Canadian CIOs admit lack of security awareness

Data loss prevention and storage encryption still sore points for some IT leaders

Have hackers, bonets or rogue ex-employees managed to steal mission-critical data from the enterprise? Don't ask the CIO.

According to PricewaterhouseCoopers, which worked with our U.S. CIO magazine on an annual survey of more than 7,000 individuals in 130 countries, Canadian organizations are eight per cent less likely to know if they've had a security incident compared to their global counterparts. A total of 39 per cent said they were unaware of any breaches and of those that know something went wrong, nearly half, or 46 per cent, don't know exactly what happened.

These were sobering results for David Craig, PwC Canada's National Information Security practice leader. The Global State of Information Security 2010 reveals just how laggard many firms are in taking a more proactive approach, he said.

"There are few proscribed controls that work in a regulatory manner to protect certain information," he said. "If there was a government fiat of some kind, they would probably act more quickly."

In fact, compliance in its various forms emerged as the leading driver for IT security spending in Canada overall, followed by disaster recovery. That doesn't really address the knowledge gaps, however, said Salim Hasham, a vice-president who works primarily with PricewaterhouseCoopers security clients in the Greater Toronto Area.

"To not be able to discuss what kind of attacks you've withstood or what vulnerabilities you're dealing with is like telling the CEO you have no idea where 60 per cent of your assets are," he said.

Follow the money

Despite the economic downturn, the budget outlook for security is not as bad as might have been expected. Globally, six out of 10 firms said they expected to see security spending stay the same or increase. Of the less than half worldwide who are planning to cut spending, most are deferring by less than six months and reducing budgets by no more than 10 per cent. "These companies are very aware of audit committees and their accountability to them," says Craig.

Hashim says there are other positive signs, particularly within Canada. "We're really seeing the elevation of the CISO (chief information security officer) role," he says. "They're no longer just playing the position of referee but moving to the concept of security as enablement -- that by protecting information you can actually get more business done."

There is also greater collaboration between executives responsible for security in like-minded firms or industries -- even among those who would normally see themselves as competitors. "I've seen a lot of CISOs in financial services sharing ideas," Hashim says.

Where's the DLP?

Although Canadian respondents to the survey showed higher concerns around business continuity and disaster recovery, they have been more hesitant around product categories such as data loss prevention (DLP). According to PwC, 34 per cent of Canadian organizations have a DLP tool in place, compared to 44 per cent globally.

These results didn't overly concern Craig. "I think DLP is still seen as an emerging category," he says. "Most organizations here seem to have a wait-and-see attitude. Already they're noticing consolidation happening within the vendor community for DLP products, and in some cases they may be waiting for more mature tools before they're prepared to make an investment."

Leggo my laptop!

Besides covering broad trends, the Global State of Information Security 2010 also dug deep into the details. For instance, PwC examined the most common items that are exploited or stolen as a result of breaches. Although laptops are an obvious choice, they appear to be more attractive to thieves in Canada than anywhere else. Ninety one per cent of Canadian respondents cited mobile computers compared to 71 per cent around the world.

Hashim says he's heard of bad practices surrounding such technology. "You'll see organizations that employ no laptop encryption because it would slow down boot times," he says.

Craig adds that the infiltration of consumer technology into the enterprise makes some risks even greater. "Just think about all the smart phones that are brought into a call centre," he says, "It has a camera, recording features -- everything you need to compromise data. It doesn't matter if they don't give them Internet access at their terminals anymore."

Drive the business

Security concerns may be partly behind the relatively low adoption rates PwC tracked around cloud computing, compared to technology such as virtualization which is bringing more efficiency to enterprise data centres. In the long term, cloud computing may hold more appeal, even as it potentially opens up greater avenues for risk.

"All you have to do is look at Google to see how competing on data is becoming more important," says Craig. "Firms want to customize what they offer to their users, and cloud computing could be a way to do that. But what's the trade-off?"

Hashim says he hopes CIOs will look at the data and do a thorough review of how information is classified across the enterprise. This way they can better determine its value and prioritize their security investments accordingly. "If you don't do that, you don't have a hope in Hell of protecting it," he says. "If you want it to be, security can be a driver of business transformation."

PwC's next iteration of the survey is already in field.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags CIOssecurity

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Shane Schick

CIO Canada
Show Comments

Cool Tech

SanDisk MicroSDXC™ for Nintendo® Switch™

Learn more >

Breitling Superocean Heritage Chronographe 44

Learn more >

Toys for Boys

Family Friendly

Panasonic 4K UHD Blu-Ray Player and Full HD Recorder with Netflix - UBT1GL-K

Learn more >

Stocking Stuffer

Razer DeathAdder Expert Ergonomic Gaming Mouse

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?