Canadian Information Processing Society (CIPS)



Dave Roath: Leader PwC U.S. IT Risk & Security Assurance Practice

This week, Stephen Ibaraki has an exclusive interview with Dave Roath.

Dave RoathDave is a Risk Assurance Partner that leads the PwC U.S. IT Risk & Security Assurance practice. He resides in New York, NY. Dave has more than 20 years of experience in Business Process and IT risk, IT security, IT audit and compliance/regulatory readiness. Dave has a strong background in delivering IT Risk Management and Information Security Assurance, Privacy, Data Protection, Third Party Assurance, Advisory, and Internal Audit engagements.

Dave has led global teams and significant engagements on IT, Security, Business, Regulatory, and Audit issues surrounding Information technology, IT Risk Management, Governance, Security, Privacy, Data Protection, Regulatory and Strategy assessments. His client experience ranges from working with a broad variety of global financial institutions, technology companies, and other non financial services companies including: exchanges, money center, consumer, and international banks, savings and loan institutions, investment banks, hedge funds, electronic exchanges, broker/dealers, technology, products and services companies. David has a Bachelor of Science in Finance with a minor in Computer Science from Ithaca College and he is a Certified Public Accountant.

To listen to the interview, click on this MP3 file link

The latest blog on the interview can be found in the IT Managers Connection (IMC) forum where you can provide your comments in an interactive dialogue.


Interview Time Index (MM:SS) and Topic

:00:29: David, can you profile your history prior to your current role and a defining lesson you wish to share?
"....I've always enjoyed leveraging the audit experience and the knowledge of business, and to communicate in business and accounting terms and relay some of the IT risks and IT security to a business perspective...."

:03:38: With emerging technologies such as mobile computing, social media, cloud computing — what are companies doing to address some of the security concerns around these areas?
"....I keep bringing up the board and the audit committee because they ultimately are the key stakeholders with the shareholders and customers....We at PwC do a lot of assessments to help our clients with that...."

:13:00: Do we see increased regulatory activity around IT Risk & Security related to all of the security breaches, especially cyber-security breaches?
"....The answer is primarily yes....The challenge is today most of the regulators have limited resources, so they tend to focus on the large companies and bigger entities and will audit them very heavily....The privacy of the data and how do you know what needs to be private, and then how do you secure that and how do you address each of the different regulations on a state basis in the US and then country to country?...."

:15:23: With all of the different technologies in the marketplace and new technologies appearing frequently, are internal audit departments equipped with the resources and skills to address the risks that these technologies present?
"....It is so challenging and difficult to keep up with all the new technologies, issues and hacks that are occurring and new vulnerabilities that are being identified. That was one of the issues when we did our global CIO survey, that the global CIOs and CISOs didn't have the confidence that the internal audit department have, the appropriate skills to address all of the new risks especially the advanced persistent threats the risk from the outside...."

:19:31: Can you define SSAE 16 versus SAS 70 and address key objectives and controls around financial reporting? What are companies doing with third party vendors to address these additional risks?
"....SAS 70 is a report on controls over a period of time, which is geared for auditor to auditor communication over subject matter that is geared for financial reporting, and ultimately to give comfort around the control over financial reporting. The guidance has changed slightly and now the SAS 70 are called SSAE 16. What they don't do is address necessarily the reputation and brand risk and the brand impact around other broader controls...."

:25:07: David, can your profile your current role and measurable goals for this year?
"....I currently lead the PwC U.S. IT Risk and Security Assurance practice....We've been creating knowledge and awareness — working with a lot of our clients on the business side to create this awareness that these 3rd party assurance reports assess....In other areas we've been helping a lot of clients and a big focus is with the internal audit....Continuing to create the awareness with our clients around where they want to be with security...."

:31:59: What best practices and useful lessons can you share from your job?
"....We're in a borderless environment now. Technology has changed so significantly and it has evolved so rapidly that you can never be fully comfortable that you are really secure....Second, the board and audit committee involvement....Another area is a number of companies were so focused on attack and pend with these detailed technical reviews, but something is fundamentally wrong when they have the same issue year after year....Another area is with broader IT risk and really helping our clients do a proper effective IT risk assessment...One other area is from a data management perspective. Most of our clients can't answer which data needs to stay sensitive or confidential or private...."

:37:51: Are you able to quantify the brand and reputation damage a serious breach could be?
"....It is very difficult to quantify because every company is individual (in terms of what their business is and what sector they are in), but there have been different studies that have been published over time and there is a large varying discrepancy in terms of what the impact is....You are talking about hundreds of billions....It's such a significant risk...."

:41:36: Do you have a sense of what the percentage is for a company being proactive (ie. bringing in an expert on a proactive basis to protect against all of these issues that can occur) versus after the fact reactive?
"....I think it depends on the individual companies and the industries that they're in. A lot of the financial services companies, healthcare companies will have internal IT risk managers, set security departments. Big organizations will put budget aside for proactively engaging 3rd parties like PwC coming to do assessments or remediation or implementation. But there are a number of other companies that still to this day focus on security as an afterthought, especially when you get to some of the private companies, the startup companies who are so focused on just growing the business...."

:45:03: David, can you share the many added valuable insights you provided as a speaker at the ISACA World Congress?
"....I don't get surprised very often in my travels (and I travel the world fairly often), but I was surprised at the number of questions that came up and the dialogue and the interaction. It was really fascinating and honestly it was somewhat concerning because it was such a large volume of questions. People are so aware right now on how significant an issue it has really become...."

:47:19: I was struck by one key piece of data where they talked about the human factor. There was this mention of 90% of the companies out there have somebody internally that is seeing things they shouldn't be seeing, or they don't have the right to see it and somehow they've gained access to the material.
"....That's accurate....In some companies you may not have a philosophy that certain things have to be private or secure, and you end up having the ability to gain additional access you may not have intended or you're not aware of that employees have or that they can go in there and get access to. It's a significant concern...."

:50:46: What do you see as the top disruptive technologies and how can these be managed?
"....Mobile devices, social media, cloud computing — all of these are different technologies that are relatively new in the scheme of things. How do you protect them? What do you do about it? A lot of this is around consumerization....They can become incredibly disruptive...."

:52:01: Do you feel computing should be a recognized profession on par with accounting, medicine and law with demonstrated professional development, adherence to a code of ethics, personal responsibility, public accountability, quality assurance and recognized credentials?
[See and the Global Industry Council,]
"....I think computing by itself is somewhat of a commodity. There are a lot of lower cost providers and programmers especially in some of the other countries globally who are able to provide the services at very low cost so I don't think it's at a level for that....What I do think is at that level it's from a security perspective — a security officer and an IT risk manager or a compliance officer and privacy where it's really a legal focus. I think it's at those levels where the responsibility that they have right now is so significant to a company's brand and reputation that it can't be over-emphasized...."

:53:20: David, from your extensive speaking, travels, and work, please share some stories (amusing, surprising, unexpected, amazing).
"....Every time I go and speak to people globally and all the work that we're doing, there's not a day that goes by that I don't learn something that's new for something that's interesting...."


Music by Sunny Smith Productions and Shaun O'Leary