
The Harsh Truths About Cybersecurity

The pandemic compelled organizations to focus on their security postures as threats evolved globally. Consequently, CIOs realize they can't address cyberattacks with a "one size fits all" approach. Instead, security strategy is considered a holistic journey where enterprises use tactical measures in combination with a long-term vision to ensure that each initiative provides a building block for a future-ready environment.

To explore this critical topic, I participated in a panel at the Leadership in Tech Summit: Priorities for Turbulent Times. Along with Melissa Carvalho, RBC's Global Cyber Security Vice President, and Negin Arminian, Menlo Security's Cybersecurity Strategy Senior Manager, we examined the harsh truths facing the modern enterprise. Watch our panel discussion video: https://youtu.be/CXeDn1JMiXI

This article highlights the top priorities for organizations and ways to overcome obstacles. It presents an overall strategy of reactive and proactive elements across four core areas: Governance & Control, Security Solutions, Operations & Compliance, and People, Culture & Awareness.

The following is a summary of the harsh truths and ways that leading organizations mitigate their impacts.


Governance & Control

  • Security is a journey and not a destination: There is no such thing as a 100% secure environment. So, purge the idea of a flawless security implementation/roadmap. Instead, every leader in the enterprise should be held accountable for the constant evolution of their cybersecurity strategies.
  • Budgets remain under constant pressure: Although a cyber defence strategy is a managed cost, consider cybersecurity an organizational investment that protects and secures critical assets. Start by quantifying the impact of a breach in terms of downtime, recovery, legal, compliance, and reputational costs. Then, acknowledge that an increased budget helps to deliver the tools, frameworks, talent and partnerships that reduce organizational risk.
  • The board is watching: Many corporate boards prioritize cybersecurity by creating dedicated committees to address the associated risks. As a result, be proactive by educating board members and working with them to ensure security remains a top priority.
  • Security slows down the business: Users often view cybersecurity as a productivity blocker, resulting in attempts to circumvent processes and technical controls. Instead, CIOs must make security initiatives an enabler while developing solid partnerships with the business. To help ensure success, the security team should approach their work from a business perspective to demystify cybersecurity while making it seamless to end users.
  • The big picture remains unclear: Organizations often do not know why they need security or what their strategy includes. Therefore, CIOs must develop a comprehensive view of the enterprise security posture and a multi-year strategy to build awareness. This approach requires a gap analysis based on a proven information security framework and the three Cs of strategy implementation – Clarify, Communicate and Cascade.


Security Solutions

  • Attackers have penetrated your defences: The rapid increase in incidents and long-running attacks means that it's only a matter of time before bad actors breach your defences. As a result, accelerate plan development by assuming hackers are already in your systems and networks. This approach makes resiliency and rapid recovery a priority.
  • You're reinventing the wheel: Security challenges continue to be solved by industry and vendor communities. As a result, it is crucial to learn from partners and implement vendor-assisted solutions to reduce effort and accelerate the time to results. Furthermore, refrain from simply looking at the top category leader or the new shiny penny. Instead, seek a partner who aligns with your organization's goals and security objectives.
  • You have too many tools: Organizations implement a vast array of tools hoping that the bad actors will disappear. Unfortunately, this approach leads to tool overload and knowledge sprawl, which consumes valuable resources and leaves hidden gaps. Instead, CIOs should focus on how each tool contributes towards the overall strategy by addressing a gap and avoiding overlap. The goal should be an integrated security fabric where the tools complement one another to cover all components of the extended enterprise.
  • You can't support your tools: Operational adoption of tools is a real challenge. Correspondingly, organizations find it difficult to sustain their tools and extract the maximum value from them. To address this issue, include a training and transition plan in all vendor contracts and use your vendor training credits.


Operations & Compliance

  • There is no separate category for cyber risk: Creating a dedicated cyber risk department can produce sub-optimal results. Instead, add cyber into the overall organizational risk identification and mitigation framework to address all internal and external factors. In addition, prioritize a relentless focus on how to effectively turn down the risk dial as part of the security team's mandate.
  • Backups remain exposed: Attackers continue targeting the organization's backups to maximize damage and increase ransom demands for valuable data assets. As a result, CIOs need to implement an immutable backup strategy that includes encryption and multiple online and offline copies.
  • You don't have 360° visibility into your ecosystem: Constantly monitoring vendor cyber risk against compliance and control requirements remains a significant challenge. CIOs must implement continuous cyber-rating capabilities to understand their vendors' cyber posture and to make informed decisions when onboarding new vendors.
  • You aren't ready for an actual attack: Most organizations remain unprepared for a real attack. As a result, businesses must prioritize recovery rehearsals through tabletop exercises to verify and evolve action plans. Implement Red, Blue, and Purple teams to constantly adjust plans for new attack vectors and develop enterprise RACIs to ensure the entire organization falls within scope.
  • Policies will not protect the organization and address compliance requirements: Policies provide guidelines and boundaries for users but do not supply the ability to enforce them. As a result, CIOs must implement mitigating technology controls to support those policies (e.g., complex passwords, USB lockdown, device encryption, etc.).
  • You can't rely on cyber insurance: Cyber insurance will change drastically in the upcoming years through increased premiums, claim denials, and exclusions. These changes will force rigorous processes that verify organizations implement the appropriate controls and best practices required to reduce risks and impacts. CIOs must plan for the additional time, costs, and effort to maintain their insurance policies.


People, Culture & Awareness

  • The talent crisis is not over: The cybersecurity workforce reached an all-time high with an estimated 4.7 million security professionals, yet 3.4 million more are needed ((ISC)² 2022 workforce study), emphasizing that people will remain core to the organization. As a result, talent acquisition and retention strategies need to be well-defined, focusing on organizational values, culture, DEI, and ESG. In addition, CIOs must continually invest in people by upskilling them with the appropriate tools and training to improve automation and workflows for increased efficiency.
  • Cybersecurity awareness is not optional: End-user errors are a primary root cause of breaches. As a result, it's imperative to implement a continuous cybersecurity awareness plan that includes training and phishing exercises for all levels of the organization. This initiative focuses on learning how security threats happen and how end-users must act to avoid potential risks. To improve effectiveness, leverage the communications team and business partners to align and simplify the messaging.
  • Leadership isn't committed: During the cybersecurity journey, friction often slows progress due to scope and compliance constraints. Despite these challenges, protecting the enterprise requires continuous senior leadership commitment to reduce risk in an evolving IT environment and a growing cyber threat landscape. Adopt a mindset of constant learning and transformation by leveraging new technologies, processes, and frameworks to help the organization by simplifying cybersecurity.
  • DEI is more important than you think: For example, the UK biometric passport tool failed to work correctly for women of colour, resulting in re-work and negative press coverage. Organizations must acknowledge that DEI is vital in avoiding unintended biases introduced by new technologies. In addition, DEI also helps alleviate the cybersecurity resource gap by increasing access to a larger population of untapped talent.


Summing up the truths

Every organization faces a high risk of operations downtime and data loss caused by security breaches. In addition, these incidents' longer-term impacts often result in legal, financial, compliance, and reputational repercussions.

The upkeep of an effective security posture requires a leadership mindset of constant change to fine-tune processes, tools, and goals. In addition, the fast-changing threat landscape demands CIOs build a next-generation security fabric consisting of automated architectures and improved security controls. By addressing the harsh truths of cybersecurity, organizations will proactively enhance resilience and reduce their risks.

Ernest Solomon is a CIO and certified CISO with over 20 years of success in transforming enterprises and directing IT operations to achieve exceptional business outcomes.
