The national standard is meant to lay out core requirements for the qualifications of cybersecurity workers.
The CIO Strategy Council, Canada’s national forum for chief information officers (CIO) and executive tech leaders, wants to establish a national occupational standard (NOS) for cybersecurity workers in the country.
“Cybersecurity is not, however, just about technical systems, it’s also about people, their behaviour and how they connect and engage with those systems.”
– CIO Strategy Council
This week, the Council announced that it is seeking input from industry stakeholders on its draft for the national standard, which aims to lay out the minimum core requirements for the qualification of cybersecurity professionals and their responsibilities. These roles include those working in IT security, information security that involves digital artifacts, and digital security.
Despite the internet and connected computing being around for over two decades, the Council said that cybersecurity remains an evolving field of work.
“As such, the work has not been well defined in occupational terms and cybersecurity work is often conflated with other organizational roles,” the draft reads. “Accordingly, the NOS defines primary cybersecurity work as distinct from other occupations in information technology, security, business management, or public administration. Cybersecurity is not, however, just about technical systems, it’s also about people, their behaviour and how they connect and engage with those systems.”
In the draft document, the Council divided the roles within the cybersecurity sector into four major work categories and occupational sub-groups: oversee and govern, design and develop, operate & maintain, as well as protect and defend.
Under the oversee and govern classification, for example, includes CIOs, in which the NOS states must have five to 10 years of experience in the IT domain, and three to five years in cybersecurity management roles.
Technation initially published its own version of an NOS for cybersecurity workers, which was funded in part by the Government of Canada’s Sectoral Initiatives Program. Technation’s report served as a seed document in the development of this NOS draft, according to the Council.
This move by the Council to create an NOS for cybersecurity comes amid a rise in cyberattacks in Canada as the COVID-19 pandemic exposed the vulnerabilities in cybersecurity across all sectors.
The 2020 Cyberthreat Defense Report by CyberEdge Group found that 78 percent of Canadians organizations experienced at least one cyber attack within a 12-month period. In 2021, this figure went up to 85.7 percent of Canadian companies.
Public Safety Minister Marco Mendicino issued a warning in June about cyberthreats from Russia, following a cyber attack that hit Global Affairs Canada in January. This, along with the broader rise in cyber threats in Canada, prompted the federal government to make it mandatory for Canadian businesses and organizations to report cyber attacks.
The Government of Canada conducted a comprehensive Cyber Review in 2016 that augmented the insights gained from experts and stakeholders in the private and public sectors. The review led to the creation of Canada’s National Cyber Security Strategy, which was introduced in 2018.
Canada’s National Cyber Security Action Plan was released in 2019 and is meant to be the blueprint for the implementation of the Strategy. It sets out the initiatives and milestones that support the Strategy’s goals, and presents a roadmap of how to achieve and maintain security in the digital age. The initiative is funded through Budget 2018, with $507.7 million allocated over 5 years, and 108.8 million ongoing.
Most recently, the Government of Canada introduced Bill C-26 (An Act Respecting Cybersecurity) to bolster the country’s cybersecurity infrastructures and processes across the financial, telecommunications, energy, and transportation sectors.
Bill C-26 seeks to amend the Telecommunications Act to add security as a policy objective, bringing telecommunications in line with other critical sectors. The legislation also introduces the Critical Cyber Systems Protection Act, which aims to help organizations better prepare, prevent, and respond to cyber incidents.
As part of the Strategy, the government launched CyberSecure Canada in 2019 to encourage small to medium-sized businesses to learn the fundamentals of cybersecurity.
Photo courtesy of Unsplash.