A New Cybersecurity Standard, the Same Old Problem


The Canadian government recently released CAN/DGSI 104:2021 Rev 1 (2024), yet another cybersecurity standard that adds confusion for SMEs instead of solving their core challenges of aligning to global frameworks and deploying effective defences against cyber threats. SMEs need help protecting against cyber threats, but most lack the expertise to interpret or implement a 44-page standard effectively.

The Standards Proliferation Problem

The cybersecurity landscape has been dominated by a few widely recognized frameworks for many years, including:

  • the NIST Cybersecurity Framework (CSF - the de facto standard for Critical Infrastructure, Government, and Defense in North America)
  • CIS Critical Security Controls (CISv8 - formerly SANS Top 20, traditionally favoured by small and medium-sized enterprises)
  • ISO’s 27000 and 31000 Series (International Security/Risk management)

The Digital Governance Standards Institute (DGSI) positions their standards as “Developed for use in Canada and around the world. Free to download to implement… Easy to understand and quick to deploy.” as if these are unique value propositions amidst a sea of standards. We completed a “quick and dirty mapping” against more mature national standards for SMEs and found no sign of unique insights or value.


How Standards Proliferation Does More Harm Than Good:

  • Redundancy: CAN/DGSI 104 closely mirrors controls from existing frameworks, offering little unique value.
  • Increased Complexity: More frameworks mean more effort for organizations to interpret and implement overlapping requirements.
  • Resource Drain (Public): Taxpayer funds spent on developing these standards could be better allocated to helping businesses implement practical solutions.
  • Resource Drain (Private): Businesses spend time and money on consultants to create documentation that then needs to be mapped to recognized frameworks (for international customers).
  • False Confidence: Compliance with one of these frameworks often provides little assurance of actual security improvements.

I find myself wondering if DGSI 104 was crafted to protect SMEs—or to boost consultant profits and justify bureaucratic expansion?

A Common Sense Solution: Practical, AI-Powered Support for SMEs

Imagine if the resources spent on developing yet another redundant standard were instead used to:

As governments worldwide continue to layer on new regulatory requirements, the compliance landscape will only become more challenging. RESTIV’s AI/ML-powered platform is designed to simplify this complexity, providing businesses with real-time insights and actionable recommendations.

Our platform enables companies to:

  • Identify, inventory, and translate regulatory requirements to help accountable executives understand their obligations.
  • Automatically map controls across frameworks like NIST CSF, CISv8, ISO27001, Essential Eight, CAN/DGSI 104 and more.
  • Identify gaps in compliance and address them proactively.
  • Reduce reliance on expensive, manual consultancy services.

The truth is, compliance shouldn’t be about ticking boxes—it should be about protecting your organization’s ability to operate confidently and securely. RESTIV’s platform empowers businesses to achieve this, without the false starts and missteps that often accompany fragmented standards and “yet another cybersecurity tool” to manage.

The Path Forward

Governments, standards bodies, and businesses need to shift their focus from creating more frameworks to ensuring practical implementation support. Meanwhile, SMEs need solutions that cut through the confusion and enable them to secure their operations efficiently. RESTIV is here to help you do exactly that.

Visit RESTIV.io to learn how our Compliance Copilot eases the burdens of compliance, Third Party Risk Management (TPRM), audits, and assessments so that you can focus on growing your business. We scale the expertise of seasoned auditors, penetration testers, and other cybersecurity experts through automation and AI to close the cyber talent gap.

RESTIV delivers the trust and rigor of traditional audits with the game-changing precision and speed of AI and automation—because compliance shouldn’t be a bottleneck, it should be your competitive advantage.

Framework Mapping

| CIS Controls v8 | CAN/DGSI 104:2021 Rev 1 (2024) | AU Essential Eight | UK Cyber Essentials | NZ NCSC Framework |
|---|---|---|---|---|
| 1. Enterprise Asset Inventory | 4.4.3 Asset Register | Asset Management | Asset Management | Asset Management |
| 2. Software Asset Inventory | 5.2 Patch Management | Application Control | Software Control | Software Security |
| 3. Data Protection | 5.6 Backup and Encrypt Data | Data Backups | Data Security | Information Protection |
| 4. Secure Configuration | 5.4 Secure Configuration | System Hardening | Secure Configuration | Security Configuration |
| 5. Account Management | 5.5 User Authentication | Admin Privileges | Access Control | Identity Management |
| 6. Access Control | 5.8 Access Control | Restrict Admin Privileges | User Access Control | Access Management |
| 7. Continuous Vulnerability Management | 5.2 Patch Management | Patch Applications | Patch Management | Vulnerability Management |
| 8. Audit Log Management | 6.6 Log Management | System Monitoring | Security Monitoring | Security Monitoring |
| 9. Email and Web Browser Protection | 5.7 Perimeter Defense | Email Content Filtering | Email Security | Email Protection |
| 10. Malware Defenses | 5.3 Security Software | Anti-malware | Malware Protection | Malware Protection |
| 11. Data Recovery | 5.6 Backup and Encrypt Data | Data Backups | Backup Systems | Business Continuity |
| 12. Network Infrastructure | 5.7 Perimeter Defense | Network Segmentation | Firewall Configuration | Network Security |
| 13. Network Monitoring | 5.7 Perimeter Defense | Network Monitoring | Security Monitoring | Network Monitoring |
| 14. Security Awareness Training | 4.3 Security Training | Security Training | Staff Training | Security Awareness |
| 15. Service Provider Management | 6.2 Cloud Services | Third Party Management | Supply Chain | Service Management |
| 16. Application Security | 6.3 Secure Websites | Application Hardening | Application Security | Application Security |
| 17. Incident Response | 5.1 Incident Response | Incident Response | Incident Management | Incident Response |
| 18. Penetration Testing | Not Covered | Not Covered | Not Covered | Security Testing |