior role in the system is the cybersecurity manager. He or she may manage dozens of companies or organisational units, or tenants. The KB manager has an account and the tenant is activated by purchasing a license. Each tenant has its data, its licenses, its audit cycle. If a manager stops managing an organization, its data is preserved and transferred to another manager. Nothing is deleted. This is very practical, especially when one manager covers dozens of organizations, plus in normal practice managers change in organizations.
How do you think solutions like Cyberman are changing the culture of cybersecurity in organizations?
They allow order to emerge. It sounds trite, but it is crucial. Many organizations have functioned by having everything “somehow” recorded, scattered somewhere, forgotten somewhere. When we come to do an audit, sometimes it’s a miracle that the company operates without incident. Cyberman gives organizations structure, processes, measurement, transparency. It’s a very powerful tool for building a culture of security. Of course, the system itself won’t save anything, it has to be used responsibly. But if an organization works honestly, Cyberman will give it a very strong framework.
In conclusion: how do you see the future of audits, compliance and regulatory processes? Will digitalisation become the standard?
I believe so. And I would like it very much. Something absurd is happening today on the regulator’s side: they are getting dozens of audits that are not comparable. Each auditor has their own style, their own metrics and outputs. It is then extremely difficult for the regulator to consolidate the results into data that can be measured and compared. Instead, there should be a single system that becomes the standard, ideally at European Union level. Digitalisation brings comparability, measurability and quality. And if Cyberman is to provide this – why not? We are open to cooperation. And it would be an effective solution for all.
Cybersecurity is no longer just a topic for IT departments. Increasingly, it is becoming part of strategic management, corporate culture and an organisation’s reputation. Projects like Cyberman show that automation, data integration and trusted record keeping can change the entire approach to security processes, and that even complex areas such as audits, asset registration and regulatory compliance can be made accessible and automated without losing the human dimension of decision making. It represents a step towards a new generation of solutions that proactively translate legislation into a practical and technology-enabled reality. This is where duty becomes an added value and audit becomes a real tool for development.