Many Canadian firms still have a long way to go to be considered a mature cybersecurity organization if a study for a vendor is representative.
Twenty-seven per cent of organizations would be described as having an “emerging” security posture, says the study for CDW Canada, which is the lowest of four categories on a maturity scale created for the study.
Organizations ranked as emerging have manually intensive and not well-documented security processes, a small dedicated security team — or no one dedicated with security responsibilities — and an “elementary and decentralized” security stack.
By comparison, 43 per cent of Canadian organizations would rank as having an intermediate security posture, 17 per cent as having an advanced security posture and 12 per cent as having a leading security posture.
Within each of the four categories, 53 per cent of those ranked as having only emerging maturity were medium and large organizations. Another 28 percent were small firms.
The rankings were established from the responses of 555 IT security and risk/compliance professionals to questions about their organizations. Of the IT security respondents, three quarters had supervisors or higher positions. Respondents worked at organizations with at least 15 full-time employees.
The report was the seventh cybersecurity study of Canadian firms. However, it used a different cybersecurity maturity scoring method than previous ones.
Theo van Wyk, head of solutions development and cybersecurity at CDW Canada, said he anticipated most firms would be in the middle, or intermediate, ranking for maturity — and they were.
But he admitted being surprised at how many organizations would be ranked as having only an emerging maturity.
That was “higher than I expected,” he said, considering cybersecurity is always in the news. But for a lot of organizations, he said, cybersecurity isn’t their business. “It just goes to show there’s a lot of education to be done to help organizations with security,” he said.
Asked what it will take to move an organization up one level in cybersecurity maturity scoring van Wyk said a “really, really quick win” would be getting buy-in for a security program from the C-suite and board. They need not only to understand what cybersecurity means to their organization, he said, but also to show all employees that it’s a management priority.
Second is having a regular security awareness training program so staff understands why it’s important. Third is having a cybersecurity program that documents proper processes, he said. And fourth is having resilience, so the organization can survive and recover from a cyber attack.
Van Wyk noted that only 36 per cent of survey respondents said their organization had completely recovered data when needed. Another 40 per cent said they had partially restored data. A full 21 per cent said they couldn’t restore any data when they had to.
The full report is available here. Registration is required.