CTRLPhreaks

By: Clarissa Lucas & Bill Bensing
  • Summary

  • Dial into a frequency where the meticulous world of auditing and the rebellious spirit of hacking collide! Meet Clarissa and Bill, your audacious hosts, navigating you through the labyrinth of traditional auditing and into a realm where controls aren’t just checkboxes but catalysts for change. Steer away from the monotonous audit routines and venture into a world where compliance and managing risk is not a battle but a collaborative journey toward organizational excellence. Clarissa, author of “Beyond Agile Auditing,” and Bill, one mind behind “Investments Unlimited,” unite to decode the enigma of bridging the chasm between the historically rigid auditing world and the dynamic technology universe. Control Phreaks is not just a podcast; it’s a movement! A call to all auditors and technologists to break free from the chains of conventional audit practices and to boldly step into a future where controls empower, not encumber.
    Copyright 2024 Clarissa Lucas & Bill Bensing
    Show More Show Less
Episodes
  • Safety vs. Security: Why Words Matter with Sounil Yu
    Apr 26 2024
    Summary

    Sounil Yu, author of Cyber Defense Matrix, discusses the importance of terminology in cybersecurity and the distinction between safety and security. He explains how the Cyber Defense Matrix helps organize and identify gaps in security capabilities. He also introduces the concept of the D.I.E. Triad (distributed, immutable, ephemeral) and how it can reduce the impact of liabilities in cybersecurity. The conversation highlights the need to redefine the economic equation of cybersecurity from a cost to an investment. The talk explores the concepts of cyber safety and cybersecurity and how they relate to risk management and defense strategies. The guests discuss the importance of having necessary defenses in place, even for smaller businesses that may not be direct targets. They also delve into the three-line model and how it aligns with the cyber defense matrix. The matrix is a valuable tool for understanding the full scope of cybersecurity and making risk-based decisions. The conversation emphasizes the need for a common language and understanding between tech and audit professionals.

    Takeaways
    • Terminology is crucial in cybersecurity to ensure clear communication and understanding.
    • The Cyber Defense Matrix helps organize and identify gaps in security capabilities.
    • The D.I.E. triad (distributed, immutable, ephemeral) can reduce the impact of liabilities in cybersecurity.
    • Redefining the economic equation of cybersecurity from a cost to an investment is essential. Having necessary defenses in place is vital for all organizations, regardless of their size or direct targeting.
    • The cyber defense matrix is a helpful tool for understanding the full scope of cybersecurity and making risk-based decisions.
    • Common language and understanding between tech and audit professionals are crucial for effective communication and collaboration.
    • Risk tolerance and appetite should clearly articulate and align with the organization's goals and resources.
    • The cyber defense matrix can be used as an assurance map to identify controls and risk coverage gaps.

    Chapters


    00:00 Introduction and Background

    06:18 The D.I.E. Triad

    14:13 The Importance of Terminology

    26:40 Risk Tolerance and Risk Appetite

    35:07 The Role of Language and Common Understanding

    Show More Show Less
    45 mins
  • Policy as Code: An Audit-Tech Peacekeeper with Mike Leuzinger and Andy Kolenko
    Apr 20 2024
    Summary

    In this episode, Mike Leuzinger and Andy Kolenko discuss policy as code from a technology and audit perspective. Policy as code extends infrastructure as code, allowing organizations to automate and manage policies across multiple technology stacks. It can enable continuous compliance, self-service for auditors, and more robust controls through automation. However, challenges include dealing with heterogeneity and the complexity of new technologies. Bridging the gap between technologists and auditors is crucial for successful implementation. The conversation explores the challenges and benefits of implementing policy as code in an organization. Mike, Andy, Clariss, and Bill discuss the complexity of keeping up with proprietary schemas and controls and the importance of relying on vendors and industry standards. They also touch on the responsibility of setting and managing Policy as Code, highlighting the industry's lack of established processes and ownership. The conversation emphasizes the need for collaboration between auditors and technology partners and the importance of staying updated on compliance guidance and leveraging tools like Open Policy Agent and the AWS Well-Architected Framework.

    Takeaways


    • Policy as code extends infrastructure as code, enabling organizations to automate and manage policies across multiple technology stacks.
    • Policy as code enables continuous auditing and monitoring, providing more continuous assurance to stakeholders.
    • Self-service for auditors reduces miscommunication and allows them to obtain the necessary evidence without relying on clients.
    • Policy as code strengthens controls through automation, preventing security vulnerabilities from going into production.
    • Challenges of policy as code include dealing with heterogeneity and the complexity of new technologies.
    • Bridging the gap between technologists and auditors is crucial for successfully implementing policy as code. Keeping up with proprietary schemas and controls remains challenging, and organizations should rely on vendors and industry standards to stay ahead.
    • The responsibility for setting and managing Policy as Code is still unclear, and there is a need for more established processes and ownership.
    • Collaboration between auditors and technology partners is crucial for the successful implementation of Policy as Code.

    Show More Show Less
    41 mins
  • Harvesting Harmony: John Deere's IT & Audit Jamboree
    Jan 27 2024

    In this episode, Lynn, Roberto, & Matt from John Deere discuss their digital transformation journey and its impact on IT and Internal Audit. They highlight the importance of agility in internal audit and how it helped prioritize work and enhance relationships with stakeholders. The team also shares the challenges they faced during the transformation and the strategies they used to overcome them. Additionally, they discuss the concept of defining deployable and its role in bridging the gap between technology and audit. The conversation explores the partnership between audit and other departments, the importance of metrics and measuring outcomes, applying software engineering principles to audit, and advice for implementing Agile in audit.

    Takeaways
    • Digital transformation requires agility in internal audit to prioritize work and enhance stakeholder relationships.
    • Challenges during the transformation can be overcome through continuous improvement and a focus on cultural change.
    • Defining deployable is crucial in bridging the gap between technology and audit.
    • Psychological safety and modeling behaviors are vital to creating a culture of trust and innovation.
    • Partnerships between audit and other departments are crucial for automation and improving audit processes.
    • Metrics should focus on measuring outcomes rather than just activities.
    • Applying software engineering principles to audits can improve efficiency and effectiveness.
    • When implementing Agile in audit, start small, adapt, build relationships, and disrupt with precision.

    Show More Show Less
    58 mins

What listeners say about CTRLPhreaks

Average Customer Ratings

Reviews - Please select the tabs below to change the source of reviews.

In the spirit of reconciliation, Audible acknowledges the Traditional Custodians of country throughout Australia and their connections to land, sea and community. We pay our respect to their elders past and present and extend that respect to all Aboriginal and Torres Strait Islander peoples today.