There’s generally an adoption lag between Canada and the U.S. with newer, more advanced technologies – and that’s what one might expect with sophisticated security tools. But according to recent findings from Info-Tech Research, the similarities between Canada and the U.S. are much more compelling than the differences.
When comparing samples from Canada (more than 550 organizations) with the U.S. (more than 1,000 organizations), the adoption gap simply isn’t there, said Michael O’Neil, managing director of Info-Tech Research Group’s Indaba Division. The survey compared spending on IT security, threat sources and the technologies deployed to address those threats – and how the approaches of IT managers in the two countries compare.
Not only did the survey find that spending on IT security was similar, but IT managers also had the same concerns, such as protection from external threats, protection of their physical data centre, protection from internal user malfeasance and security of mobile devices. The numbers were also similar when it came to security technologies deployed, from UTM devices and authentication tools to encryption software and wireless LAN security. “Equivalent samples from the two countries operate in more or less the same way in terms of their perception of where threats are coming from and the technologies they’re deploying against those threats,” he said.
However, this doesn’t reflect the differences in the composition of the two economies, said O’Neil. “While our samples include equal numbers of large, medium and small companies in different industries, the Canadian economy includes many more small entities in pretty much all industries,” he said, “and big entities do more stuff than small entities.” And, if you apply that finding to the relative composition of the two economies, you do start to see a gap between Canada and the U.S.
The other caveat is that Canada is a trade-oriented country, and, in some sectors, it’s almost necessary for Canadian businesses to adopt standards that are consistent with those adopted by U.S. businesses. “Security itself might prove to be a special case,” said O’Neil. “It’s an advanced technology, but it also addresses something that’s particularly important to Americans, who are major trading partners.”
Andrew Pridham, director of consulting services with CGI’s security practice in Ottawa, said this is just the cost of doing business with the U.S. “Sarbanes-Oxley, which was a result of the various scandals like Enron, has had an impact on Canadian firms,” he said, “and that’s because, if you want to be listed on their stock exchange, then you need to be compliant with Sarbanes-Oxley.” And that, he said, has led to a greater trend with respect to security spending toward compliance in general.
Our economies are closely linked, but we’re also linked in other areas. “We’re collaborating in NATO and NORAD, interoperating in Afghanistan,” said Pridham. “We’re pretty much operating in the same way, and there’s nothing that I’ve observed that indicates our level of security spending is much different in general – in government and industry.” However, security spending is hard to pin down, he added, because there are many areas where IT is shared, so security isn’t always neatly boxed within one part of an organization’s budget.
Mridula Sharma, director of IT at London Hydro, has also held several positions in the U.S. “From that perspective, I don’t see any differences,” she said. “We have the same challenges as they do – it’s a global economy and a much more global world with the Internet, and it doesn’t matter whether you’re in Beijing or in Toronto or in Washington, D.C., – security challenges really are the same for all of us.”
Security threats and attacks have also been on the rise, causing greater awareness around the globe. “Spam has increased quite a bit in the past four months,” said Sharma. “It’s our No. 1 priority right now.”
Mike Cuddy, CIO of Toromont in Concord, Ont., agrees. Three or four years ago, there may have been greater recognition in the U.S. of incidents that heighten the general public’s sensitivity to potential breaches. At that time, U.S. Web sites were often targets because they had such broad exposure. But today, says Cuddy, there’s not a lot of difference, and security transcends geographical boundaries and even industries. “We have U.S. operations as well as Canadian operations,” he said. “We wouldn’t look at them any differently from a security standpoint.”
Network computing has allowed organizations to put computing resources in locations that best optimize economics. “You don’t only book your Air Canada airline ticket as long as the server is in Toronto – you don’t really care where the server is,” he said. “And if Air Canada chooses to have that server in Canada or the U.S., it has to do with technology management economics. So when you’re looking at security of all those components, how can you separate it geographically?”
Where he sees a difference in focus on security-related technology initiatives is between companies that are private versus public, and between companies involved in different industries.
This is also consistent with findings from the survey. Financial institutions in the U.S., for example, are more security conscious than any other sector, including Canadian financial institutions – mainly because they’re subject to so many regulations from government and industry associations, said O’Neil. And that drives a high awareness of and investment level in security technologies in U.S. financial institutions.
In Canada, government investment patterns appear consistent with setting a good example for the organizations around them. “It looked like the Canadian government was actually more active than the U.S. government,” said O’Neil, “not in terms of the depth of the investment, but certainly in terms of the overall approach to security deployment.”
For the complete Info-Tech Security Report, please go to www.itbusiness.ca/InfoTechSecurity
In an exclusive excerpt from the Info-Tech report, senior analyst Ed Daugavietis studied the security spending data and identified four factors that he says are closely associated with increasing spending on security. These include:
- Investment pattern – The Info-Tech Quarterly IT Benchmarking Panel survey asks members to identify their approach to IT investment, with options ranging from “conservative” to “leading edge.” Those tending towards leading-edge investment patterns are nearly 50 per cent more likely than those on the conservative side of the spectrum to report increasing spending on security.
- Corporate growth rate – Viewing spending patterns through the filter of corporate growth yields a similarly distinct discrepancy in security spending increases. Organizations that are in high growth mode are 45 per cent more likely to report increases in security spending than those that are growing at less than five per cent, and more than twice as likely to boost spending as those whose revenues are declining.
- Current security spending levels – Project data makes it clear that organizations that already spend a lot on security continue to push their expenditures in this area, while those with lower current spending levels are less likely to accelerate allocations.
- Industry – Some industries are prone to security spending increases. In the U.S., Financial Services is clearly more aggressive than other segments in building security investments. In Canada, Financial Services and Business Services sector firms are most likely to continue to increase spending. “Taken independently, none of these accelerating factors is very surprising,” Daugavietis said. “However, by isolating four different circumstances that are each tied to increasing emphasis on security, we are able to help IT managers place security-related budget changes in context.”
In both countries, approximately 23 per cent of organizations allocate less than two per cent of their IT budgets to IT security. Almost one third of IT managers in the U.S. and Canada report that they are spending two to five per cent of the their total IT budgets on security.