This information is from the 2022 KPMG CEO Outlook survey. For the most recent results, read the findings from the 2023 KPMG CEO Outlook survey.

Budgets are tighter and economic forecasts less favorable, but now is no time to stick a pin in cybersecurity. If anything, the surging necessity for digital transformation among Canada's businesses underscores a need for technologies, strategies, and leadership to manage today's threats. In fact, KPMG's 2022 CEO Outlook reveals that two-thirds of Canada's business leaders intend to drive digital transformation rapidly to stay competitive for talent and customers, while 80 per cent are placing more capital investment in buying new technology instead of developing workforce skills and capabilities.

Which digital experiences does your firm expect to invest in as a priority over the next three years?

Source: 2022 Global Cybersecurity Survey (GSC2022)

No matter where companies land on their digital journey, the need to protect current systems and infrastructures has not diminished. Even CEOs planning to pause or cut back from their digital transformations recognize that diligence remains when protecting the data and IT infrastructure within their walls.

Lay of the land

A snapshot of today’s cyber threat landscape is all it takes to stress the necessity for living, breathing cybersecurity strategies. Cyber attackers are growing bolder and more sophisticated by the day, while incidents of data thefts, ransomware, and network incursions are becoming common headlines.

Insider threats are also taking focus. These are incursions in which cyber attackers either manipulate or incentivize employees to provide access to the organization’s networks (e.g., phishing scams, bribery, or social engineering). The fact insider threats are trending upward1 makes employee training, upskilling, and oversight the lynchpin to a well-rounded cybersecurity strategy.

Overall, the cyber threat landscape is only getting more severe and threat actors aren’t likely to let economic downturns or business slowdowns dissuade them from attacking. This makes cybersecurity more essential than ever as CEOs take more steps along their digital journeys.


63% of Canadian CEOs have engaged in the collection/analysis of structured data on customer transactions over the past year (+12% from global)

Purple Canadian maple leaf 2 out of 3
Two-thirds of Canadian CEOs feel geopolitical uncertainty is raising their chances of becoming a target for threats outside Canada’s border

A matter of trust

The good news is that Canadian CEOs recognize the need for cybersecurity, especially as it relates to safeguarding their operations and maintaining stakeholder confidence. According to KPMG's 2022 CEO Outlook, 85 per cent of Canadian CEOs agree that having a strong cyber strategy is critical to building trust with key stakeholders, while nearly the same amount recognize that the ability to prevent and respond to cyberattacks or data breaches – either internally or within their supply chain – is essential to maintaining that trust over the long haul.

A majority of CEOs say activity and investments around cybersecurity are set to increase over the next twelve months

The key word in this insight is "trust." Organizations of every size are going digital, giving customers and business partners unparalleled choice when it comes to who they do business with. Companies that win and maintain their trust are more apt to stay busy, while companies that fall short on cybersecurity – or break that trust altogether – stand to lose business and reputation, at the very least.

Chart: How important are the following in creating trust among stakeholders within and outside the business? (GCS2022)

Source: 2022 Global Cybersecurity Survey (GSC2022)

Questionable confidence

Canadian CEOs are aligned on the need for robust and adaptable cybersecurity programs, but that's not to say they are confident in their ability to deliver. Interestingly, KPMG's 2022 CEO Outlook reveals only 56 per cent are well prepared for a cyberattack (-17% from 2021), while 20% say they are outright underprepared (+7% from 2021). Additionally, 55% of Canadian CEOs say their organization is behind schedule when it comes to its cybersecurity activity, even if plans, a vision, and leadership support are in place.

Viewed in combination, these stats might indicate Canadian CEOs are falling behind in cybersecurity. A more optimistic view, however, is that they have become more mature in their understanding of the cyber threat landscape and are at a stage in their digital journey where new and evolving threats are coming into focus.

It's worth noting that Canadian CEOs have high degrees of confidence in their cybersecurity teams. Over 80 per cent have faith in their chief information security officer (CISO) infosec team's ability to identify "digital crown jewels", as well as investigate and mitigate the effect of cyberattacks and data breaches. The same amount (84 per cent) are confident that their CISO has implemented the right technologies to protect stakeholder data.

This confidence is well received but presents an interesting disconnect. On the one hand, Canadian CEOs are noticeably doubtful about their ability to thwart a cyberattack, but on the other, they are exceedingly confident in their team's cybersecurity capabilities. As always, the truth lies somewhere in the middle, and only when CEOs take a deep dive into their cybersecurity posture with CISOs and cybersecurity stakeholders can they get a clear and unbiased understanding of how protected they really are.

Driven by compliance

Canadian CEOs have ample reasons to keep cybersecurity on their front burner. Among them is the need to stay compliant with an evolving regulatory landscape. These include international regulations (e.g., General Data Protection Regulation (GDPR)) and domestic rules, such as the Personal Information Protection and Electronic Documents Act (“PIPEDA”), Bill C-26, Critical Cyber Systems Protection Act (CCSPA), Bill 64, An Act to modernize legislative provisions as regards the protection of personal information, or the recently tabled Critical Cyber Systems Protection Act (CCSPA).

All told, Canadian companies are being held to higher standards of data privacy and protection. As such, CEOs and their teams are compelled to obtain a deep understanding of the data running through their organization. That begins by collaborating with internal and external cybersecurity stakeholders and specialists to ask important questions, such as:

  • What data is coming into our organization? Is it the right data?
  • How are we collecting it?
  • Where is our data going within our organization?
  • How is it leaving or being destroyed?

The ability to address these questions and understand their implications will be key to voiding the operational, reputational, and financial penalties that can occur when running afoul of today’s regulations.


57% agree that information security at their company is shaped by compliance requirements rather than long-term business ambitions

Chart: Which of the following regulatory requirements is your organization most likely to struggle to meet in the next six months? (GCS2022)

Source: 2022 Global Cybersecurity Survey (GSC2022)

Calls to action

Canadian companies are making gains in their digital journeys. However, every new technology, digital service, or connected system, introduces a new cyber attack vector.

Ahead are some takeaways for staying ahead of the threats.

  • Nail the fundamentals: A good cyber strategy begins with securing the technical controls, processes, and people who can tackle the cybersecurity fundamentals like vulnerability management, patch management, configuration, compliance, and monitoring.
  • Prepare your people: Insider threats can occur when disgruntled employees are paid by cyber attackers to provide access to company data and systems or when employees give up their access unknowingly through phishing attacks and social engineering. In either case, keeping a vigilant eye on online activity and training employees in best cybersecurity practices will mitigate the human factor at the root of many cyber attacks.
  • Read the landscape: Cyber threats and threat actors are constantly evolving. Work with cybersecurity stakeholders to understand what risks your organization is exposed to and ensure that they’re accounted for in your cyber prevention and response plans.
  • Understand your data: Take a deeper dive into your data to understand what the organization is collecting and how it's managed across the entire data lifecycle. This will provide the insight needed to accurately classify and protect your “digital crown jewels” and get a clearer view of your risk exposure and compliance obligations.
  • Lock down third-party risks: It’s an old saying but never more true: A chain is only as strong as its weakest link. Conduct the assessments, reviews, and investigations necessary to ensure all parties in your supply chain are managing your data to the highest standards.
  • Consider automation: Organizations have started to use automation as a way of making operations more efficient. This alleviates workforce pressures and removes the possibilities for human error or insider corruption.

1 Cyber-related risk a top concern for audit committees, KPMG in Canada, Dec. 2021

How we can help

Connect with us

Stay up to date with what matters to you

Gain access to personalized content based on your interests by signing up today

Connect with us