In August 2020, the Government of Canada launched CyberSecure Canada. By the time it launched, SMEs had already been waiting two years for the program, which had been developed in cooperation with industry, business associations, the Standards Council of Canada, and the Communications Security Establishment. As the Standards Council of Canada states:
“The program aims to
raise the cyber security baseline among SMEs in Canada;
increase consumer confidence in the digital economy;
promote international standardization; and
better position SMEs to compete globally.”
So where is the program after a little more than three years?
Only 41 organizations have received the CyberSecure Canada certification.
How small is 41? That is approximately 0.0033% of Canadian SMEs, based on the number of SMEs in 2022. If this is not enough to tell you that this program has failed, let us use the Standards Council of Canada’s own metrics to determine how well the program has performed. The Standards Council of Canada said it expected at least 2000 SMEs to be certified in 2021, with 5000 expected by 2025. By these accounts we can likely call CyberSecure Canada a failure.
What Went Wrong?
Lack of Recognition
Although developed with consultation and based on, what are the tangible benefits of obtaining the certification over other initiatives? Becoming certified allows you to display a CyberSecure Canada emblem with pride and show your customers that you take cyber security seriously. But what average Canadian or international customer will see the CyberSecure Canada emblem and understand what it means or what went into it?
Cost
Obtaining a level 1 certification costs $495, but it does not give you the full benefit of showing that you have received the CyberSecure Canada certification, which can cost $5000 or more for auditing and ensuring compliance.
Why would a company choose to do this when $5000 could be spent in much more beneficial ways, such as additional security improvements, when all that CyberSecure Canada really does is give you an emblem to display that few Canadians will understand?
Lack of Tangible Benefit or Requirements
If we look at the upcoming Canadian Program for Cyber Security Certification, the certification will be required for certain defence procurements. Businesses will absolutely be acquiring this certification if part of their business includes defence procurement.
Corporations will first and foremost always say they take cyber security seriously and hope their customers believe them. There are better ways of showing and proving you take cyber security seriously than receiving the CyberSecure Canada certification.
So What?
By itself, the failure of CyberSecure Canada may not be too impactful, as the Canadian Program for Cyber Security Certification will likely take on the role that CyberSecure Canada was attempting to fill. CyberSecure Canada received $28.4 million, which is a “drop” in the bucket when compared to the Canadian Program for Cyber Security Certification ($25 million) and the Canadian Digital Adoption Program ($4 billion), but there is increasing cause for concern about the ability of the Government of Canada to develop buy-in for these programs.
Take the Canadian Digital Adoption Program, which has had a difficult time GIVING money away. The Canadian Digital Adoption Program has $1.4 billion in grants and advisory services and $2.6 billion for loans. In its first year of operation, the Canadian Digital Adoption Program has only distributed $131 million in grants and loans, which is 3% of its budget.
The reasons cited for this include the program being complicated and poorly promoted. In addition, I have personally heard some criticize the program for its criteria and the inability of certain startups and new businesses to receive more than the micro-grant. Nevertheless, these critiques are in large part due to not yet being sizeable enough to qualify for the larger grant or loan offered by the Canadian Digital Adoption Program.
Following the news that the program was in trouble, business associations have been lobbying for some of this money to be diverted to other opportunities or programs. Regardless of one’s position on how this money could be spent most effectively, it will matter little if businesses aren’t buying into the program and taking advantage of what exists in the first place.
The Canadian Program for Cybersecurity Certification is looking to take advantage of the certification system that CyberSecure Canada had started, but this is an auditing and certification market that has never really been active, based on the number of organizations that have become certified. This is not to say organizations are not certified, but many do exist. It remains to be seen just how ready this sector is for the Canadian Program for Cybersecurity Certification once it is meant to begin implementation. While there is significant buy-in from industry for this new certification, there are unlikely to be any good metrics right now to determine how ready the auditing and certifying market is for the number of firms that will be looking to become certified.
Update: To clarify, the Canadian Program for Cybersecurity Certification is not directly trying to leverage the certification and auditing regime that was created around CyberSecure Canada. Rather, the hope is that this market of auditors will help to kickstart the auditing for the Canadian Program for Cybersecurity Certification rather than starting from scratch. However, it is recognized that the Canadian Program for Cybersecurity Certification has a much more rigorous process, so it is not a seamless transition.
The Canadian Program for Cybersecurity Certification is currently in the process of conducting financial analyses of costs for the certification. They would do well also to include a market analysis and understand where these other programs have faltered.
The original information that motivated me to write this came from an informal ATIP request, but the ATIP in which I found this information may have been originally requested by Matt Malone, who first wrote on this last year and is worth a read.