A New Cybersecurity Standard, the Same Old Problem
The Canadian government recently released CAN/DGSI 104:2021 Rev 1 (2024), yet another cybersecurity standard that adds confusion for SMEs instead of solving their core challenges of aligning to global frameworks and deploying effective defences against cyber threats. SMEs need help protecting against cyber threats, but most lack the expertise to interpret or implement a 44-page standard effectively.
The Standards Proliferation Problem
The cybersecurity landscape has been dominated by a few widely recognized frameworks for many years, including:
- the NIST Cybersecurity Framework (CSF), the de facto standard for critical infrastructure, government and defence in North America
- CIS Critical Security Controls (CISv8, formerly the SANS Top 20), traditionally favoured by small and medium-sized enterprises
- ISO’s 27000 and 31000 series (international security and risk management)
The Digital Governance Standards Institute (DGSI) positions its standards as “Developed for use in Canada and around the world. Free to download to implement… Easy to understand and quick to deploy.”, as if these were unique value propositions amidst a sea of standards. We completed a “quick and dirty mapping” against more mature national standards for SMEs and found no sign of unique insights or value.
How Standards Proliferation Does More Harm Than Good:
- Redundancy: CAN/DGSI 104 closely mirrors controls from existing frameworks, offering little unique value.
- Increased Complexity: More frameworks mean more effort for organizations to interpret and implement overlapping requirements.
- Resource Drain (Public): Taxpayer funds spent on developing these standards could be better allocated to helping businesses implement practical solutions.
- Resource Drain (Private): Businesses spend time and money on consultants to create documentation that then needs to be mapped to recognized frameworks (for international customers).
- False Confidence: Compliance with one of these frameworks often provides little assurance of actual security improvements.
I find myself wondering if DGSI 104 was crafted to protect SMEs—or to boost consultant profits and justify bureaucratic expansion?
A Common Sense Solution: Practical, AI-Powered Support for SMEs
Imagine if the resources spent on developing yet another redundant standard were instead used for:
- Cutting Costs instead of Creating Confusion: support SMEs in adopting automation and AI-driven solutions that reduce insurer uncertainty and premiums by demonstrating continuous, verifiable control effectiveness.
- Defences Over Documentation: accelerate access to adoption and innovation funding via programs like [IRAP AI Assist](https://nrc.canada.ca/en/support-technology-innovation/nrc-irap-support-smes-innovating-artificial-intelligence) and the [Regional AI Initiative](https://www.canada.ca/en/prairies-economic-development/services/funding/regional-artificial-intelligence-initiative/page3-en.html) so that SMEs deploy defences rather than develop documents.
Navigating Complexity with RESTIV
As governments worldwide continue to layer on new regulatory requirements, the compliance landscape will only become more challenging. RESTIV’s AI/ML-powered platform is designed to simplify this complexity, providing businesses with real-time insights and actionable recommendations.
Our platform enables companies to:
- Identify, inventory, and translate regulatory requirements to help accountable executives understand their obligations.
- Automatically map controls across frameworks like NIST CSF, CISv8, ISO27001, Essential Eight, CAN/DGSI 104 and more.
- Identify gaps in compliance and address them proactively.
- Reduce reliance on expensive, manual consultancy services.
The truth is, compliance shouldn’t be about ticking boxes—it should be about protecting your organization’s ability to operate confidently and securely. RESTIV’s platform empowers businesses to achieve this, without the false starts and missteps that often accompany fragmented standards and “yet another cybersecurity tool” to manage.
The Path Forward
Governments, standards bodies, and businesses need to shift their focus from creating more frameworks to ensuring practical implementation support. Meanwhile, SMEs need solutions that cut through the confusion and enable them to secure their operations efficiently. RESTIV is here to help you do exactly that.
Visit RESTIV.io to learn how our Compliance Copilot eases the burdens of compliance, Third Party Risk Management (TPRM), audits, and assessments so that you can focus on growing your business. We scale the expertise of seasoned auditors, penetration testers, and other cybersecurity experts through automation and AI to close the cyber talent gap.
RESTIV delivers the trust and rigor of traditional audits with the game-changing precision and speed of AI and automation—because compliance shouldn’t be a bottleneck, it should be your competitive advantage.
Framework Mapping
CIS Controls v8 | CAN/DGSI 104:2021 Rev 1 (2024) | AU Essential Eight | UK Cyber Essentials | NZ NCSC Framework |
---|---|---|---|---|
1. Enterprise Asset Inventory | 4.4.3 Asset Register | Asset Management | Asset Management | Asset Management |
2. Software Asset Inventory | 5.2 Patch Management | Application Control | Software Control | Software Security |
3. Data Protection | 5.6 Backup and Encrypt Data | Data Backups | Data Security | Information Protection |
4. Secure Configuration | 5.4 Secure Configuration | System Hardening | Secure Configuration | Security Configuration |
5. Account Management | 5.5 User Authentication | Admin Privileges | Access Control | Identity Management |
6. Access Control | 5.8 Access Control | Restrict Admin Privileges | User Access Control | Access Management |
7. Continuous Vulnerability Management | 5.2 Patch Management | Patch Applications | Patch Management | Vulnerability Management |
8. Audit Log Management | 6.6 Log Management | System Monitoring | Security Monitoring | Security Monitoring |
9. Email and Web Browser Protection | 5.7 Perimeter Defense | Email Content Filtering | Email Security | Email Protection |
10. Malware Defenses | 5.3 Security Software | Anti-malware | Malware Protection | Malware Protection |
11. Data Recovery | 5.6 Backup and Encrypt Data | Data Backups | Backup Systems | Business Continuity |
12. Network Infrastructure | 5.7 Perimeter Defense | Network Segmentation | Firewall Configuration | Network Security |
13. Network Monitoring | 5.7 Perimeter Defense | Network Monitoring | Security Monitoring | Network Monitoring |
14. Security Awareness Training | 4.3 Security Training | Security Training | Staff Training | Security Awareness |
15. Service Provider Management | 6.2 Cloud Services | Third Party Management | Supply Chain | Service Management |
16. Application Security | 6.3 Secure Websites | Application Hardening | Application Security | Application Security |
17. Incident Response | 5.1 Incident Response | Incident Response | Incident Management | Incident Response |
18. Penetration Testing | Not Covered | Not Covered | Not Covered | Security Testing |