Dan Swanson has more than thirty-five years of experience in Internal Audit, Information Security, Information Systems, Management Consulting, and Project Management. Dan has an extensive background in the financial services, healthcare and transportation sectors, as well as significant experience in auditing at all levels of government (federal, provincial, and municipal). Over a thirty-five-year period, Dan has completed audit and security related projects for more than thirty organizations, including: Investors Group, Canadian Air Force, World Bank, City of Winnipeg, Red River College, Royal Canadian Mounted Police, Manitoba Government Services, Manitoba Family Services, Manitoba Health, Manitoba eHealth, Manitoba Lotteries, Via Rail Canada, University of Manitoba, Western Economic Diversification, National Research Council of Canada, and Farm Credit Corporation.
Christopher P. Skroupa: To what extent do you see boards integrating cyber security oversight into board room agendas and making it a priority?
Dan Swanson: Risk management is a long-term trend; it has been extended into IT Risk Management, and now into Cyber Risk Management. I believe it’s making its way onto the agendas, albeit perhaps to the audit committee agenda as opposed to the full board agenda. It certainly is an increased priority from the audit committee perspective, from my experience. A regular discussion of organizational resiliency protocol and the investments that are being put into place improve our cyber response capability and other resiliency efforts.
Skroupa: Can you describe the costs associated with poor cyber security protocol in terms of competition, reputational, and litigation risks — what are their factors?
Swanson: Poor protocols are no longer accepted by customers, by regulators, by boards, or by senior management. There is a general consensus that investment requirements should be considered from a security perspective. It is very difficult to identify or forecast the costs involved, since it impacts the reputation in the short term. Target has some fairly massive numbers, maybe not on the percentage of sales, but from a legal cost and management distraction to the core competency of a successful business. Long-term competitiveness requires investing in good security practice and improving resiliency and reliability of operations. These security protocols are a cost of doing business.
Skroupa: What do you see as the company’s role in regard to cyber security oversight/ management? Is there a gap in capability?
Swanson: I think this question is the crux of the whole issue. Most organizations have different environments, business priorities, and business challenges. Cyber security oversight and management focuses need to be specific. Cyber security is multi-faceted and multi-disciplined as far as high performing. The company’s role can be categorized into the board level, the executive management, the senior management, and the accompanying security/compliance functions. Each level has a major role in cyber security. Long-term resilience depends on a robust capability. Short-term analysis requires a definitive strategy: where you are today, and where you want to go over the next 2-3 years. Program leadership and capabilities need to align their goals as well. Use projects to address some of your key gaps or key opportunities. Build to the long term. Overall, we try to extend the Enterprise Risk Management capability and cyber security as an opportunity to take our performance to another level.
Skroupa: Can you summarize the key challenges that companies face in terms of the current approaches to cyber security issues?
Swanson: The moving target of what is acceptable practice over the long term is the current challenging issue. Accepted practice standards are growing and dynamically changing. Technology is improving all the time. An industry investment into new capabilities and technologies can address some of these emerging threats. However, this is not only a technology issue, but rather a business issue. Unwavering executive support is certainly required. The agendas at the board and executive level are packed solid, and it’s a matter of available time to add another element. Implementing these capabilities also takes time and money. This is a cost of doing business. It’s an ongoing periodic oversight, update, and explanation of technology’s potential. Your ISO, risk manager, and compliance program all have to contribute to the solution of improving cyber capabilities.
Skroupa: What is the role of governance and innovation in managing cyber security threats/data breaches? To what extent will innovation help governance become more effective when it comes to cyber risk?
Swanson: The board’s interest in governance conveys a message to the organization. Critical awareness increases when the board adds cyber risk and cyber/IT investment to their agenda on a regular basis. Cyber is a sustainment issue for the organization, and therefore a fundamental board issue. Conveying cyber as being a sustainment issue provides massive support to the executive team. Enterprise Risk Management needs to consider disruptions and mitigate risk, and cyber is just one aspect. Innovation contributes to the solution. Investments in new technologies and practices permit organizations to be more secure. You cannot just chase the next silver bullet. It’s a long-term investment in capabilities, and a continual monitoring of what innovative practices have come out. Part of that leads to a concluding suggestion, in the sense of conferences and workshops. The landscape is changing rapidly in this space. Hearing about new practices, in a neutral environment that is not sales focused, is a very valuable technique.