TORONTO — The Canadian government needs to take a more active role in setting standards and creating a culture of transparency around IT security, executives and members of the Canadian Advanced technology Alliance said Tuesday.
IT industry association made its recommendations as part of the release of a study that profiles Canadian IT security trends. CATA has created a database on its Web site of 700 firms, approximately 300 of which completed its survey. The results showed an industry that is closing the traditional divide between IT security and its physical counterpart, according to the report’s author. IT also shows surprising strength despite the industry-wide slump: 85 per cent of respondents said their business has increased this year.
“”There’s been a crisis, but not as big as the rest of the IT sector,”” said Jean-Guy Rens, a CATA executive director who complemented the survey with a series of one-on-one interviews.
Rens suggested that the government encourage corporate enterprises to report security breaches as a general good business practice. According to Craig Heldson, national principal with IBM Canada’s security and privacy testing group, it’s becoming an obligation in the United States. He pointed to a recent law in California, SB-1382, which requires companies to notify all their customers when security has been compromised. “”How are you going to notify three million people?”” he said. “”The postage alone will kill you.””
Canada is nonetheless likely to move in a similar direction, Heldson said, which is why businesses should start reporting incidents now. Bank of Montreal chief information security officer Robert Garigue agreed, adding that transparency is a part of maintaining credibility with customers. “”I have to make these trustworthy practices visible.””
One audience member suggested security legislation and government-mandated security audits could prove expensive. “”What kind of plane would you like to fly on — a regulated one or an unregulated one?”” Garigue shot back.
Rens also suggested the formation of a “”triumvirate forum”” with the government, the private sector and Canadian universities to develop the skills necessary to meet employers needs, something Heldson admitted was a challenge at IBM. Garigue said BMO has spent the last few years turning to co-op programs with computer science classes to help find new talent.
“”They go back to their classes and they end up doing their thesis on security,”” he said. “”We seeing a lot more situations where we recruit from people we train (as co-op students).””
Security companies told CATA their biggest obstacle to growth was adequate financing. According to CATA board member Norm Kirkpatrick, that’s due to a lack of industry knowledge among venture capital firms here, who tend to be generalists. While many of these Canadian security firms generate most of their business from the United States, Kirkpatrick also warned them to remember where they paid their taxes.
“”If we asked you to be a member of CATA and help fund this study, you would have said, ‘Nah, I just bought a pair of $500 roller skates for my kid, and you CATA people are asking too much,”” he said. “”You have to work it on both sides.””
The CATA report, which is available for sale, includes several case studies that illustrate the different core businesses in advanced security.