The 2016 Cyber Readiness Study of Canadian Organizations was published today by Scalar Decisions, a Toronto-based solution provider and RSA partner. Scalar was recently rated #1 for Security among Information Communications and Technology companies in Canada by The Branham Group.
When we compare the results of the second annual Scalar Security Study with the RSA Inaugural Cybersecurity Poverty Index, it bears asking "Is Canada really better at cyber?"...or maybe Canadians are just more optimistic!?!?!
The thorough survey of 654 IT security practitioners hailing from Canada covers a spectrum of cyber-related topics including incidents, threats, readiness, priorities, budget, etc. Respondents were well balanced by roles, organization size, and vertical markets. It's a good read for practitioners and executives seeking to compare their own self-assessments (in some detail) with those of their peers.
Most notable to this reader was the relative confidence expressed by our Canadian brethren. On a scale of 1-10, 53% answered 7 or better when asked to rate the effectiveness of their organization's cyber security posture and its ability to mitigate risks, vulnerabilities, and attacks across the enterprise. In contrast, the RSA study conducted earlier in 2015 revealed only 25% of respondents in the Americas indicated that they have mature security strategies or advantaged capabilities.
Aside from these self-assessments, the report actually corroborates research by RSA and a host of analysts on the dismal state of cyber:
- Only 25% believe their cyber security strategy is fully aligned with business objectives and mission; fortunately, this is up 2% over the previous year.
- Only 37% believe they are winning the cyber security war, down 4% from the previous year.
- 70% experienced exploits and malware evading intrusion detection systems, and 82% experienced attacks that evaded their anti-virus.
- 51% experienced an incident involving the loss or exposure of sensitive information, up 5% from the previous year.
- The business impact from losses is up, most notably the cost of clean-up and remediation ($766,667 over the past 12 months, up 13% over the previous year).
- Only 38% say they have systems and controls in place to deal with advanced persistent threats, while organizations have an average of one separate APT-related incident per month. A full 54% say they have no controls in place.
These sentiments echo many of our discussions with customers and prospects. While traditional preventive technology continues to fail, organizations recognize the need to build and evolve their detection and response capabilities. In fact, the survey finds that 45% of organizations will invest more in network traffic surveillance in 2016 and 36% will invest more in security data analytics. There is also a pressing need to align risk and security practices as Operations and Information Technology converge. RSA Advanced Security Operations partners such as Scalar are experienced in helping organizations meet these challenges.
Canadians also find that Identity Management and Authentication is the most effective technology in helping to achieve their security objectives. It ranked #1, with 49% acknowledging its effectiveness (up 4% from the previous year). 34% of organizations plan spending increases in identity management and authentication.
One of the more startling revelations of last year's Verizon Data Breach report was that 95% of web app attacks involve compromised credentials. Therefore, it is no surprise that many organizations seek to apply secure and frictionless access across their enterprise, including their SaaS, mobile, and web applications.
So, while the details certainly confirm that Canadian security practitioners are grounded in reality, perhaps they are slightly more optimistic about their own capabilities than the rest of us. And frankly, there's a need for optimism in Canada. Were the playoffs to start today, none of the seven Canadian NHL teams would make the cut. Ouch!