EP 78: Importance of Internal Audit Teams
About this episode
April 27, 2021
Do you know how Internal Audit Teams can assist a CISO?! Take a look from an Internal Audit team's perspective and learn more about the important role they play in your Cyber Risk Management, with hosts Kip Boyle, vCISO with Cyber Risk Opportunities, and Jake Bernstein, JD and Cybersecurity Practice Lead at Focal Law Group.
Speaker 1: Welcome to The Cyber Risk Management Podcast. Your mission is to help you thrive as a cyber risk manager. On today's episode, your virtual chief information security officer is Kip Boyle, and your virtual cybersecurity counsel is Jake Bernstein. Visit them at cyberriskopportunities.com and focallaw.com.
Jake Bernstein: So, Kip, what are we going to talk about today?
Kip Boyle: Hey, Jake. Today, we've got a guest, Julio Tirado, and we are going to talk about the role of the internal audit team with respect to cyber risk management. It's going to be a good one.
Jake Bernstein: That does sound like fun. Julio, welcome to the podcast.
Julio Tirado: Thanks, guys. It's a pleasure to be here.
Kip Boyle: Julio, I want to give you a chance to introduce yourself so that our listeners can get to know you a little bit. So tell us a little bit about who you are and your background, please.
Julio Tirado: Sure. Sure. Well, thank you again for having me. It's a total pleasure. I started internal audit in 2007. I applied for a junior auditor role, and it was somewhat of a general audit role in that I got to learn and play with lots of things within the organization. And a year into the role, I was given the task to be part of an IT audit. My background academically was in finance and business, so I did a lot of research and did as much homework as I could to get ready for it. By the time the audit was done, I just was left so hungry to learn so much more, so that was really the beginning of my learning journey in tech and security.
Throughout my career, I've had the chance to do a few other things. I took a break to be Mr. Entrepreneur, so for two and a half years I started a consulting business under my own name, just doing work for other banks like I've done before. Two and a half years later, I ended up having to come back to be an employee, long story short, and got the chance to be a security officer for about a year and a risk management officer, so got to view things from a different lens, which is very, very helpful. Eventually pivoting back to audit, so I'm now the director of internal audit at SpiritBank. SpiritBank is a community bank, headquartered in Tulsa, Oklahoma. We are five branches, 800 million in consolidated assets, and we specialize in the business of business, commercial real estate, SBA loans, just doing a lot for that community, including PPP, which is a big deal for the economy with the pandemic.
Kip Boyle: Oh, yeah. Yeah-
Jake Bernstein: Kip, you didn't tell me that Julio was from the state that stole the Seattle Supersonics. I don't know that we can continue this recording.
Kip Boyle: I didn't want to bias you, Jake.
Jake Bernstein: That was an omission of material fact, Kip, as you know.
Kip Boyle: It was, and it ended up working. Here you are.
Jake Bernstein: Here I am.
Kip Boyle: But we'll forgive Julio. He probably wasn't involved. And if he was, he probably shouldn't mention it. Oh, you know what? Internal audit. Okay. Well, first of all, Julio, I just want to say I really appreciate your background, because you have seen the same issues from multiple perspectives, right? So I think that's fantastic. I think that's going to help what we talk about today, make it really valuable, make it really meaningful. And by the way, your experience... And this is me having talked with a lot of other IT auditors... your experience of being put, a guy in finance being put into an IT audit and just sort of having to figure it out apparently is very common.
Julio Tirado: Very, very common. Yes.
Jake Bernstein: Can we take a step back and let me just ask Julio... I think almost everyone has heard the word audit and auditor, but what does it really mean? Just on a basic level, what does an auditor do? What does the internal audit team do?
Julio Tirado: Mm-hmm (affirmative). That's a legitimate question. I will not give you the formal definition, because it would just be completely useless.
Kip Boyle: Oh, thank God.
Julio Tirado: So internal auditors are risk-minded professionals. They're thinking about business from a risk perspective. Let's start with that. So they're risk-minded professionals that help an organization achieve its goals. We're supposed to look at the big picture, understand the organization, strategic goals, and collectively help achieve those goals by way of internal audits and related work. So helping a company achieve its goals is a key point, helping a company prepare to tackle the uncertainty or the unfamiliar, i.e., risk management. So you'll often hear that internal audit department's independent, and what that means is quite typically we are structured to report to an audit committee, which is a board committee of members that are independent, independent directors. So that's a differentiator with internal audit, unlike other functions within an organization.
And I like to think that internal auditors are perpetual learners. We're supposed to understand many aspects of an organization. As you guys know, the theme with this podcast is cybersecurity. That's a huge piece of the puzzle. In our community, we're getting a lot of attention to continue to grow that skillset because, as you know, hashtag Exchange, hashtag SolarWinds, this is a big deal, right? That skillset is growing demand. But if I were to kind of conclude and summarize in one sentence, internal audit is about making the company better.
Kip Boyle: And that's when it works the way that it's supposed to, right? So on its best days, that's what it does.
Julio Tirado: Absolutely.
Kip Boyle: And the reason why I'm qualifying what you said is because over the course of my career, unfortunately I've seen cases where that's not always true, right? Everybody has a bad day or whatever, bad season, or where things aren't happening right. But some people I've noticed really... And not necessarily senior decision-makers, but other members of the organization, I've seen them take an adversarial position to the internal audit team.
Julio Tirado: Yeah, yeah.
Kip Boyle: Right? And they do that for different reasons. And sometimes senior managers can actually keep internal audit at an arm's length for whatever reason because maybe they feel that internal audit is meddling with something. I've noticed that senior decision-makers often are thinking about the happy path, right? They want to do something, and all they can think about is how great it's going to be when it gets done. And then here comes the internal auditor going, "Well, have you thought about..." and you're just kind of piddling on their parade, right? So sometimes they're just like... They bristle, right? There's tension. There's tension. How do we deal with that tension, I think, is a crucial part of whether you're being allowed to really fulfill the vision that you just described.
Jake Bernstein: So I don't know... I hope Kip warned you, but I'm a litigator by trade. That means that I like to ask a lot of questions and then dig in, and so-
Julio Tirado: That's okay. Dig away.
Jake Bernstein: I still find myself wondering, what does the internal audit team do? Now do you see why I'm asking that? Because I think in very concrete terms at the moment, and I'm wondering... Let me try this. What I think of when I hear auditor and audit, is... And this is a very high level, but I want to know what your perspective is... is it's the group responsible for making sure that the company is actually doing what the company says it is doing or what the company is supposed to do. And correct me if I'm wrong, but it's about details, right? As much as it is about high-level risk management and improving the company, isn't it true that at the core, auditors are really digging into the nittiest and grittiest of details? And I'm going somewhere with this on purpose, because what I'm thinking is that-
Kip Boyle: We're going to a deposition. That's what it sounds like. Keep going.
Jake Bernstein: Well, so actually that's exactly where I was going is that one of the things that has been fascinating to kind of evolve... The conversation that I started having with Kip years and years ago was, I want my clients to understand that it's not enough to write some pretty documents and stick them in a binder on a shelf, that what's going to happen in real life in litigation is that an enterprising lawyer or a regulator is going to depose the low-level employees and is going to dig into and ask, "Okay, what would you say you actually do here, though? I know what the document says. I know that you've given it to me, and I've read it, but I don't care. What are you doing?" And that, to me, is what the auditor is also doing. "Okay, this is what it all says. What's actually happening?" Am I right, or am I wrong?
Julio Tirado: Yeah. Well, you are right at its most basic level. And I'll say you guys should have warned me. I should have talked to counsel before doing your show, little pre-disclosure there.
Kip Boyle: You're scaring future guests. Be careful.
Julio Tirado: No, I'm kidding. So that's a very legitimate question. At its most basic, it's really about evaluating our processes. I think of a company as a complex machine with a lot of moving parts, and all those moving parts have to be managed, and we have requirements and standards and expectations. Some things are acceptable, some things are not. So at its very, very basic, a company will have a policy... A bank, I'll speak of a bank specifically, being a bank employee, a financial institution will have policies that, as you know, will have standards and risk limits and expectations for how the company should be managed, right? And at a more detailed level, we're going to have procedures with specifics of what should be done at a very process level.
So as the auditor, I am considered to be the eyes and the ears of the board, in that I help the board by evaluating our processes relative to best practice, relative to our policies, so that the board can have an independent opinion that our moving parts are operating in a way that is great, in a way that is intended, and in a way that is desired for the benefit of the company over the long run. So at a very minimum, it's about an evaluation of risk and control. Now, I say at a minimum because it can and it does go beyond that. As it relates to cybersecurity specifically, I don't limit myself to our existing policies and procedures. I am constantly doing research about the industry, about new threats, working with a lot of my friends in the security community that are pen testers and CISOs. I'm calling this person, that person, "Hey, what do you think about this attack?"
So I, as the auditor, I am working my tail off to bring in new ideas and possibilities to further mitigate risk, because at the end of the day, if you're a director, if you're a CEO, you got to run a business, you got to oversee a business, but you don't want to have to lose sleep overnight because of another ransomware attack or this or that kind of compromise, right? So I have to proactively find ways to continue to get better. That is the extra step beyond the basic evaluation of controls.
Kip Boyle: Yeah. Yeah.
Jake Bernstein: So I have a theory, Kip, which is that you and I should become best friends with as many internal auditors as we can possibly find because I think that, Julio, what you're describing is an incredibly important part of cyber risk management and an absolutely critical ally of any CISO or cyber security counsel or virtual CISO for any organization. And the reason is that... What do we always say to our clients? "Cybersecurity isn't something you buy, it's something you do," right?
Kip Boyle: Yeah. Yeah. And we also say, "It's a team sport."
Jake Bernstein: It's a team sport. Right.
Kip Boyle: And we also say, "Here's our invoice," in a way.
Jake Bernstein: But, Julio, what you're describing, what you do is actually part of every... Every statute that describes reasonable cybersecurity currently includes a component of verification and testing of a company's own procedures, and that seems to me to be what you are describing and that... I think Kip and I would agree that if a company isn't doing that, one, you don't really know what kind of controls you have in place necessarily, and two, you don't really know if they're working.
I don't want to go off on too large of a tangent here, but before we dig into the original talking points, I am curious, if a company doesn't have an internal audit team, and I presume that only large enough... You have to be a certain size to have an internal audit team. What if a company doesn't have an internal audit team? What should they do in order to... Can you hire an auditor to come in? Are there groups that do that? Real fast, and then we'll go into cyber risk management, but I think it's worthwhile because a lot of our listeners are going to be in that position where they need to do cyber risk management, but their companies aren't big enough to have true internal audit teams.
Julio Tirado: That's a very, very legitimate question considering that the vast majority of businesses are not regulated entities, banks, and public companies. That's a huge problem. So the easy answer, easy in quotations because it's not the cheapest, is there are consultants that a company can hire, obviously. That's always a thing. There are plenty of internal audit consultants out there in the community. Hypothetically, that is an option.
One thing that I have never heard anyone bring up and I think would be a really good opportunity is... If I am an entrepreneur and I am of a size where I am legitimately concerned... I got a lot of moving parts. I'm thinking about so many things. I'm just not sure what makes sense for me... contact your local Institute of Internal Auditors chapter, IIA. There are IIA chapters all across the planet. And I used to be a volunteer initially. I'm actually technically a volunteer now, doing what I call the cybersecurity round table. But the IIA chapter is a chapter of internal audit professionals. If you are an entrepreneur and you contact the volunteers and say, "Hey, guys, I have this small business. I'm doing this, I'm doing that, but I'd like to get some ideas, some support on how to manage my risk," I guarantee you you will have a ton of people that would help in some capacity. So that might be a really good way to start, probably low cost or no cost, and just to go from there.
Jake Bernstein: That's amazing. Thank you very much for that.
Kip Boyle: Yeah, we've got three specific questions for Julio, right? Jake and I put our heads together and we're like, "What do we really want to ask this guy?"
Jake Bernstein: Well, except this has been such a great conversation that we haven't even needed those. Let's go ahead and dig into that.
Kip Boyle: Well, that's how excited we were, right? A lot of big preamble, but okay. But here's three specific questions, and it's only fair, right? We gave Julio the questions ahead of time so he wouldn't be surprised. What does cyber risk management look like from the internal audit team's perspective? And you've kind of talked to this a little bit, but I also want to add another thing that I've seen, and maybe you can talk to this, too. But typically, like you were just saying, internal audit is concerned with the whole universe of risk, right? It could be financial risk or operational risk or so forth. And now here comes cyber risk, "Da, da, da, da, da, da. Hi, I'm new." Okay, well, where's it all fit in for you guys?
Julio Tirado: Yeah. That's a legitimate question because, as you kind of implied, the scope is the whole company for me. We have to break that up into parts. In my experience, and to be fair, I'm no self-appointed representative of an entire profession, but in my experience, I see internal auditors go at cybersecurity from the perspective of a framework. And I like to kind of put it in a spectrum on the worst end and the best end.
On the worst end, I see audit going towards security from the perspective of Sarbanes-Oxley testing or FDICIA testing. But those that aren't familiar, if a company becomes publicly-traded, you now among other things have to comply with Sarbanes-Oxley requirements, which includes testing of internal controls over financial reporting, otherwise known as ICFR. And if you're a brand new company, you are going to work with consultants, or if you're soon to be publicly-traded, you work with consultants to figure out, what are these key controls? What are the things that you have to test, right? And they'll start with the balance sheet, they'll start with the income statement, and work their way back. That process will include technology and security controls, so patch management, access management, authentication, all those good things. Now, I said worst because the driver behind regulations were financial statement fraud, Enron, MCI WorldCom, a Tyco back in the day. So even though we'll have technology security controls, the context is going to be financial reporting, accuracy, and reliability.
Kip Boyle: Which is an important company asset, but it's not the only one.
Julio Tirado: Absolutely. Very, very critical.
Jake Bernstein: And the focus is definitely not cybersecurity writ large.
Kip Boyle: Right.
Julio Tirado: It is not, but to be very, very clear, there are plenty of cybersecurity-related controls included in that universal testing. But because of the context, I put it in the worst side of the spectrum. Now on the best side, on the best side, in my opinion, the internal audit departments that are a little more mature in the security space, we're going to lean on cybersecurity frameworks like the NIST cybersecurity framework or the CIS Top 20 critical security controls framework, the artist formerly known as the SANS Top 20. And these frameworks, as you guys know, are created for security by security professionals. I especially love the CIS Top 20 because I read, in the very beginning, it was formed by boots-on-the-ground, pen tester CISOs and so on who were building this framework from real world lessons.
Kip Boyle: Oh, Julio, I love that you're talking up the NIST cybersecurity framework, but man, we're going to have to have you come back for another episode when I burst your bubble about the CIS 20. But keep going.
Jake Bernstein: I was going to say, Kip... I'll just say, Kip, uh-oh. Julio, you're about to learn why you need to let go of this Top 20.
Kip Boyle: Yeah. Yeah, there's a better choice now. But you're right. SANS Top 20, which became CIS Top 20, it was absolutely created by practitioners, which is why it was so fabulous. The problem, in short, today is it's become an extremely politicized framework and it's not as relevant as it used to be. It really hasn't kept up with the times. So those are my two brief comments about it. You can come back, and I'll give you a full debrief.
Julio Tirado: Hey, that seems like a plan. Well, in full disclosure-
Kip Boyle: But keep going. Keep going. Keep going, because we asked you this question.
Julio Tirado: Yeah, yeah, yeah. Well, in full disclosure, I have migrated to NIST, but the reason I love CIS is because one of the challenges I have as an internal audit practitioner is knowing which of all those controls are the most impactful. And the reason CIS stands out like a sore thumb is I can say, based on best practice, based on the security industry, the CIS 20 has 20 objectives. If I focus as an auditor on the top five or six, I am supposedly drastically addressing a lot of cybersecurity risk exposure. So you can make the argument, you start with the NIST framework, and in terms of prioritizing, you sprinkle a little CIS to kind of pivot.
Kip Boyle: Yeah. Or you can map it, right? Because we do that in our work, where we... Because there's overlap. Every framework in my line of work has a lot of overlap. Sometimes it's 80, 90% overlap. You can actually map these things back and forth. That's one of the things that I like to do for my customers is start with NIST CSF and then say, "Oh, well, you've got HIPAA concerns? Great. We can map it all to HIPAA. Oh, you take credit cards? Great. Here's the PCI mapping." The idea here is you want to mitigate risk once, and then you want to comply many.
Julio Tirado: Yes. Exactly.
Jake Bernstein: And I totally understand where you're coming from, Julio, and I think that there would be a lot of lawyers that would agree because the CIS Top 20 is... It's really ideal to point at kind of concrete steps; whereas the CSF, it is a true framework, right? It is a skeleton upon which one must build an actual cybersecurity program. I like the CSF because of that, because I view it as... for a number of different reasons. But I agree that the CIS Top 20 has that going for it, in that insofar as there really actually aren't controls in the CSF itself. You can go find a Special Publication 800-53 Revision 5, and yeah, you've got an entire enormous catalog of controls, but-
Kip Boyle: But which one do you choose?
Jake Bernstein: Which one do you choose?
Kip Boyle: It's the simplicity and the prioritization that practitioners really struggle with, right?
Jake Bernstein: Yep. Yep.
Kip Boyle: So I understand the allure of the CIS 20. I really do. And it came from a great place. I just think it's old and busted. It's really all about the Essential Eight these days, I think. We did an episode, podcast episode on Essential Eight, so I'm not going to grind on it too much. But Jake and I are doing two ransomware responses right now, and guess what I'm bringing out and putting on the table to prevent new ransomware attacks on these companies is the Essential Eight, because that's what it was designed to do was to deal with modern problems, just like NIST CSF compared to ISO 27001, right? One's older than the other; one was made at a time when the internet wasn't as scary and dangerous as it is now.
Julio Tirado: Well, the implication behind what you guys are saying is that this is an evolving game.
Kip Boyle: It is.
Julio Tirado: So we have to keep up with the changes and not lose as much hair and [crosstalk]-
Kip Boyle: Julio, it's like I coached you before you showed up here, but I didn't. I didn't. Hale told me you were the right guy. He was right.
Jake Bernstein: I think we need to send Julio a copy of the book, because he would like it.
Kip Boyle: Definitely. Yeah. Julio, that's-
Julio Tirado: As long as you sign it.
Kip Boyle: That's what my book is all about, right, is that this is an evolving thing, and we can't be too hesitant to discard stuff that was great in the day but just really isn't everything we need anymore. Okay, so the first question that I asked you was, what does cyber risk management look like from the internal audit team's perspective? Did you want to add anything more to your really good response before we move on to the second question?
Julio Tirado: Well, the only thing I was going to add is, by comparison to in my experience what I've seen with security professionals, I see a lot of security folks go at cybersecurity risk management from a more functional perspective, experiential, based on their experience, based on their knowledge, event-driven, "Attacks are happening. We have to respond," and the frameworks may come afterwards sometimes. But I like both. I like to have both. I like the power of CSF, of NIST cybersecurity framework, along with the functional perspective that supplements the latest issues and is very risk-driven. So if we can get both in the mix, audit's viewpoint, security's viewpoint, that's the goal. We can make that happen, that's the end goal.
Kip Boyle: Great.
Jake Bernstein: Okay. So second question, how should the CISO work with their internal audit team?
Kip Boyle: They should throw vegetables, right? Get out of here.
Julio Tirado: I was going to say that. I love Mexican food. So starting point this... No, I'm kidding-
Kip Boyle: No, that's a great point, Julio. Let me stop you right there. That's a great point. I want to pick up on that for just a moment, because what a lot of technically-minded people... I come from a systems background. I worked as a systems administrator, as a network administrator. We don't always appreciate relationships. We don't always understand just how far relationships will go to help us. So if I'm going to reach out to the internal audit team and make a new friend and get an ally, start with food, man.
Julio Tirado: There you go.
Kip Boyle: Start with food.
Julio Tirado: You can't go wrong.
Kip Boyle: And whether it's pizza or whatever, find out what the other person likes and have a DoorDash show up and give them the lunch that they deserve. Man, I'm glad you mentioned that. Keep going.
Julio Tirado: That's a great point. The pandemic is no excuse. Just DoorDash that baby, right?
Kip Boyle: Exactly.
Jake Bernstein: Yes. I like it. Good idea.
Julio Tirado: Well, so you hit on the first point I was going to make. Before we talk about what the CISO can do for audit, we need to talk about some conditions that we have to make. You mentioned relationships. Number one priority for audit and for security is we have to develop that trusting relationship. And the reason why right off the bat is when somebody sees me and they see the word director of internal audit in the title, there's this huge barrier that comes up, this invisible barrier, like the invisible hand but for audit. And-
Jake Bernstein: I'm scared, and we are just talking about it on a podcast.
Julio Tirado: You should be. And you didn't even know I do jujitsu, so [crosstalk]. Oh my God. That's a challenge we have to overcome. And before we can make progress, we have to take time to build that relationship. I would say even before the lunch thing, let's learn about each other, maybe as a part of it, to be honest, but let's learn about each other's people. Kip, you're CISO. I'm the audit guy. I have a son. I have a wife. I mentioned to you guys I love Brazilian jujitsu. That's my hobby. I love to play basketball. And I'll get to know you, Kip, and you'll tell me... You have kids? Maybe you do and maybe you don't. Maybe you love Taekwondo.
Kip Boyle: I do.
Julio Tirado: Well, there you go. How many kids do you have, Kip?
Jake Bernstein: Hey, wait a second. So you're telling me that auditors aren't deployed from their Borg recharging stations when needed by upper management? You have your real people?
Julio Tirado: You would be surprised. After my first year, I quit auditing my wife, right? This whole business is about-
Jake Bernstein: Probably a good call.
Julio Tirado: But seriously, we're people. We're all people, so let's get to know us as people, and the lunches are a great idea. So step one, prioritize relationships so we can have the necessary trusting open communication for the next step. Now, how can CISO, how can security help audit? I think of at least two things. The first one is, by necessity, by design... I'm going to put you on the spot, Kip, since you have the CISO title. Using Microsoft Exchange as a recent example, that is a big deal. Major vulnerabilities affecting the entire globe for anybody with Exchange on premise. You're going to react to that much faster than I will because it is literally your responsibility. Now I, as the internal auditor, by design, more often than not, I'm going to come after the fact. Unless I'm helping you in some sort of consulting capacity, it's more than likely it's going to hit you before it hits me. So what I've learned is security professionals, they're more likely to stay connected to the latest issues, the latest threats, the external things, as well as the internal things, the things that are developing within the organization that have security implications.
As an internal auditor, one of my biggest struggles, you guys, is staying connected to the key issues. How can security help me stay connected? Email me the DHS [inaudible] document that came out on the latest attack in case I don't have it. Keep in the loop of major issues within the organization, because what's expected of the internal audit community is that we pivot to risk. We have to have these big old plans that at least happen annually that break the audit universe into multiple parts, and then we have individual plans per audit, and if changes in risks are happening, we're supposed to be pivoting too. So security, you guys can hook us up with some awesome knowledge to keep us connected.
Jake Bernstein: And I have a comment/question. Another way that the CISO, I think, could help is... It seems to me that there is a danger, and maybe I'm wrong about this, but I suspect I'm not, that there might be people out there who hide things from their own internal audit teams. It might happen that people don't want them to know-
Kip Boyle: Can neither confirm nor deny that I have ever seen anything like that.
Jake Bernstein: Look, I speak as a lawyer, and I know for a fact people hide things from legal, right? It happens all the time. You see something and you're like, "Who approved that?" "Nobody." "Did you show it?" "No." It's just like, you can't do that. So I'm sure it happens to auditors as well. I think one of the things that... That is counterproductive, so whoever's hiding things from either legal or audit, stop doing it, and if you're the CISO, one of your jobs isn't just to keep the audit team apprised of general security and industry happenings, but tell them what is happening in the company.
Julio Tirado: Yes. Exactly.
Jake Bernstein: They cannot do their jobs without that, and I think... Right? That's-
Kip Boyle: Well, okay. But there's a couple of caveats, okay? I'll give you my personal experience on this, my anecdote. So when I was a CISO at an insurance company, I reported to the CIO, and my peers were the director of application support, the director of infrastructure, and so forth. I was in a bit of a conflict of interest situation because my... So one of the expectations for me from my boss was that I would support my boss. If my boss had to make tough choices about how to prioritize the allocation of budget or something like that and I didn't think that he did a good job and I didn't think that it's a risk that I thought was super important, didn't get enough prioritization, well what do I do, right? Because as the CISO, where do I take that, right? I take it to my boss, he overrules me, tells me to sit down and color, my peers are just like, "Yeah, man, we're going to push out this new technology," and I'm sitting there going, "Yeah, but you didn't do enough risk management..." That's kind of my bottom line, whatever the specifics are... and so that puts me in a tight spot. I either just shut up and color, or I try to figure out, "Well, who can I bring this to? I don't report to the independent subcommittee of the board."
Jake Bernstein: Audit committee. And you know what I was just going to say is I actually think that the future... Corporate governance is obviously a huge part of all of this, but I think a future model would be to form a triangle with the audit committee at the upper top of the triangle, and then the CISO and the internal audit team [crosstalk] two bottom-
Kip Boyle: And there are a lot of calls to have the CISO report to the Audit Subcommittee of Independent Directors, and that does happen sometimes. And sometimes the CISO's outside the IT department and is reporting up through the chief risk officer or something like that, right? So there are org structures that kind of relieve the tension that I'm talking about. But if I was to go to Julio and say, "Hey, we're going to roll out this massive system upgrade, and I don't think the cyber risk aspect's being taken care of," and then Julio starts asking questions, well my relationship with my boss and my peers are at risk, right?
Jake Bernstein: It is, but that in and of itself, that is the... And I totally agree. But from the overall corporate perspective, that's a problem, because you must be free to tell somebody that there's a problem-
Kip Boyle: Yeah, I agree. I agree. I agree. So what I would do, and this is kind of bleeding over into the third question, but I made sure that I had a good relationship with the director of internal audit so that I could come to that person and I could say, "Hey, hear me out. This is something I'm seeing, and I just need a sanity check on this. What do you think?" And to have the kind of relationship where the director of internal audit would listen to me, but not take action, right? I would come to them and say, "I'm sharing something with you because I need feedback. Do not do anything with this information. I am explicitly telling you I'm not asking you to do anything. I just need some perspective."
Does the director of internal audit have enough emotional maturity to take that confidential information that I just shared with them, that I came for some coaching and perspective, and can they actually hold onto it without pivoting their plan to it without working with me? And once they do pivot their plan into it, I got to step back because I need to give them room to maneuver and do their job, because I'm a member of the management team, right? I'm not an independent authority in that sense. So when Julio talks about how the audit team has a certain amount of independence from management, I need to respect that as much as possible. There's a line here that needs to be watched.
Jake Bernstein: Man, it's got to be hard to be an auditor, because you're inside, but you're also kind of... There's almost always going to be this tension. It's a little bit like legal, although I think it's almost worse because the in-house counsel tends to be... Yeah, this is fascinating.
Julio Tirado: Well, you guys both made so many awesome points. I'm trying to struggle which one to pick on to give feedback to. So I mentioned earlier that we need to start with the relationships. So if we had a good relationship... I have a great relationship with our CISO. If we have a great relationship with CISOs, then we can have these discussions about real world issues. We all know we have roles to play. I have obligations as the auditor, you have obligations as a CISO, but if we cannot freely talk about concerns, then it's hard to make as much progress. Listen, Kip, you and your example, talking to the director of audit, there's not just risk benefit to you sharing content. There's emotional benefit because you're not having this output... It's going somewhere, rather than standing in your head, causing you stress. So the ability to go back and forth is important because you want to have ongoing communication outside of audits. If the only time I talk to my CISO is during audits, that's a bad sign. I want to stay connected with my folks across the whole company outside of audits, whether it's personal or not, so that we can have these discussions. Now-
Kip Boyle: And on that note, so you might be doing an internal audit and you might feel like you're getting stonewalled from somebody in the IT department, right? So wouldn't it be good for you to be able to come to me and say, "Don't do anything, Kip, but I just want to run something by you. I'm seeing something. I'm feeling something. Need to know if there's any legitimacy to what I'm seeing and feeling." So we can help each other. It's a two-way street.
Julio Tirado: Absolutely. Well, we all care about the same end goal. We want our organizations to be successful. We want them to thrive, more profitable, operate safely and soundly. I'm obviously speaking like a banker here for a second, but we all care about the same ultimate thing. It's just that we're in our silos and we view things from a different perspective. That's why communication has to be number one.
Kip Boyle: Yeah. Yeah, yeah, yeah. Yeah. Well, let's move on to the third question. Again, we've already touched on this a little bit, but I just want to give you the chance to weigh in on this question, which is, how can internal audit help the CISO?
Julio Tirado: The nature of internal audit, and I mentioned this in the beginning of this podcast, is one that involves the entire universe, the whole scope of the organization. Those of us that are in audit leadership, we prioritize the relationship aspects. So you already know, I report to an audit committee, functionally. I report to CEO administratively, so leave, pay raises, things like that that my CEO handles. But I also have to build connections and relationships with the leadership across the whole company. So I make that a priority, I build those relationships, number one. Keep that in the back of your mind. Put a pin on that.
Number two, let's say hypothetically, Kip and Jake, you guys both... You work in an organization that has a securities job of five people and you know it needs to be 10 people. I know security is always understaffed, audit is always understaffed. It's like a permanent condition. But in this hypothetical scenario, it is so bad that you have real world control failures. You got actual exposure that's unacceptable. It's causing legal liability. Jake is losing sleep because he's having to do a lot of case law research. So this is a situation where you and I as CISO, Kip, can talk about these concerns. In this case specifically, I'm going to go with the assumption you're getting no support from upper management. Let's say you reported to the CFO, and just for whatever reason, you're not getting the help you want. I can come in to help because I am 100% empowered to address these issues. The things you care about, staffing adequacy, control concerns, too much risk, I care about those things too. So within the scope of regular audit, I'm supposed to... Remember, I said, "I audit to risk." If I have extra risk, I should be auditing to that. So I, as the auditor, in an auditing way, can address your concerns, number one.
Number two, which is my favorite, I prefer not to do an auditing, not to audit issues. I prefer to talk to management and see them solve them on their own. In this hypothetical scenario, I will talk to your CFO and I will explain to the CFO, "Hey, Susana, Joanna, John," whatever, "I've learned of these concerns. Let me tell you why I think this is a problem. This is how it could impact the business. We can have potential legal issues." I will do the best that I can to frame it from a technical problem to a business problem and then try to be your advocate because, again, I care about those same issues. The whole organization is in my scope.
Kip Boyle: Love it.
Julio Tirado: So if we have that relationship, audit can absolutely be a partner. And that's honestly a goal to shoot for, to try to have those partnerships across the whole company.
Jake Bernstein: And just to clarify for listeners who may not fully grasp the critical importance of what Julio said about reporting to the audit committee versus administratively reporting to the CEO, correct me if I'm wrong, but my understanding of what that means is that the CEO can't fire you; the audit committee is the one that... Only the Audit Committee of Independent Directors can fire you. And the reason that that is important... My guess is that, knowing how people are in corporations work, is that it's not going to be about... It's going to be a political issue internal to the company, right?
This is why Sarbanes-Oxley exists, right, is that if you don't have an independent audit group that reports to this audit committee, then you're really left with trusting a very few number of people, and a lot like the security kind of... The word just left my mind. Not policy. The principle. Thank you... security principle of minimizing single points of failure, being able to have least privilege and things like that. It's really the same idea. The audit committee and the auditors are a part of the overall control system for the company at large, and it's really, really important, I think, for the CISO and the internal audit team to be able to not just communicate effectively, but meaningfully and have that authority. Because in my perfect world, the CISO and the auditor would both report to the audit committee and there wouldn't be a hiring/firing ability for the CISO over... from really anyone maybe other than the CEO, I think, would probably be okay. But I get really squirrely when I hear about a CISO that reports to the chief technology officer or the chief information officer like Kip did, [crosstalk] that was a long time ago. This independence is part of why.
I really appreciate this discussion today. I know we're kind of running long, as we've been doing recently. But do you have any other final thoughts on just this discussion as a whole, how internal audit can help the CISO, et cetera?
Julio Tirado: No. I think we've covered, I think, all the ground. If we make communication and relationships a priority, the rest of it would get significantly easier. And I have to add that I completely agree with you guys. It would be ideal to have security and audit both report to the audit committee functionally for those same concerns. And in the internal audit community, what we tend to have as a convention... yeah, I would say as a convention is an audit charter that describes the responsibilities of the internal audit committee, excuse me, the audit committee and of the internal audit function. And within these charters we can explain that it would be the sole responsibility of the audit committee to fire that audit leader.
But the independence is really valuable. Combine the independence with the relationship aspect of making sure that I, as the auditor, connect with all folks across the company in a really constructive way, that's a powerful recipe for success. And an objective measure for any internal auditor out there, an objective measure for how successful you're being, is how often you're being asked by managers, "Can you help me with this extra project," or "Can you look at these things in your audit?" And from time to time, I'll add 10%... 10% of my audit program will involve things that that particular manager will want me to be the second pair of eyes on. You have enough of those, then you know you're doing a good job managing the relationships and [crosstalk]-
Kip Boyle: By the way, that's the same metric for CISOs is if you have senior decision-makers coming to you saying, "We're thinking about blank," fill in the blank, "What do you think?" oh my God, that's CISO nirvana, right? Because what-
Jake Bernstein: Same with general counsel.
Kip Boyle: Because what usually happens is-
Julio Tirado: There you go.
Kip Boyle: ... they're pushing servers into production or whatever, they're launching a new product, and that's the first time you've ever heard of it. That's when you know your relationships are not what they should be. All right. Well, what a great episode today. Julio, let's wrap it up, but as we do, why don't you tell everybody how to find you on the internet, how to connect with you, assuming that you want that?
Julio Tirado: Sure, sure. I'll take a gamble. No, well, thank you for having me, first of all. I appreciate what you guys do in the phenomenal episodes you put out there. If you want to reach out to me, you can find me on LinkedIn, just to be sure you know and you heard me on the podcast, because otherwise I am selective on LinkedIn. I also point out, you guys, I have a few things to note. On April 30th, BSides Oklahoma will have their conference. Anybody that hasn't heard of BSides is an information security conference. There's lots of chapters across the country. So April 30th-
Kip Boyle: Yeah. Around the world.
Julio Tirado: Yeah. Yeah, exactly. It's a global effort. So April 30th, BSidesOK.com. Completely free, completely virtual. I'm doing a talk in early May at the ISACA North America Conference, second day, so check it out. The title of the talk is called Internal Audit Evolution by Unnatural Selection with Machine Learning Basics. So it's a little controversial, but it's about empowering folks to professionally evolve with some new techniques. And we're going to cover artificial intelligence, because that's one of the areas that, in the audit community, we're constantly hearing that we have to develop, but there just isn't enough information about how to do that. So I'll go over some recommendations to get that started.
And the last thing, last plug is I am working with a company called Secure Ideas to provide a webinar on Active Directory for the audit community. And as you guys know, in the tech space attackers love Active Directory. It's a low-hanging fruit for them. We're going to talk about some fundamentals and some key top X, top five issues to secure Active Directory. It's going to come out in September. Still sorting out the date, but if you hit me up on LinkedIn, I'll definitely promote it as we get closer. And it should be free, so definitely check it out.
Kip Boyle: Fantastic. Thank you for your thought leadership and giving us some pointers for where you're going to be in 2021. That wraps up this episode of The Cyber Risk Management Podcast. Today, we discussed the role of the internal audit team with respect to cyber risk management. What a great conversation, and we did that with the help of our guest, Julio Tirado. Thanks, everybody. We'll see you next time.
Jake Bernstein: See you next time.
Speaker 1: Thanks for joining us today on The Cyber Risk Management Podcast. Remember that cyber risk management is a team sport, so include your senior decision-makers, legal department, HR, and IT for full effectiveness. So if you want to manage cyber as the dynamic business risk it has become, we can help. Find out more by visiting us at cyberriskopportunities.com and focallaw.com. Thanks for tuning in. See you next time.