The Harsh Truths About Cybersecurity
- Details
- Written by Ernest Solomon
The pandemic compelled organizations to focus on their security postures as threats evolved globally. Consequently, CIOs realize they can't address cyberattacks with a "one size fits all" approach. Instead, security strategy is considered a holistic journey where enterprises use tactical measures in combination with a long-term vision to ensure that each initiative provides a building block for a future-ready environment.
To explore this critical topic, I participated in a panel at the Leadership in Tech Summit: Priorities for Turbulent Times. Along with Melissa Carvalho, RBC's Global Cyber Security Vice President and Negin Arminian, Menlo Security's Cybersecurity Strategy Senior Manager, we examined the harsh truths facing the modern enterprise. Watch our panel discussion video: https://youtu.be/CXeDn1JMiXI
This article highlights the top priorities for organizations and ways to overcome obstacles. It presents an overall strategy of reactive and proactive elements across four core areas: Governance & Control, Security Solutions, Operations & Compliance, and People Culture & Awareness.
The following is a summary of the harsh truths and ways that leading organizations mitigate their impacts.
Governance & Control
- Security is a journey and not a destination: There is no such thing as a 100% secure environment. So, purge the idea of a flawless security implementation/roadmap. Instead, every leader in the enterprise should be held accountable for the constant evolution of their cybersecurity strategies.
- Budgets remain under constant pressure: Although a cyber defence strategy is a managed cost, consider cybersecurity an organizational investment that protects and secures critical assets. Start by quantifying the impacts of a breach by considering downtime, recovery, legal, compliance, and reputational costs. Then, acknowledge that an increased budget helps to deliver the tools, frameworks, talent and partnerships that reduce organizational risk.
- The board is watching: Many corporate boards prioritize cybersecurity by creating dedicated committees to address the associated risks. As a result, be proactive by educating board members and working with them to ensure security remains a top priority.
- Security slows down the business: Users often view cybersecurity as a productivity blocker, resulting in attempts to circumvent processes and technical controls. Instead, CIOs must make security initiatives an enabler while developing solid partnerships with the business. To help ensure success, the security team should approach their work from a business perspective to demystify cybersecurity while making it seamless to end users.
- The big picture remains unclear: Organizations often do not know why they need security and what their strategy includes. Therefore, CIOs must develop a comprehensive view of the enterprise security posture and multi-year strategy to build awareness. This approach requires a gap analysis based on a proven information security framework and the 3C's of strategy implementation – Clarify, Communicate and Cascade.
Security Solutions
- Attackers have penetrated your defences: The rapid increase in incidents and long-running attacks means that it's only a matter of time before bad actors breach your defences. As a result, accelerate plan development by assuming hackers are already in your systems and networks. This approach makes resiliency and rapid recovery a priority.
- You're reinventing the wheel: Security challenges continue to be solved by industry and vendor communities. As a result, it is crucial to learn from partners and implement vendor-assisted solutions to reduce effort and accelerate the time to results. Furthermore, refrain from simply looking at the top category leader or the new shiny penny. Instead, seek a partner who aligns with your organization's goals and security objectives.
- You have too many tools: Organizations implement a vast array of tools hoping that the bad actors will disappear. Unfortunately, this approach leads to tool overload and knowledge sprawl, which consumes valuable resources and leaves hidden gaps. Instead, CIOs should focus on how each tool contributes towards the overall strategy by addressing a gap and avoiding overlap. The goal should be an integrated security fabric where the tools complement one another to cover all components of the extended enterprise.
- You can't support your tools: Operational tools adoption is a real challenge. Correspondingly, organizations find it difficult to sustain their tools to extract the maximum value from them. To address this issue, include a training and transition plan into all vendor contracts and leverage your vendor training credits.
Operations & Compliance
- There is no separate category for cyber risk: Creating a dedicated cyber risk department can produce sub-optimal results. Instead, add cyber into the overall organizational risk identification and mitigation framework to address all internal and external factors. In addition, prioritize a relentless focus on how to effectively turn down the risk dial as part of the security team's mandate.
- Backups remain exposed: Attackers continue targeting the organization's backups to maximize damage and increase ransom demands for valuable data assets. As a result, CIOs need to implement an immutable backup strategy that includes encryption and multiple online and offline copies.
- You don't have 360o visibility into your ecosystem: Constantly monitoring vendor cyber risk based on compliance and control requirements remains a significant challenge. CIOs must implement continuous cyber-rating capabilities to understand their vendors' cyber posture and make decisions for onboarding new vendors.
- You aren't ready for an actual attack: Most organizations remain unprepared for a real attack. As a result, businesses must prioritize recovery rehearsals through tabletop exercises to verify and evolve action plans. Implement Red, Blue, and Purple teams to constantly adjust plans for new attack vectors and develop enterprise RACIs to ensure the entire organization falls within scope.
- Policies will not protect the organization and address compliance requirements: Policies provide guidelines and boundaries for users but do not supply the ability to enforce them. As a result, CIOs must implement mitigating technology controls to support those policies (e.g., complex passwords, USB lockdown, device encryption, etc.).
- You can't rely on cyber insurance: Cyber insurance will change drastically in the upcoming years through increased premiums, claim denials, and exclusions. These changes will force rigorous processes that verify organizations implement the appropriate controls and best practices required to reduce risks and impacts. CIOs must plan for the additional time, costs, and effort to maintain their insurance policies.
People, Culture & Awareness
- The talent crisis is not over: The cybersecurity workforce reached an all-time high with an estimated 4.7 million security professionals and the need for 3.4 million more ((ISC)2 2022 workforce study), emphasizing that people will remain core to the organization. As a result, talent acquisition and retention strategies need to be well-defined, focusing on organizational values, culture, DEI, and ESG. In addition, CIOs must continually invest in people by upskilling them with the appropriate tools and training to improve automation and workflows for increased efficiencies.
- Cybersecurity awareness is not optional: End-user errors are a primary root cause of breaches. As a result, it's imperative to implement a continuous cybersecurity awareness plan that includes training and phishing exercises for all levels of the organization. This initiative focuses on learning how security threats happen and how end-users must act to avoid potential risks. To improve effectiveness, leverage the communications team and business partners to align and simplify the messaging.
- Leadership isn't committed: During the cybersecurity journey, friction often slows progress due to scope and compliance constraints. Despite these challenges, protecting the enterprise requires continuous senior leadership commitment to reduce risk in an evolving IT environment and a growing cyber threat landscape. Adopt a mindset of constant learning and transformation by leveraging new technologies, processes, and frameworks to help the organization by simplifying cybersecurity.
- DEI is more important than you think: For example, the UK biometric passport tool failed to work correctly for women of colour, resulting in re-work and negative press coverage. Organizations must acknowledge that DEI is vital in avoiding unintended biases introduced by new technologies. In addition, DEI also helps alleviate the cybersecurity resource gap by increasing access to a larger population of untapped talent.
Summing up the truths
Every organization faces a high risk of operations downtime and data loss caused by security breaches. In addition, these incidents' longer-term impacts often result in legal, financial, compliance, and reputational repercussions.
The upkeep of an effective security posture requires a leadership mindset of constant change to fine-tune processes, tools, and goals. In addition, the fast-changing threat landscape demands CIOs build a next-generation security fabric consisting of automated architectures and improved security controls. By addressing the harsh truths of cybersecurity, organizations will proactively enhance resilience and reduce their risks.
Ernest Solomon is a CIO and certified CISO with over 20 years of success in transforming enterprises and directing IT operations to achieve exceptional business outcomes.
Past Attendees
ADP - VP Architecture & Infrastructure
AESO - VP, Information Technology
Agnico Eagle Mines - VP, IT
Agrium - Global Mgr., IT Security
Agrium - Senior Director IT Shared Services
Aimia - SVP & Global CIO
Ainsworth Engineered - Director IT
Air Canada Vacations - Director IT
Alberta Energy Regulator - Director, Office of the CIO
Anthem Properties - VP IS
AON Risk Solutions Canada - Head of IT
Avison Young - VP Global Enterprise Architecture & Integration
Aviva Canada - VP, Architecture & Strategy
Bank of America Merrill Lynch - CTO
BC Ferry Services - VP & CIO
Bell Business Markets - Director, Strategy & Planning
Bell Canada - National Director, Digital Transformation
Bellatrix Exploration - Director, Information Technology
Bentall Kennedy - VP IT
BFL CANADA - CIO
BFL CANADA - Director, Cybersecurity & IT Risk Management
Black Press - CTO
BlackBerry - VP Corporate IT
BMO Financial Group - Director, Technology & Operations Transformation
BMO Financial Group - Head of Services Delivery
Bombardier Aerospace - CISO
Bonavista Petroleum - Head of IT
Borden Ladner Gervais LLP - Global CIO
Bow Valley College - Director, IT Services
Bridgewater Bank - Head of IT
BuildDirect - VP IT
Bulk Barn - Head, IT
Burnco - CIO
Caisse de Depot et Placement du Quebec - VP, IT Planning, Architecture, Governance, Operations
Calfrac Well Services - Head of IT
Canada Goose - CTO
Canada Live - VP of Technology
Canada Mortgage and Housing - VP, Information & Technology
Canada Protection Plan - Head of IT
Canadian Depository for Securities - CIO
Canadian Direct Insurance - CTO
Canadian Payments Association - VP & CIO
Canucks Sports - Head of IT
Capgemini - Service Delivery Director
CAPREIT - CIO
Cardel Homes - VP MIS
Cargojet - CIO
CBI Health Group - CIO
CCS Corp. - VP IT
CDSPI - Board Director
Centerra Gold - Director IT & Comm
CI Global Asset Management - VP of Enterprise Infrastructure $amp; Operations
CIBC - Senior Director, Infrastructure Planning & Engineering
CIBC - SVP & CIO, Retail and Business Banking Technology
CIBC Mellon - AVP, Enterprise Architecture
CIBC Mellon - SVP & CIO
Cineplex Entertainment - CTO
City of Brampton - Senior Manager, IT Architecture & Planning
City of Richmond Hill - CIO
City of Toronto - Director of Strategic Planning & Architecture
CN Rail Service - Chief Information Security Officer
Coast Capital Savings - VP Technology
Colliers - Head of Technology & Data
Concordia University - AVP & CIO
Crescent Point Energy - Head of IT
Dairy Farmers of Ontario - Head of IT and Administration
Dale Parizeau Morris Mackenzie - VP, IT
Davies Ward Phillips & Vineberg LLP - Director, Information Technology
DealerTrack Canada - Director, Technology
Defence Construction Canada - Corporate Manager, IT
Deloitte - Director, Risk Advisory
Dentons - Canada CIO
Devon Energy - Director, Integrated Business Services
Direct Cash - VP IT & Security
Dynamic Tire Corp - CIO
D+H Partnership - VP, Head of Canadian Mortgage Technology
eHealth - EVP, Technology
eHealth Ontario - VP, IT Systems & Services
Encana - Director, InfoSec
Enbridge Inc. - VP, Technology and Information Services
Enerflex - CIO
Enerplus - VP. IS
ENMAX - VP, IT & PMO
Equitable Bank - CIO
Equitable Bank - CISO
Equity Financial Trust - VP, IT
Essential Energy Services - Director, IT
Expedia Cruise Ship Centers - VP IS
FGL Sports - VP, Information Technology
Finastra - SVP, Head Technology Managed Services
Fix Auto Canada - COO & SVP
Flightnetwork.com - CIO
Freedom Mobile - Head, Customer Applications, Experience, & Strategy
FT Services - CIO
FundServ - CIO
Genus Capital Management - CTO
Genworth Financial Inc. - VP IT
Geotab - Board Member
Golder Associates - CTO
Gran Tierra Energy - Director IT
Grant Thornton LLP - CIO
Grand River Hospital - Director, Data Governance & Analytics
Greenwin Inc - VP, Information Technology
Groupe Dynamite - Director, IT
GSK Canada - IT Director
GTAA - Acting CIO
H&R Block Canada - VP IT
Haventree Bank - VP, Technology
Hewitt Equipment Ltd. - VP & CIO
Hitachi Vantara - GVP & Global CTO
Home Trust Company - CIO
Home Trust Company - CTO
Home Trust Company - VP & CISO
Horizon North Logistics - CIO
HSB Canada - VP IT
IBM Canada - Associate Partner, Payments Industry
Indigo Books and Music - CIO
Interac Corp - Director, Platform Engineering
ivari - SVP & CIO
JP Morgan Chase Canada - Executive Director, Information Risk Management
Keyera Energy - Director, Information Technology
KFC Canada - CTO
KnowledgeOne - CIO
LaFarge Canada - Director, IT
Landmark Cinemas Canada - VP, IT
LAWPRO - CIO
LCBO - Director, Applications Systems
LCBO - SVP & CIO
Leisureworld Senior Care Corp - VP IS
Lifeguard Digital Health - Chief Security & Informatics Officer
Loblaw Companies Ltd - Senior Director, Customer Engagement Technology
London Drugs - GM IT
Loto-Quebec - Corporate Director, InfoSec
Magna International Inc - VP & Global Leader, IT (CIO)
Manulife - Global Head of Private Markets & Real Estate Technology
March Networks - VP Professional Services & CIO
MaRS Discovery District - Managing Director, Fintech and Commerce
McCain Foods Limited - Manager InfoSec
McInnis Cement - Director of Information Technology
Medical Pharmacies Group - VP, Information Technology
MEG Energy - Manager, Information Technology Solutions & Services
Metrolinx - EVP & CIO
Minto Group - VP IT
MMM Group - CIO
Montreal Police Service - CIO
Morguard Investments - CIO
Moulding & Millwork - CIO
MullenLowe Group - Global CIO
National Bank of Canada - Information Security Officer
National Capital Commission - Chief, IT infrastructure & Support Services
NHL Players' Association - Head, Security & Technology
Northbridge Financial Corp - CIO
OEC Group Canada - Vice President, Information Technology and Client solutions
ODAIA - CEO
Oildex - VP, Architecture & Infrastructure
OPTrust - AVP, Enterprise Data Services
Olympia Financial Group - CIO
OMERS - EVP, Data & Technology
OMERS - SVP IT
OMERS - SVP, Data & Advanced Analytics
Ontario Pension Board - CTO
Ontario Teachers' Pension Plan - SVP, Product & Delivery
Ontario Trillium Foundation - CIO
Osum Oil Sands Corp - Manager, IS
Ottawa Police Service - CIO
Pacific Western Transportation - CIO
Packers Plus - Global IT Director
Pason Systems - Manager, Digital Communications & Corporate IT
Patient News - CTO
Peel District School Board - CIO
Pengrowth Corp - Director IS
Penn West Exploration - Snr. Manager, IT Operations
Peterson Investment Group - Head of IT
PFB Corp. - CIO
Pizza Pizza - CIO & VP, IT
Precision Drilling - VP, IT
Precision Drilling - Director, IT Infrastructure & Security
PSP Investments - Snr. Director, Internal Audit & Business Infosec
Public Works and Government Services Canada - Director, IT Security Directorate
PwC - Managing Director, Real Estate Technology Advisory
Pythian - CTO
Qantas - Global CIO
Queen's University - Director, Information Technology
RBC Royal Bank - Head of Application Security, Data Protection & Security Consulting
RBC Royal Bank - VP, Technology Platforms & Risk Management
RBC Royal Bank - Global Cybersecurity VP
Regal Lifestyle Communities - CIO
Revera Inc. - CIO
Revera Inc. - Security Architect
Rheem Manufacturing - CISO & Enterprise Architect
Ricoh Canada - VP,IT
RioCan Property Services - VP IT
Roche - Head of IT Americas – Operations
Rogers Communications - SVP, Customer Experience IT
ROM - CIO
Russel Metals - VP,IS
Salvation Army Canada - Board Director
SCI Group - CIO
Scotiabank - Head, Systems Architecture & Platform Modernization
Scotiabank - VP - International Systems Technology
Scotiabank - Head, System Architecture & Platform Modernization
Scotiabank - Global Head, GBM Compliance & Transformation
Sears Canada - Divisional VP, Information Technology Services
Secure Energy Services - GM, IT
Shaw - Head, Customer Applications, Experience, & Strategy
Shaw Communications - VP, Technology Operations
Shaw Communications - Director, Risk Management
SMART Technologies - Director, IS Corporate Services
Smartcentres - Director IS, IT
SmartOne Solutions - President & CIO
Societe de Transport de Montreal - Division Head - Security and Compliance
Street Capital Financial - CIO
Sun Life Financial - AVP, Data & Business Intelligence Services
Sun Life Financial - VP Application Ops & Services
Sunco Communication - COO
Suncor Energy Inc. - Director, Application Portfolio Optimization, I&PM, Business Services
Symcor - CTO, VP Technology Services
Talisman Energy - SVP IT & Business Services
TD Bank - Enterprise Architect
Teknion - SVP, CIO
TELUS - Chief Security Architect
Tervita Corporation - VP, Information Technology
The Hudsons Bay Company - VP Technology
The Hudson's Bay Company - SVP & CIO
The Source - VP, Information Technology
TMX Group - CISO & Global Head of Infrastructure Services
Toromont Industries - VP & CIO
Toronto District School Board - Chief Technology Officer
Toronto Hospital for Sick Children - Director of Technology
Toronto Parking Authority - CIO
Toronto Police Services - CISO
Toronto Transit Commission (TTC) - Chief Enterprise Architect
Toronto Transit Commission (TTC) - CIO
Toyota Canada - National Manager, IS
Transamerica Life Canada - CIO
Trican Well Services Ltd. - Director, Business Information Systems
Tridel Corporation - CIO
Trillium Health Partners - IT Director, Applications & Clinical Informatics
UFA Cooperative - VP & CIO
University of Calgary - Executive Director, Development Services
University of Ottawa - CIO
University of Ottawa - Senior Director IT Services & Infrastructure
University of Toronto - Director, Centre for Management & Technology
University of Waterloo - Director, Technology Entrepreneurship
Valencia Risk - Managing Director
Vancity - VP Technology & Solutions
Viterra - Director Enterprise Technology
Wawanesa Mutual Insurance Company - Director of Innovation Outpost
World Health - Director IT
Wolseley Canada - CIO & COO
WSIB - Board Director
Yellow Pages Group - Director - Enterprise Data Management
York Region District School Board - CIO
York University - Board Director
Technology Archive
- ► 2023 (1)
- ► 2022 (1)
- ► 2019 (3)
- ► 2018 (1)
- ► 2017 (2)
- ► 2016 (2)
- ► 2015 (1)
- ► 2014 (3)
- ► 2013 (5)
- ► 2012 (4)
Organizations expect their CIOs to protect enterprise data and technology assets from the growing volume of cyber threats. Unfortunately, the speed at which cyber-attacks emerge poses tough challenges for resource-constrained IT departments.
