Canadian CIOs admit lack of security awareness

Data loss prevention and storage encryption still sore points for some IT leaders

Have hackers, botnets or rogue ex-employees managed to steal mission-critical data from the enterprise? Don't ask the CIO.

According to PricewaterhouseCoopers, which worked with our U.S. CIO magazine on an annual survey of more than 7,000 individuals in 130 countries, Canadian organizations are eight per cent less likely to know if they've had a security incident compared to their global counterparts. A total of 39 per cent said they were unaware of any breaches and of those that know something went wrong, nearly half, or 46 per cent, don't know exactly what happened.

These were sobering results for David Craig, PwC Canada's National Information Security practice leader. The Global State of Information Security 2010 reveals just how laggard many firms are in taking a more proactive approach, he said.

"There are few proscribed controls that work in a regulatory manner to protect certain information," he said. "If there was a government fiat of some kind, they would probably act more quickly."

In fact, compliance in its various forms emerged as the leading driver for IT security spending in Canada overall, followed by disaster recovery. That doesn't really address the knowledge gaps, however, said Salim Hasham, a vice-president who works primarily with PricewaterhouseCoopers security clients in the Greater Toronto Area.

"To not be able to discuss what kind of attacks you've withstood or what vulnerabilities you're dealing with is like telling the CEO you have no idea where 60 per cent of your assets are," he said.

Follow the money

Despite the economic downturn, the budget outlook for security is not as bad as might have been expected. Globally, six out of 10 firms said they expected to see security spending stay the same or increase. Of the less than half worldwide who are planning to cut spending, most are deferring by less than six months and reducing budgets by no more than 10 per cent. "These companies are very aware of audit committees and their accountability to them," says Craig.

Hasham says there are other positive signs, particularly within Canada. "We're really seeing the elevation of the CISO (chief information security officer) role," he says. "They're no longer just playing the position of referee but moving to the concept of security as enablement -- that by protecting information you can actually get more business done."

There is also greater collaboration between executives responsible for security in like-minded firms or industries -- even among those who would normally see themselves as competitors. "I've seen a lot of CISOs in financial services sharing ideas," Hasham says.

Where's the DLP?

Although Canadian respondents to the survey showed higher concerns around business continuity and disaster recovery, they have been more hesitant around product categories such as data loss prevention (DLP). According to PwC, 34 per cent of Canadian organizations have a DLP tool in place, compared to 44 per cent globally.

These results didn't overly concern Craig. "I think DLP is still seen as an emerging category," he says. "Most organizations here seem to have a wait-and-see attitude. Already they're noticing consolidation happening within the vendor community for DLP products, and in some cases they may be waiting for more mature tools before they're prepared to make an investment."

Leggo my laptop!

Besides covering broad trends, the Global State of Information Security 2010 also dug deep into the details. For instance, PwC examined the most common items that are exploited or stolen as a result of breaches. Although laptops are an obvious choice, they appear to be more attractive to thieves in Canada than anywhere else. Ninety-one per cent of Canadian respondents cited mobile computers compared to 71 per cent around the world.

Hasham says he's heard of bad practices surrounding such technology. "You'll see organizations that employ no laptop encryption because it would slow down boot times," he says.

Craig adds that the infiltration of consumer technology into the enterprise makes some risks even greater. "Just think about all the smart phones that are brought into a call centre," he says. "It has a camera, recording features -- everything you need to compromise data. It doesn't matter if they don't give them Internet access at their terminals anymore."

Drive the business

Security concerns may be partly behind the relatively low adoption rates PwC tracked around cloud computing, compared to technology such as virtualization which is bringing more efficiency to enterprise data centres. In the long term, cloud computing may hold more appeal, even as it potentially opens up greater avenues for risk.

"All you have to do is look at Google to see how competing on data is becoming more important," says Craig. "Firms want to customize what they offer to their users, and cloud computing could be a way to do that. But what's the trade-off?"

Hasham says he hopes CIOs will look at the data and do a thorough review of how information is classified across the enterprise. This way they can better determine its value and prioritize their security investments accordingly. "If you don't do that, you don't have a hope in Hell of protecting it," he says. "If you want it to be, security can be a driver of business transformation."

PwC's next iteration of the survey is already in the field.

Shane Schick

CIO Canada