TORONTO – Canadian companies report fewer IT security incidents than their American counterparts, but that doesn’t mean they’re not willing to pay around $90,000 on average for the right talent, according to a research report released Wednesday.
Those responsible for IT security at the director level earn an average of nearly $107,000, survey respondents said, usually within financial, IT and telecommunications firms. Many of these IT security pros are based in smaller firms of less than 1,000 employees, and at least a quarter of them are CIOs, CTOs or chief information security officers.
Results from the survey of 300 Canadian firms, which was conducted by Telus and the University of Toronto’s Rotman School of Management in Toronto, were released at the 2008 InfoSecurity Canada conference.
\Walid Hejazi, an associate professor at Rotman, said the survey was comparable to that of a similar research product by the Computer Security Institute, a U.S. organization that focuses on threats and vulnerabilities within American firms. Although Canadian IT security execs put firewalls, antivirus and training at the top of their list of technologies and initiatives, companies here tended not to suffer the same degree of data loss or theft.
“One of the important points here, though, is that 40 per cent of respondents in big firms said they didn’t know about security breaches,” Hejazi said. “There’s a lot of uncertainty.”
Telus and Rotman looked not only at products and strategies but tried to correlate the data with what companies described as their satisfaction around IT security. Based on the survey data, those who had deployed log management or vulnerability management software were less satisfied than those who had deployed e-mail encryption, storage encryption or PKI technologies.
Yogen Appalraju, vice-president of Telus Security Solutions, said it might be a mistake to read too much into the correlations, which could be influenced by a number of factors. Some companies might be deploying log management as part of a project to comply with industry regulations, for example, and vulnerability management might be fragmented across the company. Conversely, using e-mail encryption isn’t necessarily a guaranteed route to IT security satisfaction, Appalraju said.
“I don’t know how to explain it,” he admitted.
There was also some variation in how satisfied companies were, based on what kind of activities they are pursuing. Those that are focused on security training and awareness show some satisfaction, but not as much as those firms that are tying security of IT to the overall performance evaluation of their technology staff, or those who are enforcing mandatory testing on security training.
Appalraju suggested these latter companies have a bit more maturity in their IT security approach.
“They’re not spending a lot of time developing a security strategy. They’ve invested in the fundamental areas way earlier,” he said, though he added, “There aren’t a lot of companies who can say, they know what ‘enough security’ is.”
The study also looked at the possibility of handing off IT security chores to a third party, but Hejazi said the results showed poor overall support for it. At least 40 per cent of the respondents said they do not outsource IT security at all, while another 17 per cent they would do so only to Canadian companies. Thirteen per cent said they would only outsource to companies in countries whose laws around privacy are as stringent as Canada’s.
“We did notice that the firms who outsourced security tend to be larger, with more than 10,000 people,” he said. Those firms also tended to express overall satisfaction with their IT security, compared with non-outsourcing firms.
Some of the hesitancy around outsourcing may be due to legislation south of the boarder. The survey showed that 39 per cent of Canadian companies are very concerned about the U.S. Patriot Act.
InfoSecurity Canada 2008 continues on Thursday.
