BCIT audit praises strong cybersecurity governance

The Office of the Auditor General of British Columbia has concluded that the British Columbia Institute of Technology (BCIT) has a comprehensive governance framework to oversee and manage cybersecurity risks.

The audit found the framework includes established policies, defined roles and responsibilities, risk-informed processes, and performance metrics. It reported that BCIT's cybersecurity practices align with organisational goals and made no recommendations for improvement.

BCIT has about 45,000 students and nearly 4,400 employees, and treats the protection of personal information, research data, and critical infrastructure systems as a priority.

"Cybersecurity is rooted in the BCIT Strategic Plan - guiding our governance, operations, and culture," said Dr Jeff Zabudsky, BCIT President. "The findings from the Office of the Auditor General of BC affirm the deliberate and sustained work BCIT has undertaken to protect our community while modernising the way we learn and work."

Audit context

The auditor general highlighted the potential consequences of cyber attacks for organisations, including privacy violations, reputational damage, and financial loss. The report cited national figures, including total losses from fraud in Canada of $567 million in 2023 and an average ransomware payment of $1.13 million.

The report described a cybersecurity governance framework as a structured set of policies, processes, and standards that guide how an organisation manages risk and compliance. It also said governance provides the foundation for cybersecurity risk management.

BCIT said its cybersecurity efforts are embedded in its Strategic Plan, which it described as uncommon among post-secondary institutions in British Columbia. The audit described the institute's approach as aligned with its organisational objectives.

Sunny Jassal, BCIT Chief Information Security Officer, linked cybersecurity governance to organisational culture and confidence among staff and students.

"Cybersecurity is about trust - trust between the organisation and its people," Jassal said. "Earning that trust encompasses transparency, resilience, and a strong security culture."

Separation and oversight

BCIT said its Cybersecurity Office operates independently from its IT Services department, describing the separation as part of its approach to management oversight and risk governance.

The audit's assessment of defined roles and responsibilities is likely to draw attention from other public sector organisations. Many institutions continue to reassess reporting lines and accountability after high-profile ransomware incidents and data breaches across education, healthcare, and local government.

The findings also add to the debate over how post-secondary institutions should balance openness and collaboration with more restrictive controls over networks, devices, and research environments.

Training role

Alongside governance, BCIT positioned itself as a major training provider for cybersecurity skills in Western Canada. It offers a range of full- and part-time programmes and microcredentials in areas such as applied computer science, digital forensics, and industrial network security.

The institute also pointed to applied research and hands-on training as part of its approach to workforce development, with a focus on job readiness for graduates entering roles that require responses to increasingly complex threats.

BCIT cited specialist facilities, including a Critical Infrastructure Cybersecurity Lab, which provides virtual training focused on detecting and defending against attacks on critical infrastructure systems.

The institute also highlighted training for Canadian Armed Forces veterans, including a version of its Industrial Networking for Cybersecurity Professionals microcredential designed for veterans seeking entry into cybersecurity careers.

BCIT said the auditor general's report is available through the Office of the Auditor General of British Columbia and expects the findings to inform ongoing discussions on cybersecurity governance and education across the province.