Episode 26 | Carlos Phoenix on cyber and audit

The Assurance Show

Show Notes

Carlos talks to us about what auditors should consider regarding cyber security and information security.

He shares his views on a range of issues including:

  • Cyber security
  • How cyber security and information security differ
  • What auditors should focus on in planning and conducting cyber audits

Carlos is open to connecting with like-minded professionals.
You can reach out to him on LinkedIn.


Transcript

Narrator: 

Welcome to The Assurance Show. This podcast is for internal auditors and performance auditors. We discuss risk and data focused ideas that are relevant to assurance professionals. Your hosts are Conor McGarrity and Yusuf Moolla.

Yusuf: 

Today we’ve got Carlos Phoenix. Carlos is based in LA, where he’s been living in Hollywood Hills for the last few months.

Carlos: 

Thank you, Yusuf. And I bet listeners are thinking the Hollywood Hills does not sound like the epicenter of cybersecurity, but as we’ve seen with the COVID epidemic, we’re working from every place that we can. Zoom is everyone’s most common tool now, but there are many, many other ways of working together, and that distributed workforce creates a lot of risk, but also opportunity for our society.

Yusuf: 

Excellent. Carlos, do you want to give us a bit of your background in terms of your history, and we’ll get into why this is relevant to internal auditors in a sec.

Carlos: 

So when I first started, I was a computer programmer, as many of us were. And I then evolved to administer systems. And I found myself in Big Four accounting, with Deloitte. And then I eventually also worked for KPMG, where we worked together, and I spent about 15 years in the IT audit space. So I like to tell people that I’ve worked with or audited or consulted with over 20% of the Fortune 500 companies. Some of those situations have been in the role of an architect or as an internal auditor or an external auditor, but it’s always been around computer security. So I’ve spent about 15 years specifically in the audit industry. And then I spent the last four working for a technology company, where I specifically interface with the company’s technology and how to show our customers the technology, the capabilities, how to interface with our auditors. So even though I’m no longer in the pure audit industry, I still work a lot with it. I’ve grown to understand that audit builds upon a lot of other different roles. So even my time as a computer programmer is quite applicable to audit. I even did a stint as a financial auditor. At the end of the day, what we’re trying to do in audit, regardless of which type of audit, whether it’s internal audit, external audit, or as an advisor to audit, we’re really trying to figure out how to mitigate business risk.

Yusuf: 

You touched on something interesting there, and it’s an important concept to understand better. In your view, what’s the difference between information security and cyber security?

Carlos: 

One of the main things that I use to differentiate them is where the attack is coming from. So when we think about cyber security, we’re really thinking about any avenue that a hacker or an attacker can use to cause damage to the company. Now that could mean a denial of service attack. That could mean an impact to availability. That could also mean destruction of property, so being able to infect a hard drive and ruin it and ruin the data on it. Whereas when I look at information security, I think it’s a subset of overall security, but information security really focuses on the customer data, that PII information, the data that is really sensitive. And yes, when we think about security, we always talk about protecting the data. And I think the data is essential. We have to make sure we keep that secure, whether it’s credit card data or personally identifiable information. What you use to protect information is similar to what you would use to stop an attacker from coming into your network and causing damage. But oftentimes there is a little bit of a nuance between information security and cyber security. I kind of think about it from the perspective of where is the attacker coming from and what are they trying to obtain? Is it just to destroy things, or are they trying to exfiltrate, for example, records and steal the underlying data? Are they trying to cause damage to the reputation of a company by simply taking down the website or making it difficult for that organization to operate, or are they trying to steal some intellectual property? And information security is about the data ultimately, but you know, you need both of them in an organization. You can’t ignore one or the other.

Yusuf: 

We’ve seen a few audits recently that were titled cybersecurity, but really were information security focused, where the focus was on protection of information, as opposed to, more broadly, what can go wrong. For your everyday auditor that is looking at understanding what the posture within the organization is with regard to cyber and what it is that they need to be looking at, what would you say the top three things that you’ve seen over the last few years have been in terms of what we need to understand and test for, as it relates to security, cyber in particular?

Carlos: 

The number one area to test is culture. You have to understand the organizational behavior. Is security an afterthought, or is it part of the cultural DNA? And you’ll know very quickly. Go to the front door and tailgate. Go in without a badge. Would they hold the door for you politely and let you in? Or will they excuse themselves and say, I’m sorry, I don’t know who you are and you don’t have a badge, I cannot let you in? When you get into the conversations with the individuals you’re interviewing, you can tell by their body language: are they leaning in, interested, ready, engaged, prepared? Do they have the documents ready to go, or are they demanding a list be sent in advance, and they’re going to have a good reason as to why they don’t have it? Maybe they’re going to cause doubt: should they even be providing this information? So there’s something to be said about the culture of the organization. And there’s a lot to be said about that organizational behavior, because that will trickle down. Does security have a seat at the table? Is it taken seriously? Are they seen as someone that gets in the way? Are they seen as a partner from the business side? Those things will indicate a lot more, I think, to an auditor than anything else. It’s the number one indicator to tell whether that company is going to take it seriously. The second thing that I think is really important to keep in mind is the balance of technology and usability or productivity. An organization that puts in too much security will then create loopholes, with a lot of employees finding ways around those controls. And so maybe they have really strong logging. Maybe they have really strong authentication and authorization mechanisms. And if they’re too strong, then people may simply put things on USB sticks, for example, and hand them across to the person next to them. Are they able to take their computer and work from home? If they’re not, then people may simply print things out and work on them that way. 
There’s going to be an additional level of risk depending on how hard it is for employees to get to the information. There’s always a balance. So you want productivity and you want usability, but you don’t want it at the risk of completely ignoring security, but too much security means that there are probably a lot of workarounds that you’re going to have to really keep an eye on. And the third and final thing is making sure you understand the risk assessment, because I think a lot of times, especially young auditors that are really getting into this for the first time, they take everything verbatim. So if it says this, then this is what the regulation says. If you have a finding and you haven’t done the right risk assessment, you might have a finding on something that simply isn’t that important. So maybe you got something, but you got something that doesn’t really matter. And I think it’s very valuable to think from the risk assessment perspective, because it makes your work more meaningful. It makes management more receptive to your findings, and it really gives you a good roadmap as to where you need to focus your time and attention.

Conor: 

For those young auditors out there, about to kick off their first cyber audit, is there any good documentation or reference material or something that would provide a decent grounding for them in the fundamentals, that they could maybe draw from as part of planning this audit?

Carlos: 

The first thing any young auditor has to remember is that there are so many frameworks and great references out there that you really just have to pick one and become an expert in that. If you aren’t an expert in at least one area, you’re just not going to have the depth during the conversation to really bring value to that initial audit. Maybe you get the screenshots, maybe you get the evidence that you need and you file it away in your audit file. But the value of what you’re doing is not in capturing screenshots and is not in gathering evidence. The value of an auditor coming to any business is in giving that business an objective third party review, someone with a different set of eyes coming into the organization and trying to understand if their security posture is adequate, if they’re doing things in a way that is beneficial for the business. And so young auditors should pick one area and really focus on it. If it’s NIST, great, go download NIST 800-53. I can tell you it makes great pool reading. At the same time, I keep going to that document. If that’s not really to your liking, I’ve been looking at the Australian Signals Directorate, for example, and their guidance through their ISM security manual. And that’s a great reference as well. Become an expert in one of those areas. Get to know it really, really well. And once you know that framework, once you have a really good sense for that framework, then you can move on to the second, third or fourth framework, and you’ll begin to see the nuances in those frameworks. When I first started out, Sarbanes-Oxley was the framework that we used, and COSO and COBIT were the two frameworks that I memorized, and I thought of everything in terms of a general computer control, or GCC. Now I’ve been able to appreciate ISO 27001. I’ve been able to appreciate GDPR, PCI DSS. The list goes on, because each one of these is really for a slightly different audience, a slightly different industry. 
So if you become an expert in PCI and then you expect to carry that over into healthcare, it won’t work, because it’s completely different, but it looks the same. It looks to be almost identical. You have access control, you have change management. You have the requirement for penetration testing, vulnerability scanning. If you take a look at ISO 27001, you see a lot more association between the company’s system security plan and what they’ve evaluated based on that system security plan documentation. So they’re not just going to pick a control for the sake of a control. They’re going to try to map something that really aligns to their SSP. And so you have to start with the SSP and really take that as the blueprint for what you’re going to test. There’s a lot of nuance in this, so any new auditor would easily become overwhelmed. So my advice is pick one, get really good at that one. It’s going to make it a lot easier. When you move into your second or third framework, it won’t be as complicated. If you understand at least one framework, you understand the concept. And so instead of using just jargon and terminology, you’ll be able to explain to them what it is you’re after; you won’t just rely on that acronym to give you the shortcut, but rather explain to them what the ask is, how it relates to the business, what the threats and security aspects are that you’re trying to look out for. And then you’ll find more value in that. And the organization will find more value in it.

Yusuf: 

If you had to go back 15 years and give yourself a piece of advice, now that you know what you know and have more gray in the beard, what would you tell yourself back then to help you? Not necessarily in terms of just accelerating your career, but helping you be a better auditor.

Carlos: 

I always felt like I was in a rush 15 years ago or earlier. I just thought I had to learn everything and accomplish everything within a certain period of time. I would just tell myself to slow down and not to worry about things as much, because with time, with experience, you just acquire a level of depth and knowledge that you just can’t shortcut. And I think at the start of my career, I found myself significantly overworking. I remember 100 hour weeks were the norm. And there’s plenty of that that’s going to happen. But at the start of your career, if you set expectations that it’s just going to take some time, and you take the vacation, you won’t burn out, and you’ll be better for it. And you’re going to need time to reflect on what you’ve learned. Even if it feels like you’re learning a lot, it’s going to make a big difference when you take two weeks off and then you come back to the same material. You’ll just have a much, much deeper appreciation for the work that you’re doing. For a lot of auditors, I see that they get burned out. I got burned out. I found myself after a short period of time simply not enjoying the work. And now, almost 20 years into my career, I find that it’s much easier for me to stay focused, to do good work, to have bigger impacts, by simply slowing down, taking time off, not being in a rush. And a young auditor coming into this workspace is excited by it, excited by the prospects. These are all wonderful things that you’re going to see. Just take a look at the number of openings, at least in the United States. I looked a couple of years ago; there were over a million openings, and there’s no way we can fill that many roles. So as an industry, we’re going to need people to stay in it, to take the time to get good at it, and then to take the time to train the next level of auditors that are coming behind us.

Yusuf: 

Less haste, more speed.

Carlos: 

Diligence, but no rush.

Narrator: 

The Assurance Show is produced by Risk Insights. We provide data focused advice, training and coaching to internal audit teams and performance audit teams. You can find out more about our work at datainaudit.com. Now back to the conversation.

Yusuf: 

You would have spent some time involved in providing certification reports, what used to be, many, many years ago, called SAS 70s. What did that look like for you, relative to the auditing work that you’d done before?

Carlos: 

So I started doing SAS 70s pretty much at the start of my audit career. And one of the things that jumped out at me was they were very good at explaining financial controls, and they were terrible about computer controls. You just couldn’t twist them enough to get a good handle on security. One of the things that I found with SAS 70 reports is that it was hard to get ahold of them. People didn’t really want to give you a copy of them. They weren’t clear on expectations. So they had a section around user entity controls: what was the responsibility of the user of that service versus the service provider’s responsibility. And the reports were always just running late, and they were usually for a six to 12 month period. And by the time they were done doing the full audit and you got a copy of it, it could be three or six months old. So in a way it seemed outdated. And that was a process that needed a lot of work. And we did see the evolution of that with SSAE 16, with the new SOC 1, SOC 2 and SOC 3 reports, where they split that out from the traditional SAS 70 financial disclosure focused controls; those became SOC 1. And then SOC 2 picked up the trust services principles. That transition from where we were at the start of SAS 70 to where we are now with SOC 2 reports is night and day.

Yusuf: 

We’ve been looking at a range of communications over the last two to three years. It seems to be that the communications are ramping up around things like, we are certified, or we are SAS certified, or we are SOC certified, or we passed our security audit with flying colors, and you look at what it is and it was a SOC 1 Type 1 and it’s nothing to do with security. I saw one the other day which is a little bit closer, but again, it was, we passed our security audit with flying colors, and you look at it and it’s SOC 2, but a Type 1, and you go, no, that doesn’t really cut it for me anyway. And interestingly, you talk about reputation, and I’m sure many auditors out there will feel the same way, but when I see somebody saying we are secure and we passed our security audit, and then it goes on to say, we did a SOC 2 Type 1, it’s almost like, I’m not going to deal with you, because I don’t think you really understand what security means.

Carlos: 

Yeah, I call that the tyranny of the logo. Everyone wants the logo on the website, and they don’t even know what the logo means. I think a Type 1 report is great. It tells you what the design is, tells you what your aspirations are, but if you don’t have a Type 2, I absolutely won’t take your logo seriously. At the same time, I try to think about what’s on that company’s website and how they’re describing the services, especially if it’s a technology company, where you can glean a little bit more of this information. Do they have a section on security? Do they talk about their approach to security, or are they just putting a couple of logos down at the bottom of the page or at the top? Do they have multiple people? You can see the background of the security professionals: where they went to school, where they worked, how long they’ve been in those roles. It’s what I call social engineering the security trust score. Would you do work with them? Would you work there yourself? That gives you a lot more information, because again, it goes back to what I talked about earlier, this cultural aspect, where we get so caught up on the logo or the title of a report or what the control says that we forget that at the end of the day, we’re just human beings trying to do our job. You can easily find out if that company is truly taking security seriously, or if they’re simply playing the logo game, because we know how easy it is to get a logo. And I’ve even found companies that have logos and they have no certifications for those logos, and I’ve called them out on it.

Yusuf: 

Interesting. The reason why that’s important to auditors as well is, quite often we see, and we’re seeing this more and more, where internal audit are finding themselves involved in evaluating outsourcing of material contracts. And often that outsourcing involves understanding what the security posture of those organizations is, particularly when you’re outsourcing technology related infrastructure. So often that outsourcing assessment will come to internal audit for them to look at, and what they would then do is look at a form and see what’s been filled out, and whether it’s been filled out properly, et cetera. But really, as an auditor we need to be curious, and we need to make sure that we’re understanding exactly what it is that we’re looking at in front of us and verifying it.

Carlos: 

Evaluating service providers or any external organization is one of the most impossible things you can be asked to do. The two things that I think about when I’m in that position are, one, how much power do I have? Can I push this vendor or the service provider for details? If I can’t and I have no power, and it’s kind of a take it or leave it situation, you’re not going to glean very much from it. I just try to understand the boundaries of expectations and what your organization can do in that position. But if you can, and you have some power and some leverage in the relationship, it really does make sense to be curious about what it is you’re looking at. To really understand not just the product or the application of the service, but the underlying components. You can learn a lot by drilling into that. What kind of database do they use? Do they have any orchestration platform? How do they do their code reviews? What’s the technology they’re using for the various systems? And there are so many easy sources out there that will tell you, these are the preferred configurations, this is what we usually do when we’re hardening that environment or that component. And you can start there and try to see how much of that information you can get. It’s less about finding an error and more about really understanding the nuance of what that technology is. And by going deep, you actually will get a better sense of what that service is and how it works. And then you can understand where the security controls are and what kinds of risks might be part of that transaction. So if you have the power, go ahead and use your curiosity and dig in deep. You’ll learn a lot, and you’ll end up with a better outcome.

Conor: 

If I’m an audit leader and I’ve been advised or instructed by my audit committee or risk committee or whatever it may be that over the next three years I want our auditors to do a range of cyber security audits, looking at different things, what’s the number one thing they should look at as part of this range of cyber security audits?

Carlos: 

If you had to pick a cybersecurity area to focus on, I think the number one type of work you can do is a penetration test with some sort of model where you’re going to try to break into the network. Or you’re going to try to assess physical security by physically going down there and presenting yourself as an employee or as a, you know, normal vendor, because in most of those cases, in that kind of social engineering penetration testing world, you’re going to be quite successful, especially if it’s one of the first times you’ve done that experiment. And that success will have shockwaves across the company. People will be surprised to hear what the penetration testing team was able to do. So as much as you can get to the human element, I think that’s important. And then the other thing is really understanding the way that security awareness training is performed and delivered in the organization. Is it done in a way that’s really boring and puts everyone to sleep? And, you know, there’s a piece of paper that gets handed from employee to employee with, you know, these are the answers to the final quiz, so you can just get it over with. Or is it done in a way that’s engaging, that actually keeps it short, that keeps it to 15, 20 minutes? And are they tracking progress on that? Those are the kinds of things that I would look for if I were approaching an organization that is doing this for the first time and you’re looking at a broad range of cybersecurity services. There’s going to be a lot more you can do, depending on time and money. You can take apart cryptographic libraries, and you can take a look at what level of encryption they use and how those libraries have been validated. But is that the best return on investment? I don’t know. A lot of people do get caught up in those kinds of things. You can also take a look at things like ports, just simple ports. What are the ports that you use that have been approved? 
How do I know they’re approved? Are they encrypted? What kind of information goes over these ports? You can also ask for a network diagram, and most companies don’t seem to have one. It’s unbelievable, but they don’t seem to draw this stuff out. Or if they do, you know, someone did it two years ago and since then they’ve quit. A network diagram forces people to think conceptually about their security and their network topology. When you think of a cybersecurity service that really ties back into the people, whether it’s social engineering, penetration testing, ports that are available, a network topology or network diagram, there’s going to be high value in those. And if you do those right, that will then inform your next step. So what do you do next? And if you plan all this stuff in advance and you go through this exercise and then you find out there’s a big weakness, what do you do with the activities you’ve already planned? Yeah. And so you do yourself a disservice by planning so much of it in advance, but a lot of times the auditors want to be thorough. They have a checklist. This is the way it was done last year. And they then follow that plan. But if you were to, say, do a plan where you’re going to spend 20 or 30% of your budget trying these human-focused areas, then reassess your risk and then figure out how you’re going to spend the remaining amount of your budget, you’re going to be much more successful. But if you have a checklist and it says, this is what we did last year, we’ve got to check the following 100 things, we’re going to weigh all the 100 things equally, and then it’s a race, you get a screenshot, then you’re doing the profession a disservice, you’re going to be treated like a checklist auditor. Basic things like that. And I think a lot of companies, the vast majority of them, would benefit from having auditors that go in really focused on the people element, 
and that aren’t afraid to ask really stupid questions, because I think that will create a much better report. And I think it’s going to be in a tone that management will understand. If you tell a CEO or a CIO, we don’t know how many computer systems we have, and therefore we don’t know if we’re protecting all of them, they’re going to understand that a lot more than if you went to them and said, there’s a logging tool that has a password length of eight when it should have a password length of 12. That would be my advice.

Yusuf: 

What’s been your focus over the last few years in terms of making connections with others?

Carlos: 

I do get approached, and it’s usually someone trying to sell me something. So I try not to respond to those LinkedIn requests anymore, but the majority of my interactions have been being invited to conferences to speak. Before COVID-19 I was probably doing two or three conferences a quarter, so about six to 10 a year. I tend to put together about a presentation every month that is really focused on external auditors, internal auditors, security people. I also put a lot of presentations together for customers. So in my day job I meet with two to three customers a week, and topics really range, because I cover the globe in terms of different compliance frameworks and regulations. So I mainly do it through conferences, either speaking at them or participating and getting to know, you know, a general sense of what’s happening. I also subscribe to a lot of different newsletters. Like I mentioned, the FBI InfraGard sends me one about once a week or once every two weeks that summarizes a lot of the news events. And then, in the company where I work now, they have a Slack channel dedicated to security, and there’s a lot of activity, a lot of conversation. And I think that’s really cool, because it means that I get to find commonality with other, what I call, security nerds, people that really want to know about what’s happening. I just saw one of the posts today that did some research. There’s a USB cable called OMG cables. I don’t know if you’ve heard of them. You definitely have to Google this. It’s very, very interesting. So you have a new type of USB cable that looks identical, so like an Apple USB cable or any other USB cable. You couldn’t tell the difference. They weigh the same amount. They look the same. They’re the same colors. The difference with these OMG cables is that they’re programmable USBs that have a radio frequency attached to them. 
When you get them, you can set them up by simply plugging them into the USB on your computer and using some UI interface. It’s quite simple. You can set it up, the radio frequency is broadcast over wifi, and you can tell the USB cable to launch certain things, whatever you want it to do, right? It’s a programmable chip, and you can give that cable to anybody else. They plug that cable into their computer. It charges their device; as far as they’re concerned, it acts and looks like a USB cable. But you could have your mobile device, for example, your cell phone, nearby, and now you’re able to see what it is that they’re transmitting. You have access to their hard drive. You can execute things on their local machine, and they’re broadcasting their entire connection. That’s the kind of story that I like to keep up with and converse about. And I would never have known about that if I didn’t follow the Slack channel at my day job.

Yusuf: 

I’ve got a 15 year old son who does all sorts of things on his computer and phone. I’m giving him one.

Carlos: 

Well, what you could also do, Yusuf, is you could change your wifi router to use WEP encryption, because the work factor on the keys on that level of encryption is very low, and after 12 minutes they repeat the same cryptography. So, if you wanted to, you could also just simply downgrade your home router security to WEP technology, and then you could intercept all the packets, and then you could simply have a view into what they’re doing. Which is unreal and crazy, because you think about it: that’s an option that all routers have, and that’s how fragile our technology is, that you bring the security down a notch, you use the wrong cable, and then suddenly you’re wide open and susceptible to this. But I don’t know if auditors realize how much potential and how much is in the palm of their hands. If they’re able to navigate the conversation correctly, they would be able to rewrite the way that people think of security. And I think it’s going to require that kind of a change, because technology has advanced far beyond our ability to govern ourselves.

Yusuf: 

Absolutely. I know you mentioned that you’re quite interested in sharing your ideas through conferences and other events. What’s the easiest way for people to get in touch with you?

Carlos: 

So the easiest way to get in touch with me is to find me on LinkedIn. My page on LinkedIn is linkedin.com/in/Carlos-Phoenix, and my last name is spelled P H O E N I X. You can also Google me. I have a beard, I’m smiling. There aren’t that many Carlos Phoenixes on there that are smiling with the beard. If you do want to add me, just let me know that you heard me on the podcast and you’re interested. Otherwise I will just assume you’re trying to sell me something, and I probably won’t accept the request.

Yusuf: 

We’ll put a link to that in the show notes to make it easier for people to find you. Carlos, thanks for chatting with us today. Really appreciate the time that you’ve spent with us. Some fantastic insights for auditors, and we look forward to chatting with you again in future.

Carlos: 

Thank you so much, it’s been a pleasure.

Conor: 

Thank you, Carlos.

Narrator: 

If you enjoyed this podcast, please share it with a friend and rate us in your podcast app. For immediate notification of new episodes, you can subscribe at assuranceshow.com. The link is in the show notes.