Rotman – Telus Release Joint Study on Canadian IT Security Practices

Canada is a distinct market, significantly different from the US, with a very different regulatory climate, yet subject to many of the same threats and risks.  With the threat landscape rapidly evolving, Canadian organizations are finding it difficult to maintain their security posture, especially amidst current financial challenges.  In 2009, top performers overcame these difficulties by:

  • Managing a complete breach life-cycle, ensuring detection and remediation improvements are accompanied by prevention improvements.
  • Developing flexible security programs with strong core capabilities and the ability to adjust to a rapidly changing threat environment.
  • Increasing focus on education and awareness across IT and other employees to ensure risks and responsibilities are understood by all.
  • Balancing technology spend with staffing to ensure that lack of resources does not impede deploying and using needed technologies.

Key Findings

  • Breaches and annual costs are up while per-breach costs are down
  • Canada is catching up to the US in terms of breaches
  • Most breaches led by unauthorized access by employees
    • Insider breaches almost double in 2009, now comparable to US rates
  • Disclosure or loss of customer data remains the top issue
  • Organizations cite damage to brand as biggest breach concern
  • Growing threats have rendered most security budgets inadequate
  • The average security budget was 7% of the IT budget
  • Top performing respondents spent at least 10% of their IT budget on IT security
  • Organizations rewarding formal education more than certifications
  • 46% of respondents earned more than $100,000
  • High-performing security programs have strong governance and focus on education
    • Business metrics substantially increased the perceived value of security
  • On-shore security outsourcing increases
    • Privacy favoring Canadian service providers
    • Publicly traded companies outsource to the best-value provider regardless of location
  • Application security practices not keeping up with evolving threats
    • More than half of respondents consider security in their development lifecycle
    • Focus in Canada is predominantly towards after-the-fact security, rather than “build it secure.”
  • Cloud security concerns similar to classic outsourcing
  • Technology investments focus on fighting malware
    • Organizations favor protecting applications versus fixing them

Highly recommended reading.  Download a copy of the Executive Briefing and the Full Report for FREE!  –  Compare your own security posture to over 600 study participants at