The CyberTech Top Voice Interview Series featuring Sandeep Pauddar and Dr. Andrei Ninu of DQS highlights the complexities of the modern cyber-threat landscape, in which every enterprise is a potential target. As regulatory frameworks grow more complex, certification should evolve from a check-the-box activity into a strategic defense mechanism. At the forefront of this transformation is DQS, a global certification body that guides organizations through the intricate terrain of cybersecurity, AI compliance, and medical device regulation.

In this exclusive CyberTech Top Voice Interview, we sit down with two industry heavyweights shaping the future of compliance and assurance:

  • Sandeep Pauddar, Global Program Manager for IT audits and cybersecurity at DQS, brings over 25 years of cross-sector experience and deep expertise in standards and assessment schemes such as ISO/IEC 27001, TISAX, and ISO/IEC 42001. He leads the charge on auditor qualifications, global delivery consistency, and innovative audit tooling that makes security a strategic asset for clients.

  • Dr. Andrei Ninu, a regulatory expert at DQS-MED, merges his PhD in Computer Science and Biomedical Engineering with years of postdoctoral research in medical robotics. Now, he spearheads regulatory readiness for AI-powered medical devices, helping manufacturers bridge the gap between innovation and patient safety under evolving frameworks such as the EU Medical Device Regulation (MDR) and In Vitro Diagnostic Regulation (IVDR).

Together, they unpack what it takes to embed cybersecurity into enterprise culture, how audits are evolving with AI and automation, and why global consistency in compliance is not just a challenge but a necessity.

Whether you’re a CISO, healthcare innovator, or digital transformation leader, this interview delivers hard-won insights and forward-looking perspectives from the heart of enterprise assurance.

Read on…

Hi, welcome to the CyberTech Top Voice interview series. Please tell us about your role at DQS and how you arrived here.

Sandeep Pauddar (SP): I’m the Global Program Manager for IT audits and cybersecurity at DQS, with over 25 years of experience in telecommunications, information security, and compliance auditing. I’m a certified lead auditor for standards including ISO/IEC 27001, TISAX, and ISO 42001. I oversee auditor qualification, audit KPIs, client relationships, and our global accreditation programs. My focus is on consistent, high-quality delivery and keeping our global audit teams aligned with fast-changing cybersecurity threats.

Dr. Andrei Ninu (AN): I’m a regulatory expert at DQS-MED, specializing in active medical devices and AI applications in healthcare. My background combines over a decade in software development with deep expertise in EU compliance, particularly MDR certification. I hold a PhD in Computer Science/Biomedical Engineering and previously led postdoctoral research in robotic-assisted rehabilitation. My role bridges technical and regulatory domains to support safe, compliant innovation in medical technology.

What are your core offerings, and how do you impact the current state of enterprise-level cybersecurity culture development?

SP: DQS provides assurance and certification services for information security, privacy, and AI governance frameworks, among many others. Our approach goes well beyond documentation reviews. We help enterprises embed cybersecurity as a continuous improvement culture, rather than a compliance task. Through internationally recognized standards like ISO/IEC 27001 and TISAX, we conduct audits that surface operational gaps and support long-term security maturity, often before incidents occur. Our auditors focus on how controls operate in practice, helping organizations integrate cybersecurity into daily operations. With the Plan-Do-Check-Act methodology at the core of our services, clients move from reactive fixes to proactive risk management.

What is the perfect CISO technology stack in 2025? What kind of solutions and tools should a CISO’s team have to operate successfully?

SP: There is no single “perfect” technology stack – it depends entirely on the organization’s sector and operational model. In manufacturing, many firms have outsourced IT infrastructure to cloud providers like Microsoft or Amazon. This shifts the CISO’s focus from tool management to vendor oversight and risk governance. In contrast, CISOs in tech-intensive sectors are hands-on with threat detection, endpoint protection, IAM systems, and compliance tooling. Their stack must evolve constantly. What unites both is the need for clear governance frameworks and tooling that aligns security with business priorities and operational realities.

As cybersecurity threats evolve in both volume and sophistication, how is DQS modernizing its audit and certification frameworks to stay ahead of attacker methodologies, especially in sectors like medical devices and critical infrastructure?

SP: We’ve invested heavily in automation and validation tools to improve audit precision. Instead of static Word documents or Excel checklists, our auditors use proprietary tools that guide structured workflows and flag missing data in real time. These built-in validations reduce manual error, raise report quality, and ensure every audit meets our internal standards before review. This is especially valuable in high-risk sectors like healthcare and critical infrastructure. We’re also exploring AI in audit design, but we’re focused on use cases that improve consistency and accuracy, not just efficiency.

AI and automation are entering the compliance space rapidly. How does DQS balance digital innovation with the irreplaceable value of human-centered professional judgment during audits and assessments?

SP: We innovate to enhance, not replace, auditor expertise. Our goal is to remove subjectivity and ensure consistent, objective evaluations. Every DQS auditor participates in Exchange of Experience sessions throughout the year to stay aligned with evolving best practices. These internal knowledge exchanges allow us to recalibrate interpretation of standards across teams and regions. Our digital tools support that process by embedding structure and validation into each step of the audit. This frees auditors to focus on evaluating control effectiveness, and the result is a process that’s both disciplined and insightful.

Many organizations struggle with fragmented compliance efforts across global markets. How does DQS ensure consistency, accuracy, and adaptability in enterprise-scale audits spanning diverse regulatory environments?

SP: We use a two-tiered approach – automation and independent review. Our internal audit tools include built-in validation checks to help auditors ensure they’ve addressed all applicable requirements. Every audit also undergoes technical review by a senior auditor trained to identify inconsistencies and, if needed, request follow-up or corrections. This is especially critical in multi-site or cross-border audits, where regulatory expectations vary. By combining structured tools with expert oversight, we ensure our audits are both thorough and adaptable to a changing global compliance landscape.

In the medical device space, how is DQS adapting its certification processes to keep pace with the intersection of software, AI/ML algorithms, and evolving MDR/IVDR requirements?

AN: Software, and AI/ML technologies in particular, is having a significant impact on medical devices. These evolving and complex technologies enhance device capabilities and performance, but their benefits also introduce heightened risks that pose serious challenges for regulators. At DQS, we recognize these challenges and have responded by establishing a dedicated Software Operations Unit. This expert team supports the full certification lifecycle of software products, from audit preparation and customer support to technical documentation review and post-audit activities. In addition to its operational role, the Software Operations Unit contributes to strategic initiatives such as internal and external training, business development, and active representation in national and international regulatory committees.

Cybersecurity frameworks like ISO/IEC 27001, TISAX, and NIST have become essential for trust. How is DQS helping clients not just check the compliance box, but use certification as a strategic security advantage?

SP: Our client feedback consistently reinforces that audits strengthen security posture. Many organizations tell us they’ve uncovered critical gaps during the audit – issues that were fixed before they could be exploited. Other clients have shared that the collaborative nature of their ISO/IEC 27001 audit helped them address vulnerabilities ahead of a potential attack. In one case, a city municipality reported spending $9.5 million to recover from a cyberattack – costs that might have been avoided with earlier certification. The return on investment in a well-executed audit is clear, and we focus on helping clients realize that value over time.

What differentiates DQS’s approach to cybersecurity and data protection certification from more transactional or checklist-based providers? Can you share a case where this made a real impact?

SP: We integrate structured audit tooling with expert judgment to make the process relevant to each client’s environment. Our approach moves beyond one-size-fits-all compliance by helping auditors assess how controls align with risk and day-to-day operations. We bolster this with regular knowledge exchanges that keep our global team current on sector-specific developments. Clients tell us they value this consistency. In fact, many auditors who work with multiple certification bodies rely on DQS to maintain their skills. That trust is built through precision, insight, and a shared commitment to security that adds value beyond the certificate.

As digital health solutions and connected devices proliferate, how does DQS evaluate security-by-design principles in medical device audits? What gaps do you commonly see among manufacturers?

AN: Security-by-design principles are key to meeting today’s cybersecurity challenges, yet too often, security is treated reactively, addressed only after vulnerabilities arise. This mindset remains one of the most common gaps we observe during audits and assessments of technical documentation. While penetration testing is used to demonstrate device security, long-term security maintenance across the product lifecycle is frequently underdeveloped. This issue is especially acute in AI-enabled or cloud-connected devices, where manufacturers may underestimate how quickly evolving IT environments can affect device integrity and user safety. At DQS-MED, our auditors assess how cybersecurity is integrated throughout the product lifecycle, from early development to post-market surveillance. We examine threat and risk analysis, secure development practices, update and patch procedures, access control mechanisms, and data transmission safeguards.

What role do training and capacity-building programs play in DQS’s model? How do you ensure client teams internalize best practices long after an audit is complete?

SP: Certification is part of a broader improvement cycle. Our role doesn’t end once the certificate is issued. ISO/IEC 27001 requires annual surveillance audits, which gives us regular touchpoints with clients to assess progress and keep them aligned with evolving threats. For larger enterprises, we supplement that with quarterly check-ins to review past findings, clarify responsibilities, and address emerging risks. These aren’t formal audits, but structured conversations that help teams stay accountable and connected. Because ISO/IEC 27001 applies across the whole organization, these follow-ups often include HR, procurement, leadership, and of course, IT.

With rapid developments in AI, what emerging risks or opportunities are you watching closely when it comes to compliance, especially in highly regulated sectors?

SP: The regulatory landscape for AI is evolving rapidly, and unevenly. In the US, AI oversight remains limited following the repeal of federal-level guidance. As a result, there’s been less urgency around ISO 42001 adoption. Europe, by contrast, has taken a strong regulatory stance through the AI Act, which introduces steep penalties for misuse, algorithmic bias, or inadequate governance.

We’re seeing a surge in interest from European companies that view certification as a way to build safeguards and reduce risk. China represents yet another model, where adoption is accelerating with fewer ethical constraints. For us, the most active and forward-looking market for AI compliance is Europe.

Looking ahead, how does DQS plan to strengthen its leadership position in the US market, particularly for enterprise clients seeking advanced, tech-enabled quality assurance solutions?

SP: Our approach to growth in the US is methodical and anchored in outcomes. We typically begin with a smaller scope, certifying a handful of customer sites, then expanding based on demonstrated results. One enterprise went from 16 to 34 certified locations after their initial audit, with plans to surpass 80. This phased approach allows us to scale without compromising audit quality or consistency.

What differentiates DQS is our ability to deliver in-depth technical assessments, backed by automation and deep sector expertise. US clients are increasingly looking for partners who understand complexity and can guide them through it with rigor and clarity.

As a cybersecurity marketing leader, what recommendations would you make to young professionals regarding security certifications and upskilling?

SP: Certifications matter, but context and curiosity matter more. Start with a solid foundation like ISO/IEC 27001 or CompTIA Security+, then deepen your skills in areas relevant to your sector. What sets professionals apart is their ability to apply technical knowledge in fast-moving environments. That’s why at DQS we train auditors regularly to stay sharp. I encourage young professionals to join peer groups, stay close to emerging standards, and learn how frameworks are applied in real-world audits. The most effective professionals I’ve worked with never stop learning and never rely solely on what they already know.

Tag a leader in the industry you would like to recommend for the “CyberTech Top Voice Interview Series”.

Aldo Luévano Ibarra, Chairman of the Executive Board at Roomie

Thank you, Sandeep and Dr. Andrei, for speaking to us. We look forward to having you again at our Top Voice programs.

To participate in our interviews, please write to our CyberTech Media Room at sudipto@intentamplify.com