When TELUS and the University of Toronto's Rotman School of Management got together with the grandiose goal of getting some cold hard numbers behind the Canadian information security landscape for their "2011 Rotman-TELUS Joint Study on Canadian IT Security Practices", they probably didn't anticipate it would be that complicated to quantify the state of affairs. After all, you should just have to ask the right questions and the answers should take care of themselves, right?
 

TELUS and The Rotman School of Management - whose motto is "a new way to think" - decided that asking a few hundred IT professionals and reporting the straight dope would be the way to go. Fair enough. So overall security breaches are apparently down 50% from last year. But last year they were up 29% over the previous year. Although they acknowledge that the discrepancies are in the reporting of breaches may be due to a variety of factors, it's all about the numbers. But wait, the study is on "IT Security Practices". So why not include some of those promised 'clarity and 'insights' instead of meaningless figures? Ah, is it because you don't want to alienate potential respondents whose participation in future years may continue to facilitate the production of this um.. "study"? No need for cynicism here. By their own admission, over the past 4 studies, some 2000 people have been interviewed, so if this year's number of 600+ is unprecedented, then we're looking at an awful lot of turnover in respondents. Is the spectre of a lack of clear baseline starting to form? The fact that this undermines the very meaning of the numbers perhaps underlined the need for bravely including other factors within those promised deliverables. And so it was.
 
To be fair, the ever-expanding scope of the report appears to now include every buzzword known to man: social media, mobile security, cloud computing, people process and technology, risk posture, breaches, privacy, internal, external monitoring, etc. are all words lifted from the intro page alone. I copy them here without hesitation because I know as well as they do, that it will endear me to search engines, but the ambitious undertaking is no less daunting because of the ridiculous promotional verbiage.  

In the interest of your time and my tireless efforts to combat reverse peristalsis, I'll pluck out a handful of gems from this landmark study to at least see you off on this year 2012 with a smile on your face:

In the words of one of the august figures appointed by TELUS to help ensure the paper was received with adequate fanfare exclaimed: "This is quite alarming". Really? How about the fact that government organizations care more about compliance than the private sector, and they're all adapting to new and emerging breach notification regulations? Hmmm?

Huh? Wait, so. um.. no. Never mind. Have a look at this picture, then move on.

There's a surprise! See my first point but brace yourself for my next one.

Wow. Really? People will defy their tyrannical overlords when told they can't access Facebook? Or is it more likely that someone in IT has simply misconfigured Internet filtering to allow certain sites (and the ever-elusive instant messaging clients) to connect via a more circuitous route? If Skype finds its own way out of your network, is that really a breach of policy? Oh, let's call it an insider security breach and report it. It'll make for good press.


If I could stomach it, I'd go on, because many more pearls of wisdom await the determined reader, but I'll stop here. Remember to take security experts - including yours truly - with a grain of salt!

Enjoy 2012 and give common sense a chance! ;)