Private sector should lead Canada’s cyber security strategy, say experts

In the global war against crime, Canada is one of a number of countries with a national cyber strategy aimed at strengthening important departments and working with the private sector to shore up critical infrastructure.

But two security experts told a conference Thursday that businesses, not Ottawa, should be leading the charge.

But they also laid the blame for the country’s poor cyber security at the executive floor.

“We (infosec pros) feel it’s difficult to convince upper management something should be done,” Jason Murray, senior manager for cyber security at consulting firm MNP LLP, told the SC Congress conference in Toronto on Canada’s cyber strategy. “They’re not listening to us. They get it, they just don’t need to do anything about it.

Jason Murray. Photos by Howard Solomon

“They’re accumulating technical debt. Every year they don’t spend enough on information security they’re adding to the debt and hoping that when the debt comes due they’re not around to take the fall … The market should punish these people, just like they were accumulating financial debt… and they would go out of business.”

However, he admitted, few companies – even those suffering huge breaches like Home Depot – lose customers over the long term.

But he also complained organizations “are not doing the basic hygiene stuff… I go in there (to customers) and assess against the PCI (Payment Card Industry security) framework or the critical controls framework … and they’re scoring 40 per cent at best.”

Fellow panellist Peter Sloty, a former Toronto deputy police chief and now an executive director at Deloitte Canada, agreed the responsibility is on the private sector’s shoulders. “If a private entity is having a (digital) hygiene factor, that’s leadership from the C-suite, and the shop floor as well. This could cost jobs, it could cost clients, it could cost value and reputation as well.”

But both also credited Ottawa with passing a law requiring organizations coming under federal privacy law to notify customers and partners of breaches where there is risk of significant harm to victims. The federal privacy commissioner will also have to be notified.

Peter Sloty, Deloitte Canada

The regulations around breach notification are still being ironed out, and the requirement is not expected to come into force until 2017.

Breach disclosure “is a great lever” for action, Sloty said. Recently made mandatory in Australia, he noted, it has “put a real burning platform under CEOs” to get security right.

Canada’s cyber security strategy includes a wide range of efforts. The Harper government announced an action plan in 2013 which included working with the provinces, municipalities and the private sector to improve IT security in a number of sectors, a plan the Trudeau government has adopted in its first budget.

The strategy includes the Canadian Cyber Incident Response Centre, a Public Safety Canada web site with many resources, and the encouragement of the fledgling Canadian Cyber Threat Exchange (CCTX). The exchange is expected to go live in December.

However, Murray said organizations shouldn’t rush to join the exchange if they don’t have the capability to make use of the near real-time data feeds it will offer. He also called for federal funding to help train more infosec professionals. “We need people, we need processes, we need tech, we need all of that.”

Sloty called for a host of cyber security centres of excellence across the country.

In an interview Murray said there has to be a “carrot and stick” approach to Canada’s cyber security strategy, with mandatory breach notification being one of the sticks.

Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com
