Canadian firms lagging in zero trust, SASE architectures, survey suggests

Canadian organizations are lagging other countries in implementing zero trust and secure access service edge (SASE) architectures, a global survey for Cisco Systems suggests.

According to a report released this week, only 39.5 per cent of Canadian respondents said their organization had a mature implementation of a zero trust architecture. That compared to 61.5 per cent of respondents in Indonesia, 47 per cent of respondents in India, 46.2 per cent in Saudi Arabia and 41.4 per cent in the U.S.

Still, Canadian respondents were ahead of those in the U.K., France and Germany.

Just over 92 per cent of Canadian respondents said they were investing in some way in a zero trust architecture, with 51.3 per cent saying their organization was making steady progress, while 7.9 per cent said they were only working on it in a loose or limited way.

The U.S. National Institute for Standards and Technology (NIST) says zero trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location. Authentication and authorization of both a user and device are discrete functions performed before a session to a resource is established. One expert at the SANS Institute has said organizations can’t have a zero trust architecture until they have mastered basic cybersecurity controls.

In another part of the survey, 33.9 per cent of Canadian respondents said they have a mature implementation of SASE architecture. Again, that put them behind respondents in Indonesia, India, the U.S. and Saudi Arabia, but roughly even with the U.K., Brazil, Malaysia and Japan.

According to Wikipedia, SASE combines SD-WAN with computer security functions, including cloud access security brokers (CASB), Secure Web Gateways (SWG), antivirus/malware inspection, virtual private networking (VPN), firewall as a service (FWaaS), and data loss prevention (DLP), all delivered by a single cloud service at the network edge.

The survey numbers are included in volume two of Cisco’s Security Outcomes Study, a survey of 5,123 security and privacy professionals in 27 countries. They were asked about their use of 25 general security practices and how each correlates with the achievement of 11 program-level outcomes.

Cisco says the data on zero trust and SASE is important because organizations that claim to have mature implementations were 35 percent more likely to report strong security operations than those with nascent implementations.

Dave Lews, Cisco’s Canadian-based global advisory CISO, said he wasn’t surprised at how Canadians rated their maturity levels for implementing zero trust and SASE. Generally, he said, Canadians are conservative in implementing new technology.

“I’ve worked in a number of Canadian organizations. A lot were running systems that were beyond their useful life that were still being relied on as mission-critical systems.”

In the past two decades, he added, there has been “a definite improvement overall in how security is being handled” by Canadian IT leaders.

He also suggested the numbers on these two questions shouldn’t be overestimated. “Zero trust and SASE are proven methodologies that improve security in organizations. That being said, there are other approaches organizations may be using. Because an organization may not necessarily be on a path towards zero trust, I wouldn’t penalize them for a moment. They may have a different program they are utilizing to reduce risk.”

Among the study’s findings:

–modern, well-integrated IT contributes to overall program success more than any other security practice or control;

–SecOps programs built on strong people, processes, and technology saw a 3.5 times performance boost over those with weaker resources;

–Outsourced detection and response teams were perceived to be superior, but internal teams show faster mean-time-to-respond (six days vs. 13 days);

–teams that extensively use threat intelligence are twice as likely to report strong detection and response capabilities;

–The probability of maintaining business resilience doesn’t improve until business continuity and disaster recovery capabilities cover at least 80 per cent of critical systems;

–organizations that regularly test their business continuity and disaster recovery capabilities in multiple ways are 2.5 times more likely to maintain business resiliency.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer. Former editor of and Computing Canada. An IT journalist since 1997, Howard has written for several of ITWC's sister publications, including Before arriving at ITWC he served as a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.

Featured Story

How the CTO can Maintain Cloud Momentum Across the Enterprise

Embracing cloud is easy for some individuals. But embedding widespread cloud adoption at the enterprise level is...

Related Tech News

Get ITBusiness Delivered

Our experienced team of journalists brings you engaging content targeted to IT professionals and line-of-business executives delivered directly to your inbox.

Featured Tech Jobs