CISOs and Auditors Build Trust


Back in 1789, Benjamin Franklin wrote a letter to a French scientist named Jean-Baptiste Le Roy in which he penned the famous quote: “In this world, nothing can be said to be certain, except death and taxes.”

Fast forward more than 200 years, and most government technology and security professionals would add auditors — who often bring audit findings — to Franklin’s list.

Nevertheless, does the relationship between security and technology leaders and their auditors need to be contentious?


My opinion on that question is generally “no.” In fact, I believe that auditors and chief information security officers (CISOs) can even be friends, work well together and share many cyber goals.

But, as noted in this 2021 article, which describes auditor relationships during my years as CISO in Michigan government, “Auditors and chief information security officers are both focused on finding vulnerabilities, fixing security problems and stopping data breaches. So why do they so seldom see eye-to-eye?”

Which leads us to March of this year when I met Peter Ulrich, the information technology audit manager with the Denver Auditor’s Office, at the Billington State and Local CyberSecurity Summit in Washington, D.C. Peter has achieved CISA and CSX-A certifications and has an amazing set of professional experiences, including many public- and private-sector leadership roles prior to joining Denver government service.

In addition to Peter’s kind, professional demeanor and his immense knowledge of the cybersecurity industry and the audit profession, I was especially impressed with how he described his relationship with Merlin Namuth, the CISO for the city and county of Denver. Indeed, their teams get along well, as I heard firsthand during an online meeting with the two of them. These conversations led to my interview with Peter, which is the focus of this blog. I hope to be able to interview Merlin in a separate blog later this year.

Peter Ulrich

Dan Lohrmann (DL): You have a fascinating professional background. How did you get into your current role in tech and security auditing in government?

Peter Ulrich (PU): I was thriving in my role at Vantage Data Centers and learning a ton about the critical infrastructure running the cloud and AI, but was looking for more meaning in my role and serving others. I found the IT audit role at the Auditor’s Office at the city and county of Denver and was attracted by the mission of serving the residents of Denver and the people using the Denver International Airport. The scope of the operations was really big, and there were so many different missions with very different requirements — I was also attracted by this complexity.

DL: How would you describe your role in working with Merlin Namuth in Denver? Is it working well so far?

PU: First and foremost, I must keep my independence and objectivity so I do not impair my ability to perform audits of his function. With that groundwork being established, Merlin has been transparent and open in his communication with my team and me. I am always happy when the people I am auditing are completely open about where they are and allow me to focus on really defining the root cause of the problem and designing recommendations that make real improvements to the risk profile in a reasonable amount of time.

I think this is working well because we both want the same result, which is to reduce risk and improve security. While he may not agree with every recommendation I make, we do not disagree on the intent of the recommendation, just maybe the way to reduce the risk.

DL: How do you deal with PR surrounding audit findings?

PU: I am extremely lucky that Denver’s auditor, Timothy O’Brien, has a communication team that composes press releases and handles any media inquiries. The press releases are circulated among the leadership and audit team members on each audit for review and editing. This helps ensure that we have the right message to residents and other stakeholders.

DL: Cybersecurity weaknesses are not something that government wants in the news. How do you balance that public announcement role (and Freedom of Information Act requirements) with the need to not disclose problems to bad actor hackers?

PU: My professional judgement is key to ensure the office is balancing transparency with the risk of disclosing confidential or questionable information. Once I determine the information may need to be restricted, I have discussions with Auditor O’Brien and office leadership to balance the transparency needed by the residents and the risk that bad actors could use the information. In Colorado, FOIA is called the Colorado Open Records Act (CORA), and there is municipal code that provides options for us to disclose the information to the city’s Audit Committee and the agency in a confidential workpaper. Additionally, we follow generally accepted government auditing standards (GAGAS), as outlined in the city charter, and the standards require us to protect sensitive audit evidence from public view. The Auditor’s Office’s workpapers are not subject to CORA, as we audit more than just technology and may have protected or regulatory data in our possession to perform our audit.

We take transparency very seriously, so we do not just place everything in a confidential workpaper, but make thoughtful decisions to protect the city from cyber threats while trying to make sure that residents know the IT systems and processes they need for the city and county to function are effective, secure, confidential, available and have integrity.

DL: What makes your interactions with Merlin both effective and impactful so both of you can get done what needs to be done in government cybersecurity?

PU: We both have the same goal to reduce risk, improve security and shrink the threat surface, but we may not always agree as to what the most important things are to correct with limited resources. I think we also understand both our roles, where Merlin and his team protect the city in a first line and second line, and my team and I provide assurance that the subjects under audit are either working effectively or not. The role clarity makes sure we can get done what needs to be done in our current responsibilities.

The other factor is trust, as in any relationship. I trust Merlin is doing his best to protect the city and county and has the skill to do his job. I believe he also trusts that I am thoughtful and skillful and will not overreact to things we find and will seek to understand the issues and problems associated with the findings.

DL: Why do you think many CISOs struggle with auditors, and what advice would you give both CISOs and auditors to improve value and effectiveness for both sides?

PU: I think a lot of CISOs see the audit results as a grade, and to some extent they are. However, I think a lot of auditors approach audits as “gotcha moments,” and to some extent they are. I think I had a lot of success selling the audit services from a couple of perspectives. First, my team and I are free consulting. Many of our audits would cost the organization hundreds of thousands of dollars. However, sometimes we do rebill the cost to the agency. Second, my team and I are here to reduce risk, improve security and make processes more efficient, not to assign blame. I care about why it happened, not who was the leader when it happened, and how we can make the process under audit better.

I think a lot of IT auditors need to approach their work with a different mindset. We need to realize that the people in the organization under audit have full-time jobs and are often stretched thin without the added work of educating us about what they do. I also think many auditors need to have a relationship and hospitality mindset. We need the cooperation of the agency or department client to do our job, and we need to be flexible and try to be as understanding as possible. However, we need to help our clients realize we have professional standards and sometimes we must do some things they do not want us to do like walkthroughs or policy reviews.

FINAL THOUGHTS

Back in 2018, I wrote a blog entitled, “Security Audit Weaknesses Offer a Silver Lining,” ending with these words:

“Remember that although it may not feel like it, auditors can be helpful to your organization. Early audit findings surrounding cybersecurity helped steer enterprise priorities. This audit action data allowed us to obtain funding for key security and infrastructure initiatives during difficult budget times. We even gave our auditor general the results of internal security assessments. By developing positive relationships and building trust with auditors, you can solve problems simultaneously — like obtaining compliance and strengthening security.

“Leaders must follow through with audit remediation plans. Corporate memory is often lost with staff turnover, but remember compliance because the auditors won’t forget.”


