BTEX 2025: What’s Working, What’s Missing, What’s Next in Canadian Cybersecurity

At BTEX 2025, Ivo Wiens, Field CTO, Cybersecurity, and Ben Boi-Doku, Chief Strategist, Cybersecurity Services, presented key findings from CDW’s 2025 Canadian Cybersecurity Study in an interactive format.

CDW Expert
Ivo Wiens (Left), Field CTO, Cybersecurity and Ben Boi-Doku (Right), Chief Strategist, Cybersecurity Services

This year, CDW released our 2025 Canadian Cybersecurity Study, the 10th year of this study focused on cybersecurity trends for Canadian organizations. At BTEX 2025, Ivo Wiens, Field CTO, Cybersecurity, and Ben Boi-Doku, Chief Strategist, Cybersecurity Services, presented some of the study’s key findings in an interactive format.

The Canadian focus of the study is what makes it unique in the industry. But this year was also a bit different. “I’ve been involved in the study for the last 10 years,” said Boi-Doku. “This is the very first time that we asked respondents to talk about the maturity of their organizations. As we look at the survey results, we can see how they graded themselves in terms of cybersecurity maturity.”

“One thing that was really interesting was there’s a real difference in terms of maturity and organization size,” said Wiens. “Those who have money to spend in cybersecurity seem to do better. But there’s a little bit of nuance as well as to how that money is spent.”

“It’s about making better decisions with your security spend,” said Boi-Doku. “And there’s ways to really ramp up your maturity without necessarily spending hundreds of millions of dollars.”

5 key findings of the 2025 CDW Canadian Cybersecurity Study

1. AI adoption is stalling at the proof-of-concept phase

“A lot of organizations want to adopt and implement AI use cases; however, they were stalled in the proof-of-concept phase. Not all of them moved on to production.”

- Ben Boi-Doku, Chief Strategist, Cybersecurity Services

“It’s astonishing how many AI proofs of concept have happened in organizations, an average of 17 AI proof of concepts per organization,” said Wiens. “We surveyed 704 organizations, and you multiply that by 17… I have no idea what the number is, but it was much higher than when we first introduced the cloud, for instance. So there is a lot of push from the business to do AI.”

“The main barriers to adoption were privacy and compliance, and the lack of skilled resources,” said Boi-Doku. “Those were the top two reasons why organizations found that their AI implementations weren’t making it into production.”

“When we talk about GenAI and the impact of GenAI on business risk, most organizations want it for decision-making and automation, which tells me that there’s a lot of hope for AI helping us with our technical debt,” said Wiens. “We’ve always had a gap in terms of people in cybersecurity and there’s a lot of hope that the improved decision-making and automation from AI can help.”

“The good news is that 41 percent did say AI was a benefit towards their business risk versus a risk itself,” added Boi-Doku.

2. Security testing pays off for Canadian organizations

“The more you test within your system, the more you run penetration tests, the better you’re going to be from a security perspective. In the past, organizations might have done these once a year, with a different vendor every time. And that landscape has changed.”

- Ivo Wiens, Field CTO, Cybersecurity

“There’s always been a conversation around organizations hesitating to even do a pen test. ‘Why would I do a pen test if I know I’m going to fail terribly?’ We used to hear that a lot from customers,” said Wiens. “And it’s the same as saying ‘Why would I go to a doctor if I know I’m sick already?’ But you have to get those tests.

“The correlation between how often you test and how often you get breached speaks to why you should get tested more often.”

“I wouldn’t necessarily say that penetration testing should be continuous,” said Boi-Doku. “But there’s a lot of technologies and organizations that can help you with a pretty deep penetration test on a more consistent basis. So whether it’s weekly or continuous, there’s a lot more options available to us today than there were even a year ago.”

“We also found that a lot of people were using the same processes for on-premises and cloud penetration testing,” said Wiens, “and it’s a very scary stat, because the cloud is getting attacked more than on-premises. The attackers are moving away from the endpoint because EDR is doing such a great job. They’re moving onto the next attack area which could be your IaaS, your PaaS or even your SaaS systems. So not doing the right kind of security testing makes a little cloud sad.”

“And we don’t want the cloud to be sad,” added Boi-Doku. “Cloud security testing is different than traditional penetration testing, so making sure that you are engaged with whoever’s doing your testing, and that whoever’s doing your testing has the practices to do both types of testing.”

3. Not all organizations are equal in detection and response times

“Organizations are doing better at detecting breaches and infiltrations, and we’re responding to them a lot faster as well,” said Boi-Doku.

“We’re seeing an improvement across all organizations,” said Wiens. “But we have a gap when it comes to detection. Small and medium businesses in Canada have a real gap when it comes to mean time to detect. We’re not seeing the same level of improvement for all organizations in Canada.”

4. Zero trust is not being adopted as much as it’s being discussed

“A lot of organizations want to implement zero trust architectures,” said Boi-Doku. “They want to implement the tools, they want to make sure they have segmentation. However, they are having struggles taking recommendations and putting them into practice, whether it’s identity and access management infrastructure, legacy systems, scalability, cloud, managing the data flows, these are common concerns and challenges.”

“How do you make the rubber meet the road?” asked Wiens. “It’s a challenge that a lot of organizations are seeing, and we have clients coming to us all the time, saying ‘Help me fill the gap.’”

“Whether it’s interoperability challenges, unclear capabilities, complexity, new technologies on legacy systems, trying to implement zero trust is quite challenging,” said Boi-Doku. “So make sure you have an organization or individuals on your staff who can assist you with that journey.”

5. Canadian organizations are adopting managed detection and response

“Organizations are finding that if they’re using managed detection and response, they’re getting better, more favourable outcomes. And a lot more organizations are going the managed route for detection and response.”

- Ben Boi-Doku, Chief Strategist, Cybersecurity Services

“It’s no longer about how complex the software is, how many agents you’re going to run,” said Wiens. “You’re just saying ‘I need somebody to look after this, but I can’t have a threat hunting team in an organization of my size, so I need to outsource this.’ So it’s become more and more common for Canadian organizations to adopt MDR.”

4 strategic cybersecurity moves for 2025 and beyond

At the end of their presentation, Wiens and Boi-Doku left the audience with the following key action items:

  1. Operationalize zero-trust
  2. Shift to continuous, cloud-specific testing
  3. Build secure foundations for GenAI
  4. Choose MDR by outcomes, not tech stack