Data seems to be a chief point of concern. Data governance and data infrastructure are considered to be areas of “unnecessary and avoidable” complexity by a majority of Canadian respondents (80% and 81%, respectively, compared to 77% for both globally). Most large companies’ technology architectures, which include legacy systems, are complicated. Mergers with other entities may multiply risks by connecting already complex networks and systems.
The most worried about all this complexity are CEOs. Globally, they assign a complexity level of ten to 7 of 11 areas in their organizations. CEOs tend to be more concerned about cyber and privacy risks arising from complexities in the cloud environment, governance of tech investments and crossover from IT to operational technology (OT). We’ve heard similar concerns from Canadian CEOs and executives.
Complexity isn’t bad in and of itself. Often, it’s a by-product of business growth. The larger an organization, the more complex it will naturally be, needing more people and technologies to serve a growing customer base. The costs of creating unnecessary complexity aren’t obvious, and it’s hard to create urgency around combatting complexity—that is, until an attack occurs.
Asked to highlight the top consequences of operational complexity, our Canadian respondents selected:
Complexity not only threatens today’s fortunes, in the view of executives. It also prevents organizations from creating new opportunities quickly and pursuing future ones.
Businesses know the risks of complexity, yet only 35% of global respondents have performed any streamlining of their operations, and a quarter say they’ve done nothing at all or are just getting started. But a shift appears to be underway.
Simplifying an organization takes time, requiring changes in viewpoints and company culture. That’s not easy to achieve, but the payoffs are mighty. Globally, the companies that have had the best cybersecurity outcomes over the past two years (most improved) are 5x more likely to have streamlined operations enterprise-wide. We see similar results among Canadian organizations.
More and more CISOs and CIOs are taking a hard look at their tech investments, no longer just entertaining or chasing the latest products from tech vendors. We’re seeing consolidation of tech vendors and applications to reverse the hard-to-manage and risky tangle of disparate and vulnerable software and tech stack.
To be fair, simplifying cybersecurity can be challenging. Asked to prioritize among nine initiatives aimed at simplifying cyber programs and processes, Canadian respondents displayed a slight preference for adoption of a cloud-technology strategy, but numbers otherwise were very similar.
CISOs who are building layers of control, for defence in depth, are well intentioned but must guard against introducing more complexity and cost. More controls and security technologies don’t always make a company more secure.
Moving to the cloud can help simplify business processes and IT architecture, provide flexibility and accelerate innovation. Yet companies typically waste an average of 35% of their cloud budgets on inefficiencies. Runaway complexity can quickly result from extensive technology options, new architectural approaches, complicated service plans, unused capacity and confusing billing and pricing, especially when the technologies offered are constantly changing.
Done right, however, cloud transformations can be secure, efficient and successful. Cloud security is among the top investment priorities of our Canadian survey respondents. That’s encouraging—but only 20% of Canadian respondents report realizing benefits from these investments (16% globally). Thirty-four percent haven’t fully benefited from cloud security investments (35% globally), and 42% are just starting or planning theirs (45% globally).
Whether or not you’re using the cloud to simplify, minimizing and combining your tech stack and processes may feel like a bold move. Doing so requires asking hard questions and maintaining a keep-it-simple mindset. To get there, your organization will need security-minded leadership starting at the very top.
Average share of total spending on cyber simplification
Organizations first need to set up that good foundation we call data trust: making sure you’re using data responsibly, securely, accurately and ethically so you can rely on it for business decisions. (And when it comes to customer data, you want to make sure customers know they can trust you to keep their information safe from unauthorized eyes and inappropriate use.)
But only approximately a third of respondents, both in Canada and globally, report having mature, fully implemented data trust processes in four key areas: governance, discovery, protection and minimization. Nearly one in five Canadian respondents (one in four globally) says they have no formal data trust processes in place at all. Once you’ve crafted your data strategy, governance—the policies, procedures and processes for fulfilling the strategy—should follow immediately.
Securing your data from tampering as well as theft is also critical to success, yet only about one-third of Canadian and global respondents report having in place fully implemented, formal data security processes including encryption and secure data-sharing (30% in Canada; 34% globally). Verifying and protecting the integrity of your data are essential as well. Not doing so is like hiring workers without fact-checking their resumés. You can’t be certain of the quality of the information.
And only 36% have mapped all their data (35% globally), meaning they know where it comes from and where it goes. Even fewer—29%—have mature data minimization processes (35% globally).
The two-thirds of organizations that haven’t formally implemented data trust practices may be at risk in more ways than one.
Effective data governance is important not only for operational resilience, but also for compliance with regulations such as Bill 64 in Quebec and the expected reintroduction of the federal Consumer Privacy Protection Act (Bill C-11). Both bills include significant regulatory changes in the way companies operating in Canada must protect personal information and are backed by substantial fines for non-compliance. When someone asks for information about their data—what you’re keeping and what you’re doing with it—you need to be able to answer quickly and accurately.
Percentage who say they’ve fully implemented formal processes around these data trust practices
Ask: What’s the cyber plan for that? You can ignite major change—operational and cultural—simply by asking this one question of every business executive in charge of a transformation or new business initiative. By placing cybersecurity front-row centre, you can avoid the unnecessary and costly complexities you may see now, when it’s an afterthought.
Include the CISO and security teams early in cloud migration and adoption, mergers and acquisitions, and other organizational initiatives. That way, every executive at the helm of a major business initiative will be able to readily answer the cyber-plan question.
Dare to subtract. Left on their own, technology and data tend to multiply, divide and conquer efficiency and security. Whittle down excess with security goals in mind: assess your data stores and eliminate everything you don’t need now. Move your disparate apps and solutions into a cloud environment for easier management and consolidate, liquidate and automate where you can. Also, rethink your tech and cyber investment processes. Focus first on simplifying where benefits are greatest for the whole organization.
With regulatory updates including big fines on the horizon, now is the time to take a strategic data trust approach. Build an ecosystem that will allow your organization to create, use, share and retire data securely and transparently. Invest as needed to improve your customer experience and build the trust you’ll need to unlock data value. This will help you better protect customer and employee privacy and manage your privacy risk exposure—and get the buy-in that's needed of the business and enable your company’s strategic data-related priorities.