Episode 40 | A CIO/CRO perspective on risk, security and internal audit with Ari Levien

The Assurance Show

Summary

Ari Levien is an experienced Chief Information Officer who has also played the role of Chief Risk Officer.

In this episode we discuss how a CIO (with an understanding of risk) thinks about security and risk.  We also discuss his views of Internal Audit and what good looks like for IA.


Transcript

Narrator: 

You’re listening to the Assurance Show, the podcast for performance auditors and internal auditors that focuses on data and risk. Your hosts are Conor McGarrity and Yusuf Moolla.

Yusuf Moolla: 

Today we’ve got Ari Levien. Ari, thanks for joining us. Ari is the CIO and CRO at Peregrine Investment Managers, a boutique investment management firm in South Africa with operations in the UK. We met there over a decade ago, when I was part of the internal audit team for what was an outsourced internal audit by one of the big four that I was working with at the time. And we spent quite a bit of time together talking about all things risk and audit and investment management and technology at the time.

Ari Levien: 

Thank you, Yusuf. It’s a pleasure to be able to contribute; hopefully there’s some value that people get out of this. I’ve been the CIO at Peregrine for a decade and before that I was Group IT Manager for a decade. So I’ve been there a long time, and it’s been very interesting through the financial crisis of 2008 and the world changing there, and then the world changing now with all of the emergency work from home that everybody seems to be doing. And so far so good.

Yusuf: 

You recently took on the role of chief risk officer as well. What has that been like for you?

Ari: 

It’s been interesting. The reason for me taking on that responsibility is largely because we sold our stockbroking arm, and that really changed the risk profile significantly. It brought a more homogenous level of risk to the remaining businesses in the group. They started off as a very small acquisition, which we made in about 2000 or 2001. By the time we sold them, they were the largest broker on the Johannesburg Stock Exchange by value, volume and number of trades. A very interesting business – stockbroking businesses have got a very different risk profile to asset managers and wealth managers. And with that separation, with that sale, the board felt, and I agreed with the board, that the bulk of the residual risk in our group was technology risk. The largest remaining subsidiary was Citadel, who are private client wealth managers. That business is entirely based on trust. It’s about name, it’s about brand, it’s about reputation. In a business like that, where you’re dealing with high net worth and ultra high net worth individuals, if you’ve been the victim of a cyber compromise, it really is brand negative, shall we say. The largest set of risks from a group perspective was in the technology space. And I think we’re starting to see that more and more with all of the ransomware detonating all over the place. Risk can be a multi-focal area. You can look at it from a tech point of view. You can look at it from a personal point of view. You can look at it from a business point of view. And when all is said and done, what you ultimately need to do is look at it from your client’s point of view. Each stakeholder needs to have their own viewpoint looked at, and you need to make the usual trade-off because you can’t zero out all risks. You’ve got to manage it appropriately. That’s one of the big differentiators between different businesses: we all choose to manage our risks somewhat differently, and that gives clients with different risk appetites variety.
The problem is, it’s a fight for information, because without information you’re not able to adequately assess what your risks really are. That’s going to be one of the next big drivers moving forward: how do you manage all of this information and transform that into something you can use?

Yusuf: 

When we started working together, the discussions that we had around risk were largely about technology risks. But the discussions we had around risk were based on a very different operating environment back then, relative to where we are now. In the old days we used to say, don’t write down your passwords. Nowadays, the opportunities are more virtual than they are physical. So you’re better off having a long password and writing it down, than having a short password and not.

Ari: 

Strangely enough, I actually would advocate writing it down, but treat each document where you write the password down with the value of what you’re protecting. If you’ve got a bank account with $50,000 in it, and you write down the password for your internet banking, and that’s the only thing that you need, treat that piece of paper like it’s worth $50,000. That’s not that difficult, but without a doubt, short passwords, dictionary words, all of the things that we’d been yelling about for the last 10 years, people are still using. And it’s getting people compromised. Certainly in South Africa we’ve seen it: some of the more traditional ISPs issue people with passwords and don’t let people select their own, and the password is selected from a dictionary list. And that didn’t go down well. A lot of their clients got compromised very quickly, very easily. And they’ve now subsequently changed that. Either write your password down, keep it somewhere secure and treat that as something valuable, or use one of the better password managers; there are plenty to go around. I’m not going to name names just for liability reasons, but the long and the short of it is, if you use any of the top four or top five password managers, you’re going to be absolutely fine. And the truth is, every single piece of software, including password managers, has bugs. Most bugs are not exploitable, but many of them are. Just because you’re using a top five password manager, it doesn’t mean that they’re not going to be compromised. It just means that the chance is less. It’s like any other risk: you can take insurance to cover some; for others, you just have to be a little bit paranoid.

Conor McGarrity: 

With the proliferation of cyber compromise attempts globally, and the heightened awareness among the public and various organizations about it, have you found your clients asking questions or seeking some sort of assurance about what are you doing with my information?

Ari: 

Absolutely. We’ve definitely seen an increase in that, and we’ve actually put together a document for clients that have been compromised. Because a lot of the South African clients use mom and pop ISPs or second tier, they’re still using them for their email accounts. They’re not using Apple or Microsoft or Google, who really are the three that I would recommend as being your primary email provider if you’re not using a corporate email system. An unholy number of them have been compromised, mostly at the ISP level. In some cases it’s because the ISP runs a web front end for the email systems, and those are not always kept as up-to-date as perhaps they should be. And so they can be breached without the client’s password. In others, it’s because the client password is pathetic. And sometimes that’s the client’s fault, and sometimes that’s the ISP’s fault. I certainly don’t want to point fingers at anybody except the industry as a whole. Passwords really are dead and smelly. We should be looking for other methods, but clients are definitely becoming more savvy about it. The one very distressing thing is that, over the last three years, in more than 50 cases, it’s been a case of the clients being compromised. The first phone call they make is to us to say your server’s been hacked. That almost placed the burden of proof on the providers, whether that’s a financial service provider or banks or that sort of thing. South Africa’s got a financial services CSIRT; I sit on that CSIRT. And across the board, all of the large and medium sized organizations that participate have seen the same sort of thing. It really comes down to the clients being compromised and not wanting to believe it. I’ve seen it with a family member; it took quite a while to persuade them that they had been compromised and not the financial services organization.
And that’s gonna take quite a bit of education to change, but it also puts quite a lot of pressure on organizations, because when you’ve got one or two clients coming to you saying, you’ve been compromised, you’ve got to prove to the client that you haven’t. Now imagine you’ve got half a million clients, all of whom have been compromised. Let’s say that Google gets compromised. And one of the large organizations, they’ve got half a million clients that use email and they all come to the bank to say, you’ve been compromised. How do you prove that you’re not? To tie this into audit and assurance, this is where having a trusted third party opinion, updated regularly, can make a huge difference. We happen to use, in addition to normal internal audit, specialist cybersecurity pentesters and auditors. That’s something that we’ve done religiously twice a year, at least. If I could afford to do it more often, I would. And if I could afford to cycle between a number of different trusted partners, that would also be very valuable. Because everybody thinks differently. Everybody works differently. And if organization A says we weren’t able to find any holes, it doesn’t mean that organization B might not be able to find anything. And actually if everybody’s security gets better, then we’re all going to be better. But that third party assurance makes an incredible difference, because you can sit down with a client or, with COVID, have a Zoom call with them or a Teams call, and you can say to them, we’ve got no indication. We’ve got automatic electronic auditing. We’ve got trusted third parties looking at this. We are as certain as it is possible to be. Because let’s be honest, anybody that says that they are completely certain that they haven’t been compromised really doesn’t. Yeah. That’s a good time to say check, please. I’m on my way out. We’re as certain as possible that we haven’t been compromised.
And what we’ve done with some of our clients, when we’ve had capacity in the team, is we’ve actually assisted them and asked them if they want our help to look at it. First of all, we found that that builds good client relationships, but I’m a very passionate believer that from a security point of view, this is not organization A’s problem or organization B’s problem. It’s all of our problem. And until we can secure all of the home machines and every mom and pop organization can be running a reasonable level of security, there are going to be botnets that the bad guys can use to crack to more sophisticated things. And it really makes a big difference to everybody. If we can change the general level of security and improve it, that I think is critically important. And that’s something that we’ve tried very hard to work towards, collaboration with industry groups and that sort of thing. And for anybody that would like to, please get involved with the communities. Everybody can make a difference, whether it’s writing documentation or recording presentations, or just encouraging people to do the right thing.

Yusuf: 

There’s quite a few really good security consultants and they seem to work quite well together as well. So talking about community, I know one of the guys that I used to work with back at Deloitte, Dominic White, is now at SensePost, which is part of Orange Cyberdefense. And they do a really good job, lots of research, critical job, but they also seem to have a good community going where people talk about things amongst the security community. Lots of collaboration going on as well. So there’s obviously good intent in terms of security people to get that uplift going.

Ari: 

Hopefully I’m preaching to the choir, but security research is critically important and sharing that information is really vital. Yes, the bad guys are going to get it, but how do you know the bad guys don’t have it anyway? And the only way to make progress on this is actually to fix it. You mentioned the name, so I’m going to just jump on that and endorse it. SensePost do an outstanding job. I’ve known Dominic since he was at Deloitte. And I’ve known a lot of the SensePost people going back to at least 2005, and above all, they are ethical. They do not behave in ways that are questionable. I’d like to give them a shout out for that, because I think that’s an incredible thing to do. Those of us that are consumers of those sorts of services: everybody, ensure that your provider is ethical. There are horror stories about some of these pentest firms and cyber security consultancies. Some of them are true and some of them aren’t. Your gut often tells you things before your conscious mind has been able to figure out why you got to saying it. And that’s important. Trust your gut.

Narrator: 

The Assurance Show is produced by Risk Insights. We work with performance auditors and internal auditors, delivering audits, helping audit teams use data, and coaching auditors to improve their data skills. You can find out more about our work at datainaudit.com. Now, back to the conversation.

Yusuf: 

You’ve obviously had to deal with a range of internal auditors over the years. What has your experience been with internal auditors and in particular, what would you say the characteristics that you saw from good interactions with auditors would have been?

Ari: 

Too many internal auditors don’t read the previous year’s audit findings, audit notes, but it’s very simple. Good internal audit is curious; they question and they ask intelligent questions. What is the purpose of this control? What do you find when it works? What do you find if it doesn’t work? Are there any ways around it? And if you start getting towards a higher grade, is this control worth the costs that it imposes on the organization? And I’m not just talking about the cost in, being counter to, it’s not just the dollars and cents. So we’ve got this fantastic control and it works 98% of the time and it’s cheap in dollar terms, but it means that our competitors are turning this particular process around in 25 minutes. We’re taking three days. Is it worth that? And if it is, fantastic. Shout it from the rooftops. Say to the clients, we take our time and make sure that your money and your information and your interaction with us is safe. That is why we delay this, and you can prove it. And maybe your competitors have started and they’ve got something else, fine. You’ll learn from it. But some of the best interactions that you and I had as a team, because that’s the way that we worked, was asking questions and actually having an honest debate about the value of a control and suggesting alternatives and looking at things from an audit point of view. And one of the things that landed up coming out of that is when we look at new business processes, we actually try and involve internal audit from the design of those processes. So from scratch, we look at what needs to be accomplished and we say, okay guys, is this a process that we’re going to need to audit? Does it contribute meaningfully in any way? Is there stuff that we need to look out for? Yes. Fantastic. Internal audit, you need to be part of this.
How can we build this process so that it is easy to audit, and so that when control A fails and we need to replace it with version two, it is not going to take us a year’s worth of process re-engineering and redoing software and retraining staff? It’s the same as security. If you add audit at the end, it’s much harder. It’s much more expensive and it doesn’t work nearly as well. If you start at the beginning and you say, we know that we got right to have to verify this process, how the hell do we do this? Okay. And what is a good way of making sure that internal and external audit and anybody independently can have the transparency that they need easily?

Conor: 

Does that create any sort of conflict for the role of internal audit though? So if they’re involved in the design of a new control and then may ultimately be involved in testing its effectiveness, how do you make sure there’s no overlap between those duties?

Ari: 

Different teams. What we did at one stage was we actually would get internal audit from one part of the business to look at the controls that we were designing in another part of the business. So that people aren’t obviously marking their own homework; as you say, that’s potentially a major issue. But that’s also a good argument for having somebody with internal audit experience involved in the design process. You really can make a lot of use out of people’s experience. We sometimes think, oh, you know, so and so’s almost about to retire. I’m sure I can do everything they can do. Yeah. Maybe you can, but in medicine there is a story. When my dad was lecturing medical students, he always used to say, very simple, how do you know that somebody has gotten the disease? So it’s a bit like when you’re walking down the street and you see Aunt Minnie, how do you recognize Aunt Minnie? You recognize Aunt Minnie because you’ve seen her before, you’ve met her and you’ve talked to her. It’s the same with this sort of thing. Somebody who’s been doing this for 20 years. In all likelihood, you’re going to find people who’ve been doing it for a year who are as competent and perhaps as skilled. But you cannot replace the value of that 20 years of experience. And that’s, again, one of the reasons why I’m absolutely passionate about having teams that are heterogeneous. You want people of multiple cultures, multiple genders, multiple sexual orientations, multiple viewpoints. You want radicals, you want conservatives. Not always possible in a small team, but the more diverse the set of viewpoints that you can have, provided that the people can trust each other and you can have honest interactions and debates, everybody ends up benefiting and you get a much better outcome. In South Africa, there’s this thing about a white Afrikaner male culture, and you have it in the U.S. with the Anglo-Saxon Protestants, and you’ve got it all over the world.
Not to pick on the whites, but people tend to think the same because they’ve grown up in the same environment and they’ve grown up in the same background and they’ve got similar cultural ideas.

Yusuf: 

Group think.

Ari: 

It’s group think. And that’s where the hacker community, and I’m not talking about the malicious hackers, I’m talking about the security research community, has largely got it figured out. There are people from all over the world doing the most incredible research, and you’ll find a 14 year old Azerbaijani boy working with a 60 year old American female. And it doesn’t matter, because people find others that they can work with. And it gels. We’ve got to encourage that, especially on the audit teams, because if your audit team or your assurance team is comprised of the same sort of individuals who are in the company, it makes for great relationships and very smooth sailing. But actually it needs to be almost a competition, a friendly competition: we’ve designed this, it’s working like that, come pick the holes in it. Not because you guys are better than us, but because you think differently and we all win from it. Audits without findings, and I’m not talking about massive adverse findings, I’m talking about audits that are, you know, nothing to report. That’s a waste of time and money, and everybody is landing up with a false sense of security, because if there’s one thing that we’ve got to learn from the cyber side of things, there are a certain number of bugs per thousand lines of code. That’s just the way it is. It’s humans writing this stuff. Humans make mistakes. Humans are designing business processes. We make mistakes. And the only way to get better at this is to improve it over time and iterate. There’s an old software engineering saying that you throw version 1.0 of anything away. Microsoft heard that and, of their products, I think they introduced version five. It didn’t help them; the particular product metric was still the usual bug fest, but that’s the same with everybody. That’s the nature of how we do things, especially when it’s something new. If it’s something that hasn’t been done before, we make mistakes, and we’ve got to learn from them.
If you look at the history of bridge construction, humans started building bridges probably 2,000 or 3,000 years ago, at least from a real structural point of view. If you Google for the galloping bridge, that was in the 1940s. So over 2,000 years’ worth of bridge building experience, largely modern mathematical methods, model engineering, understanding modern materials. We still got it wrong.

Yusuf: 

There was a bridge in Cape Town that was being built. And they decided that they’re not going to build it from one side to the other; they’re going to start on the opposite ends and meet in the middle. And they didn’t meet in the middle – I don’t know if you remember that, but that bridge still stands. So your lane and the oncoming lane sort of meet head-on at some point.

Ari: 

We’ve got to acknowledge that we make mistakes. Donald Knuth, who’s really the father of modern computer science along with Turing and the rest, said that premature optimization is the root of all evil. When you’re looking at all of these processes, when you’re looking at something, don’t automate it too early, don’t optimize it too early. Figure out how it works. Build it. Make it nice and robust and then iterate a bit. Yeah, it’s going to cost you more short-term. Long-term, I promise it’s going to run smoother, work better, and therefore it’s going to save you money. We’ve got to also find a way of getting over the short-termism, where if it’s not going to show in the next quarter’s results, nobody’s interested. There’s lots of things where you make an investment in time and whatever, and it’s going to take five years before you get to see financial benefits, but you’re going to start seeing organizational benefits and culture benefits. Old-fashioned values are not always the best, but in many cases we can learn a lot from the principles on which those processes were built. We’ve got to move past box ticking and move to: how is this process adding value? Where is it adding value? Audit and assurance in general, and risk management, has got so much value to add, because if we ask the right questions, we spark all sorts of things.

Yusuf: 

In terms of people getting hold of you, getting in touch with you, connecting to bounce ideas, what’s the easiest way for that to happen?

Ari: 

Easiest is email. I’ll give you my personal email address, which is going to share just how long I’ve been using Gmail, because I’ve actually got levien@gmail.com; that’s L E V I E N at gmail dot com. And there’s one young lady from Vietnam, Le Vien Van. Yeah, if you’re listening to this, please stop trying to use my Gmail address. Thank you.

Yusuf: 

Excellent. Thank you very much for sharing your insights. Lots to think about, and my takeaway has been: just be curious.

Conor: 

Takeaway for me was internal audit is a critical friend within any organization. As long as the business and internal auditors are working towards the same overall objective, you’ll get better value all around.

Ari: 

Absolutely. Thank you for having me.

Narrator: 

If you enjoyed this podcast, please share with a friend and rate us in your podcast app. For immediate notification of new episodes, you can subscribe at assuranceshow.com. The link is in the show notes.