Skip to main content
  • Cybersecurity

Just how valuable is cybersecurity data sovereignty for Canadian organizations?

By Mark Brownlee

CIRA publishes an annual survey of Canadian IT security decision-makers to better understand how they are coping with cyber threats. This year’s survey, which research firm The Strategic Counsel conducted in August, collected over 500 responses from IT professionals across the country. This is the second blog post in a series of five for 2022.

CIRA has always been aware of the importance that Canadian organizations place on storing their data in Canada, including the data they accumulate while protecting their organizations from the wide range of cyber threats they face today. But new research sheds light on exactly how much they value keeping their cybersecurity data within our borders.

According to the results of CIRA’s 2022 Cybersecurity Survey, 63 per cent of Canadian organizations say they value data sovereignty over price when selecting a cybersecurity vendor.

These findings were consistent across all three sectors included in the survey, with 62 per cent of private sector organizations, 66 per cent of public sector organizations and 65 per cent of organizations in the MUSH sector (municipalities, universities, school boards and hospitals) indicating their willingness to pay more knowing that their cybersecurity data will be stored in Canada.


Why Canadian organizations are willing to pay more

Why is cybersecurity data sovereignty important and why are Canadian organizations willing to pay more for it? Because as long as your organization’s cyber security data lives in Canada, it’s subject to Canadian data privacy laws, specifically the Personal Information Protection and Electronic Documents Act (PIPEDA). Once it crosses the border to another jurisdiction, however, the same protections are not in place. Your cybersecurity data is now subject to the laws of another country and that has the potential to open your business up to a variety of data-related risks. When it comes to cybersecurity data sovereignty, there are two key factors to consider: data at rest and data in motion. Data at rest refers to the geographical location where your data is stored and data in motion refers to the path it takes to get to there. “Today there are more and more cloud platforms that are native to Canada, which helps to address the data-at-rest part of the equation,” says Jacques Latour, Chief Technology Officer at CIRA. “But much more is required to ensure that data in motion stays within our borders.” He cites the lack of peering within Canada among the large networks as the reason much of our data in motion flows to the US then back to Canada. He also notes that even if this data is encrypted, meta data can still be derived from it, which could undermine the privacy of some individuals and organizations.”


Why keeping your cybersecurity data in Canada is important

The greater sovereignty we have over our data in Canada, the better protected we are by Canadian privacy laws, and the less we have to rely on the internet infrastructure of other countries. For Canadian organizations across all sectors, keeping your cybersecurity data within Canada makes sense for several reasons. For one thing, when your organization’s data lives in Canada, it builds trust with your employees and customers. There’s a growing level of awareness and sophistication among Canadians when it comes to issues of data sovereignty and data privacy, and as we spend more time online, we want clear answers. We want to know where it’s stored, who owns it and who profits from it. That includes the data that’s used to protect the networks and cloud applications we log into every day. The ability to confidently reassure customers, members and others that that your cybersecurity data is securely stored in Canada makes a difference. Storing your cybersecurity data on Canadian soil also simplifies your operations. When it’s stored in another country, you have to conform to two sets of rules, and that means greater complexity, more management oversight and higher costs. By storing your data domestically, you have more time and resources to focus on protecting your organization from damaging cyber threats.


How you can invest in a data sovereignty strategy for cybersecurity

When you’re ready to invest in a data sovereignty strategy for cybersecurity, there are a couple of things you can do. The first step is to focus on Canadian companies that provide cybersecurity solutions. These are more likely to use an approach that focuses on data sovereignty. The second step is, simply, to find out where each of these vendors will store your data. While many Canadian firms are likely to store their data in Canada, others may not.

Looking for a cybersecurity solution that keeps your data in Canada? CIRA DNS Firewall is a built-in-Canada service that keeps all your data secure and sovereign.


About the author
Mark Brownlee

Mark Brownlee is a Product Marketing Manager with CIRA Cybersecurity Services. His work, which focuses on the CIRA DNS Firewall and Canadian Shield products, is dedicated to helping protect people and organizations in Canada from cyber threats. His background is in marketing strategy, communications planning and advertising best practices.