We all know the conventional wisdom around the creation of debt: avoid it wherever possible. Not paying the bills and carrying a balance on your credit card are dangerous. Debt is like a hole that becomes increasingly difficult to escape from. Think about why credit and reference checks are so important when establishing a new business relationship (or hiring a new employee). We all want to know we are doing business with responsible organizations and people who are committed to good management and ethical stewardship.
Think about the landlord who fails to invest in proper upkeep of his or her properties, risking future catastrophe to save money or to avoid any short-term effort. Putting off necessary (if not urgent) investments and delaying work is a kind of debt accumulation. Eventually it will have to get paid – either when it gets forced upon the crummy landlord by the authorities or when a disaster strikes and they become legally liable.
The same phenomenon is true when it comes to IT leadership and investment in information security. Whether due to a lack of executive sponsorship, or a state of denial on the part of the IT professionals managing your systems, today’s realities are stark and getting worse. The analysts and experts all agree: too many Canadian organizations are chronically underfunding and neglecting the importance of an information security strategy.
Leaders in the cyber security field are not mincing words; their concern about Canadian executives not taking security as seriously as they should is clear. At the 2016 SC Congress in Toronto, Jason Murray, senior manager for cyber security at MNP LLP, characterized the situation like this: “They’re accumulating technical debt. Every year they don’t spend enough on information security they’re adding to the debt and hoping that when the debt comes due they’re not around to take the fall … The market should punish these people, just like they were accumulating financial debt… and they would go out of business.” (Source)
Is your business investing enough resources into security? Are you confident you can identify your current risk areas? What would you do if you found out about an information breach at your company? These are tough questions that Canadian IT professionals need to get a handle on with growing urgency. Every month that you maintain an immature security posture, you are accumulating technical debt and increasing the odds of a disaster. The stakes are getting higher too, with new federal regulations coming into effect in 2017.
The laws are changing here in Canada. In accordance with the Federal government’s national Cyber Security Strategy, mandatory disclosure laws are coming into force within the next year. These laws are going to mandate full disclosure for any organization that has an information security breach. Not only must you notify your customers and partners about a breach, your business will be obliged to report any major incident to the Federal Privacy Commissioner as well.
The first step toward a mature cyber security strategy is understanding your current state and articulating where your business needs to be. Let us help you conduct a vulnerability assessment. Invest in the right tools. Don’t let your business become an example. We can help.