Cybersecurity: Time to be proactive

What can public and private sector organizations do to mitigate cybersecurity risks and enforce regulatory compliance?

Public and private organizations in Canada are becoming increasingly aware of the need to actively protect sensitive data. However, that process is currently very reactive; a vulnerability is identified, a new patch for that weakness is created, and the patch is applied. But the damage is usually done by this point. 

What complicates this is that organizations are waiting to hear from the government and legal authorities on which regulations will be applied, instead of getting ahead of the curve. In terms of regulations that exist out there today, there is the Payments Services Directive (PSD2) in Europe, the General Data Protection Regulation (GDPR) also in Europe, and the California Consumer Privacy Act (CCPA), among others. In Canada, the government has released a few items. Canada’s Digital Charter, developed with input from Canadian citizens with a plan to make Canada a competitive, data-driven, digital economy, was released in May 2019.  At the same time, Innovation, Science and Economic Development Canada (ISED) released the Strengthening Privacy for the Digital Age consultation document to obtain feedback from industry and the general public on modernizing the Personal Information Protection and Electronic Documents Act (PIPEDA). We’ve also seen the Financial Transactions and Reports Analysis Centre (FINTRAC) publish an update in October 2019 for guidance on Know your Customer (KYC) requirements permitting digital onboarding.  So the Canadian government may wish to provide clarity on which regulations it could, should and will apply to Canadian organizations.

“The Canadian government may wish to provide clarity on which regulations it could, should and will apply to Canadian organizations.”

The problem for governments is monitoring compliance. How do you monitor financial institutions to ensure sensitive data is always protected? This is very difficult and complex. There are many financial institutions and smaller providers out there, so how can government make sure they are not lying about being compliant? This is where governments are facing challenges; they only realize that a regulation was being broken after the problem has surfaced.

Overall, organizations and the Canadian legal system would benefit from taking a proactive approach to data protection and cybersecurity efforts to help prevent future breaches.

Why did OneSpan choose to invest in Montreal and how strong is its cybersecurity ecosystem?

There are several reasons why OneSpan chose Montreal for its largest R&D centre worldwide. First, OneSpan acquired two Montreal-based companies – one in 2015 and another in 2018 – and consolidated the company’s research and development teams. During this process OneSpan saw the potential of Montreal’s talent pool and the amount of investment in high tech, including artificial intelligence and cybersecurity. There are also corresponding university programs at several institutions, the city is multicultural and multilingual, and Quebec offers financial incentives. Groups like Investissement Quebec and Montreal International are attracting external and foreign investment to the province. It was clear that Montreal was a prime location for the company’s global research and development efforts.

“OneSpan saw the potential of Montreal’s talent pool and the amount of investment in high tech, including artificial intelligence and cybersecurity. There are also corresponding university programs at several institutions, the city is multicultural and multilingual, and Quebec offers financial incentives.”

Also, Montreal is home to several large banks and financial institutions. For OneSpan, Montreal works as a great base for our R&D operations supporting both local and global customers.

Looking at talent specifically, how does Montreal’s cybersecurity ecosystem fare?

Montreal’s software industry is aggressively recruiting, all fighting to hire from the same talent pool. It will be important to continue investing in educational programs to educate students on cybersecurity, or look at ways to bring in external expertise.

“It was clear that Montreal was a prime location for the company’s global research and development efforts.”

The city’s top universities do have cybersecurity programs. However, they must continue to enhance, revamp and review their programs so they are up-to-date with the latest cybersecurity trends. There are so many new technologies being used as part of cybersecurity solutions – including artificial intelligence and behavioural biometrics – and we need universities to train, educate, and graduate students with that knowledge. 

What should Canada focus on to capitalize on the cybersecurity industry’s  growth?

To drive growth, there needs to be greater synergy between the cybersecurity industry and industries at risk of, and interested in preventing, cyberattacks, like banks, governments and health systems. Hackers can come from anywhere and hacking is becoming more accessible to everyone. The industry needs to work together to prevent fraud, and that includes academia, commercial industries, financial institutions and the government. It should be a common and consolidated effort on that front.

“To best position Canada for growth, I would urge Canada’s Federal government to set specific national priorities around cybersecurity.”

To best position Canada for growth, I would urge Canada’s Federal government to set specific national priorities around cybersecurity.The government should design specific metrics and specific key performance indications on reducing the number of successful cybersecurity attacks. It should also impose budget requirements on businesses to necessitate investment in cybersecurity. A national policy would help both Quebec and Canada organize the industry and would align Canada’s effort with international security.

Canada has good programs to support the sector, but it must streamline paperwork and support the industry in applying for these financial incentives. Supporting companies like OneSpan to apply for these programs would enable us to focus on attracting talent and onboarding new employees.

What do you see as the main drivers for growth in the cybersecurity industry?

The industry’s future growth will come with the alignment of artificial intelligence, machine learning and cybersecurity – areas Montreal has deep expertise in. This will enable organizations to be proactive against attacks.

Adopting a proactive approach will be key. As such, I would encourage everybody involved in cybersecurity to focus on applied research versus pure research. This is a must. It is not a question of understanding where we will be in 10 or 20 years time, but understanding how we will be ahead of the curve and ahead of the attacks.

“The industry’s future growth will come with the alignment of artificial intelligence, machine learning and cybersecurity – areas Montreal has deep expertise in. This will enable organizations to be proactive against attacks.”

Overall, I am optimistic about the cybersecurity ecosystem in Montreal and Canada. The public is more aware of the importance of cybersecurity and the importance of keeping data safe and secure. It is critical that we continue to increase global awareness and understanding of cybersecurity, and overall, Canada is in a good position to do that.