Canadian CIOs admit lack of security awareness

Data loss prevention and storage encryption still sore points for some IT leaders

Have hackers, botnets or rogue ex-employees managed to steal mission-critical data from the enterprise? Don't ask the CIO.

According to PricewaterhouseCoopers, which worked with our U.S. CIO magazine on an annual survey of more than 7,000 individuals in 130 countries, Canadian organizations are eight per cent less likely to know if they've had a security incident compared to their global counterparts. A total of 39 per cent said they were unaware of any breaches, and of those that know something went wrong, nearly half, or 46 per cent, don't know exactly what happened.

These were sobering results for David Craig, PwC Canada's National Information Security practice leader. The Global State of Information Security 2010 reveals just how far behind many firms are in taking a more proactive approach, he said.

"There are few proscribed controls that work in a regulatory manner to protect certain information," he said. "If there was a government fiat of some kind, they would probably act more quickly."

In fact, compliance in its various forms emerged as the leading driver for IT security spending in Canada overall, followed by disaster recovery. That doesn't really address the knowledge gaps, however, said Salim Hasham, a vice-president who works primarily with PricewaterhouseCoopers security clients in the Greater Toronto Area.

"To not be able to discuss what kind of attacks you've withstood or what vulnerabilities you're dealing with is like telling the CEO you have no idea where 60 per cent of your assets are," he said.

Follow the money

Despite the economic downturn, the budget outlook for security is not as bad as might have been expected. Globally, six out of 10 firms said they expected to see security spending stay the same or increase. Of the less than half worldwide who are planning to cut spending, most are deferring by less than six months and reducing budgets by no more than 10 per cent. "These companies are very aware of audit committees and their accountability to them," says Craig.

Hasham says there are other positive signs, particularly within Canada. "We're really seeing the elevation of the CISO (chief information security officer) role," he says. "They're no longer just playing the position of referee but moving to the concept of security as enablement -- that by protecting information you can actually get more business done."

There is also greater collaboration between executives responsible for security in like-minded firms or industries -- even among those who would normally see themselves as competitors. "I've seen a lot of CISOs in financial services sharing ideas," Hasham says.

Where's the DLP?

Although Canadian respondents to the survey showed higher concerns around business continuity and disaster recovery, they have been more hesitant around product categories such as data loss prevention (DLP). According to PwC, 34 per cent of Canadian organizations have a DLP tool in place, compared to 44 per cent globally.

These results didn't overly concern Craig. "I think DLP is still seen as an emerging category," he says. "Most organizations here seem to have a wait-and-see attitude. Already they're noticing consolidation happening within the vendor community for DLP products, and in some cases they may be waiting for more mature tools before they're prepared to make an investment."

Leggo my laptop!

Besides covering broad trends, the Global State of Information Security 2010 also dug deep into the details. For instance, PwC examined the most common items that are exploited or stolen as a result of breaches. Although laptops are an obvious choice, they appear to be more attractive to thieves in Canada than anywhere else: ninety-one per cent of Canadian respondents cited mobile computers, compared to 71 per cent around the world.

Hasham says he's heard of bad practices surrounding such technology. "You'll see organizations that employ no laptop encryption because it would slow down boot times," he says.

Craig adds that the infiltration of consumer technology into the enterprise makes some risks even greater. "Just think about all the smart phones that are brought into a call centre," he says. "It has a camera, recording features -- everything you need to compromise data. It doesn't matter if they don't give them Internet access at their terminals anymore."

Drive the business

Security concerns may be partly behind the relatively low adoption rates PwC tracked around cloud computing, compared to technology such as virtualization, which is bringing more efficiency to enterprise data centres. In the long term, cloud computing may hold more appeal, even as it potentially opens up greater avenues for risk.

"All you have to do is look at Google to see how competing on data is becoming more important," says Craig. "Firms want to customize what they offer to their users, and cloud computing could be a way to do that. But what's the trade-off?"

Hasham says he hopes CIOs will look at the data and do a thorough review of how information is classified across the enterprise. This way they can better determine its value and prioritize their security investments accordingly. "If you don't do that, you don't have a hope in Hell of protecting it," he says. "If you want it to be, security can be a driver of business transformation."

PwC's next iteration of the survey is already in the field.

Stories by Shane Schick