Skip to main content

Most cybersecurity professionals are snapped up by large corporations, leaving small business without the talent to help them protect their systems.

Gorodenkoff Productions OU/iStockPhoto / Getty Images

If you survey the owners, chief technology officers and IT specialists of most small- to medium-sized enterprises (SMEs) and ask them to highlight the digital dilemmas keeping them awake at night, cybersecurity will likely top most of their lists.

Finding the professionals needed to fend off cyberattackers would surely come a close second.

“There are a lot of smart people out there, but they’re being hired by the big companies,” says Alex Dow, chief technology officer at Vancouver’s Mirai Security Inc., a cybersecurity consultancy. “Companies in the small- to medium-sized space really struggle to find talent that’s willing to work in that space. Even my company struggles to win talent over from the Amazons and the Microsofts in Vancouver.”

Story continues below advertisement

Compounding the problem, Mr. Dow says, is the fact that novice cybersecurity specialists often need on-the-job training and time to gain practical experience before building the skills to tackle the toughest challenges facing their employers, such as social engineering-focused phishing and ransomware attacks. In reality, most SMEs can’t afford to spend the time necessary to train these new digital defenders.

Sometimes they can’t afford them at all. As Mr. Dow notes, new cybersecurity recruits can command salaries of up to $80,000 in markets such as Vancouver and Toronto. “We brought a recent grad in and he wanted $65,000,” he recalls.

That dearth of qualified professionals is a growing problem. A 2018 Deloitte Canada report projected a 7-per-cent annual increase in demand for cyber talent across the country, with organizations needing to fill about 3,600 cybersecurity positions between now and 2021. Globally, the consulting firm projects a 1.8 million-person shortage in cybersecurity professionals by 2022.

The latest Statistics Canada data highlight the importance of closing that talent gap. Fully, 21 per cent of Canadian businesses reported being victims of cybercrimes in 2017, with 10 per cent connecting those incidents to declines in revenue. More than half said cybersecurity issues impacted their ability to do business, at least in the short-term.

As the number of IT incidents continues to grow and the cyber-skills shortage deepens, SMEs are scrambling to protect themselves. Do they hire a full-time IT staffer or build out a full department? Or outsource to a third-party provider?

What they do know is they need to act now. But while doing more with less is a small- to medium-sized mantra, the escalating rate of cyberattacks is putting that philosophy to the test.

“There really aren’t enough cybersecurity practitioners in the marketplace,” says Moshe Toledano, a Montreal-based consultant and former chief information security officer at Bombardier Inc. He says that despite their limited budget, SMEs can no longer take a laissez-faire approach to cybersecurity. The attacks are far too frequent and the skills so specialized that having a part-time IT specialist managing that risk is likely inadequate.

Story continues below advertisement

So too is having a specialist that focuses solely on the technical side of cybercrime prevention. In Mr. Toledano’s view, it’s important for IT professionals to possess soft skills, such as the ability to analyze and effectively communicate a threat’s severity to senior leaders in a timely way.

Convincing them to proactively invest in risk-mitigation strategies and tools – such as teaching employees to spot phishing emails, or frequently patching software, for example – is one of the keys to preventing an attack.

Tying security to the business is also important, according to Mike Kulawik, the principal security solutions architect at digital security infrastructure and cloud services provider Scalar Decisions Inc., in Calgary.

Security professionals not only need to be able to spot security gaps, he says, but to develop fixes that are user-friendly and take the business’s operational needs into account.

“I’ve worked with many junior security people and they will try to impose such strict controls that the business apps are either unusable or so slow that it impacts productivity,” Mr. Kulawik says.

Vivek Gupta, Toronto-based cybersecurity practice leader with BDO Canada LLP, points to another, fundamental challenge for SME owners and their IT teams: understanding and quantifying the value of the digital assets they need to protect.

Story continues below advertisement

That could include personal information such as credit card or social insurance information, competitive data or intellectual property. Understanding the consequences of losing those assets – from lawsuits to regulatory ramifications – can help to develop the business case for hiring a full-time cybersecurity specialist, he says.

“A breach isn’t a matter of if or even when anymore,” he says. “A breach has potentially already happened; research shows it takes four to six months for someone to realize they’ve been breached. The question is, are you prepared to recover?”

For Mr. Dow, the ultimate case for making that kind of (often costly) initial cybersecurity investment comes down to the potential cost of not acting.

He says many large organizations are now adding security criteria into RFPs to protect their own networks, requiring suppliers to outline their cybersecurity protocols before agreeing to new contracts. SMEs that rely on dated strategies are facing a decided disadvantage.

“They might be able to survive without doing security until a ransomware attack happens,” Mr. Dow says of SMEs. “But if they want to be competitive and sell to the Fortune 1,000 or Fortune 2,000 [companies], they need to start demonstrating that they know what they’re doing when it comes to cybersecurity.”

Report an error Editorial code of conduct
Due to technical reasons, we have temporarily removed commenting from our articles. We hope to have this fixed soon. Thank you for your patience. If you are looking to give feedback on our new site, please send it along to feedback@globeandmail.com. If you want to write a letter to the editor, please forward to letters@globeandmail.com.

Welcome to The Globe and Mail’s comment community. This is a space where subscribers can engage with each other and Globe staff. Non-subscribers can read and sort comments but will not be able to engage with them in any way. Click here to subscribe.

If you would like to write a letter to the editor, please forward it to letters@globeandmail.com. Readers can also interact with The Globe on Facebook and Twitter .

Welcome to The Globe and Mail’s comment community. This is a space where subscribers can engage with each other and Globe staff. Non-subscribers can read and sort comments but will not be able to engage with them in any way. Click here to subscribe.

If you would like to write a letter to the editor, please forward it to letters@globeandmail.com. Readers can also interact with The Globe on Facebook and Twitter .

Welcome to The Globe and Mail’s comment community. This is a space where subscribers can engage with each other and Globe staff.

We aim to create a safe and valuable space for discussion and debate. That means:

  • Treat others as you wish to be treated
  • Criticize ideas, not people
  • Stay on topic
  • Avoid the use of toxic and offensive language
  • Flag bad behaviour

Comments that violate our community guidelines will be removed.

Read our community guidelines here

Discussion loading ...

Cannabis pro newsletter