Survey shows state of Canadian security

The Canadian security industry is centralized in an urban corridor consisting of Toronto, Ottawa and Montreal, and is a sector where there are huge growth opportunities if industry leaders and government work together, said the Canadian Advanced Technology Alliance (CATA) during a meeting of industry insiders and media in Toronto on Tuesday.

Between April and May 2003, CATA constructed a database that listed the 698 security firms based in the country. Right now CATA estimates there are about 22,000 people working for these companies with total annual revenues of about $1.5 billion.

From May to August, CATA surveyed theses companies about the state of the Canadian security industry, and released the resulting report on Tuesday, which was authored by Jean-Guy Rens, executive director of CATA. He said the survey was commissioned after the U.S. Consulate in Canada requested information about the state of the Canadian security industry, and CATA realized no such data was available.

While these companies admit to losing ground in the tech boom, they said the recovery in the security sector has been quicker than most. However, there are still obstacles to growth in this industry in Canada, one of which is the lack of venture capital.

Simply put, Canadian security companies need more money for R&D. CATA said this lack of funding could result in lost market opportunities both in the short and long-term because it will result in less innovation and fewer opportunities for expansion into new markets.

CATA also said the government needs to be more proactive to encourage transparency in reporting security incidents – California just passed a law stating that when a company has a security breach, it must notify its clients – and ensure these standards are supported within the Canadian industry.

While CATA is not saying that laws of California’s magnitude need to be passed, transparency is one key issue that needs to be addressed. However, the best means of addressing these issues are not yet clear – whether the industry should drive it through best practices or if government should do it through legislation, CATA said.

The government also needs to clarify accountability for all parties in regards to security, and foster an environment of co-operation between industry, academic, and government. There are few educational programs dedicated to IT security – the exception being a master’s program at Concordia University College of Alberta in Edmonton. Courses at the undergraduate level are scattered through more than 700 IT programs.

Right now the factors that are driving this industry are the proliferation of the Internet and the digitization of traditional security devices, CATA said, and the lines between physical security and security of information are starting to blur.

“Security is not a technology issue,” said Craig Helsden, national principal, security and privacy testing group at IBM Corp.’s Global Services, in London Ont. “To say you have a firewall does not mean you are secure. It’s now a boardroom issue.”

He added that security now falls into the overarching realm of risk management – a holistic approach rather than a technological approach – and companies will have to modify their organizational structure by taking security out of IT and turning it into its own entity.

In addition he said companies should spend between 30 and 40 per cent of their security budgets on training and education for staff, considering the majority of security breaches are internal.

Of the 698 companies in CATA’s database, 294 firms responded to the survey and 38 refused to answer – an excellent response level, Rens said. The survey indicated that, on average, there are seven employees per security company in Canada. As well, 69 per cent of the services and products created by these companies are exported – mostly to the U.S. – and are sold equally to private and public organizations.

While 62 per cent of firms are located in the Toronto-Ottawa-Montreal region with 27.2 per cent, 15.5 per cent and 19.8 per cent of companies respectively, other sub-hubs in this industry are Vancouver, Quebec City and Calgary with 7.9 per cent, 4.4 per cent, and 3.7 per cent respectively.

While about two-thirds of the 698 companies are involved in information security, only 10 per cent involved in both physical and information security, Rens said. Twenty-two firms are involved in physical security only.

About 50 per cent of respondents said they were in the early growth stage, and over 85 per cent said their revenues were growing. Rens said 59 per cent of these companies were created in 1995 after the Internet was privatized.

CATA is online at