Canadian IT and security professionals report lower levels of security program success than their counterparts in the Americas, according to a new survey.
The goal of Cisco’s 2021 Security Outcomes Study was to uncover the security measures that are working best to protect organizations. It’s based on a global survey, but also presents regional data from over 1000 professionals in the Americas.
In the survey, respondents were asked about their level of success on 11 security outcomes. Canadian participants gave themselves lower ratings in every category than those in the United States, Mexico and Brazil. Generally, Mexico had the highest scores, with the U.S. and Brazil falling in the middle. The report is careful to note that this doesn’t necessarily mean that Canadian organizations are less secure. Rather, it’s possible that they may measure themselves against higher standards.
Nonetheless, the results suggest that while Canadians feel they are managing security risks, they see room for improvement in operating efficiency and enabling the business. “A key trend from the survey is about how you are evolving your security strategy in a way that meets the needs of the business,” said Mike Hanley, Chief Information Security Officer with Cisco.
Canada is good at compliance
Canadian IT professionals reported their highest success rate on meeting compliance regulations. Fifty per cent of Canadian organizations said their programs are achieving this outcome. “This does not surprise me in the slightest because we tend to be a risk-averse culture,” said Dave Lewis, Global Advisory CISO at Cisco Canada. “We are more about the belt and suspenders as opposed to the flip flops on the beach.”
At the same time, Hanley cautioned against weighing down the business with compliance checklists. “It’s important that stakeholders are invested in security and don’t feel like you’re working against business objectives,” he said. “Compliance will be a natural outcome of a great security program.”
Canadian participants reported a 49 per cent success rate in managing top risks, gaining executive confidence and creating a security culture. “Having a strong security culture in your organization helps to improve security across the board because you have everybody being part of the solution,” said Lewis. “If you have a security awareness program that you’ve gamified to engage people, they become part of the solution, part of an extension of your security team. You want to have security as an enabler, not as a stopping point.”
A different view on key success factors
At the global level, the report found that ongoing technology refreshes, strong integration and timely incident responses are the leading best practices in security programs. Canadian respondents agreed that timely incident responses are an important factor, one that increases the likelihood of program success by 15 per cent.
However, Canadians put greater weight on two other success factors. According to the results, they believe that establishing clear security reporting to executives improves the chances of success by 19 per cent and using automation effectively does so by 17 per cent.
More business focus is needed
Based on the study, Canadians see a need to improve operational efficiencies. Only 38 per cent of the participants reported success at minimizing unplanned work, while 39 per cent said they’re good at running security programs cost-effectively.
Although Canadian IT professionals saw their organizations’ security culture as a strength, just 33 per cent say they’re doing well at obtaining buy-in from their peers. As well, 37 per cent say they’re having success at retaining security talent. “There needs to be greater focus on talent and getting peer support within your organization,” said Lewis. “We need to move from a siloed approach to more of a matrix approach so that we can get better solutions that are going to be streamlined.” Lewis suggested that Canadian organizations could do better at retaining talent by aligning salaries with other western countries.
Forty per cent of Canadian survey participants said their security programs are keeping up with the business, well below the results in the rest of the Americas. “This is the historical view of security which is starting to change,” said Lewis. “You don’t want security as a bolt-on. You want to get it into every aspect of the business.”
Hanley said that his top advice for security professionals is to get to know the business better. “Your effectiveness could be limited by your business understanding,” he said. “Know where the business is going and prepare a security strategy to support it. Skate to where the puck is going.”