Ashit Dalal is a well-known cybersecurity (IT and OT/ICS), data privacy, risk management, governance, compliance, EHS, process, and functional safety professional with more than 25 years of manufacturing, operations, strategic leadership, consulting, auditing, and training experience with Fortune 500 companies such as Unilever, Reliance, IBM, and Shell.
He is a platinum member of ISACA with CISA, CISM, CRISC, CGEIT, and CDPSE certifications, and is also an Exemplar Global-certified master auditor for ISO 14001, ISO 45001, and ISO 50001. He is a lead auditor for ISO 9001, ISO 27001, ISO 20001:2018, ISO 27701:2019, Responsible Care, R2:2013 and RIOS standards, and is an IEC 62443 lead assessor and a TUV SUD-certified functional safety engineer. He currently works as an independent principal consultant and director for IT/OT cybersecurity with eDelta Consulting & CPA Services, a New York-based consulting and CPA firm. His clients include some of the best-known companies in the areas of oil and gas, chemicals and petrochemicals, pharmaceuticals, energy, utilities, banking and financial services, software and IT, telecom, health care, and life sciences.
He is a senior member of the American Institute of Chemical Engineers (AIChE) and a member of the Industrial Control Systems Joint Working Group (ICSJWG), owned by DHS/CISA, as well as an internationally recognized speaker at ISACA chapters in the United States and India. He is also a member of the adjunct faculty for cybersecurity, privacy, and sustainability for part-time and full-time MBA programs at one of the top management schools in Mumbai, India.
In this interview, we discuss sector-specific auditing, the importance of training and risk, and the proper attitude for auditors to take with auditees.
EXEMPLAR GLOBAL: How did you get started in auditing?
ASHIT DALAL: In 1996, when ISO 14001 was published, I was one of the first to be certified as a lead auditor to the standard in India. In my first audit, I led a team of three or four auditors in certifying one of the largest cement companies in the world. That was my first experience in auditing, but with my background as a chemical engineer, environmental health and safety were ingrained in my DNA. This is something that I’m very passionate about. When I moved to the United States in 2002, I saw the increasing demand for ISO 14001. Soon thereafter safety started coming in, especially with the OHSAS 18001 standard in 2007. And then there was no looking back for me, because I found all this to be very interesting and I realized I was cut out to be an auditor. By my nature as an engineer, I’m objective in my assessments and analysis. Especially when you are wearing the hat of an auditor, you must be very objective and dispassionate. The first principle of auditing, whether you do a cybersecurity audit, an environmental health and safety (EHS) audit, or a quality system audit, is to find the facts and not the faults. Many auditors, I believe, think that auditing means finding fault. My approach is very different. I go and find the facts and make sure that the auditee understands those facts. That is what I enjoy the most, because whether finding facts leads to the discovery of gaps or good processes, I always communicate with the auditee and make sure that they understand what I found and why. They value that. It’s like the old story, do you look at a glass as half-full or half-empty? I would say it’s half-full, but more than that, I want to look at how to make it fully full. And that’s what auditing is all about, and that has been my journey.
EG: That is excellent advice—find the fact not the fault. Let’s talk a little bit more about some areas that you have expertise in, like cybersecurity and data privacy. How did you begin to get into those specific areas of industry?
AD: Those seeds were first sown for me in India, where I was an IBM business partner. Network security was a big part of this work, which always interested me. Now, this was pre-Y2K, and I think people at that time never really thought about cybersecurity, per se, they just thought of network and data security at a very preliminary level. So, if you asked someone, “What is your approach to security?” they would say, “Oh, we have a firewall.” After Y2K, when I moved to the U.S., Sarbanes-Oxley came in, particularly SOX 404, bringing with it the idea of internal controls. I used some of my knowledge on the network security side and acquired my first certification in cybersecurity, as a certified information systems auditor (CISA). I already had credentials as a lead auditor to BS 7799, which was the predecessor of ISO 27001. I was already doing some work in that area, so I knew that information security was getting important—first, because of SOX 404, and second, because of increasing awareness due to some very high-profile hacks in the early 2000s. After CISA I started acquiring other certifications. I’m a platinum-level member of ISACA, one of the veterans you might say. I have contributed substantially in the areas of cybersecurity (both IT and industrial cybersecurity), governance, risk, and compliance (GRC), and data privacy. I have also done a lot of cybersecurity assessments based on ISO 27001. So, my two passions are obviously cybersecurity and EHS, including process safety, and one of the things I have done is to integrate safety and security. That’s a very novel approach, and what I’m working on nowadays.
EG: From your perspective as a professional who has trained and been trained, what would you say are some of the benefits of training? What are some of the lessons you’ve learned from training?
AD: Especially in the technology field, things change rapidly. One of the things I learned from IBM (where training is a constant process) is the importance of keeping employees well updated, whether within risk, compliance, software development, artificial intelligence, machine learning, etc. From that experience as well as some of the training I’ve received from Exemplar Global partners, I have learned to constantly motivate myself to learn new things, new technologies. Nothing can be sacrosanct because things move at lightning speed in today’s environment.
For instance, if you have done some work with ISO standards, you may want to look at industrial cybersecurity. The whole world is moving to Industry 4.0. The Industrial Internet of Things (IIoT) is becoming more paramount, so you must hone your skills in those areas, especially if you have a background in manufacturing, safety, or security. Investigate some of the new standards that are coming in, like IEC 62443 on OT and industrial control system (ICS) cybersecurity or IEC 61511 on process safety. At some point in time, everything is going to merge, as we have seen in the ISO world with Annex SL. For example, in EHS, ISO 45001 is aligned with Annex SL. The takeaway is that auditors should look at training opportunities and constantly upgrade their skills. Take courses, many of which are virtual now because of COVID-19, that are more relevant to your current areas of expertise and help you acquire additional skills. There are ample such opportunities, so you can improve your skills and network, too.
EG: Absolutely. That’s good advice as well. I’d like to turn the conversation to a topic that’s front of mind for many people, and that’s risk, which is inherent in any systematic approach to improvement. What do you think that auditors most need to know about risk when they are looking at the management systems of an auditee?
AD: That’s a great question. There is not a “right” approach or a “wrong” approach. I think one of the things auditors must know is the auditee’s industry and the position of the organization within that sector. An example would be IBM and Hewlett-Packard (HP), which are in the same industry. IBM’s risk posture, however, may be somewhat different than that of HP. When you start on the audit, be sure to get a strengths, weaknesses, opportunities, and threats (SWOT) analysis. One question I always ask is the impact of cyber risk on the organization, because cyber risk is such a generic risk now, everyone is exposed to it, whether it’s an internal attack, ransomware, malware, data privacy, etc. Map out how it’s going to affect their overall business, whether from the quality perspective, the business continuity perspective, or the EHS perspective. Then, be sure to talk to management. I have had very good conversations with the CEOs of the companies I have audited. Some companies take cyber risk for granted because they feel it should be left to IT. But this is not an IT issue—it is a business issue, and it must be on the radar of the C-suite. They should have full visibility and a handle on the organization’s cyber risk and/or data privacy risk. Mapping out the processes connected with those risks allows you to see how it is going to affect other interested parties or stakeholders, like customers or suppliers.
Risks can also come from suppliers; for example, Target was hacked because of a backdoor vulnerability and exposure from an HVAC service provider. This topic needs to be considered holistically. Obviously, you need to start with the low-hanging fruit. There may be thousands of risk aspects or issues within an organization, but I would take what is called the risk-based approach, and look at the top five or 10 risks that are most going to affect customers, suppliers, interested parties, and the organization as a whole. Taking an integrated enterprise risk management approach and asking very pointed questions to the leadership team is among the most important things an auditor should do. Don’t just look at risk as in section 6 in ISO 9001 or ISO 14001 or ISO 45001. That’s not the right way. I would map it out to section 9.3, which is management review, and section 4.0 on the context of the organization. Management needs to understand and consider how they are planning to handle enterprise risk and integrate it with the overall corporate or business strategy.
EG: Excellent. Finally, what advice would you give to somebody starting out as an auditor?
AD: The best advice I would give is to be passionate and objective. Many auditors, I think, do too much interpretation during an audit. Please read ISO 19011, which describes the characteristics, attributes, and soft skills that an auditor should have. Remember, the audit is a fact-finding mission and not a fault-finding mission. Be courteous to the auditee. If there are gaps, explain the issues. Of course, this is not a consultative process, but you can provide a proper rundown of why any major or minor gaps exist. Adopt a process-based audit approach, not a checklist-based audit approach. Do it holistically to look at the operations as well as the competence, training, and awareness of the employee doing that job. And use the risk-based approach—I think that’s the most important thing.
At the end of the day, if you can add value through your experience and knowledge, share it with the client without being a consultant. To me, all clients are the same, because I’ve audited clients like Disney on one side and a mom-and-pop shop with two or three people on the other. Everyone is important and should be treated with respect and dignity. Make sure you are using the proper audit criteria and completely understand the standard you are auditing against, as well as the internal requirements of the client, their policies and procedures, and their customer requirements. Do not venture into the compliance auditing mode, because this is a management system audit. Many auditors try to be compliance auditors, especially within EHS or cybersecurity. You are trying to look at compliance as a part of the management system as opposed to doing a hard-core compliance assessment. That’s another important piece of advice I would offer. In the end, I would summarize that auditing is a noble profession and if you cannot be objective, analytical, and dispassionate in your approach, do not venture into it.