Why Alberta's Cybersecurity Act Should Embrace Performance-Based Standards

Reflections from Cyber Alberta 2024 on building security programs that actually work

Alberta is developing a cybersecurity act that will integrate with our rewritten privacy legislation, with Cyber Alberta positioned to support and enforce compliance through incentive-based approaches. This represents a critical opportunity—and a potential misstep that could undermine the very infrastructure we're trying to protect.

The Playbook Problem: Why Prescriptive Standards Are a Security Risk

Here's the uncomfortable truth about prescriptive cybersecurity requirements: they become instruction manuals for adversaries. And the requirements may not fit the size or maturity of small and medium-sized businesses.

If Alberta mandates that all cybersecurity business units must follow a checklist of 100 specific requirements—whether based on NIST CSF, MITRE ATT&CK, or any other prescriptive framework—we've essentially published a comprehensive guide titled "How Alberta Protects Its Cyber Systems (And How to Circumvent Those Protections)."

Nation-state actors like China and Russia don't need to guess about our security posture anymore. They can simply download the legislation and build advanced attack playbooks that either exploit the gaps between requirements or systematically work around each mandated control.

This isn't theoretical. It's exactly what happens when security becomes a compliance checkbox exercise instead of a strategic defense capability.

The Alberta Advantage: 20+ Years of Proven Performance-Based Security

Fortunately, Alberta doesn't need to reinvent cybersecurity regulation. We have something better: two decades of proven performance-based security standards that have successfully protected critical infrastructure in petroleum and natural gas operations.

The foundation already exists:

  • Alberta AR84/2024 references CSA Z246.1 for critical infrastructure

  • CSA Z246.1 offers performance-based security program methodology

These aren't untested frameworks. They've been battle-tested in some of Canada's most critical infrastructure for nearly 20 years, and they work precisely because they're performance-based rather than prescriptive.

How Performance-Based Security Actually Works

Instead of mandating specific controls, performance-based standards require organizations to:

  1. Conduct comprehensive security risk assessments that identify actual threats to their specific operations

  2. Develop tailored security programs based on those identified risks

  3. Demonstrate effectiveness through measurable outcomes

  4. Continuously improve based on changing threat landscapes

This approach forces organizations to think strategically about security rather than simply checking boxes. More importantly, it creates diverse defense postures that are much harder for adversaries to systematically defeat.

Building Security Programs That Actually Work

Whether you're a small manufacturing company or a major pipeline operator, effective security programs start with honest assessment and end with integrated operations. Here's what that looks like in practice:

Start with Current State Assessment

  • Physical security programs and their effectiveness

  • Cybersecurity capabilities and existing resources

  • IT business unit structure and integration points

  • Gap analysis between physical and cyber protection

For Alberta's energy sector, cyber-physical security integration isn't optional—it's existential. Starting with unified security governance ensures gaps between digital and physical protection are systematically identified and addressed.

Build Four Foundational Components

  1. Security risk assessment tailored to your specific threats and vulnerabilities

  2. Training and exercises that test real-world response capabilities

  3. Incident response procedures that actually work under pressure

  4. Management system integration that makes security part of daily operations

The beauty of performance-based approaches is that these components adapt to organizational needs while maintaining consistent security outcomes.

The Right Role for AI in Security Compliance

As Alberta develops its cybersecurity framework, artificial intelligence will undoubtedly be part of the conversation. But there's a critical distinction between AI as a tool versus AI as a decision-maker.

Appropriate AI applications:

  • Data filtering and pattern recognition for threat detection

  • Survey and form processing for compliance documentation

  • Process automation for routine security monitoring

Inappropriate AI applications:

  • Prescriptive decision-making without human oversight

  • Final security determinations where explainability is required

  • Audit-critical functions where transparency and accountability cannot be maintained

The principle is straightforward: AI should enhance human judgment in security programs, not replace the explainability and accountability that effective regulation requires.

Looking Forward: The Canadian Context

Alberta's cybersecurity act won't exist in isolation. The development of Canadian national cybersecurity standards will influence how provincial legislation evolves, creating opportunities for organizations that build adaptable, performance-based security programs now.

More importantly, Alberta has the chance to demonstrate that thoughtful, performance-based regulation can protect critical infrastructure without creating systematic vulnerabilities. This approach respects the complexity of modern threats while acknowledging that different organizations face different risks and require different solutions.

The Bottom Line

Security through obscurity is dead. But security through diversity—where each organization develops tailored defenses based on their specific risk profile—remains one of our most effective strategies against sophisticated adversaries.

Alberta's cybersecurity act should embrace the performance-based standards that have successfully protected our critical infrastructure for two decades. The alternative—prescriptive requirements that create systematic vulnerabilities—isn't just ineffective. It's actively dangerous.

The choice is clear: we can hand nation-states a playbook, or we can require organizations to build security programs that actually work.

Let's choose wisely.

Lisa Zhao is the Director of Batik Systems, a Calgary-based consulting firm specializing in governance, risk, and compliance for complex regulatory environments. Her background spans electrical engineering, cybersecurity, and cross-industry compliance program development.