Canadian execs say organizational complexity poses 'concerning' cyber risk

30 November 2021 3 min. read
More news on

More than 80% of Canadian executives believe avoidable organizational complexity poses a “concerning” level of cyber and privacy risk, according to PwC's 2022 Digital Trust Insights. The consulting firm in July and August 2021 surveyed 3,602 business, technology and security executives globally, including 114 respondents in Canada.

Most Canadian executives (70%) are anticipating an increase in cybercrime, with the top targets being mobile, the internet of things, and cloud. Most execs (66%) also expect cyber spending to grow, up from 56% in last year’s survey.

The areas where organizational complexity poses the greatest risk, according to global CEOs, are the cloud environment and governance of tech investments.

“Digital connections continue to multiply and form complex webs that grow more intricate with each new technology. The answer here isn’t just adding more technology, instead it’s about working together as a unified whole, from the tech stack to the boardroom,” said Sajith Nair, partner and national technology and cloud leader, PwC Canada.

Canadian executives believe adoption of a cloud technology strategy is the highest priority area for cyber simplification. Other key simplification initiatives include integrated controls across risk disciplines and integrated data governance.

Canadian execs say organizational complexity poses 'concerning' cyber risk

“Digital and cloud transformation, when done thoughtfully, provides organizations tremendous opportunities to simplify,” Nair added. “Many however are unintentionally introducing additional complexities which are exposing them to unnecessary and avoidable cyber and privacy risks.”

Though more than 80% of Canadian execs view data governance and data infrastructure as areas of unnecessary and avoidable complexity, only one-third say they have mature and fully implemented data trust processes across governance, discovery, protection, and minimization.

Furthermore, only 36% of Canadian leaders told PwC they have mapped all their data – including where did it come from and where did it go – and only 29% have data minimization processes. Mature data trust processes are especially critical as regulation accelerates, including Quebec’s Bill 64 and the expected reintroduction of federal Bill C-11.

Third-party breaches and complex and opaque vendor networks pose another risk to organizations. Only 41% of Canadian respondents said they thoroughly understand the risk of third-party data breaches while nearly one-quarter said they have little or no understanding.

PwC notes that the organizations with the best cyber outcomes over the past two years have consolidated technology vendors – since decreasing third-parties reduces threat surfaces and simplifies security assessments.

According to the report, security leaders believe CEOs tend to get involved when a crisis strikes, whereas CEOs think they’re more engaged. Chief executives said they participate in cyber discussions during M&A, changes to operating model, and future strategy.

“CISOs and their teams can benefit from broadening their outreach beyond CIO or CTO relationships to the greater C-suite, to create business-informed solutions,” said Jennifer Johnson, leader of national cybersecurity, privacy, and financial crime markets at PwC Canada. “Quantification of cyber risks will help CISOs better engage C-suite on cyber exposure and get their support for cyber program.”