Cybersecurity panel: Canada ranks high, but challenges ahead
A panel of cybersecurity experts convened by the Economic Club of Canada on Monday in Toronto discussed what’s good about Canada’s current cybersecurity posture, but noted that there are still many challenges ahead.
Ali Ghorbani, director of the Canadian Institute for Cybersecurity, gave Canada a “good mark” overall for cybersecurity, noting that the country ranks ninth according to the United Nation’s International Telecommunication’s Global Cybersecurity Index.
“The Canadian government recognizes that cybersecurity… is an opportunity,” he said, pointing out the economic benefits of good cybersecurity as well as the business benefits of the provision of cybersecurity services. However, he called for a more holistic approach to cybersecurity and one that emphasizes working effectively with overseas powers. “When it comes to international co-operation, we have some work to do,” he said.
“For Canadian business and the Canadian landscape, it’s an interesting time,” offered panelist Bonnie Butlin, co-founder and executive director of the Security Partners’ Forum (SPF). She noted that Canada released a new federal cybersecurity strategy only weeks ago. While the Canadian federal government focuses its cybersecurity agenda on trade and business, other international governments are interested in changing the culture around cybersecurity. “Finding our way is going to be an interesting challenge,” she said.
One of the biggest challenges ahead, added Butlin, is effective staffing — employing people who are equipped to handle the complexities of the shifting cyber environment. Students and recent graduates may possess the latest and greatest knowledge, she said, but that lead may evaporate when directly applied to the workforce.
“If the strategy is just to bring in the next crop of students year after year, that doesn’t address your existing work. Just relying on the immediate graduates is not a solution in and of itself,” said Butlin. “Degrees have a shorter shelf life than they’ve ever had.”
Because the field can change so dramatically year to year, keeping up-to-date on cyber knowledge will be a constant struggle. Training budgets for most enterprises are on their way down, she said, and it’s often up to the individual employee to upskill on their own time and on their own dime.
A solution, said Butlin, is to place greater value on recognized certification programs, which require constant upgrades to remain current. There is also now a greater demand for experienced employees — experience and tenure is a prerequisite of some certifications — and job loyalty is highly prized.
Ghorbani agreed, adding that Canada should press its advantage in order to stay competitive with other countries. By encouraging training and placing high value on cybersecurity employees, Canada may be able to keep the homegrown skilled workforce here and also draw more talent from overseas.
Adding to the discussion, David Clark, senior claims counsel, specialty insurance, for Travelers Canada, noted that cybersecurity awareness may still be lacking in some organizations. His company offers cybersecurity services and works with clients in the event of a data breach or malware infection. “There’s not enough businesses out there that realize that it can happen to them,” he said.
He said that larger businesses, in general, are more aware of the risks and are more likely to invest in cyber insurance. Smaller businesses may think that they don’t hold any data or information of significant value, or are labouring under the assumption that they can handle a breach without help.
Even companies that don’t retain customer information likely keep some data on file about their employees, which can also pose a risk, said Clark, who noted that Canada’s mandatory breach notification law will come into effect on Nov. 1 this year. Disclosing a breach becomes even more thorny if you don’t have reliable expertise and “if you don’t know what you’re looking for.”
However, said Clark, the Canadian insurance industry is mature and resilient, which can help Canadian companies make the transition towards adopting a cybersecurity policy.