Canada Has a Severe Cybersecurity Auditing Gap

Alan McCafferty · uOttawa PDI News · Posted: Dec 04, 2024 12:08 PM EST


Canada has a little bit of a humility problem. Not on a personal level, but when it comes to our broader place in the world. Specifically, we tend to think of ourselves as being somewhat off the radar when it comes to cybersecurity issues. There’s a mentality that cyberattacks and breaches are really more of a U.S. thing, or a European thing, than a Canadian thing.

But it’s not the case. Our institutions are well aware that not only is this problem here, but it’s growing in size, complexity, and severity. In fact, the Canadian government is making it a requirement for any supplier bidding on defense contracts to be certified under the Canadian Program for Cyber Security Certification.

Unfortunately, both our culture and our capabilities are lagging behind. Many Canadian industries and institutions have the wrong mindset, and for those that don’t, we’re behind in a crucial area: cybersecurity auditing.

A Mindset and Cultural Shift Is Required
The first challenge we’re facing is a lack of recognition of the need for effective cybersecurity auditing capabilities. There are a few components to this.

First, there is a prevailing mentality that there isn’t as much of a need for cybersecurity here in Canada. But this is demonstrably not the case. Industry surveys have found that ransomware payouts in Canada have been increasing in recent years, jumping by as much as 150% from 2021-2023 and hitting $1.13 million on average. For many organizations that haven’t yet had a breach or attack, there seems to be a mindset of “if it ain’t broke, don’t fix it.” But would you drive without car insurance just because you haven’t had an accident?

The second element of this mindset is the belief that this is a technology problem, and therefore one best solved by technology. Why would we need to audit our processes? Just update the firewalls as needed or buy a new one once something better is available. But technology is not the solution. As I’ve discussed elsewhere, even the best firewall on the market is far from perfect. And many, if not most, of the cybersecurity gaps created in organizations are created by people’s behavior, not by gaps in technology. In other words, this is a people problem.

The final element of this is a mentality of treating cybersecurity processes as one-and-done procedures. Typically, in organizations that have sent staff to be trained in cybersecurity, staff come back and put together plans and processes to ensure their organization remains secure. It is shocking how many times these documents end up on a shelf somewhere, gathering dust. That’s not to say they don’t get used or implemented: but once they’re done, they rarely get touched or updated.

Availability of Canadian Auditors Is Severely Lacking
Organizations that do recognize the need for cybersecurity audits to keep their processes up-to-date face another problem. These key positions are going begging. There are thousands of vacancies for cybersecurity positions in Canada, many of which are for cyber auditors.

The unfortunate reality is that just as our mindset needs to start playing catch-up, so do our capabilities. For many organizations, the only way to get access to trained and certified cybersecurity auditors is to look overseas.

This is not an insurmountable problem. But organizations here face greater logistical challenges training staff, and as demand increases, domestic businesses will face greater and greater competition and less availability for training. In other words, the trends point to a much greater need for domestic capacity.

The Cost of Breaches and Inefficiencies Is Growing
Meanwhile, Canadian organizations are becoming more reliant on technology to facilitate work, and these digital technologies have become ever more closely integrated with our most valuable assets and offerings. That means that the risk and cost of both inefficient cybersecurity and security breaches is growing. Ransoms are becoming more expensive, organizations are spending more to protect themselves, and cybersecurity is becoming more closely intertwined with daily operations.

It’s true that cybersecurity has gone from being somewhat obscure to mostly mainstream. You’d be hard-pressed to find an organization in just about any industry that is not familiar with the concept. Many may have a plan in place, with professionals and technology available either in-house or contracted to protect sensitive and valuable data and applications.

But the growing sophistication and dynamic nature of cyberattacks, and the complex nature of organizational cybersecurity, mean that it isn’t sufficient to simply put a plan or technology in place and be done with it. This is why effective cyber auditing is so crucial, and why our lack of domestic capability is so concerning.

For the defense sector, in particular, this isn’t optional: it’s the cost of doing business with the federal government. For other industries, it may be just as important, even if it’s less obvious. Plans and processes must be audited regularly to ensure they keep pace with ever-changing attack surfaces. Outdated and expensive practices must be pruned as needed. And investments in cybersecurity must be reviewed and assessed regularly to ensure they are paying for themselves.

uOttawa PDI Cybersecurity Offers Audit Attestation
This is why the uOttawa Professional Development Institute offers the Cyber Security Compliance and Auditing course to equip graduates with the knowledge, skills, and abilities to conduct effective internal Information Security and Cyber Security audits. Successful graduates get a uOttawa PDI Certificate and a formal Letter of Attestation that they are equipped and proficient to perform internal audits and prepare their organization for ISO, NIST, SOC 2, or ITSG-33 audits and certification audits.

The risk and cost of paying for cybersecurity that may or may not even be working has never been higher. And it’s never made more sense for your organization to train staff with the skills needed to ensure your cybersecurity investment is paying off.


About the Author
Alan McCafferty is a Senior Business Analyst with 25+ years of progressive experience working with public organizations, not-for-profits, start-ups, and multi-national corporations. Educated in Canada, the USA and Europe in multiple disciplines including Engineering, Business, Risk Management, and Lean 6 Sigma, he is the author of more than 25 white papers and the recipient of the Canada Award for Excellence. During his career, Alan has led the delivery of multi-year, $1 billion+, mission-critical information technology projects. As a Cyber Security SME, Alan was key in the development of the University of Ottawa Professional Development Institute cyber security program and teaches several of the courses. Alan has successfully completed IT, Security, Process, Threat Risk Assessment (TRA), Privacy Impact Assessment (PIA), and health and safety projects for federal government departments, provincial healthcare organizations and national not-for-profit organizations. As a senior consultant, he uses his Lean 6 Sigma skills, along with his risk and security experience, to help organizations implement low-waste, effective lean processes in areas such as information security management systems, business continuity, department security plans, quality management systems, and health and safety management systems.


Are you looking to advance your skills or delve into the cybersecurity domain? Explore the opportunity to enhance your expertise by enrolling in one of uOttawa PDI’s information and cybersecurity management certificates. These programs cover areas such as risk management, protection techniques, threat assessments, and incident response. Elevate your proficiency and knowledge in this critical field. Learn more today.