Key finding: Enterprises that say "no" to new technologies in an effort to reduce risk are in fact less secure than enterprises that say "yes" and adopt responsibly
March 7, 2013
/CNW/ - TELUS and the Rotman School of Management at the University of Toronto today released the fifth annual study on Canadian IT Security. Taking a qualitative approach for the first time, the research team interviewed security leaders from across the country in a variety of industries to capture personalized insight about the security issues that keep them up at night.
"This year, we felt it was critical to validate our quantitative findings from previous years with qualitative insights," said Dr.
, professor of Business Economics, Rotman School of Management. "We wanted to provide Canadian security leaders with access to real-life experiences, best practices and strategies used by their peers."
Four key security-related concerns were revealed during the roundtable discussions and interviews:
- Has my organization been breached, and I don't know about it?
- How will a breach affect my brand?
- What are my employees doing with corporate data?
- How do I retain my security resources?
In exploring these four concerns, several insights emerged:
- A pervasive sense of vulnerability: Most Canadian security leaders believe that a security breach is inevitable and lack confidence in their organizations' ability to detect the breach and mitigate possible damage.
- People are the weakest link: Whether a result of ignorance or malicious intent, people pose the greatest risk to Canadian enterprise security, elevating the importance of awareness and education.
- "Yes" organizations are more secure than "no" organizations: Organizations that work with employees to adopt innovation or new technology responsibly ("yes" organizations) are more secure than organizations that limit innovation adoption with rigid IT security controls ("no" organizations). "No" organizations tend to operate with a false sense of security because employees often circumvent controls to access technologies they deem critical to productivity, leaving the organization unaware and at risk.