AM&M webinar

Cybersecurity – staying resilient and driving business growth into the future

Watch the on-demand replay in which leaders from the Advanced Manufacturing and Mobility sector discuss how to protect an organization against cyber threats and build security in by design.

Topics covered include:

  • Operational technology: how to secure it, and why ransomware attacks are the main risk to your operations
  • Resilience, backup and restore: why this three-step approach matters more than ever
  • Business continuity planning: why it is increasingly vital to your company's security
  • Staying ahead of regulators: what you can do in the face of cyber threats or ransomware

This transcript was generated automatically, which may have affected the quality of some passages.

  • Transcript


    Please note that the transcript reflects the language spoken during the webcast, sometimes English, sometimes French.

    Zahid Fazal:

    Good morning or good afternoon, everyone. My name is Zahid Fazal, and I'm EY Canada's Advanced Manufacturing and Mobility Leader. Today, I have the pleasure of kicking off our Innovation Forum of the Future series. This new series will include virtual events and thought leadership tailored to your needs and the needs of today's manufacturing and mobility organizations. So, please stay tuned for more events and great content over the months to come. I know the reason many of you are here today is not because of me, but rather because you want to hear some of the great panellists who've joined us today, and I thank them in advance. We have a jam-packed agenda ahead of us and I'm looking forward to some robust discussions in the next hour or so. But before we start, just a couple of housekeeping details. Closed captioning can be accessed directly from the player controls: CC1 is for English, CC2 is for French. Please also note that you might experience some minor delays in the closed captions. And finally, at the end of the session, please take a minute to complete the survey. We really appreciate your feedback. Let's now get down to business. Today's webinar will shine a spotlight on a topic we hear a lot about, cybersecurity. According to our 2021 Global Information Security Survey, 40% of business leaders are concerned about managing cyber threats more than ever. Now we should be asking why they are concerned, and there are three main reasons. The first one, the risk itself has changed. Leaders are realizing that you cannot tackle the increase in this risk without drawing better connections between different functions within an organization. The second reason, innovation is happening everywhere. Cloud is now the foundation of emerging technology. Developers are building new code and defining the servers to house it themselves. Nearly 40% of organizations view the relationship between security and product development teams as neutral, with a low level of consultation, and this no doubt prevents security and privacy by design from taking hold. The third reason we see is that cybersecurity and privacy are invited too late to the party. Although many organizations are already looking beyond Cloud 2.0 and addressing serverless technologies and blockchain through Cloud 3.0, cyber resources remain disconnected from the planning process. Less than a quarter of Canadian organizations bring cyber and privacy in at the planning stage, and this can lead to costly ramifications, resulting in designs built without appropriate security safeguards and privacy settings. Now, all of this is a result of something unexpected that happened over the course of the pandemic. The world shifted to immediately focusing on secure remote access and connectivity. So, what does all of this mean? New and emerging cyber risks are mounting as threat actors become increasingly mature, and legacy frameworks and internal disconnects within organizations represent serious gaps that must be addressed now. So, embracing new ways of managing the risk and creating a culture change can help entrench cybersecurity in every aspect of your business. And no doubt this will help build resiliency and drive future growth. Today's panellists will share their insights on how to effectively protect your organizations from cyber threats, drive security by design, remain resilient and unlock future growth. So, without further ado, let me welcome our moderator, Nicola Vizioli, Partner and EY Canada's Cybersecurity Consulting Leader, and our three great panellists: Geneviève Bertrand, Senior Vice President, Information Technology at Kruger; Peter Elliott, Global Information Security Officer at Magna; and Stuart McDonald, Chief Information Officer at WestJet. Thank you.

    Nicola Vizioli:

    Thank you, Zahid. I appreciate the intro, and good afternoon, and good morning to those of you in western Canada. Hello everyone and welcome to our session on cybersecurity. Thank you for taking the time to attend the session on cybersecurity. Unfortunately, it is still a hot topic and something no company is really immune to. Cybersecurity is a risk that impacts every single company out there, every industry, and there is an increased focus of cybercriminal groups specifically attacking the advanced manufacturing and mobility industry. So, let's jump right into it. We'll break the ice with Geneviève. Geneviève, I'd like to ask you the first question. I know you've been very busy; over the past few years you've been in charge of a digital transformation, you're shifting to the cloud, you're starting to combine, or converge, information technology and operational technology. How has your cybersecurity evolved, and what are you doing differently today that Kruger perhaps wasn't doing in the past?

    Geneviève Bertrand:

    Nicola, thank you very much for your question. When I joined Kruger, I had the pleasure of joining Kruger in November 2017, I was coming from Desjardins, so the financial industry. At that time, my discussions with Kruger's executives went: "oh, you'll see, cybersecurity risks aren't as present in manufacturing as they are in finance." Obviously, the world has changed a great deal since then, as was said in the introduction, and the cybersecurity team at Kruger has grown. It was a team that did not officially exist when I arrived. Now, what we also realized is that, in a way, it is perhaps easier to talk about cybersecurity concepts at the information level than at the level of business application systems. The big transformation, and the big topic of conversation we had, was with our colleagues in operations and engineering, about how well we had secured operational technology. That is today's subject; manufacturing is really interesting, and it's a conversation that I think is relevant in the industry and will continue for a long time.

    Nicola Vizioli:

    And in an operational technology environment, what has changed everything for you, for Kruger, from a cyber point of view?

    Geneviève Bertrand:

    Well, the thing is, Kruger is a really broad company that touches all sorts of things. In power generation plants, we know that unfortunately those plants are a target. We also operate water treatment plants and electricity generation plants, for our own manufacturing needs and for sale. What changed for us is really the recognition of the interest of malicious people and people who want to cause chaos, and the critical impact that could have on our revenue, our profitability and the way we operate day to day.

    Nicola Vizioli:

    Ok, thank you very much. There is an increase in new technologies, and these new technologies are increasing the risks and exposure. They are often introduced very rapidly. And this, I'm sure, is concerning many of the leaders who need to manage security risks. Stuart, if I may ask you a question. From a cybersecurity and privacy perspective, these two topics are not always brought in during the planning stages of a solution's development or selection, which often means that the designs aren't built with security safeguards and default privacy settings. How can we change this approach, and how are organizations such as WestJet balancing the speed of executing an IT project with security?

    Stuart McDonald:

    I will personally thank you for having me. I'm responding in Australian, so I don't know what they will do for your closed captioning processes today, so we'll see how that goes. I think there are sort of two sides to this equation. One is you have to have a strong architectural practice where security is an equal partner. I do remember working in a prior company where the [INAUDIBLE] generic response was, that's it, we're going to shut everything down. And that for me was more of a, you know, a failure of governance and really sort of the cyber practice itself in terms of working out how to influence and build itself into the fabric of the organization. Because when it comes to security, 80 to 90% of the workloads and use cases should be standard. They're not unique. They're not bespoke. And so, you have to make sure that you have an architectural practice that has teeth. And so here at WestJet, we do have a dedicated architectural team, with architectural governance that sits behind it, which I actually also attend just to make sure that everybody understands the importance of architecture-driven transformation of an organization. And then I think the second side of that is education on risk, whether it's operational risk, being a safety-first company as we are, I can easily translate something as simple as ransomware taking over our operational control center, which directly controls our aircraft. And so, it's about turning these ethereal risks into things that are very tangible for the organization, or more specifically, given we also fly into Europe, with regards to GDPR, education around the risks of fines. The implication associated with a breach under GDPR is 4% of your revenue. So, when you're talking to the commercial teams about how quickly they want to go, you can very easily erode new revenue opportunities with a multimillion-dollar or hundreds-of-millions-of-dollars fine, as we've seen some of our industry partners have already gone through. So, I think both of those have to go hand in hand: the educational side, from the board level all the way through the operational sides of the teams, and making sure that you enforce that with teeth through the architectural practice itself.

    Nicola Vizioli:

    Ok. I see that you embed security in everything that you do, so the security-by-design concept, would that be considered a good practice at WestJet and a practice that's commonly used during your development lifecycles and IT projects?

    Stuart McDonald:

    I'd like to say it was always the case for our 25 years of history, but that would probably not be completely true. So, I think there is always a catch-up that goes with that. There's remediation and legacy debt that you've built over a period of time. And you know, the first couple of years, even when I was at WestJet, it was dealing with some of those enterprise debt problems that we had and building the awareness of security, but everything going forward is now built in. Does it mean we have every pattern established? No. But it still means that we can use the architectural groups themselves to build those patterns as we move forward. So, over time, we should start to get faster and faster as we put new solutions in.

    Nicola Vizioli:

    All right, thank you. Thank you for sharing that insight. Peter, let's bring you into the conversation now. And I want to pick your brain a little bit as a Chief Information Security Officer for a global company like Magna. What would you consider to be the biggest risk for an organization like yours, from a cybersecurity perspective, obviously?

    Peter Elliot:

    Well, again, yeah, thank you for having me, and great to be here with some of my colleagues in other industries. Yeah, they are numerous, right? So, there are a few that I can think of right off the top of my head. So, it was touched on in the intro here. I mean, the threats continue to escalate, and I mean, just to pull at that thread a little bit, the advent of ransomware as a service and the reduced, you know, sort of barrier to entry to be able to monetize attacks is really something that I think drives a lot of the sort of risk that we see out there, particularly in cyber. But along with that comes, and I think everyone, you know, feels this as of late, the challenge in finding and retaining talent. It's really become a challenge. The combination of the escalating threats and, you know, the scarcity of talented cybersecurity professionals are two of the big challenges. With Magna specifically, and I mean, probably not the only company that has a model like this, Magna also has, and is fiercely proud of, its decentralized or federated operating model. And what's happened over time is we've realized that it's impossible to defend an organization that approaches cybersecurity in a decentralized manner. You know, information is key. Being able to know your assets, being able to know what's going on in your environment is key to defending it. But I mean, and again, these are very common themes, right? Supply chain and digitization are, for a company like Magna that is a Tier One automotive supplier, which means that we supply products directly to the auto manufacturers, a massive supply chain; the scope is just enormous. Throw into that sensors and production environments, I mean, everything has an IP address on it now. It's just a very, very large sort of attack surface. So, you know, without sounding negative in answering your question, I mean, how do you address it? Well, it all comes down to prioritization, right? Understanding what those threats are, prioritizing them in terms of likelihood. And then, you know, implementing programs in order to address those at a reasonable risk tolerance level.

    Nicola Vizioli:

    Ok, thank you for that. And one of the key things I'm seeing when talking to different CEOs is really that talent shortage out there. What are some of the steps that you've been taking to attract and, mostly, retain the good cyber practitioners out there?

    Peter Elliot:

    Right. So, we've taken sort of a multi-faceted approach at Magna. So, definitely staff augmentation and leveraging managed security service providers is part of that. You know, the team that we have internally, obviously, we try to retain that talent as much as we can. But also, you know, again, I think it's really important to try and bring in new talent, right? I mean, we're all competing for the same very scarce resources, and we need to bring more resources into the pool, so to speak. So, you know, investing in training, you know, new graduates is also sort of key to that. So, I think it's multi-faceted. I don't think there's really one answer to that question.

    Nicola Vizioli:

    Okay. And you really laid out some good reasons why a lot of people in the industry are of the opinion that 'it's not if we will get breached, but when'. On that basis, Geneviève, I'd like to ask you a question. In the event of a cyber incident, what measures have you put in place to prepare your company?

    Geneviève Bertrand:

    It's a short question, but perhaps a somewhat more complex answer. The first thing, which recalls concepts Peter talked about, is to have a structured, standardized model of which hardware we want to deploy and how we're going to do it. At Kruger we are fortunate to still be launching new plants, as was done in the last eighteen (18) months in Cherbourg. And there, we can make sure it's done right, so that's one way of protecting ourselves. That's the first thing. We have also deployed a managed detection service. You need to know, and to have artificial intelligence that is always watching all our endpoints and asking, "is something happening?", so that our great resources, who are hard to retain as Peter said, can sleep at night. The second thing I would say is obviously the annual disaster recovery practice procedures. In plain French: "disaster recovery." And now, what we are doing is really building a partnership with the business units to say which applications are critical, with what tolerance to bring them back, in what order to bring them back, and to practice that. Very specifically at our operational sites, we are also centralizing servers, so we become more efficient in recovery. The third thing I would say is, with our executives, like many other people, to carry out an annual review of the emergency plan every year. What I call it, with people from all the sites, is like the "fire alarm," the fire drill. Everyone does it, in hotels, at home; we have to do the same thing and have the same discipline in cybersecurity. Something new we offered with great pleasure in December at Kruger is a dedicated three-hour meeting with all of our operational engineering groups, and we ran a simulation with them. We got to see the whole thing, the beauty of their brains saying: "Ah, what do we need to do for the water treatment plan, what do we need to do for the boiler?" Obviously in manufacturing, we operate machines that can't necessarily just be stopped like that, and we have to start thinking critically about resilience and business continuity. What is everyone's role? Because unfortunately, last year in Florida with the water treatment plants, things like that, unfortunately I think Nicola you said it, it was just one endpoint that was attacked. And the last thing I would say, because I said four, I can still count, is to improve the conversation with our engineering and operations colleagues, and we're going to work on that, formalize our IT procedures and the routines to restore backups, data backup, but also what needs to be done day to day to ensure the security not only of data but of employees.

    Nicola Vizioli:

    Thank you, Geneviève. Those are very good points. I think this highlights the importance of not only investing in prevention but, if I heard you right, also having a response plan. And one of the key things I'm taking away from your responses is really preparing your executives to be ready in the event they need to manage a cyber incident. Stuart, this question is for you. Have you seen a change at the executive level and board level when it comes to cybersecurity over the past few years?

    Stuart McDonald:

    You know, I used to believe that the best way of getting a board member to explore new concepts was to put an article in an in-flight magazine. So, I think we've certainly moved on from that. I think the interesting thing in regards to COVID is it's actually given boards the experience of dealing with a biochemical type of crisis that dramatically affects the supply chain. So, I think the same pattern applies whether it's ransomware or other. So, I actually think boards have become better educated in potential cyber events as a result of that. And I have seen, even within our board, we've moved, even in my tenure, from twice-a-year updates to meet our auditing requirements through to a standing agenda item at every board meeting. So, I think that has shifted. You know, I do get correspondence from our board members asking about things like Log4j. Now, I don't think they understood what Log4j was, but they knew enough to ask me the question that went with it. And so I am seeing that awareness is definitely there now. The ramifications though, and the impact, I think we still can do a lot more on. And it's important also to put it back in a context they can understand. And I saw an interesting data point the other day that said, you know, cyber events, whether it's criminal activities or impact to operations, measured by GDP, is now the third-largest country in the world after the USA and China. And so I think when you're sort of giving board members those kinds of metrics, it shows them the size and scale of the problem we're trying to deal with, so that when we're out looking for additional incremental funding to improve defences or other, there's a bit more context around it. This is not just a trust-me conversation. This threat landscape is expanding dramatically and exponentially in terms of its pace as well. So, I think we are seeing that conversation happen, and the fact that for us it is a standing board agenda item right now means it is top of mind.

    Nicola Vizioli:

    And Stuart, you mentioned metrics. Do you find that your board members and your executives are asking for more and more metrics?

    Stuart McDonald:

    They're looking at it more from commercial impact. So, when you're looking at whether it's a ransomware event that affects the utility companies, and clearly cybersecurity insurance premiums, if you have insurance premiums associated with it, they're interested in terms of the impact on the business on that side of things. So, I think that's more the line they're questioning, as opposed to specific cyber metrics in terms of what is the rate of email that gets through without being trapped on the way through your perimeter defences, so they're not caught up in the mechanics of the technology itself. It's more just the commercial parts of the business.

    Nicola Vizioli:

    It's very interesting to me to see a change at the most executive levels, but I also wanted to touch upon it more from a seasonal perspective. So, my next question will be for Peter. In a recent survey that we carried out, we see that two-thirds of Chief Information Security Officers say that executive management wouldn't describe cybersecurity as commercially minded, meaning we're investing a lot of money in cybersecurity, often increasing the budget year over year, but not always seeing the return on investment. So, Peter, what can we do to change this perspective?

    Peter Elliot:

    Yeah, that's an excellent question. Yeah, and interesting to hear that result. So, from my perspective, I'm actually seeing this slowly start to change. I guess I'll use the word organically. We just went through our cyber insurance renewal at Magna recently, and I'm sure others that have gone through this process can attest to this. I mean, premiums are going up, doubling, tripling in some cases. Coverage is being reduced. There are more and more exclusions in these policies. So, you know, where some companies may before have sort of fallen back on, 'Oh, we've got cyber insurance, so we're covered if something happens', that's not the case anymore. And increasingly, I think companies are going to realize they essentially are going to have to self-insure. So, I think that's one aspect. The other thing is, you know, customers are getting more savvy. In our case, it's the automotive manufacturer. Before, very generic questions: do you have a process in place? Now, they want to know specifics about how you manage risk, how you're addressing it, sometimes even asking questions about what type of tooling you're using. So, I think those are, you know, organically, that's changing. But your question is what can we do, I guess, as security professionals? Well, a couple of things come to mind, and I mean, Stuart touched on a couple of those things. I think focusing on company reputation, right? There's a stigma. Something bad happens at your company. It ends up in the press. Even if it was a non-event, you know, your company name appearing in a headline along with the word ransomware can have real implications for your brand. So, I think there's increasing recognition of that. And you know, what I see, sort of what I see from a compliance standpoint, what comes from our customers is that, you know, increasingly, I think you can start to use this as a differentiator. Magna is not the only parts supplier out there, and particularly in North America, it's quite a competitive business. So, you know, I see a shift potentially coming where our sales organization can say, you know, our business units have certification X or X standard, and they can really use that as a sales argument, you know, therefore turning on its head this survey result that you got, where people don't really see this as a commercially minded area, or see it as a cost center, for lack of a better term.

    Nicola Vizioli:

    Thank you, Peter. I heard the words pandemic and COVID once or twice, I believe from Stuart, so I'm just going to, it wouldn't be fair if we didn't touch upon COVID a little bit, as COVID is still driving a lot of changes, a lot of technology changes, and accelerating a lot of the digital transformations, which is opening up the door to cybersecurity risk. So, my next question is for you, Geneviève. How has the COVID pandemic changed your perspective on cybersecurity risks?

    Geneviève Bertrand:

    Obviously, it greatly expanded the footprint, because for us two things happened at the same time. The pandemic sent people to work from home, and we did not have many, fewer than five hundred (500) people at Kruger working from home. That's the first thing; it was a revolution to provide the tools and to be able to keep operating securely. Then, what we looked at, which kept evolving with the unfortunate persistence of working from home, is that people were no longer working from home, they were working from their cottages, from other environments. So we started getting closer to our employees and trying to explain the standards: how you should equip yourself at home, how you should connect securely, and who can hear what you're discussing. So we continue into the next wave with much more training, more awareness. In Canada, we know that all the privacy laws are going to change this fall; what does that mean for our employees day to day, and then working more closely with them to inform and secure.

    Nicola Vizioli:

    Do you find that the human aspect has changed, that you had to step in with certain employees and give them certain advice? Has the Big Brother effect had an impact on Kruger employees?

    Geneviève Bertrand:

    We really see it in two ways. I think that, as leaders and executives, we need more or less to create certain zones. Before, you had at least five (5) minutes before a meeting to walk over and say hello to someone. We need to create zones; culturally it's a change where we'll have to get involved and support people, because COVID will have changed us profoundly. Even, as Peter was saying earlier about recruiting talent, even in that area it will have changed us. There are people who absolutely no longer want to work outside the home, and there are others who are crying for help because they want to see people and they want to collaborate. COVID will have profoundly changed workers, men, women, the generations to come, and the habits of securing data and business processes for people in information technology.

    Nicola Vizioli:

    Thank you very much. This opens the door to asking some questions around privacy; as Geneviève mentioned in French, COVID-19 did bring up a lot of privacy questions, both from a company perspective but also from an employee perspective. But I wanted to touch on privacy more from a consumer-facing perspective. Stuart, the next question will be for you, as out of the three panellists, I believe you're the most client-facing one and in the most regulated industry as well. So, how has WestJet adapted to the new normality of collecting even more data than you were previously collecting, and more specifically health data from your passengers and perhaps even employees?

    Stuart McDonald:

    This is a topic that's near and dear to my heart. I've spent the last two years negotiating with the government of Canada, between Transport Canada, CBSA, Public Health, IRCC, airport authorities and even, I would use the word cautiously, our partners over at Air Canada, in defining the QR codes that everybody now has, so that the QR code implementation that's Canada-wide is a result of basically what was an initiative driven from the aviation side. Because we are so heavily regulated, the key focus for us was we needed a way to enforce the random policies of the day. I do believe that we are a free outsourced [INAUDIBLE] for the Canadian government at this point in time for the whims of the moment. However, we needed a way that we could programmatically validate information so that we could still board aircraft. If we had to do things manually, no airport in this country would work, and a lot of the policies that have been asked of us basically would destroy the industry completely. Even though the government has done a reasonable job at trying that in the first place, I think we're slowly improving from that one. But part of the design of those QR codes is we don't want your health information. We're not a health care provider. We don't want to be a health care provider. And I took that very strong position with government from day one, that we don't want to be collecting information. So, what we are doing at that point is validation of those codes; we do have all the credentials so that we can check that they are digitally signed. So, we had that relationship with government. There are two sides to the QR codes, reading them and validating them in terms of whether they are a true and valid record. So, we are doing both of those, and we are looking at the vaccination records themselves to make sure it's a known vaccine. It's within certain [INAUDIBLE]. You've got two doses, or three as it may soon be as well, but that just translates into a simple flag on our tickets that says you're OK to fly. And so, that's the only record we keep, is you're OK to fly, and we do that already. If you're on a no-fly list, if you've been on a special charter plane running down to Cancun and having lots of fun disobeying Transport Canada rules, you may be on that list. But at the end of the day, we don't know why you are or are not okay to fly, we just know that you're okay to fly, and that's really the piece that we hang onto as a result of that. And that's why also when it comes to the PCR testing, we are the only country in the world that requires PCR testing before you get on our plane and when you get off our plane when you're coming into the country. If you can imagine being in downtown Toronto, getting on the GO train, testing once and then testing as you get off the GO train again, you know, that is what has been asked of us. We're careful, again, not to capture any of that information. And then sort of the last piece of it, where we have been forced into capturing some health care information, is being a federally regulated company. All of our employees have to be vaccinated, so we have to capture that information that they have been vaccinated. And then equally, as I'm in the office today, I did my antigen test, and I do my antigen testing every single day. I have a whole antigen testing platform that we implemented to support this process as well, and that is segregated from every other system that we have. Because again, I want to keep my regulatory landscape small for, hopefully, something that I can throw away at the end of this process.

    Nicola Vizioli:

    Thank you for that, but I still want to double click on the privacy subject because, speaking to many different CIOs and CEOs, and also in a security survey that we did not too long ago, many leaders expect regulations to become increasingly demanding in Canada, but also in the rest of the world, whether that be cybersecurity regulations or privacy regulatory requirements. How is WestJet, or how did WestJet, prepare for this? Because I do believe your industry is a little bit, or even a lot, more advanced than other types of industries from a regulatory perspective. But how do you manage to respond to more and more regulatory requirements? We see in Quebec the introduction of Law 64. We're seeing it in the rest of Canada, GDPR in Europe. So, we're seeing a lot more demand. So, what advice would you have for some of the audience who perhaps are not as advanced as WestJet would be?

    Stuart McDonald:

    So, we have things we have stood up. I have a dedicated data governance department, which is separate from my dedicated privacy, risk and compliance department, because they are two different things and a different lens goes with that. So, you have to have a group that sits outside interpreting those regulations. We are GDPR compliant because of the nature of where we fly as well. So, we see the Quebec regulations as just more of an extension of the GDPR regulations, as they said. And personally, I'm big on privacy first. I don't believe in holding onto the data. We're having some interesting debates right now in regards to credit card data, in terms of what you would do or not do with it. So, there is an ethical piece that goes with that as well. And so, we actually have a board session coming up around the ethical use of data beyond the privacy pieces themselves, because just because you can use it doesn't necessarily mean you want to use it. And so, I think it's really making sure that you look at the lenses from the ethics that serve the privacy itself and then the compliance that goes with that and how you want to enforce it. And then GDPR at the end of the day has some interesting things that come as a result of the right to be forgotten. And so, the right to be forgotten does create technical considerations. So, if someone's read an in-flight magazine and thinks that blockchain's the next big thing, the ability to be forgotten from a blockchain perspective doesn't exist. So, that rules that out as a solution for something. And so, you need to sort of think those things through. And then clearly, can you track where all the data is, every backup that you've ever made? Most likely not. So, there is a reasonableness piece that is part of the assessments of GDPR. So, it's also working closely with your legal team to understand what position you want to take in regards to the regulations themselves. 
Because 4% of revenue is a lot of money at the end of the day if you're going to be fined. And it's not just the 4% of revenue; if you look at the data breach that British Airways had on the credit card data, they were able to negotiate down the GDPR fine, but they're still dealing with a billion-dollar class action as a result of it.

    Nicola Vizioli:

    Yeah, that's a good point, because often with privacy, we see that it's not only the regulatory fines but there's also the other aspect of the commercial penalties that you may face with lawsuits and whatnot. Thank you for sharing that. Peter, I wanted to ask you a question as a Chief Information Security Officer, to kind of get your opinion as to where the industry is going. What do you foresee as an investment over the next couple of years from a cybersecurity perspective?

    Peter Elliot:

    Well, I mean, in terms of, so Magna, again, a tier one automotive supplier, manufacturing is core to our business and frankly where we generate our revenue. And I know from my colleagues, both at the OEMs and other manufacturers, and it happens to be our single biggest investment and multi-year project that we've just kicked off now, is to really address the expansion in factory digitization. So, there's, you know, an increasing and obvious need, in order to optimize processes, to get data from operational technology environments. And, you know, with increasing business areas, and we've probably heard all these buzzwords around autonomous driving and technology that Magna is developing in conjunction with the OEMs, it really is sort of challenging us from our cyber risk posture, right? We've spent a lot of time and energy over the last several years bolstering our defences and our controls in the IT area. The OT area is definitely a gap that we have. I mean, we've got policies and standards and everything in place, but as I had mentioned before, our decentralized operating model has led to some gaps there. And you know, I did not get paid by EY to say this, but we did engage EY last year to do kind of an independent assessment, and we found some gaps at some of our production facilities. So, a big challenge and an area of investment that I see that manufacturing companies like Magna have to invest in is tighter controls in those operational technology environments and really addressing the convergence that's going on between IT and OT environments. And that's really more than technology, right? This is a people, process and technology challenge. I know in a lot of our facilities you may have IT staff, you've got controls engineers or what you would call operational technology staff. They don't always work together. They have sort of different drivers, right? 
So, on the IT side, you're managing data and applications and systems; on the OT side, I mean, it's uptime, everything. We have to be pumping widgets out the door at the right quality to our customer in order to deliver on our commitments. And this is a real challenge. So, for those here that are aware of how operational technology systems work, I mean, they certainly weren't, especially the legacy systems were not, designed with security in mind. They were designed to be open. And as you can imagine, I mentioned a little bit earlier about the changing threat landscape. I mean, if you are a threat actor and you want to hold a company hostage to pay you, what better way than to completely impede their production. So, this is something that has been on, you know, industry notifications for the better part of the last couple of years, that threat actors are shifting over to verticals like manufacturing because they know the incentive to pay is incredibly high, right? So, in our industry, that is an area that I see is going to be an increasing focus. And I know it is an increasing focus because our customers are demanding to understand what our controls are for this particular risk.

    Nicola Vizioli:

    And I just wanted to touch one last question for you, Peter, and this is something that was brought up by Geneviève earlier in the conversation. But how important is it to invest in resilience and having a strong business continuity plan for a company such as yours?

    Peter Elliot:

    It's critical, right? I mean, it's been, you know, talked about or mentioned a couple of times here. It's not a question of 'if', it's a question of 'when' you're going to have an incident. So, you know, you put these protections in place, you put the best sort of monitoring and threat intelligence around it. At the end of the day, controls fail, often because, at the end of the day, a person has done the wrong thing, whether it's configuring the technology or clicking the link or these types of things. So you can put the best controls in place; eventually, you're going to have an incident. And that's where you have those incident response plans, those crisis management plans, your business continuity plan, all these things in place so that you can respond to an incident quickly and effectively and ultimately mitigate the damage that is done to your business and to your organization.

    Nicola Vizioli:

    All right. Thank you, Peter. And before we open it up to questions from the virtual audience, and we have been collecting some during the session, I had one final question for all the participants. I'll ask it in English. What do you consider your biggest challenge in 2022 when it comes to cybersecurity? So, Geneviève, I'll start with you. What do you consider your biggest challenge in 2022 from a cybersecurity standpoint?

    Geneviève Bertrand:

    I'll limit myself to three things. The first is really attracting and retaining talent, but talent across varied teams: the teams of Kruger employees, our contractual partners and the agencies. Definitely, also within the talent question, it's really raising awareness of what cybersecurity is for all Kruger employees, because everyone has a duty to protect the company. That's the first thing. The second thing is the risk/reward balance, the balance of how much investment, how many dollars you have to spend to protect yourself, and what it's going to bring you. Stuart was talking earlier about patching; one of our big partners will deploy the patch, but to deploy the patch you have to stop the machine. Peter talked about that earlier. How much patience do you have to patch a critical vulnerability versus the cost to the business of stopping operations? That discussion Peter was talking about is really very active. The third thing is business continuity programs, clearly what I discussed: what is each person's role, the role of monitoring, the role of the anti-cyber team, the role of the sysadmins, and the role of the day-to-day operators. I'm making people smile; I'll put myself back on mute.

    Nicola Vizioli:

    As usual, you overdeliver because I asked for one and you give me four, or three or four. So, you overdeliver as usual, Geneviève. Same question to Peter this time. What would you say is your biggest challenge for 2022?

    Peter Elliot:

    Well, I guess I sort of answered it a little bit in the previous question. I mean, that's going to be one of our big focus areas. But yeah, I guess taking a step back from that project, it's bringing the various departments together that don't normally work together to address that particular challenge, right? Because I kind of already touched on that. Getting operational technology and information technology, IT and OT people, to work together to solve some of these problems. Something that they're not necessarily always used to doing. But again, the broader supply chain risk; I mean, I'm increasingly involved with our supply chain risk organization, which I think, like a lot of companies, still has that kind of traditional view on supply chain risk, which is, OK, is that supplier going to be here in six months? Are they financially viable? You know, these sorts of traditional risks associated with some of your suppliers. I mean, again, I mentioned the ransomware topic a couple of times, but that can stop one of your suppliers being able to supply you as easily as, you know, them not being here in six months because it's a poorly run business. So, I guess really, I see cyber more or less playing a role in functions where it didn't before, being able to articulate it in a way that these people can understand and then work together to address these risks. I mean, that's sort of an overarching challenge that I see in the coming year, just because of the convergence that I see happening across these different areas.

    Nicola Vizioli:

    Thank you very much. Stuart, same question. Biggest challenge?

    Stuart McDonald:

    Well, I think we're one of those fun industries where we're affected by volcanoes, snow, heat, rain, wind, fog, pandemics, and political instability as well. So, I think, you know, one of the things we really haven't talked about today is the implications in regards to sort of the emerging political threats in Ukraine, which is one, and the Olympics in China, which is two. As the old song 'Stuck in the Middle with You' says, 'Clowns to the left of me, jokers to the right, here I am, stuck in the middle with you.' We are seeing a risk on critical infrastructure across the world, but definitely against those that are deemed against either of those particular causes. So, I think that is something that is top of mind for us, which leads us back into the quest for talent. Making sure you have the right people. And our business is a little bit different. You know, we have all the traditional cyber threats, but we also have a perspective from an aviation and avionics view because we have a lot of infrastructure that we actually build and put on the aircraft. So, there's different things that we have to manage and support there. And then equally, for the 140-odd locations we fly to around the world, I have no control of any of those locations or the third parties that operate those locations as well. So, we have a unique threat landscape, where I can't control traditional endpoints or any of the things that people would be looking at to manage what's happening there as well. So, I think for us, it's still going to be the talent topic, getting the right people in, and technology in the cyberspace is shifting quite dramatically as well. So, the days of just looking at a screen and an old SOC are gone. So, the people you're looking for are quite different from the traditional sort of cyber groups you had in the past as well.

    Nicola Vizioli:

    Perfect. We'll open it up for a few questions from the audience, and there's quite a bit of them. So, the question and answer triggered a lot of questions and I'll start with you, Peter. One of the questions that came in from one of the audience members: with many of our services on the cloud and other service providers, what is their responsibility and how can we make sure they are taking actions to counter these types of threats?

    Peter Elliot:

    Yeah, excellent question. And it's definitely an ongoing continuous improvement area that we have. So, yeah, that's been a challenge. I think it was mentioned in one of the previous answers about making sure security is considered from the beginning of a project, and not coming in towards the end or after the project has already been completed. Vetting those cloud providers, right? I mean, jeez, if I had a dollar for each time someone told me that, oh, we're fine from a security perspective because it's on Microsoft Azure, or it's on AWS, right? Well, OK, they've ensured that their own backend infrastructure is secure, but if you've got some third party provider that sits on top of Azure or AWS, which is very often how a lot of these solution providers are delivering their services these days, you don't have anything showing that they've done their due diligence and made sure that the data you're entrusting them with is secure. So, vetting these providers properly, and there's a number of certifications out there you can use. You can ask them if they've got a SOC 2 Type 2 certification, for example. There are several ways of doing this right, to audit. But yeah, at the end of the day, that supplier you are entrusting with your information, and the only entity that's really responsible for ensuring that information is protected is you. So, you need to ask the right questions. They need to have adequate certifications in place. And you know, we have these discussions with our business units on a regular basis, right? They want a quick, cheap and dirty solution. Well, it's those quick, cheap and dirty solutions that very often end up with your data being publicly disclosed. So yeah, you have to be diligent on those.

    Nicola Vizioli:

    Thank you. The next question, I think I'm going to address it to Geneviève because I think this is something you experienced. But what advice would you give a company that's under-investing in cybersecurity and that needs to beef up their security? What advice would you give a company that isn't investing enough in cybersecurity, Geneviève?

    Geneviève Bertrand:

    The first key, the first line of defence, is your employees. Invest in training and employee awareness because, I think it was Peter who said it earlier, you're never safe from someone who will click on a link and get phished. First, invest in employees. Second, have the conversation with the business units to see what their biggest risk is, where it's going to hurt them. Then set up a program in stages with the means you have. Unfortunately, cybersecurity is handled like every other business problem: you have to eat the elephant one bite at a time.

    Nicola Vizioli:

    Thank you, Geneviève. Stuart, one question for you, with your involvement with the government: what should be the actions our governments execute to try to curb these threats? Should the government have an active role in it?

    Stuart McDonald:

    I mean, the government is active, and we do have a lot of briefings with the government in regards to emerging threats, and we also have separate ones within the industry itself and sharing of threats and attacks that are going on there. So, they are actively at the table. I think it was interesting if you looked at the report that came out last week from the government around the potential for escalation around critical infrastructure; it was actually last week flagged as low. And then you saw on the weekend it wasn't very low at all. So, I do think that the velocity of those is happening a lot faster than we anticipate. You know, I was speaking to the [INAUDIBLE] of the government, the Treasury for the Government of Canada, Catherine Luelo, who actually used to be over at Air Canada before. She was informing me that the IT budget for the government is $8 billion. And a lot of that, interestingly, some of their future focus is on sovereign identity and things like that, in ways of sort of protecting identity for all Canadian citizens and permanent residents. So, there's some long-term things the government is focusing on, but definitely, in the short term, they're very much actively working with us at the table.

    Nicola Vizioli:

    Ok, thank you for that. And Peter, one last question for you. You mentioned earlier in the conversation that some of your clients that are buying your products are asking more and more questions around cybersecurity. Are they also asking how resilient you would be with your supply chain in the event of a cyber incident? And what steps can a company in the advanced manufacturing industry take to make sure that they're resilient from a supply chain perspective?

    Peter Elliot:

    Yeah. I think, well, even beyond automotive, this whole supply chain topic is really at the forefront in general, right? But yeah, I know that several of our OEMs are looking at, for the first time really, how to map that supply chain out, right? I mean, they know who supplies them directly, a company like Magna, who is an automotive tier one. Historically, they've been less concerned about the tier two, the tier three, the tier four suppliers. And if anything has changed that, it's this chip shortage which has been plaguing automotive since the pandemic came in. You know, if you think about a supply chain, so we supply one of the automakers; when it comes to chips, Magna has, I don't know, I'm just throwing out numbers, 10, 15 different chip suppliers that we deal with. But at the end of the day, at the bottom of the supply chain, it's the same three or four factories that are producing those chips, right? So, this is one of these things that the OEMs are now hypersensitive to. I know they're mapping it out. And of course, cyber is a component there too, right? Because again, a pandemic is one thing, still a fire at one of those facilities, or a cyber incident at one of those facilities, it doesn't really matter; at the end of the day, any of those incidents can cause a ripple effect through the supply chain. And I know there's going to be a lot of work in this area. As I said, we correspond quite a bit with our supplier risk group. And I know this is coming, that the automakers are really looking to map that out to the nth degree, right down to where that chip comes from. So, a lot of focus in this area, whether companies are managing this well now or they're going to be forced to by the companies that they supply.

    Nicola Vizioli:

    One last question before some closing remarks. Geneviève, one of the questions we received is: how do you compensate for the lack of talent on the market?

    Geneviève Bertrand:

    That's an excellent question. What we really looked at is the whole of the work we do and the concept of Taylorism. We keep the cyber expertise work for those teams; everything that is coordination, translation, integration, we give to people who also have talent but don't have the specific cybersecurity talent. We even looked within our sysadmins, our network people, really to say we'll go get the cyber expertise and ask those people to do exclusively that and be supported by people who have other skills. That's the best answer I can give you, Nicola, at this point.

    Nicola Vizioli:

    Thank you, it's very appreciated. We're going to end it here, there are three minutes left and I wanted to take a moment to sincerely thank our three panellists, Geneviève, Stuart and Peter. Thank you very much for carving out time for this event. Your insight as leaders across Canada is very valuable, and I'm sure everybody in the audience learned something. Unfortunately, these virtual conferences don't allow me to interact much with the audience. So, we do have a bunch of questions and I'll try to get back to everyone in a written fashion. Hopefully, I can do so. But if there's anything, please feel free to reach out to either Zahid or myself. More than happy to jump on a call. Just a quick reminder, some housekeeping stuff for the audience. You should see a link at the bottom, at least I'm told so; it takes a few seconds to complete and would be very much appreciated. It gives us an opportunity to improve the overall experience. And on this, once again, I'd like to thank our panellists and hope to see you all very soon.

    Geneviève Bertrand:

    Thank you for the opportunity, goodbye.

    Stuart McDonald:

    Thank you for having me.

    Nicola Vizioli:

    Bye, everyone.

Moderator

  • Nicola Vizioli, Partner, Cybersecurity Consulting, EY Canada

Panellists

  • Geneviève Bertrand, Senior Vice President Information Technology, Kruger
  • Peter Elliot, Global Information Security Officer, Magna
  • Stuart McDonald, Chief Information Officer, WestJet