The State of Cybersecurity in Canada: Research insights from 400 Canadian CISOs
By David Senf, National Cybersecurity Strategist, Bell
For more than 15 years, I’ve been helping organizations evaluate and implement security programs to protect their business environments. Over this time, it has become clear to me that not all security programs are created equal: some organizations deliver measurably higher levels of success on a range of security outcomes than their peers. Success, in this case, is the end result of everything a security leader, their team, the business, and their third-party suppliers have put in place to achieve their security outcomes. But what are these outcomes, and how do CISOs actually measure them? More importantly, which factors are most instrumental in driving their success?
To find out, we conducted a research project that surveyed 402 CISOs from Canadian organizations across public and private sectors. Here’s a sneak peek of some of our findings:
1. CISOs measure success against a number of outcomes with these five being top of mind:
- Meeting/exceeding compliance objectives:
27% of organizations report exceeding compliance requirements. Compliance remains a core driver for security programs, yet many organizations continue to struggle to keep pace with changing requirements.
- Maintaining a high level of confidence in their security posture from business stakeholders:
26% of respondents express a high degree of confidence in the ability of their security program to adequately protect business activities in the cloud. This is the lowest score among the five outcomes, which speaks to the cautious nature of the respondents, as well as the many challenges that arise when securing cloud environments, and all of the other attack surfaces.
- Achieving the best possible rates for cyber insurance:
30% of respondents say their firm gets the best cyber insurance rates. Since many insurers require risk assessments and due diligence to set those rates, this can be seen as a third-party assessment of risk posture. Clearly, organizations will use other means to validate their posture, but an insurer’s assessment is a useful perspective.
- Having highly satisfied security staff:
About 3-in-10 organizations enjoy very high rates of satisfaction among security employees. Higher employee satisfaction scores are strongly linked to retaining security talent, which is already a difficult task.
- Not experiencing a cybersecurity breach during the past 12 months:
While 35% of respondents reported that their business did not experience a breach during the previous 12 months, it’s worth noting that some of them might simply have been unaware of one. In other words, at least 65% did experience a breach, and the true figure is likely higher.
2. Success is rarely determined by budget. Organizations with the largest security budgets were not necessarily more secure. Other factors identified in this study mattered more; for example, how resources were allocated far outweighed the importance of total budget size. That said, allocating resources effectively requires good governance.
3. Organizations with well-defined security governance outperform their peers. Security governance is most successful when a collaborative approach is adopted across the organization, in part because executing well on technical guardrails (e.g., configuration management, policy as code, access management) relies on strong alignment on risks, separation of duties, and responsibilities. Success cannot be achieved when these decisions are made in silos.
4. Being open to change can have a positive impact on security outcomes. Experimentation matters. Many of the most successful organizations in our study are experimenting with, or have deployed, generative AI solutions such as ChatGPT in their security operations. Early adopters of large language models are finding uses for them in natural language queries (translating questions across vendor-specific syntax and query languages), augmenting threat intelligence, reporting, incident response playbooks, and more.
To learn more about the insights uncovered in this research, and explore how this information can help you improve your security outcomes, please check out the full report.