
Elevating Data Security

Sep 17, 2024 · 18 min · Season 2 · Ep. 16

Episode description

All Things Internal Audit: Elevating Data Security

In this episode, Terry Ray, a top expert in data security, talks with David Petrisky, director of Professional Standards at The IIA, about why asking the right questions is key to boosting data security and compliance in organizations. They’ll dive into how internal auditors can strengthen their organization’s security, the hurdles they encounter, and practical strategies for success.

Guests:

Terry Ray, senior vice president, data security GTM, field CTO, and fellow at Imperva

Host:
David Petrisky, director, Professional Standards, The IIA

Key Points: 

  • Introduction to Data Security and Compliance (00:00:02 - 00:00:22)
  • Breaking Down Data Defense (00:00:31 - 00:02:45)
  • Prioritizing Security Controls (00:02:52 - 00:04:24)
  • Key Frameworks for Security (00:04:58 - 00:06:22)
  • Common Vulnerabilities and Breaches (00:06:22 - 00:08:25)
  • Advice for Internal Auditors (00:08:25 - 00:11:10)
  • Compliance and Regulatory Frameworks (00:11:15 - 00:14:05)
  • Internal Auditors’ Role in Security (00:14:05 - 00:17:11)
  • Final Advice for Internal Auditors (00:17:11 - 00:17:32)
The IIA Related Content:
Interested in this topic? Find more articles and resources to support internal auditors in protecting data here.

Elevate your internal auditing skills and enroll in The IIA's 2024 Cybersecurity Virtual Conference. Visit The IIA's website or YouTube channel for related topics and more.

Resources Mentioned:

Follow All Things Internal Audit:

Apple Podcasts
Spotify
Libsyn
Deezer

Transcript

The Institute of Internal Auditors presents All Things Internal Audit Tech. In this episode, Terry Ray, Field CTO at Imperva and a top expert in data security, talks with David Petrisky, director of Professional Standards at The IIA, about why asking the right questions is key to boosting security and compliance in organizations. They'll dive into how internal auditors can strengthen their organization's security, the hurdles they encounter, and practical strategies for success.

We'll start with the defense. Uh, how, how do you break that topic down? Uh, data, you know, defense of your data, uh, into manageable chunks. So when we think about data, when we think about anything in cybersecurity, it really, cybersecurity falls into two buckets. Resilience, keep my business up and protect my data. I don't care about my servers, I don't care about my web servers.

I care about my data. That's the only thing I can actually lose in my IT infrastructure that I would never, ever get back and is gonna put me in the news. So that's what I, that's, that's my goal, is to be able to prevent that. When I think about how do we break it into chunks, a lot of organizations like to begin with, and this is kind of driven by audit. They need to begin with, where is my private data? Where is my regulated data?

And they, they say that, they say that they want to begin there because that's where they want to prioritize their investment. That's where they wanna focus their, their resources. The reality is, is when they begin in that space, while it is a chunk they can begin with, the overwhelming majority of organizations that, I mean, the largest financial services in the or in the world, et cetera, tend to stop there. I covered my private data, I met regulation, internal audits, happy.

Why would I do anything else? Why would you? Because best practice would say that you're going to have a breach if you don't. So you should go do it, but it takes that breach. I've literally been told by other organizations, we won't get any more funding other than regulation until we get breached. And that's the big gap here. So when I look at the chunks, the easiest chunk for organizations to take out of anything is I at least need to do the same thing I would do in real life.

I need to have at least the ability to see what's going on across all of my data regulated and unaid, uh, unregulated. That's the biggest chunk that they need to get over, and that's the one that many tend to miss. They can go back afterwards and take that second chunk, which is classification, and if they want, and certainly will need to due to regulation. We'll talk about the, the, the veracity of it later. But, um, cryptography, encrypting my data.

It has various value to cybersecurity, if you will, but it's hyper valuable to regulation. So all of these are chunks, but watch your data protect or encrypt your data and know where your most critical data is, are the three biggest chunks that organizations tend to operate within. How would you prioritize that at, uh, systems or, or data sets to, uh, applying commensurate security process controls? So there's this thought of paths to data. All the ways you can get to data, right?

So the most common way that people get to their data is through their applications, web applications, APIs, uh, uh, application, programmable interfaces, these sorts of things. Today we talk about AI, artificial intelligence. It's just another application. It's just another API. But this is the way you get to data. And then you have all of your internal people, people, consultants, et cetera, that all have access. Third parties have access directly to your data.

So all of your data has access to it. When you think about how do you prioritize it, the easiest thing, and the thing that I feel like has really been done quite well is prioritizing the security of the applications themselves. It's, it's a bit unheard of if you're a large organization and you don't have a web application firewall or some kind of protection out front, it's just unheard of. And so that's, that's been done.

It's not until you get to the back end that you need to now say, do I protect my databases, which is structured data? Do I protect my data warehouses, which is semi-structured files and, and structured data? Or do I focus on just my file servers? I think the answer really depends on what kind of business are you, are you manufacturing where you deal with a lot of files? Are you a healthcare where you're dealing with an EMR, electronic medical record system and other systems?

You have to define your own organization and decide where your weakness, if you will, or your, your prioritized data really is. And I would say begin there, but the, that's the, the most important word of it is it's begin don't end because you say, my file servers are important, but gosh, my databases just aren't. The reality is, is hackers are like water. They're gonna take the path of least resistance.

So if you put your controls only in production, only on file servers, I guarantee you where you're going to be breached is likely not gonna be in production. It's gonna be a non-prod, and it's probably not gonna be a file server. It's something you didn't think about. And that's gonna bite you. Along those lines are, are there any like key frameworks, uh, that you use with your clients or in your own, uh, business to align your processes to leading practices? There?

There, there's 5, 6, 7 different ones that are out there. The one that we all hear about, and the one that most people adhere to, and, and frankly most of them are, tend to be copies of is NIST, right? Uh, right. So NIST is the most popular one this year or recently. They brought out now a, a fourth facet of their, their, uh, their model to include governance as part of their model. Where before it was just protect, respond, detect, uh, and whatever the last one was.

The fact is, is governance was always missing out of that, that, that list. So they've added governance into it, which I think is good. And I think that's, it's important for organizations to see in front of them that governance is not the only thing you need to do. You have to solve for the ring, the circle, if you will, the onion of everything that NIST has to actually provide security.

And that's what organizations have to come to grips with is are you trying to solve for security or are you trying to solve for compliance? And there are two very different things in some cases. Yeah. Just staying on the, uh, security, I mean, so organizations that, uh, do, you know, align their control environment with say, in this framework or others, um, and, you know, are putting forth a normal level of defense.

So what kinds of vulnerabilities creep up e or, you know, uh, even with companies that are, you know, doing the things that they think, you know, are, are reasonably, you know, expected. The, the most common thing I think people try to prevent is the malicious attacker. And the reality is that that's not really the most common breach.

The most common breach is where you have somebody who inadvertently exposed data in a way they didn't anticipate the internal employee who's leaving the company, but has carte blanche access to so many different things and nobody's watching anyway. Because don't, we don't, we trust all of our employees and, and all of our admins.

And so, so the, the vulnerabilities that exist come around to authentication and access, but 90 plus percent of all data exposures and data breaches are fully authorized users. The people that are supposed to be there, you told them they could be there, you just weren't watching what they were doing. You didn't know what they were doing. And if I rewind back a long time and in a movie, Edward Snowden, yeah, okay. So he had access to everything and he, he took it away.

It wasn't until he was in Hong Kong that they figured it out and decided to do something about it. So when we think of it, and that's, that's just one raw example in every organization I've ever worked for that I can remember and the organizations I work with, when somebody gives their two weeks notice, they would love to be able to monitor everything that person does.

I'm not saying they're bad, I'm just saying I need to watch everything they do because this is the hypercritical time. Most intelligent employees, if they said, I'm gonna give my two weeks notice, if they were gonna take something, they would've done it two months prior. Sure. And so it's, it's what are you doing all that other time of what's going on and what are you connecting your internal resources out to other things. Your APIs are just a user, your applications are just a user.

Are you monitoring everything that they do? 'cause they are vulnerable, whether you have an application firewall or otherwise. So we see supply chain attacks all the time. Long story short, vulnerabilities are not what I would say we, we thought about of a vulnerability 20 years ago where it's you type this string in and now you get this secret path into something most commonly around data. You're not typing anything in. You've hacked something else that has raw access into your data.

And it's, it's just the authorized access to your data that's being pulled out. It's not somebody compromising an exploit on a database, it's somebody using the controls that you've already put in place against you. Interesting. So, uh, as a CTO, um, you have an interesting perspective on it.

You know, what are some of the advice, advice or, or leading practices you would give to internal auditors for working with the IT and information security organizations to understand the processes and really ask better questions and, and, and test the controls, you know, a little more deeply? So ask better questions is, is is really the key facet, right? So it's not enough. I'll give you one, one great example.

I think it's not enough to ask your security team, do you know I'll become credit cards? Do you know where our credit cards are stored? The short answer is, of course, they know where the credit cards are stored. They're in that server and that server and that server. The question you should be asking is, can you demonstrate for me and prove to me that we have credit cards? Nowhere else except for where we expect them to be, which we know are in those three places.

We all know they're there. You don't need to test that. I need to know that you've looked everywhere else and they haven't migrated somewhere else. Credit cards are the easy one. Names, addresses, phone numbers. 'cause marketing wanted to send a flyer somewhere and they stuck it on a server in AWS. Did you scan that server to see if we've got PII up there? Did you scan them all and look everywhere? It comes back to classification, but it's about asking good quality questions.

It's the same thing I ask all of the cybersecurity people, which is, it is not enough to just simply say, that's where my private data is. You have to be able to ask yourself that good solid college try, which is, do I have data anywhere else? And if I can't answer that question, I haven't done myself any, uh, in quality.

Good by, by answering it myself in one server. What would be the best way for auditors to get those skills or those competencies to, you know, elevate their, their knowledge of these processes and be able to ask those questions? I work within, I, I, I work within The IIA and I work with others to be able to try and bring that information to the audit community. And it's been very well received. Uh, so I, I would encourage auditors to, to do their own search.

There's not a website that says, you know, be a better auditor here, learn some security. Uh, I would say there's, there's blogs and there's other materials. Certainly we have them, I have them that are out there, but there's not one overarching group or source. I think that is the, the single source of truth for this type of information. It just comes down to really being able to, I think, look internally for now to say, what am I really trying to solve for?

And are my questions really getting to the truth about what I'm trying to get? Do I really wanna know where my private data is? Take taking the classification piece? Mm-Hmm. You can take that to what are we monitoring? Am I monitoring 10% of my environment? What's happening in the other 90% of that environment? What do I know about the other, do we know nothing about it? What about my development and test? How many consultants do we have? I'll just leave you with one, one example here.

I had a, a hospital who has a backend system to an electronic medical record system. That backend database ranges between 50 database administrators to 250 database administrators at any one time due to consultants, turnover, et cetera. Trying to monitor all that behavior and where people are going, frankly, it just doesn't get done. And that's a very large, very notable healthcare organization. Much less smaller ones or other organizations that are far less regulated.

That's the world we live in. There really isn't a lot of information. Oh. Well, let's pivot to the other side of the coin here and, and talk a little bit about compliance. Um, so what, what regulatory frameworks are, are most significant out there? What, what do you work with, uh, you know, your clients or you know, in your organization? What, what, what things are top of mind? The ones we hear, uh, most frequently are those that are global, right?

So PCI, of course is out there, GDPR, it's not global, but it might as well be if you're doing business out there. Um, we're seeing more around NIS2 in Europe and DORA in Europe. Uh, I just got back from Singapore on Friday last week. So Monetary Authority of Singapore. Some of through, uh, some of the privacy laws in Singapore and Japan and others, I've got an insurance company that has to meet 255 regulations around the world, right?

So one, one of the great things that I think regulations have done as a service to organizations is effectively, for the most part at the technical level, they're all copies of each other. Yeah. Most of them aren't saying to do something vastly different than what another one said. GDPR privacy kind of brought that to the forefront with a few other little things with data subject access requests and whatnot.

But at its foundation, at the security level of the data, they all are equally ambiguous. But also kind of say the same thing. You should encrypt your data. You they mandate regulate or insist that you encrypt your data. And then beyond that, maybe you audit it access control. It's, it's all the same stuff, right?

So it doesn't matter how many or which one it is, if you do the basic blocking and tackling of securing your data, whether it's NIST or something else, you're good for every regulation out there from the foundational security. If you just focus on the data that's relevant for a specific regulation, then fine. You're good for that regulation. And, and I've told companies before, I said, I'm not faulting anybody.

I get it. There are plenty of times when your budget is tied to passing an audit, and that's fine. I said, what's important to me, what's important, I hope to the CISO, the Chief Information Security Officer of the organization, is that they inform their executive staff, their CIO, their whoever it happens to be, that that is not equal to security. I've, I've asked in, in groups before, does anybody believe that meeting regulatory compliance is the same as having best practice security?

And everybody agrees there's no hands that go up that's not the same. And it's important that executives understand that, which I think isn't always the case. Do you think that internal auditors understand that distinction? Or are you seeing too much emphasis on, uh, you know, testing compliance processes or, or do you think there's enough emphasis on the fundamental, uh, controls and, and defense concepts?

I think internal auditors would have a better pulse of what, what's, what best practice security for their organization would look like and would be meaning they will have, they will have a different perspective on, I get it. My credit cards are important, but we also have this internal data that's not regulated. It's equally important to my business. We need to be doing the same thing for this data that we're doing over here for our credit card data.

An external auditor may not care anything about your business and this other data. So at a minimum, understanding the business, the business needs and the types of data that are both monetizable and in demand in that organization, making certain that those fall into the same category as regulated data. An internal auditor can certainly help with the understanding of all of the data that's not important to the business and not regulated.

I think might still fall out of the purview of even internal audit to say, why is it important that I cover my development and test environment? Is it why? The reality is is we use production data in dev and test, so why wouldn't I go after that? There's no controls there. I'll go over why would I go after production?

Doesn't make sense. Yeah. So are there any final, you know, words of, uh, wisdom or advice that you would give to internal auditors, um, from having seen, you know, data compliance failures or, or even data security failures and the repercussions from those? Uh, I would say to this, this goes right back to the question. The, the, the comment ask better questions. I don't find, I have not found that security professionals are opposed to getting tough questions.

In fact, I think they like to not, not necessarily be challenged, but to have a little bit of forethought, have a, have a little bit of a, a better dialogue and a relationship between somebody who's thinking critically the way that the, the security team should be thinking critically about how do we close these gaps? Security does not know where all their gaps are. I promise you that. And so someone else, another smart team that can also think outside the box and ask those tough questions.

'cause I will tell you that's, it's, it's very frequent that a, that a security team will say, I have a thousand places where I store data. I've put controls over a small percentage of those, and over three months, six months a year, people change, heads, change what have you. And nobody thinks about the other large percentage of the, of the, of the places where we have data, they just focus on the controls that we have in place because that's what the other guy did, or the other lady did.

That's, that's what I'm looking at. Those are the controls we have in place. That's okay for the organization. My internal audit was okay with it regulatory, why would I do anything else? The reason why you would is because you have a strong internal auditor who's saying, we've been asking about this for years. What are we doing about the other 90% of places where we have data and we've yet to do anything about it? I realize we need budget. That's the kind of questions.

That's it. It it, it can't be one of these things where we just, uh, just take what we've done in the past and just run with it. You have to ask those questions and dig in. I think being a bulldog on it is, is an important factor. Awesome. Well, thank you so much Terry. It's been a very enlightening discussion and, uh, thank you for your time. Thanks, Dave. If you like this podcast, please subscribe and rate us. You can subscribe wherever you get your podcasts.

You can also catch other episodes on our YouTube channel at theiia.org. That's T-H-E-I-I-A dot org.
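The episode's central audit question, "can you demonstrate that cardholder data is nowhere except the places we expect it to be," is a data-discovery check. The script below is an added illustration of that check and is not code from the episode, The IIA, or Imperva. It builds a small constructed file tree (an expected billing store, a marketing export, and a document with a non-card number), finds Luhn-valid card numbers in each file, and reports only the files that are outside the assumed allowlist of expected stores. Everything it reports is masked to the last four digits, since a discovery tool that copies full card numbers into its own output creates the exposure it was meant to find.

```python
"""Cardholder-data discovery outside expected locations (added example).

Not code from the episode, The IIA, or Imperva. The file tree, the allowlist of
expected stores and the sample contents below are constructed for the example;
the card numbers are public Luhn-valid test values, not real cards.
"""
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# Candidate primary account numbers: 13-19 digits, optionally separated by
# spaces or hyphens. Deliberately broad; the Luhn check narrows it.
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample tree: one expected store, one unexpected copy made by
# "marketing wanting to send a flyer", and one file with digits that are not a card.
SAMPLE_FILES = {
    "billing/cards.db": "4111111111111111\n5500000000000004\n",
    "marketing/flyer_list.csv": "name,card\nA. Person,4111 1111 1111 1111\n",
    "docs/readme.txt": "order id 1234567890123 is not a card\n",
}
# The stores "we all know about" (assumed allowlist for the example).
EXPECTED_STORES = {"billing/cards.db"}


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_tree(root: Path, expected: set[str]) -> dict[str, list[str]]:
    """Return {relative path: [masked PANs]} for each file holding Luhn-valid
    card numbers that is NOT in the expected allowlist."""
    findings: dict[str, list[str]] = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        text = path.read_text(errors="replace")
        hits = []
        for match in PAN_PATTERN.finditer(text):
            digits = re.sub(r"\D", "", match.group())
            if luhn_valid(digits):
                # Mask to the last four digits; the report must not become a new copy.
                hits.append("*" * (len(digits) - 4) + digits[-4:])
        if hits and rel not in expected:
            findings[rel] = hits
    return findings


def demo() -> dict[str, list[str]]:
    """Write the constructed tree to a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, content in SAMPLE_FILES.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(content)
        return scan_tree(root, EXPECTED_STORES)


if __name__ == "__main__":
    for rel, masked in demo().items():
        print(f"unexpected cardholder data in {rel}: {masked}")
```

On the constructed tree the only finding is `marketing/flyer_list.csv`: the billing store is known and allowlisted, and the order id in `docs/readme.txt` matches the digit pattern but fails the Luhn check. The auditor's question is answered by the scope of the scan, not by the allowlist: the evidence is that every other location was searched and came back empty.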

Transcript source: provided by creator in RSS feed.