00:00:02
The Institute of Internal Auditors presents All Things Internal Audit Tech. In this episode, Sammy Rifke, Vice President of ISACA Casablanca, joins Mike Levy, CEO of Cherry Hill Advisory, to discuss the evolving cybersecurity landscape. They explore how AI is transforming threat detection and response, the importance of cybersecurity governance,
00:00:22
and internal audit's role in managing cyber risks.
00:00:26
Sammy, thanks for joining us
00:00:27
today.
00:00:28
Thank you, Mike. It's a pleasure to be here for this podcast. And I'm appreciating insights from my experience about AI and cyber security challenges.
00:00:37
So Sammy, you know, one of the questions I think as we get started in this process, maybe you can talk us through how has your background influenced your approach to cyber security and threat management as it relates to internal audit in the process?
00:00:50
Well, Mike, I have spent a significant portion of my career in IT audit and overseeing audit teams and working across various organizations to establish secure and resilient systems. So coming from this background, I have always had a deep understanding of governance and compliance frameworks. This has naturally
00:01:11
influenced my approach to cybersecurity, where I don't just focus on identifying threats, but also on building strong processes and governance mechanisms to prevent them. I also had the opportunity to work
00:01:26
in organizations with critical infrastructure, and I have learned that cyber security is not just about reacting to attacks, but also about proactive risk management, and sometimes this kind of critical infrastructure can influence organizations
00:01:46
to affect even national and regional stability. So my audit background has always pushed me to think beyond technical vulnerabilities and consider governance issues, risk management issues and also business issues.
00:02:04
Yeah, I think that's
00:02:05
really
00:02:06
relevant and, you know, when we look at our top risks, you know, in the 20, the 2025 Risk in Focus report was just released and cybersecurity continues to be top of the list. I think in 2020, in 2025, it's a $10.5 trillion problem in terms of losses to organizations and, you know, with the
00:02:24
advent of AI, I think it continues to be
00:02:27
another complexity that we have to really think about. From my perspective and from an internal audit perspective, it's a great opportunity for us to be advisors to the organization. So, I mean, when you think about AI, cybersecurity, how we look at the advisory relationship to the assurance relationship, maybe you can share some insights
00:02:47
from, you know, your experience, where you've dealt with significant cyber challenges.
00:02:53
I think one of the most significant challenges I encountered was during the COVID-19 pandemic. The launch of the new cybersecurity law in Morocco, though the timing couldn't have been more critical. As you know, many companies were already struggling with the rapid shift to remote work, and suddenly they also had to
00:03:13
comply with new cyber security regulations. This law required organizations to quickly adapt their systems and processes to meet higher security standards, and many were unprepared for such an abrupt change. So the challenge was
00:03:29
threefold: first, ensuring that companies had robust cyber security measures in place during the time when they were more vulnerable to cyber attacks, and second, guiding them through the compliance with the legal framework that had come into force amidst the global crisis. In my role, I had to help
00:03:49
various organizations assess their security infrastructure, identify gaps and implement measures to comply with the law.
00:03:58
We provided tailored action for each organization, balancing the immediate cybersecurity threats posed by the remote work environment with the long-term goals for full compliance with the new regulation. This experience highlighted the importance of agility and strong governance in maintaining cyber security resilience,
00:04:17
even in the face of unprecedented challenges.
00:04:22
I think it's really interesting to hear about some of the significant impacts that the remote work world during the pandemic, you know, created within the cybersecurity landscape and how we protected systems, but also, to your point, the shift to resiliency and how, you know, I think, as organizations shifted their strategies to not just how do you prevent
00:04:42
attacks and breaches, but how do you recover from them. I mean, I think all of that becomes
00:04:46
really important and relevant. I know we mentioned AI early on and how some of the AI landscape has changed. And when you think about even the most common use case that you see people using around ChatGPT and the Microsoft Copilots, there's a statistic out there that it took Netflix something like three years to get to their first one million users.
00:05:06
It took OpenAI's ChatGPT something like 5 days. When you think about the velocity and the speed that AI technology, you know, especially generative AI, has been transforming the landscape of cybersecurity,
00:05:23
where do you see some of the risks?
00:05:25
AI has brought a level of speed and precision to cybersecurity that was ending a few years ago. One of the biggest transformations is in threat detection. Traditional methods often rely on rule-based systems, which can only catch known threats. AI, particularly machine learning, can
00:05:44
analyze massive amounts of data and recognize patterns that would be impossible for human analysts
00:05:50
to catch. What makes AI also more effective than traditional methods is its ability to learn and adapt. It doesn't just react to known threats. It evolves by detecting anomalies and spotting emerging risks. AI tools, for example, can automatically detect abnormal behavior within networks,
00:06:10
allowing organizations to catch potential attacks before they escalate, and this is incredibly important as threats become more and more sophisticated, often using tactics that evade conventional detection methods. Also, AI systems are today capable of
00:06:28
continuously improving their threat detection capabilities. They don't rely on human inputs to update their models. They learn from each new attack and breach they encounter. This means they are not only faster but also more accurate in detecting sophisticated attacks that traditional methods might miss.
00:06:47
When you think about things like
00:06:50
incident response, and obviously from a cyber risk perspective, how we respond and how quickly we can contain an issue within an organization becomes really relevant to whether data loss occurs, you know, how significant the breach is, how long their downtime is. And, you know, one thing I've seen in practice is tools that are leveraging
00:07:10
artificial intelligence, whether it's generative AI or other, have been marked far more effective at some of the automated incident response procedures
00:07:18
than tools that are not, and it's creating a lot of value within organizations.
00:07:23
Just a question on what you had mentioned earlier. I mean, when you think about internal audit's role with cyber response and the landscape and managing some of these risks,
00:07:32
where do you see internal audit fitting into this? Because I've seen a lot. I've seen audit being a central part of this in some of my experiences, but curious to get your perspective on that.
00:07:42
I think internal audit has a vital role in the cyber security posture. Why? Because when we run IT audits especially, we have lots of findings related to vulnerabilities, threats and even the weak posture that organizations have. And as auditors we are advisors
00:08:02
to the organizations and we need to
00:08:05
strengthen our skills related to cyber security to give more and more recommendations in order to strengthen this posture and give the organization action plans that will help them to avoid any cyber attacks, etcetera. Also we talk about some relations that auditors need to make with
00:08:25
other assurance actors inside organizations, like the CISO, like legal, etcetera, and this kind of orchestration that needs to be built inside organizations will help auditors to rely on other assurance actors.
00:08:43
And for example, when the CISO performs penetration testing, vulnerability testing, etcetera, with the need of auditors, he can identify other layers of risk, not only the technical risks, but as I said earlier, even governance, financial and business risk also.
00:09:03
Oh yeah, for sure. And, you know, I think when we talked to practitioners and we talked to our members from an IA perspective, one of the things that I always see with cybersecurity is the value continuum that internal audit provides to organizations. I mean, this is a huge opportunity
00:09:19
for us to serve as advisors and really focus on
00:09:24
making sure that the organization understands the true ramifications for risks, because one of the things when technologies and tools are being implemented, whether it's on the business process side from an operational technology perspective or within the IT security teams, sometimes those groups are more siloed than they, you know, than they realize they are and we interrupted.
00:09:44
Have seen become very.
00:09:46
And helping to connect the dots and making sure that organizations are thinking through all the risks and the potential ramifications and impacts. And we're seeing internal auditors, at least from my lens, become involved in the process earlier on. And I mentioned it earlier, but serving in advisory services type projects I think becomes really
00:10:06
impactful to the organization and it's another opportunity for us to deliver value.
00:10:10
With the advent of generative AI as it relates to cybersecurity, one of the reasons, from my perspective, and Sammy, I'm curious to get your thoughts on this too, as to why you're seeing so much adoption within the cybersecurity landscape is also on the attacker side, because I don't know about you, but I've seen a significant number of new risks and threats
00:10:30
start to pop up that are leveraging generative AI on the other side of this as well. So for example,
00:10:35
you know, historically social engineering and ransomware type attacks, when you look at social engineering, for example, and you see how we educate and train our teams to detect and prevent social engineering attacks. And now with the advent of generative AI, you start to see these very hyper-focused and hyper-realistic
00:10:55
and personalized social engineering threats and attacks start to happen. You know, I'm curious to get your perspective because, you know, with generative AI, with anything, it's going to be used for good and it's going to be
00:11:07
for bad, and I think that's really important for auditors and organizations as a whole to really consider, because whether or not you adopt generative AI practices or tools within your cybersecurity landscape, those that attack are certainly going to. And I think that's critical for organizations to think about. And Sammy, I'm curious to get your perspective on that.
00:11:27
I agree with you. I think today the use of AI is
00:11:32
related to both sides, attackers and defenders. Even for us as organizations, as cyber security professionals or auditors, we have lots of challenges to face if you want to deal with AI in cyber security and integrating AI into cyber security strategies.
00:11:52
A lot of potential if you are on the side of the desk.
00:11:56
But also it presents a lot of challenges. As you said, some challenges come from the use of AI by attackers, that we have like more sophisticated types of attacks like APTs, like new kinds of social engineering, deepfakes, etcetera, which are very difficult
00:12:16
to detect and to cure, but I think also some other challenges are related to the way we are implementing AI. For example, one of the most critical obstacles is the data quality. As we know, AI systems are based on machine.
00:12:33
And they are. They require lots of volume of high quality data to function effectively. Imagine organizations that have not cleaned their data or do not have well structured data sets. They might struggle with inaccurate threat detection leading to false positives or missed attacks. So they are using AI,
00:12:54
but the fact that they have bad quality data, they can have more vulnerabilities than the posture when they are not using AI. Another challenge also, in my mind, lies in how to align
00:13:08
this kind of AI technology with the existing cyber security frameworks, because lots of organizations already have tools, governance frameworks, etc., policies inside their organization. So how to bring AI into this existing environment and to align it with it, and I think
00:13:29
AI tools must be integrated into the broader security architecture, which can be complex and time-consuming. This includes, for example, ensuring that AI-driven insights can be effectively acted
00:13:41
upon by human teams and that the tools are seamlessly integrated with traditional cyber security measures. So we have like hybrid integration, like firewalls, IDS, intrusion detection systems, etcetera.
00:13:57
You mentioned the way that we are training our personnel about how to avoid new kinds of attacks, etcetera. And I think another issue is related to
00:14:10
talent. AI in cybersecurity is still a developing field, so any organization today faces difficulties finding professionals with the right combination of cybersecurity expertise and AI knowledge. This talent gap can slow down AI implementation and reduce the effectiveness of the technology.
00:14:31
Well said, and you know, I think one thing to highlight just in terms of how we approach AI and how we approach auditing in general around cybersecurity, I mean,
00:14:42
this is going to be a key topic that will be discussed at the, you know, the IIA is putting on a cybersecurity virtual conference on October 30th. And yeah, this is a key topic that will be discussed and I think, yeah, we could only go so far in a podcast. But now I think it's important to note that we've put out a lot of resources from an IA perspective
00:14:49
Yes.
00:15:02
that are really focused on how to audit AI and specifically generative AI. And that obviously ties in quite closely to cybersecurity. And there's an entire AI auditing framework that the IIA has released, which is posted on the website.
00:15:17
Members, but also, you know, this virtual conference will touch on a lot of these topics that you've highlighted today.
00:15:23
When we think
00:15:24
about where to start and how, as internal auditors, we can advise our organizations and help guide them and influence decisions, what do you typically see as some of the biggest challenges that organizations face and, you know, as such internal auditors face when trying to integrate AI into their cybersecurity strategy?
00:15:44
I've talked about the talent challenge and the alignment challenge. I think also about another challenge related to transparency and governance, which is a very, very significant consideration. AI can sometimes function as a black box, making decisions that are not easily explainable.
00:16:04
And here we are talking about what we call XAI, explainable AI. The way to explain how AI reacts and how
00:16:12
AI makes decisions for any process, and this is a field that needs to grow and to be used more and more by organizations to have clear explanations about how AI behaves and how AI reacts. So organizations need to ensure that AI-driven security decisions are transparent and interpretable to build trust with stakeholders
00:16:34
and also meet regulatory requirements.
00:16:37
Interpretable and clear. Why? Because we are talking about a hybrid position between humans, between the cyber security analysts, etcetera, and AI tools. And if the results and the analysis made by AI are not clear, are fade, etcetera, this could make
00:16:58
wrong decision making, and in the cybersecurity field that could affect a lot of vulnerabilities inside the organization. This also ties into the need for robust ethical guidelines around the use of
00:17:13
AI, particularly as related to, we'll talk about it later, maybe, to data privacy and automated decision making.
00:17:23
The one thing I often counsel internal audit teams on when I talk to them about this is around the governance process, because ultimately, whether you're implementing AI, and again more specifically generative AI, within an organization, I think whether it's the cyber team or, you know, happening on the cybersecurity side or it's happening for operational reasons,
00:17:44
making sure that the organization has the right governance process to evaluate the technologies and the impacts to the organization so that
00:17:52
the right lenses on it and the right people are seeing it and subsequently
00:17:55
approving
00:17:55
OK.
00:17:56
I think becomes really important to an organization. As auditors, I've seen us spend a lot of time helping guide that process and in some cases even help, you know, help with the considerations and establishment of that process.
00:18:10
And you know, I think that becomes really important, especially as you mentioned around some of the ethical considerations as it relates to the deployment of this. Maybe we talk a little bit more about that now. I mean, what do you see as some of the, you know, if you're an internal auditor and an organization is starting to deploy AI within cybersecurity,
00:18:29
what do you see as some of the potential ethical considerations or risks that we need to be aware of and then make sure the organization is considering?
00:18:37
Well, Mike, there are several ethical considerations to keep in mind when deploying AI in cybersecurity. One that comes to my mind is related to biased decisions. So if an AI system is trained on biased data, it can perpetuate those biases, possibly leading to unfair targeting
00:18:58
or discrimination in threat detection.
00:19:01
Oh, garbage in, garbage out. We need to have clean and well structured data and also very general data covering lots of layers, for example in terms of person, gender, etcetera, to be sure that the data represent well the target of the analysis.
00:19:22
Also, another ethical concern is privacy, and as you know, AI systems often require
00:19:29
access to sensitive data to function effectively. Organizations today need to ensure that they are transparent about what data they are collecting and how it's being used, and that they are complying with the privacy regulations like GDPR in Europe or CPR or other regulations
00:19:49
all around the world. Ensuring data privacy while harnessing AI's full potential is a real delicate balance that organizations must navigate.
00:20:01
I think also another kind of ethical consideration is related to accountability. So if an AI system makes a wrong decision, failing to stop, for example, a breach or incorrectly flagging a legitimate action as malicious, who is responsible? So these are important
00:20:20
considerations that organizations must address as they integrate AI into their cybersecurity strategies.
00:20:28
Well said. I've seen a lot, and I think when you think about this stuff within organizations, the change management around the implementation and
00:20:35
communicating and making sure that you have a well thought out process within the organization for some of these ethical considerations also goes a long way, because I've seen organizations and, you know, teams sometimes struggle with the perception that it also creates among employees around someone's looking and reading, even if it's a machine, every single word that I'm saying or doing and
00:20:57
analyzing it for trends and outliers, which sometimes can create some cause for concern among employees. And I think to your point, if the considerations are thoughtful and well documented and well approached, I think it goes a long way in the change management cycle to get this stuff deployed in an effective way.
00:21:15
So when we look forward and we think about what the role of artificial intelligence in cybersecurity looks like today versus what it might look like, say 10 years from now, what do you think? I mean, I guess if we look 10 years back, we
00:21:29
never
00:21:29
would have even had generative AI on our radar. But when we look 10 years, so it's hard to say.
00:21:34
When we look 10 years out and we sort of vision what the future looks like, where do you see it going or where do you think, where do you think we end up?
00:21:41
Sure, Mike. I hope the future will be bright. Looking ahead, AI will continue to be a driving force in cyber security and its role will expand beyond what we see today. One of the key areas where AI will evolve is predictive analytics. I think right now
00:22:01
AI is excellent in detecting ongoing trends, but in the next decade we see AI systems that can predict future attacks based on global cyber trends and patterns. Because AI is still learning. So imagine in a decade what
00:22:17
kind of amount of data AI systems will accumulate. This will allow organizations to take a more proactive approach to defense. I also believe AI will become more independent in automated incident response systems, where the majority of cyber attacks are mitigated without human intervention.
00:22:39
Moreover, I think also that AI's role in cybersecurity will evolve with other emerging technologies, like, for example, quantum computing, that will introduce new risks and opportunities for encryption and data security. AI will likely play a key role in developing
00:22:58
defenses against quantum-powered attacks
00:23:01
that will crack any existing and known encryption that we have today, which could break every method of encryption. At the same time, it will also become more integrated with technologies like blockchain to enhance data integrity, authentication and secure transactions.
00:23:21
These kinds of synergies between AI and other emerging technologies will create a robust multi-layered cyber security solution capable of addressing the increasingly complex threat landscape.
00:23:35
I think and I hope that in the next decade we can expect AI to not only detect and respond to threats more efficiently, but also to shape the entire cyber security ecosystem, creating a future where prevention, detection and response are all seamlessly interconnected.
00:23:55
Well said, and, you know, it's hard to predict what happens 10 years from now. I think one thing we can both agree will happen is that, you know, we're seeing it already, that the human versus machine continuum, we're gonna see technology take on more and more of some of this
00:24:09
transactional and systematic processing for us so that we can focus on the more strategic. I think we're already starting to see that happen in a big way. And I think we're going to continue to see that.
00:24:21
As we cross the years, I think, you know, the other piece I would highlight, I think the regulatory landscape is going to evolve quite significantly and we're already seeing it in short order with some of the things that have happened. And I think we're going to see a much more robust regulatory and oversight process that governmental entities start to
00:24:38
create and evolve.
00:24:39
And I think that's going to also
00:24:41
dictate some of the work internal audit will have to
00:24:45
think about within organizations as it relates to the risks and evaluating them within organizations.
00:24:52
So Sammy, I think when we
00:24:53
look at some of the most impactful cybersecurity projects that you've led or have been part of in your career, especially as it relates to cyber defense and AI, you know, the topic we've been talking about, would, you know, maybe you can give some examples, and we've, you know, we've talked about some in the abstract, but I think it would be interesting for the audience to hear
00:25:12
some of the things you've been involved in and or engaged in that you think
00:25:15
would be relevant to internal auditors.
00:25:18
Sure, Mike. I have one in mind, the less technical but related to human elements.
00:25:25
And one of the most impactful initiatives I've led was during my time as President of the ISACA Casablanca chapter. We launched a program in collaboration with a local partner aimed at supporting new students and recent graduates by offering them free training and courses on cybersecurity fundamentals.
00:25:45
And the goal was to equip them with the skills necessary to thrive in the rapidly growing cybersecurity field and also to increase their opportunities for employment.
00:25:55
This initiative was incredibly rewarding. Why? Because it was not just related to the technical knowledge it imparted, but also because it provided these young professionals with a strong foundation and the confidence to pursue cybersecurity careers. What truly made the experience memorable for me was
00:26:16
seeing the satisfaction and the engagement in their eyes during the training sessions, and also the impact of the program extended beyond the classroom, as many of the participants later shared their success stories, crediting the training with helping them land their first job in the field.
00:26:33
This initiative was more than successful, enabling us to reach a larger audience and provide additional resources. Also, the ultimate reward was knowing that we were helping to shape the next generation of cybersecurity professionals and contribute to a stronger, more resilient workforce in Morocco.
00:26:53
Thanks for that. Yeah, I think so much of our work as professionals, practitioners,
00:26:59
members of an association is really focused on
00:27:03
how we can drive more awareness to the profession as well as the cybersecurity landscape. The more people we can educate about internal audit and then some of these emerging risk topics around cyber and AI, I think the better off we will be as a profession and the better off organizations will also be, because you have more people then focused on
00:27:22
enhancing and protecting organizational value. Yeah, I think from my perspective that's been the biggest impact as a practitioner that I've seen is
00:27:31
helping organizations think through their strategies and the deployments and doing that in a thoughtful enough way that you bring everybody along for the ride, I think really creates an impactful organization, and with that is always the training aspect. So I was happy to hear that
00:27:46
as an example, from your perspective.
00:27:48
Sammy, I really wanted to thank you for joining us today. After hearing you talk about cyber and, yeah, AI and how we see them come together, I'm really excited to hear you talk at the conference later this month, and, you know, I think you're, yeah, you're one of our keynote speakers and I'm really excited about it. I think it'll be a really insightful presentation. So wanted to thank you for your time,
00:28:09
all the work you've done to
00:28:11
enhance our profession.
00:28:12
Thank you, Mike, for having me, and I hope this discussion has provided valuable insights into the role AI plays in cybersecurity today and in the future, and I hope to share more knowledge during the Cyber Security Conference led by the IIA.
00:28:30
Wonderful.
00:28:31
Join the IIA's Cybersecurity Virtual Conference on October 30th. It's all online so you can attend from anywhere. Visit theia.org or check the show notes to sign up today and secure your spot. If you like this podcast, please subscribe and rate us. You can subscribe wherever
00:28:49
you get your podcasts.
00:28:50
You can also catch other episodes on YouTube.
00:28:53
At theiaa.org, that's theia.org.