The Institute of Internal Auditors presents All Things Internal Audit Tech. In this episode, Sammy Rifkey, vice president of ISACA Casablanca, joins Mike Levy, CEO of Cherry Hill Advisory, to discuss the evolving cybersecurity landscape. They explore how AI is transforming threat detection and response, the importance of cybersecurity, governance, and internal audit's role in managing cyber risks.

Sammy, thanks for joining us today. Thank you, Mike. It's a pleasure to be here for this podcast.
And I'm, uh, I'll be sharing insight from my experience about AI and cybersecurity challenge. So, Sammy, you know, one of the questions, I think as we get started in this process, um, maybe you can talk us through, you know, how has your background influenced your approach to cybersecurity and threat management, um, as it relates to internal audit in the profession?
Well, Mike, I have spent significant portion of my career in IT audit and overseeing audit teams and working across various organizations to establish secure and resilient systems. So, coming from this background, I have always had deep understanding of governance and compliance frameworks. This has naturally influenced my approach to cybersecurity, where I don't just focus on identifying threats, but also on building strong processes and governance mechanism to prevent them.
I had also the, uh, opportunity to work in, uh, organization with critical infrastructure, and I have learned that cybersecurity is not just about reacting to attacks, but also about proactive risk management. And sometimes this kind of critical infrastructure can influence organization to affect even national and regional stability.
So my audit background has always pushed me to think beyond technical vulnerabilities and consider governance issues, risk management issues, and also business issues. Yeah, I think, I think that's really relevant. And, you know, when we look at our top risk, you know, and the 2025 Risk in Focus report was just released, and cybersecurity continues to be top of the list. You know, I think in 2020, in 2025, it's a $10.5 trillion problem in terms of, uh, losses to organizations.
And, you know, with, with the advent of AI, I think it continues to be a, uh, another complexity that we have to really think about from, um, from my perspective and from an internal audit perspective, it's a really, it's, it's a great opportunity for us to be advisors to the organization.
So, I mean, from your, per, when you think about AI cybersecurity, how we look at the advisory relationship, uh, to the assurance relationship, maybe you can share some insights from, you know, your experience where you've dealt with significant cyber challenges. I think Mike, one of the most significant challenges I encountered was during the pandemic, the launch of the new cybersecurity law in Morocco.
So the timing couldn't have been more critical as, uh, you know, many companies were already struggling with the rapid shift to remote work, and suddenly they also had to comply with new, uh, cybersecurity regulations. This law required organizations to quickly adapt their systems and processes to meet higher security standards, and many were unprepared for such an abrupt change. So the challenge was twofold.
First, ensuring that companies had robust cybersecurity measures in place during a time when they were more vulnerable to cyber attacks. And second, guiding them through the compliance with the legal framework that had come into force amidst global crisis. In my role, I had to help various organizations assess their security infrastructure, identify gaps and implement measures to comply with the law.
We provided tailored action for each organization, balancing the immediate cybersecurity threats posed by remote work environment with the long term goals for full compliance with the new regulations. This experience highlighted the importance of agility and strong governance in maintaining cybersecurity resilience, even in the face of unprecedented, uh, challenges.
I think it's really, um, interesting to hear about some of the significant impacts that remote work world, um, during the pandemic, you know, created within the cybersecurity landscape and how we protect its systems. But also, to your point, you know, the shift to resiliency and how, you know, I think we, you know, as organizations shifted their strategies to not just how do you prevent attacks and breaches, but how do you recover from them?
I mean, I think that, I think all of that becomes really important and relevant. I know we mentioned AI early on and how some of the AI landscape has changed. And when you think about even the most, uh, common use case that you see people using around ChatGPT or the Microsoft Copilots, um, there's a statistic out there, you know, it took some Netflix, something like three years to get to the first, their first 1 million users, and it took OpenAI ChatGPT something like five days.
Um, when you think about how the velocity and the speed that AI technology has been, you know, especially generative AI has been transforming the landscape of cybersecurity, where do you see some of the risks? AI has brought a level of speed and precision to cybersecurity that was unthinkable a few years ago. One of the biggest transformations is in threat detection. Traditional methods often rely on rule-based systems, which can only catch known threats.
AI, particularly machine learning, can analyze massive amounts of data and recognize patterns that will be impossible for human analysts to catch. What makes AI also more effective than traditional methods is its ability to learn and adapt. It doesn't just react to known threats. It evolves by detecting anomalies and spotting emerging risks. AI tools, for example, can automatically detect abnormal behavior within networks, allowing organization to catch potential attacks before they escalate.
And this is incredibly important as threats become more and more sophisticated, often using tactics that evade conventional, uh, detection methods. Also, AI systems are today capable of continuously improving their threat detection capabilities. They don't rely on human input to update their models. They learn from each new attack and breach they encounter. This means they are not only faster, but also more accurate in detecting sophisticated attacks that traditional methods might miss.
You know, when you think about things like incident response and obviously from a cyber risk perspective, how we respond and how quickly we can contain an issue, um, within an organization becomes really relevant.
Uh, whether data loss occurs, you know, how significant the breach is, how long your downtime is, and you know, one thing I've seen in practices, tools that are leveraging artificial intelligence, whether it's generative AI or other, have been marked far more effective at some of the automated incident response procedures than tools that are not. And it's creating a lot of value within organizations. Um, just a question on what you had mentioned earlier.
I I, when you think about internal audit's role with cyber response and the landscape and managing some of these risks, where do you see internal audit fitting into this? Um, because I've seen a lot, I've seen audit being a central part of this in some of my experiences, but curious, uh, to get your perspective on that.
I think internal audit has a vital role in, uh, cybersecurity posture, because when we run IT audits, especially, we have lots of findings related to vulnerabilities, threats, and even weak posture that organization had.
And as auditors, we are, uh, advisors to the organizations and we need to train our skills related to cybersecurity to give more and more recommendations, uh, in order to, uh, strengthen this posture and give the organization an action plans that will help them to avoid any cyber attacks, et cetera.
Also, we talk about some relations that auditors need to make with other assurance actors inside the organizations like the CISO, like the legal, et cetera, and this kind of orchestration that need to be built inside the organizations will help auditors to rely on other assurance actors' work.
And for example, uh, when a CSO perform penetration testing, uh, vulnerability testing, et cetera, uh, with the need of auditors, he can identify other layers of risks, not only the technical risks, but as I said earlier, even governance, financial and business risk also.
Oh, yeah, for sure. And I, and you know, I think when I, when we talk to practitioners and we talk to our members from an IA perspective, one of the things that I always see with cybersecurity is in the value continuum that internal audit provides to organizations. I mean, this is a huge opportunity for us to serve as advisors and really focus on making sure that the organization understands the true ramifications for risks.
Because one of the things when technologies and tools are being implemented, whether it's on the business process side, from an operational technology perspective or within the IT security teams, sometimes those groups are more siloed than they, you know, than they realize they are. And it, we, internal audit I've seen become very effective at helping to connect the dots and making sure that organizations are thinking through all the risks and the potential ramifications and impacts.
Um, and we're seeing internal auditors, at least from my my lens, become involved in the process earlier on, and, and I mentioned it earlier, but serving in advisory services type projects, I think becomes really impactful to the organization. And it's another opportunity for us to deliver value with the advent of generative AI as it relates to cybersecurity.
One of the reasons from my perspective, and Sammy, I'm curious to get your your thoughts on this too, um, as to why this is, you're seeing so much adoption within the cybersecurity landscape is is also on the attacker side. 'cause I don't know about you, but I've seen a significant number of new risks and threats start to pop up that are leveraging generative AI on the other side of this as well.
So for example, you know, historically social engineering and ransomware type attacks, when you look at social engineering, for example, and you see how we educate and train our teams to detect and prevent social engineering attacks, and now with the advent of generative AI, you start to see these very hyper-focused and hyper-realistic and personalized social engineering threats and attacks start to happen.
You know, I'm curious to get your perspective because, you know, I, you know, with generative AI, with anything, there's gonna be used for good and it's gonna be used for, for bad. And I think that's really important for auditors and organizations as a whole to really consider. Because whether or not you adopt generative AI practices or tools within your cybersecurity landscape, those that attack are certainly going to, and I think that's critical for organizations to, to think about.
And you know, Sammy, I'm curious to get your perspective on that. I agree with you. Um, I think, uh, today the use of AI is, uh, uh, related to both sides, attackers and defenders. Even for us as organizations, as cybersecurity professionals or auditors, we have lots of challenges to face, uh, uh, if you want to, to, to deal with AI, uh, in cybersecurity and integrating AI into cybersecurity strategies offers, uh, a lot of potential if you are on the side of the defenders.
But also it presents lots of challenges. As you said, some challenges come from the use of AI by attackers. So we have like more sophisticated types of, of attacks like, uh, APTs, like, uh, new kind of social engineering, deepfakes, et cetera, which are very difficult to detect and, uh, and to cure. But, uh, I think also some other challenges are related to the way we are implementing AI. For example, one of the most critical obstacle is the data quality.
As we know, AI systems are based on machine learning, and they, they require a lot of, uh, of volume of high quality data to function effectively. Imagine organization that have not cleaned their data or have not well structured dataset, they might struggle with inaccurate threat detection leading to false positives or missed attacks. So they are using AI, but the fact that they have bad quality data, they can have more, uh, vulnerabilities than the, the, the posture when they are not using AI.
Another challenge also in my mind, it lies in how to align this kind of AI technology with the existing cybersecurity frameworks, because lots of organization, they already have tools, governance frameworks, et cetera, policies inside their, their organization. So how to bring AI into this existing environment and to align it with it. And I think AI tools must be integrated into the broader security architecture, which can be complex and time consuming.
This includes, for example, ensuring that AI driven insights can be effectively acted upon by human teams, and that the tools are seamlessly integrated with traditional cybersecurity measures. So we have like hybrid, uh, integration like firewalls, uh, IDS, uh, intrusion detection systems, et cetera. You mentioned the, uh, the way that we are training our personnel about how to avoid, uh, new kind of attacks, et cetera.
And I think another issue is related to talent, and AI in cybersecurity is still developing field. So any organization today faces difficulties finding professionals with the right combination of cybersecurity expertise and AI knowledge. This talent gap can slow down AI, uh, implementation and reduce the effectiveness of the technology.
Well said. And you know, I think one thing to highlight just in terms of how we approach AI and how we approach auditing in general around cybersecurity, I mean, you know, this is, this is gonna be a key topic that'll be discussed, uh, at the, you know, we have a, the IIA is putting on a cybersecurity virtual conference. Yes. On October 30th. And, you know, this is a key topic that'll be discussed.
And I think, I think, yeah, we could only go so far in a podcast, but, you know, I think it's important to note that we've put out a lot of resources from an IIA perspective that are really focused on how to audit AI and specifically generative AI. And that obviously ties in quite closely to cybersecurity. And there's an entire AI auditing framework that the IIA has released, um, which is posted on the website for members.
But also, you know, this, this virtual conference will touch on a lot of these topics that you've highlighted today. When we think about where to start and how as internal auditors we, you know, we can advise our organizations and help guide them and influence decisions, you know, what do you typically see as some of the biggest challenges that organizations face?
And, you know, as, as such internal auditors face when trying to integrate AI into their cybersecurity strategy? I've talked about the, the, the talent challenge and the alignment challenge. I think also about another challenge related to transparency and governance, which is, uh, very, very significant, uh, consideration. AI can sometimes function as black box, making decisions that are not easily explainable.
And here we are talking about what we call XAI, explainable AI, the way to, to, to explain how AI react and how AI make decision for any process. And this is a field that need to grow and to be used more and more by organization to have clear explanation about how AI behave and how AI react.
So organization need to ensure that AI-driven security decisions are transparent and interpretable to build trust with stakeholders and meet also regulatory, uh, requirements. Interpretable and clear, why? Because we are talking about hybrid position between human, between, uh, cybersecurity analysts, et cetera, and AI tools.
And if the, uh, the results and the, the analysis made by AI are not clear or are, are fade, et cetera, this could make, uh, a wrong decision making and, uh, in cybersecurity fields that could affect, uh, lots of vulnerabilities, uh, inside the organization. This is, this also ties into the need for robust ethical guidelines around the use of AI, particularly as related to, we'll talk about it later, maybe to data privacy and, uh, automated, uh, decision making.
The one thing I, I often counsel internal audit teams on when I talk to them about this, is around the governance process.
Um, because ultimately whether you're implementing AI, and again, more specifically generative AI within an organization, I think whether it's cyber, the cyber team, or you know, it happening on the cybersecurity side, or it's happening for operational reasons, and making sure that the organization has the right governance process to evaluate the technologies and the impacts to the organization so that the, the right lenses on it and the right people are seeing it and subsequently approving,
I think becomes really important to an organization. And as auditors, I've seen us spend a lot of time helping guide that process and in some cases even help, you know, help with the considerations and establishment of that process. And, you know, I think that becomes really important, especially as you mentioned around some of the ethical considerations as it, as it relates to the deployment of this. Maybe we talk a little bit more about that now.
I mean, what do you, what do you see as some of the, you know, if you're, if you're an internal auditor and an organization is starting to deploy AI within cybersecurity, what do you see as some of the potential ethical considerations or risks that we need to be aware of and then, you know, make sure the organization is considering? Well, Mike, uh, there are several ethical consideration to keep in mind when deploying AI in cybersecurity.
One that comes to my mind is, uh, related to biased decisions. So if an AI system is trained on biased data, it can perpetuate those biases, possibly leading to unfair targeting or discrimination in threat detection. So garbage in, garbage out, we need to have clean and well structured data, and also very general data covering lots of layers, lots of example in terms of person, gender, uh, uh, et cetera, et cetera, to, to, to be sure that the data represent well, the target of, of the analysis.
Also, another, uh, ethical concern is privacy. Uh, and as you know, AI systems often require access to sensitive data to function effectively. Organization today need to ensure that they are transparent about what data they are collecting and how it's being used, uh, and that they are complying with the privacy regulations like GDPR in Europe or CCPA or other regulation, uh, all around the world.
Ensuring data privacy while harnessing AI full potential is a real delicate balance that organization must navigate. Uh, I think also about another kind of ethical, uh, consideration, it's related to accountability. So if an AI system makes a wrong decision, failing to stop, for example, a breach or incorrectly flagging legitimate action as malicious, who is responsible?
So these are important considerations that organization must address as they integrate AI into their cybersecurity strategies. Yeah, well said. I've seen, I've seen a lot and I, I think when you think about this stuff within organizations, the change management around the implementation and communicating and making sure that you have a well thought out process within the organization for some of these ethical considerations also goes a long way.
'cause I've seen organizations and, you know, teams sometimes struggle with the perception that it also creates among employees around someone's looking and reading, even if it's a machine, every single word that I'm saying or doing and analyzing it for trends and outliers, which sometimes can create some cause for concern among employees.
And I think to your point, if the considerations are thoughtful and well documented and well approached, I think it goes a long way in the change management cycle to get this stuff deployed in an effective way. Sure. So when we look at, I, when we look forward and we think about what the role of artificial intelligence in cybersecurity looks like today versus what it might look like, say 10 years from now, what do you think?
I, I, I mean, I guess if we look 10 years back, we never would've even had a generative AI on our radar. But when we look 10 years, so it's hard to say, but when we look 10 years out and we sort of vision what the future looks like, where do you see it going or where do you think it, where do you think we end up? Sure, Mike. I hope the future will be, uh, will be bright looking ahead.
AI will continue to be a driving force in cybersecurity, and its role will expand beyond what we see today. One of the key area where AI will evolve is predictive analytics. I think right now AI is excellent in, in detecting ongoing threats, but in the next decade, uh, we see AI systems that can predict future attacks based on global cyber trends and pattern because AI is still learning.
So imagine in, in, in a decade what kind of amount and amount of data, uh, AI systems will accumulate this will all allow organization to take a more proactive approach to defense. I also believe AI will become more embedded in automated incident response systems where the majority of cyber attacks are mitigated without human interventions.
Uh, moreover, I think also that AI's, uh, role in cybersecurity will evolve with other emerging technologies like, for example, quantum computing, uh, that will introduce new risks and opportunities for encryption and data security. Uh, AI will likely play key role in developing defense against quantum powered attacks that will crack any, any existing and unknown, uh, encryption that we have today, which could break every method of encryption.
At the same time, AI also, uh, will become more integrated with technologies like blockchain to enhance data integrity, identification, and secure transactions. These kind of synergies between AI and other emergent technologies will create a robust multi-layered cybersecurity solution capable of addressing the increasingly, uh, complex threats landscape.
I think, and I hope that in the next decade we will, we can expect AI to not only detect and respond to threats more efficiently, but also to shape the entire cybersecurity ecosystem, creating a future where prevention, detection, response are all seamlessly interconnected. Well said, and I, you know, I, it's hard to predict what happens 10 years from now.
I think one thing we can both agree will happen is that, you know, we're seeing it already that the, the human versus machine continuum, we're gonna see technology take on more and more of some of this, um, transactional and systematic processing for us so that we can focus on the more strategic. I think that's, we're already starting to see that happen in a, in a big way, and I think we're gonna continue to see that across the years.
I think the, you know, the other piece I would highlight, I think the regulatory landscape is gonna evolve quite significantly, and we're already seeing it in such, in a, in short order with some of the things that have happened. And I think we're gonna see a much more robust regulatory and oversight process that governmental entities start to create and, and evolve.
And I think that's gonna also dictate some of the, uh, the work internal audit will have to think about within organizations as it relates to the risks and, you know, evaluating them within organizations. So Sammy, I think when we look at some of the most impactful cybersecurity projects that you've led, um, or have been part of in your career, you know, especially as it relates to cyber defense and AI, you know, the topic we've been talking about.
Would you, you know, maybe you can give some examples. Um, I know we've, I know we've talked about some in the abstract, but I think it would be interesting for the audience to hear, you know, some of the things you've been involved in and or engaged in that you, you think would be relevant to internal auditors. Sure. Mike, I have one in mind, uh, less technical, but uh, related to human elements.
And one of the, the most impactful initiative I've led was during my time as president of ISACA Casablanca chapter, we launched a program in collaboration with the local partner aimed at supporting new students and recent graduates by offering them free training and courses on cybersecurity fundamentals. And the goal was to equip them with the skills necessary to thrive in the rapidly growing cybersecurity field, and also to increase their opportunities for employment.
This initiative was incredibly rewarding. Why? Because it not just related to the, uh, technical knowledge it imparted, but also because it provided these young professionals with strong foundation and the confidence to pursue cybersecurity careers. What truly made the experience memorable for me was seeing the satisfaction and the engagement in their eyes during the training sessions, and also the impact of the program extended beyond the classroom.
As many of the participants later shared their success stories, crediting the training with helping them land their first job in the field, this initiative was more than successful, enabling us to reach a larger audience and provide additional resources. Also, the ultimate reward was knowing that we were helping to shape the next generation of cybersecurity professionals and contribute to a stronger, more resilient workforce in, in Morocco. Thanks for that. Yeah, I think so.
I think so much of our work as professionals, practitioners, members of an association is really focused on how we can drive more awareness to the profession as well as the cybersecurity landscape.
The more people we can educate about internal audit and then some of these risk, emerging risk topics around cyber and ai, I think the better off we will be as a profession and the better off organizations will also be 'cause you have more people than focused on enhancing and protecting organizational value.
You know, I think from my perspective that that's been the biggest impact as a, as a practitioner that I've seen, is just helping organizations think through their strategies and the deployments and doing that in a thoughtful enough way that you bring everybody else, you bring everybody along for the ride, I think really creates a impactful organization. And with that is always the training aspect. So I was, I'm happy to, I was, was happy to hear that as an example from your perspective.
Sammy, I really wanted to thank you for joining us today. I'm, you know, after hearing you talk about cyber and, you know, AI and how we see them come together, I'm really excited to hear you talk at the conference later this month. Um, you know, and I think you're, yeah, you're one of our keynote speakers and I'm really, yes, I'm really excited about it. I think it'll be a really insightful presentation.
So wanted to thank you for your time and all the work you've done to, uh, enhance our profession. Thank you, Mike, for having me. And I hope this discussion has provided valuable insights into the role AI plays in cybersecurity today and in the future. And I hope to share more knowledge during the Cybersecurity Conference, uh, uh, led by the IIA. Wonderful.

Join the IIA's Cybersecurity Virtual Conference on October 30th. It's all online, so you can attend from anywhere.
Visit theiia.org or check the show notes to sign up today and secure your spot. If you like this podcast, please subscribe and rate us. You can subscribe wherever you get your podcasts. You can also catch other episodes on YouTube or theiia.org. That's THEIIA.org.
