Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Narrator (00:07):
You're listening
to the Assurance Show.
The podcast for performance auditors and internal auditors
that focuses on data and risk.
Your hosts are Conor McGarrity and Yusuf Moolla.
Yusuf (00:20):
Today we've
got Ari Levien.
Ari, thanks for joining us.
Ari is the CIO and CRO at Peregrine Investment Managers,
a boutique investment management firm in South Africa
with operations in the UK.
We met there over a decade ago, when I was part of the
internal audit team for what was an outsourced internal audit,
(00:43):
by one of the big four that I was working with at the time.
And we spent quite a bit of time together talking about
all things risk and audit and investment management
and technology at the time.
Ari (00:54):
Thank you, Yusuf.
It's a pleasure to be able to contribute; hopefully
there's some value that people get out of this.
I've been the CIO at Peregrine for a decade and
before that I was Group IT Manager for a decade.
So I've been there a long time and it's been very interesting
(01:14):
through the financial crisis of 2008 and the world changing
there, and then the world changing now with all of the
emergency work from home that everybody seems to be doing.
And so far so good.
Yusuf (01:29):
You recently took
on the role of chief
risk officer as well.
What has that been like for you?
Ari (01:34):
It's been interesting.
The reason for me taking on that responsibility is largely
because we sold our stockbroking arm, and that really changed
the risk profile significantly.
It brought a more homogenous level of risk to the remaining
businesses in the group.
They started off as a very small acquisition, which we
made in about 2000 or 2001.
(01:56):
By the time we sold them, they were the largest broker
on the Johannesburg Stock Exchange by value, volume
and number of trades.
A very interesting business - stockbroking businesses have
got a very different risk profile to asset managers
and wealth managers.
And with that separation, with that sale, the board felt and I
(02:17):
agreed with the board that the bulk of the residual risk in
our group was technology risk.
The largest remaining subsidiary was Citadel, who are private
client wealth managers.
That business is entirely based on trust.
It's about name, it's about brand, it's about reputation.
In a business like that, where you're dealing with
(02:39):
high net worth and ultra high net worth individuals, if
you've been the victim of a cyber compromise, it really is
brand negative, shall we say.
The largest set of risks from a group perspective
was in the technology space.
And I think we're starting to see that more and more
with all of the ransomware detonating all over the place.
(03:02):
Risk can be a multifocal area.
You can look at it from a tech point of view.
You can look at it from a personal point of view.
You can look at it from a business point of view.
And when all is said and done, what you ultimately
need to do is look at it from your client's point of view.
Each stakeholder needs to have their own viewpoint looked
at, and you need to make the usual trade-off because you
(03:26):
can't zero out all risks.
You've got to manage it appropriately.
That's one of the big differentiators between
different businesses: we all choose to manage our risks
somewhat differently, and that gives clients with different
risk appetites variety.
The problem is, it's a fight for information, because without information
(03:47):
you're not able to adequately assess what
your risks really are.
That's going to be one of the next big drivers moving forward:
how do you manage all of this information and transform
that into something you can use?
Yusuf (04:03):
When we started working
together, the discussions that
we had around risk, and it was largely technology risks
that we were talking about.
But the discussions we had around risk were based on
a very different operating environment back then,
relative to where we are now.
In the old days we used to say, don't write down your passwords.
Nowadays, the opportunities are more virtual than
(04:25):
they are physical.
So you're better off having a long password and writing
it down, than having a short password and not.
Ari (04:31):
Strangely enough, I
actually would advocate
writing it down, but treat each document where you write the
password down with the value of what you're protecting.
If you've got a bank account with $50,000 in it,
and you write down the password for your internet banking,
and that's the only thing that you need,
treat that piece of paper like it's worth $50,000.
(04:53):
That's not that difficult, but without a doubt, short
passwords, dictionary words, all of the things that we'd been
yelling about for the last 10 years, people are still using.
And it's getting people compromised.
Certainly in South Africa we've seen it: some of the more
traditional ISPs issue people with passwords
(05:14):
and don't let people select their own, and the password is
selected from a dictionary list.
And that didn't go down well.
A lot of their clients got compromised very
quickly, very easily.
And they've now subsequently changed that.
Either write your password down, keep it somewhere
secure and treat that as something valuable.
Or use one of the better password managers out there;
(05:37):
there are plenty to go around.
I'm not going to name names just for liability reasons,
but the long and the short of it is if you use any of
the top four or top five password managers, you're
going to be absolutely fine.
And the truth is, every single piece of software, including
password managers, has bugs.
(05:59):
Most bugs are not exploitable, but many of them are.
Just because you're using a top five password manager,
it doesn't mean that they're not going to be compromised.
It just means that the chance is less.
It's like any other risk: you can take insurance to cover
some; for others, you just have to be a little bit paranoid.
Conor (06:18):
With the proliferation
of cyber compromise attempts
globally, and the heightened awareness among the public and
various organizations about it, have you found your clients
asking questions or seeking some sort of assurance about what are
you doing with my information?
Ari (06:34):
Absolutely.
We've definitely seen an increase in that, and we've
actually put together a document for clients that
have been compromised.
Because a lot of the South African clients use mom and
pop ISPs or second tier; they're still using them
for the email accounts.
(06:55):
They're not using Apple or Microsoft or Google, who really
are the three that I would recommend as being your primary
email provider, if you're not using a corporate email system.
An unholy number of them have been compromised,
mostly at the ISP level.
In some it's because the ISP runs a web front end
(07:17):
for the email systems.
And those are not always kept as up-to-date as
perhaps they should be.
And so they can be breached without the client's password.
In others, it's because the client password is pathetic.
And sometimes that's the client's fault.
And sometimes that's the ISP's fault.
I certainly don't want to point fingers at anybody
(07:39):
except the industry as a whole.
Passwords really are dead and smelly.
We should be looking for other methods, but clients
are definitely becoming more savvy about it.
The one very distressing thing is that, over the last
three years, in more than 50 cases, it's been a case of
(07:59):
the clients being compromised.
The first phone call they make is to us to say your
server's been hacked.
That almost placed the burden of proof on the providers,
whether that's a financial service provider or banks
or that sort of thing.
South Africa's got a financial services CSIRT;
I sit on that CSIRT.
And across the board, all of the large and medium
(08:23):
sized organizations that participate have seen
the same sort of thing.
It really comes down to the clients being compromised and
not wanting to believe it.
I've seen it with a family member; it took quite a while
to persuade them that they had been compromised and not the
(08:44):
financial services organization.
And that's gonna take quite a bit of education
to change, but it also puts quite a lot of pressure
on organizations because when you've got one or two
clients coming to you saying,
you've been compromised,
you've got to prove to the client that you haven't.
Now imagine you've got half a million clients, all of
whom have been compromised.
(09:05):
Let's say that Google gets compromised.
And one of the large organizations, they've got half
a million clients that use email and they all come to the bank
to say, you've been compromised.
How do you prove that you're not?
To tie this into audit and assurance, this is where
having a trusted third party opinion updated regularly
(09:30):
can make a huge difference.
We happen to use, in addition to normal internal audit, we
use specialist cybersecurity pentesters and auditors.
That's something that we've done religiously
twice a year, at least.
If I could afford to do it more often, I would.
And if I could afford to cycle between a number of
(09:53):
different trusted partners, that would also be very valuable.
Because everybody thinks differently.
Everybody works differently.
And if organization A says we weren't able to find any
holes, it doesn't mean that organization B might not
be able to find anything.
And actually if everybody's security gets better, then
we're all going to be better.
But that third party assurance makes an incredible difference
(10:17):
because you can sit down with a client or, COVID, have
a Zoom call with them or a Teams call and you can say to
them, we've got no indication.
We've got automatic electronic auditing.
We've got trusted third parties looking at this.
We are as certain as it is possible to be.
(10:37):
Because let's be honest, anybody that says that they
are completely certain that they haven't been compromised
really doesn't.
Yeah.
That's a good time to say check, please.
I'm on my way out.
We're as certain as possible that we haven't
been compromised.
And what we've done with some of our clients, when we've
had capacity in the team, is we've actually assisted
(10:59):
them and asked them if they want our help to look at it.
First of all, we found that that builds good client
relationships, but I'm a very passionate believer that from
a security point of view, this is not organization A's problem
or organization B's problem.
It's all of our problem.
And until we can secure all of the home machines and
(11:24):
every mom and pop organization can be running a reasonable
level of security, there are going to be botnets that the
bad guys can use to crack to more sophisticated things.
And it really makes a big difference to everybody.
If we can change the general level of security and
improve it, that I think is critically important.
(11:46):
And that's something that we've tried very hard to work towards,
collaboration with industry groups and that sort of thing.
And for anybody that would like to, please get involved
with the communities.
Everybody can make a difference, whether it's
writing documentation or recording presentations,
(12:07):
or just encouraging people to do the right thing.
Yusuf (12:10):
There's quite a few
really good security consultants
and they seem to work quite well together as well.
So talking about community, I know one of the guys that
I used to work with back at Deloitte, Dominic White, is
now at SensePost, which is part of Orange Cyberdefense.
And they do a really good job, lots of research, critical
job, but they also seem to have a good community going
where people talk about things amongst the security community.
(12:33):
Lots of collaboration going on as well.
So there's obviously good intent in terms of security
people to get that uplift going.
Ari (12:41):
Hopefully I'm preaching
to the choir, but security
research is critically important and sharing that
information is really vital.
Yes, the bad guys are going to get it, but how do you know the
bad guys don't have it anyway?
And the only way to make progress on this
is actually to fix it.
You mentioned the name, so I'm going to just jump
on that and endorse it.
(13:02):
SensePost do an outstanding job.
I've known Dominic since he was at Deloitte.
And I've known a lot of the SensePost people going
back to at least 2005 and, above all, they are ethical.
They do not behave in ways that are questionable.
(13:24):
I'd like to give them a shout out for that,
because I think that's an incredible thing to do.
Those of us that are consumers of those sorts of services:
everybody, ensure that your provider is ethical.
There are horror stories about some of these pentest firms and
cyber security consultancies.
Some of them are true and some of them aren't.
Your gut often tells you things before your conscious
(13:47):
mind has been able to figure out why you got to saying it.
And that's important.
Trust your gut.
Narrator (13:54):
The Assurance Show
is produced by Risk Insights.
We work with performance auditors and internal
auditors, delivering audits, helping audit teams use data,
and coaching auditors to improve their data skills.
You can find out more about our work at datainaudit.com.
Now, back to the conversation.
Yusuf (14:14):
You've obviously had to
deal with a range of internal
auditors over the years.
What has your experience been with internal auditors and
in particular, what would you say the characteristics that
you saw from good interactions with auditors would have been?
Ari (14:29):
Too many internal auditors
don't read the previous
year's audit findings, audit notes, but it's very simple.
Good internal audit is curious; they question and
they ask intelligent questions.
What is the purpose of this control?
What do you find when it works?
What do you find if it doesn't work?
(14:50):
Are there any ways around it? And if you start getting towards a
higher grade: is this control worth the costs that it
imposes on the organization?
And I'm not just talking about the cost, being
counter to it; it's not just the dollars and cents.
So we've got this fantastic control and it works 98%
(15:11):
of the time and it's cheap in dollar terms, but it
means that our competitors are turning this particular
process around in 25 minutes.
We're taking three days.
Is it worth that?
And if it is,
fantastic.
Shout it from the rooftops.
Say to the clients, we take our time and make
(15:31):
sure that your money and your information and your
interaction with us is safe.
That is why we delay this, and you can prove it. And maybe your
competitors have started and they've got something else; fine.
You'll learn from it.
But some of the best interactions that you
and I had as a team,
(15:51):
because that's the way that we worked,
was asking questions and actually having an honest debate
about the value of a control and suggesting alternatives
and looking at things from an audit point of view.
And one of the things that landed up coming out of that
is when we look at new business processes, we actually try and
(16:14):
involve internal audit from the design of those processes.
So from scratch, we look at what needs to be accomplished
and we say, okay guys, is this a process that we're
going to need to audit?
Does it contribute meaningfully in any way?
Is there stuff that we need to look out for?
Yes.
Fantastic.
Internal audit,
(16:35):
you need to be part of this.
How can we build this process so that it is easy to audit and
that when control A fails and we need to replace it with version
two, it is not going to take us a year's worth of process
re-engineering and redoing software and retraining staff?
(16:56):
It's the same as security.
If you add at the end, if you add audit at the
end, it's much harder.
It's much more expensive and it doesn't work nearly as well.
If you start at the beginning and you say, we know that
we're going to have to verify this process, how
the hell do we do this?
Okay.
And what is a good way of making sure that
(17:18):
internal and external audit and anybody independently
can have the transparency that they need easily?
Conor (17:26):
Does that create any
sort of conflict for the role
of internal audit though?
So if they're involved in the design of a new control and then
may ultimately be involved in testing its effectiveness, how
do you make sure there's no overlap between those duties?
Ari (17:40):
Different teams.
What we did at one stage was we actually would get internal
audit from one part of the business to look at the controls
that we were designing in another part of the business.
So that people aren't obviously marking their own
homework, as you say, that's potentially a major issue.
But that's also a good argument for having somebody with
(18:01):
internal audit experience involved in the design process.
You really can make a lot of use out of people's experience.
We sometimes think, oh, you know, so and so's
almost about to retire.
I'm sure I can do everything they can do.
Yeah.
Maybe you can, but in medicine there is a story.
(18:23):
When my dad was lecturing medical students, he
always used to say,
very simple,
how do you know that somebody has gotten the disease?
So it's a bit like when you're walking down the street and
you see Aunt Minnie: how do you recognize Aunt Minnie?
You recognize Aunt Minnie because you've seen her
before, you've met her and you've talked to her.
It's the same with this sort of thing.
(18:44):
Somebody who's been doing this for 20 years.
In all likelihood, you're going to find people
who've been doing it for a year who are as competent
and perhaps as skilled.
But you cannot replace the value of that 20 years of experience.
And that's,
(19:05):
again, one of the reasons why I'm absolutely
passionate about having teams that are heterogeneous.
You want people of multiple cultures, multiple genders,
multiple sexual orientations, multiple viewpoints.
You want radicals, you want conservatives.
Not always possible in a small team, but the more diverse
(19:27):
the set of viewpoints that you can have, provided that
the people can trust each other and you can have honest
interactions and debates,
everybody ends up benefiting and you get
a much better outcome.
In South Africa, there's this thing about a white
Afrikaner male culture, and you have it in the U.S.
with the Anglo-Saxon Protestants and you've
(19:49):
got it all over the world.
Not to pick on the whites, but people tend to think the
same because they've grown up in the same environment
and they've grown up in the same background and they've
got similar cultural ideas.
Yusuf (20:00):
Group think.
Ari (20:01):
It's group think.
And that's where the
hacker community,
and I'm not talking about the malicious hackers,
I'm talking about the security research community, has
largely got it figured out.
There are people from all over the world doing the
most incredible research and you'll find a 14 year old
(20:22):
Azerbaijani boy working with a 60 year old American female.
And it doesn't matter.
Because people find others that they can work with.
And it gels. We've got to encourage that, especially
on the audit teams, because if your audit team or your
(20:44):
assurance team is comprised of the same sort of individuals
who are in the company, it makes for great relationships
and very smooth sailing.
But actually it needs to be almost a competition, a friendly
competition, but we've designed this, it's working like that.
Come pick the holes in it.
Not because you guys are better than us, but because
(21:06):
you think differently and we all win from it.
Audits without findings; and I'm not talking about
massive adverse findings.
I'm talking about audits that are, you know,
nothing to report.
That's a waste of time and many, and everybody is landing up with
the false sense of security, because if there's one thing
that we've got to learn from the cyber side of things, there
(21:29):
are a certain number of bugs per thousand lines of code.
That's just the way it is.
It's humans writing this stuff.
Humans make mistakes.
Humans are designing business processes.
We make mistakes.
And the only way to get better at this is to improve
it over time and iterate.
There's an old software engineering saying
(21:52):
that you throw version 1.0 of anything away.
Microsoft
heard that and, for their products,
I think they introduced version five.
It didn't help them; that particular product metric was still the
usual bug fest, but that's the same with everybody.
It's the nature of how we do things, especially when
it's something new. If it's something that hasn't been
(22:12):
done before, we make mistakes; we've got to learn from them.
If you look at the history of bridge construction,
humans started building bridges probably 2/3000 years
ago, at least from a real structural point of view.
If you Google for the galloping bridge, that was in the 1940s.
(22:32):
So over 2000 years worth of bridge building experience,
largely modern mathematical methods, model engineering,
understanding modern materials.
We still got it wrong.
Yusuf (22:43):
There was a bridge in
Cape town that was being built.
And they decided that they're not going to build it from
one side to the other; they're going to start on the opposite
ends and meet in the middle.
And they didn't meet in the middle - I don't know
if you remember that, but that bridge still stands.
So your lane and the oncoming lane sort of meet
head-on at some point.
Ari (23:03):
We've got to acknowledge
that we make mistakes.
Donald Knuth,
who's really the father of modern computer science along
with Turing and the rest:
premature optimization is the root of all evil.
When you're looking at all of these processes, when
you're looking at something, don't automate it too early,
don't optimize it too early.
(23:25):
Figure out how it works.
Build it.
Make it nice and robust and then iterate a bit.
Yeah, you can, it's going to cost you more short-term.
Long-term I promise it's going to run smoother, work
better, and therefore it's going to save you money.
We've got to also find a way of getting over the short-termism,
where if it's not going to show in the next quarter's
(23:45):
results, nobody's interested.
There's lots of things where you make an investment in time
and whatever, and it's going to take five years before
you get to see financial benefits, but you're going to
start seeing organizational benefit and culture benefits.
Old-fashioned values, not always the best, but in many
(24:07):
cases we can learn a lot from the principles on which
those processes were built.
Got to move past box ticking and move to how is
this process adding value?
Where is it adding value?
Audit and assurance in general and risk management has got so
(24:28):
much value to add because if we ask the right questions,
we spark all sorts of things.
Yusuf (24:36):
In terms of people
getting hold of you,
getting in touch with you, connecting to bounce ideas.
What's the easiest way for that to happen?
Ari (24:44):
Easiest is email.
I'll give you my personal email address, which is
going to share just how long I've been using Gmail,
because I've actually got levien@gmail.com, that's L E
V I E N at gmail dot com.
And there's one young lady from Vietnam,
(25:05):
Le Vien Van.
Yeah, if you're listening to this, please stop trying
to use my Gmail address.
Thank you.
Yusuf (25:15):
Excellent.
I thank you very much for sharing your insights.
Lots to think about, and my takeaway has
been just be curious.
Conor (25:22):
Takeaway for me was
internal audit is a critical
friend within any organization.
As long as the business and internal auditors are
working towards the same overall objective, you'll
get better value all around.
Ari (25:34):
Absolutely.
Thank you for having me.
Narrator (25:36):
If you enjoyed
this podcast, please share
with a friend and rate us in your podcast app.
For immediate notification of new episodes, you can
subscribe at assuranceshow.com.
The link is in the show notes.