What twelve cybersecurity controls does a Canadian oil and gas operator actually need?

For most of the 2010s, mid-market oil and gas operators in Canada operated on a quiet assumption: cyber threats targeted the supermajors. Pipeline operators. Refineries. National oil companies. The boutique 60-person operator in Calgary with 140 producing wells in the Montney was not, in the imagination of most CEOs, on the same threat surface as Saudi Aramco or Colonial Pipeline.

That assumption was always wrong. By 2024-25, it became dangerously wrong.

In July 2025, Zscaler published their ThreatLabz annual report. The headline number for the energy sector: ransomware attacks against oil and gas companies increased 935% year-over-year. Ransomware attacks in Canada specifically rose 194.5%. The Canadian Centre for Cyber Security's 2025-2026 National Cyber Threat Assessment named ransomware the top cybercrime threat to the nation's critical infrastructure, citing escalating attacks on industrial and public sector organizations.

In August 2024, Halliburton - the largest oilfield services firm in the world - was hit by ransomware and forced to take systems offline for several days. The incident was disclosed to the SEC. Costa Rica's state energy company RECOPE was forced to revert to manual operations after a separate incident. Industrial sector ransomware attacks involving energy companies increased 46% quarter-over-quarter from Q4 2024 to Q1 2025, according to Honeywell. By Claroty's count, credential-stealing malware infections on OT systems rose 3,000% in the same period.

And here is what most mid-market CEOs missed about that data. It was not just about the supermajors anymore. The 935% increase was distributed across the entire sector, with mid-market specifically targeted because attackers had learned three things during 2023-24:

• Mid-market operators have meaningful revenue, meaningful production data, and meaningful regulatory consequences if disrupted - but most don't have Fortune 500 security budgets or 24/7 security operations centers.
• The IT-to-OT bridge in mid-market is often less segmented than in supermajors, meaning a successful IT intrusion can reach SCADA, historians, and production telemetry in hours rather than days.
• Mid-market cyber insurance payouts are predictable, traceable, and profitable for ransomware groups. The supermajors fight harder. The mid-market pays faster.

The math of opportunistic ransomware now works against mid-market oil and gas. That math doesn't get better in 2027. It gets worse, because generative AI is becoming a force multiplier for attackers - automating phishing lure creation, scaling vishing campaigns, accelerating credential harvesting. The Zscaler 2026 predictions explicitly warn that AI-augmented attacks will become standard, with attackers using AI tools to scale multi-phase extortion campaigns and to mine sensitive datasets for use in social engineering.

What changed in the insurance and M&A markets.

The threat picture changed. The insurance market followed within months. By late 2025, cyber insurance carriers serving Canadian energy had tightened underwriting requirements significantly. Most carriers in 2026 now require, at minimum:

• Phishing-resistant MFA on privileged, executive, and remote-access accounts - FIDO2 keys or number-matching authenticator apps. SMS-based MFA is no longer accepted by major carriers.
• EDR (Endpoint Detection & Response) deployed across all endpoints - and the carrier specifically wants to know which product. Gartner Magic Quadrant Leaders pass. White-label antivirus increasingly does not.
• Immutable offline backups verified within the previous 90 days, with test restore evidence.
• Network segmentation between IT and OT with documented architecture diagrams.
• Tested incident response plan - with evidence of a tabletop exercise within the past 12 months.
• Documented vendor cyber attestation for top-tier vendors with system access.

The M&A market shifted in parallel. Cyber moved from a check-the-box diligence category to a primary deal category. Buyers in 2026 now structure $500K-$5M cyber escrow holdbacks routinely, sometimes with multi-year tails. Deals re-trade on cyber findings. Some walk entirely.

What this book is for.

This book is the playbook for catching up. It assumes you are running a drilling, service, or production company between 25 and 200 people in Canadian oil and gas. It assumes you know that cyber is now a primary business risk, even if you don't yet have the framework to address it systematically. It assumes you would rather build defensible posture before the incident than pay for it after.

The framework is built around twelve controls. They are not novel - they map roughly to the Canadian Centre for Cyber Security's baseline guidance, to the NIST CSF, and to what cyber insurance underwriters now require. What this book adds is the operational reality of deploying them in a mid-market Canadian oil and gas environment. What works. What doesn't. What it actually costs. What white-label MSPs will sell you that doesn't pass underwriter scrutiny. What Fortune-500-grade tooling looks like at mid-market scale.

The book is also direct about what good looks like - including what good looks like when you partner with someone to deliver it. Vencer Group runs cyber operations across multiple jurisdictions with named, industry-leading tooling. The recommendations in this book reflect what is actually deployed in production. That's not marketing. It is the difference between writing about cyber and running cyber, and the perspective matters for the recommendations.

The twelve controls in this framework are not new. They map to the Canadian Centre for Cyber Security baseline, to NIST CSF, and to what cyber insurance underwriters now require in 2026. What is novel here is the framing as twelve specific, actionable items in deployment order - with named industry-standard tooling that passes underwriter and M&A diligence scrutiny.

Twelve is the right number because it is enough to cover defensible posture and few enough to actually deploy. Most mid-market operators stuck at "we need a cyber program" can address all twelve in a focused 90-180 day program. Most operators stuck in five-year cyber roadmaps would deploy faster, simpler, and more durably if they reframed around these twelve.

The twelve, named.

Why this order matters.

Most cyber roadmaps put all twelve controls in parallel work streams and end up partway done on each. The twelve are designed to be sequential. Controls 1-4 (identity) come first because identity is the single most common attack vector and identity controls underpin everything else. Controls 5-6 (endpoint and email) come second because they stop the most common attack types. Controls 7-8 (resilience and segmentation) come third because they limit blast radius when prevention fails. Controls 9-12 come last because they require the foundation of 1-8 to function properly.

Operators who execute in this order finish faster and have working coverage sooner. Operators who try to run all twelve in parallel typically finish 18 months late with mediocre coverage everywhere and no single control that fully works.

The Fortune-500-grade-at-mid-market-price principle.

For each of the twelve controls, there is a named industry-standard product that passes underwriter and M&A diligence scrutiny. Most are Gartner Magic Quadrant Leaders. Mid-market operators have access to these products at meaningfully reasonable scale-appropriate pricing - either directly or through MSPs that licensed them properly. The gap between "what mid-market should run" and "what most mid-market actually runs" is mostly a function of which MSP they partnered with and what that MSP chose to license.

This book names products. Not as endorsements, but because the named products are what passes diligence. SentinelOne, CrowdStrike, or Microsoft Defender for Endpoint for EDR. Proofpoint, Mimecast, or Abnormal Security for email security. Veeam, Rubrik, or Cohesity for backup. Microsoft Entra (formerly Azure AD) or Okta for identity. These names appear on Gartner Leader quadrants in 2025. White-label products and rebranded MSP cyber stacks do not.

The chapters that follow detail each of the twelve controls - what it is, why it matters, what passes diligence, what to deploy, and what it costs. Chapter ten discusses how to choose your stack overall. Chapter nine addresses why the white-label MSP cyber stack is currently the single most common reason mid-market operators fail cyber diligence.

Controls 5 and 6 are the operational front line. Email is the most common attack vector. Endpoints are where the attack lands. Together they account for roughly 80% of compromise events that mid-market operators experience. Both have well-established Gartner Leader products. Both pass underwriter and M&A diligence scrutiny when deployed properly. Both fail diligence routinely when delivered as white-label MSP rebrands.

Control 5: EDR (Endpoint Detection & Response) on every endpoint.

What it is: Endpoint Detection & Response. Modern EDR is not antivirus - it is a behavioral monitoring and active-response platform that watches everything happening on each endpoint, detects suspicious patterns, and can isolate compromised machines automatically. The Gartner Magic Quadrant for Endpoint Protection Platforms is the authoritative reference for which products meet the modern definition.

Why it matters: Every modern ransomware attack lands on an endpoint. EDR is the difference between detecting the attack at minute one - when one machine is showing suspicious behavior - versus discovering the attack at hour eight when forty machines are encrypted. The 2025 Mandiant incident response data showed median dwell time (the time between initial compromise and detection) at 11 days for organizations without EDR and 1.6 days for organizations with properly deployed EDR. The order-of-magnitude difference is the whole story.

What passes diligence in 2026: A Gartner Magic Quadrant Leader product, named explicitly. As of 2025, the Leaders are SentinelOne, CrowdStrike Falcon, and Microsoft Defender for Endpoint (Plan 2). Coverage above 95% of endpoints (including servers and workstations). Active 24/7 monitoring of EDR alerts - either internal SOC or a managed service. The product name matters because underwriters and diligence teams verify against published Gartner rankings.

What does NOT pass: White-labeled EDR products sold by MSPs under their own brand. Traditional antivirus (signature-based detection). Free or low-tier consumer products. This is the single most common cyber finding in M&A diligence - the seller says they have EDR, the buyer asks for the product name, and the answer is a brand the buyer has never heard of. Diligence teams immediately escalate.

What Vencer runs and why it matters: Vencer's standard endpoint stack is SentinelOne - a 2025 Gartner Magic Quadrant Leader. The licensing is real, the threat intelligence is verifiable, and any buyer's diligence team can independently validate the posture. SentinelOne's behavioral AI engine catches threats before signatures exist for them, and the autonomous response capability isolates compromised endpoints automatically. This is the same EDR platform used by Fortune 500 SOCs. It is also the platform that lets a managed SOC scale across many clients without losing fidelity per client.

What to deploy in mid-market: Choose one Gartner Leader EDR product and deploy it across every endpoint - every workstation, every server, every laptop, every tablet that connects to the corporate environment. For mid-market operators on Microsoft 365 E5, Defender for Endpoint Plan 2 is included and is a credible choice. For operators without E5, SentinelOne or CrowdStrike with managed SOC service is the most common deployment. Pricing in 2026 ranges from $5-12 per endpoint per month for the EDR product itself, plus the cost of 24/7 monitoring if you don't have internal SOC capacity (which you don't, if you're below 200 people).

Common deployment pitfalls: Three. First, leaving endpoints uncovered - the contractor's laptop, the field tablet, the legacy server that "isn't really used much." Attackers find the gaps. Second, deploying EDR without 24/7 monitoring - the alerts arrive at 2am on Saturday and nobody sees them until Monday. Third, deploying EDR and leaving traditional antivirus in place creating conflicts and false positives. Pick the Gartner Leader, deploy it everywhere, monitor it 24/7, and remove conflicting tools.

Control 6: Email security (Gartner Leader) protecting all inboxes.

What it is: Advanced email security that goes beyond Microsoft 365's or Google Workspace's built-in protection. The 2026 Gartner Email Security category includes Proofpoint, Mimecast, Abnormal Security, and Microsoft Defender for Office 365 (Plan 2). The products use a combination of content analysis, sender reputation, behavioral analysis, and increasingly AI to detect phishing, business email compromise, account takeover, and malware delivery.

Why it matters: Email is the most common initial access vector across all three threat actor categories. Microsoft 365's built-in protection catches the obvious attacks but increasingly misses the targeted ones - the spear-phishing email crafted specifically for your CFO, the AI-generated business email compromise mimicking your CEO's writing style, the invoice fraud targeting your accounts payable team. The advanced products catch these. The basic products don't.

What passes diligence: A Gartner Leader email security product layered on top of (or replacing) the built-in protection of your email platform. Coverage on 100% of mailboxes. Evidence of active tuning over the past 12 months (false positive rate trending down, true positive catches documented). Optionally: DMARC, DKIM, and SPF properly configured to prevent spoofing of your domain.

What does NOT pass: Microsoft 365 or Google Workspace built-in protection alone - they are the floor, not the ceiling. White-labeled email security products. Email security from an MSP that you can't identify by product name. "We use the email security included with our Microsoft 365" is increasingly read by diligence teams as "we have basic protection only."

What Vencer runs and why it matters: Vencer's standard email security stack is Proofpoint - a 2025 Gartner Magic Quadrant Leader for email security. Proofpoint provides advanced threat protection, business email compromise detection, social engineering defense, and post-delivery remediation. The capability to retroactively remediate threats discovered after delivery is increasingly important as attackers increasingly use legitimate cloud services to host phishing payloads that activate after delivery. Microsoft's built-in protection cannot do this at the level Proofpoint can.

What to deploy in mid-market: Layer a Gartner Leader product on top of your existing email platform. For most Canadian energy operators on Microsoft 365, Proofpoint Essentials or Microsoft Defender for Office 365 Plan 2 are the most common choices. Pricing ranges from $3-8 per mailbox per month for the advanced layer. The deployment is non-disruptive - email continues flowing through your existing platform; the advanced layer adds inspection.

Common deployment pitfalls: Two. First, deploying email security without configuring DMARC, DKIM, and SPF properly - which leaves your domain spoofable by attackers and weakens the entire posture. Second, treating email security as a "set and forget" deployment - false positive rates need ongoing tuning, threat intelligence needs ongoing review, and the security team needs to act on the alerts that the product surfaces. An untuned email security platform produces alert fatigue and gets ignored.

Controls 9-12 are the operational disciplines that make the first eight controls actually work in production. Tooling without monitoring is theatre. Monitoring without response is observation. Response without governance is chaos. The four operational controls are what convert a static cyber program into a live cyber capability.

Control 9: 24/7 monitoring and detection.

What it is: Continuous monitoring of the EDR alerts, email security alerts, identity events, network logs, and OT telemetry - with human analysts available 24 hours a day, 7 days a week, to investigate and respond. The function is typically called a SOC (Security Operations Center). For mid-market operators, the SOC is almost always delivered as a managed service - operators below 200 people cannot economically run an internal 24/7 SOC.

Why it matters: The attacks happen on weekends, at night, during holidays - specifically because attackers know that's when defenses are weakest. The 2025 Mandiant data showed median attack timing peaks at 3am local time of the victim, with Sunday morning being the most common day. An EDR alert at 3am Sunday morning that nobody sees until Monday morning is the difference between containing an attack at one machine and recovering from an attack across forty machines.

What passes diligence in 2026: A named, contractually-defined 24/7 SOC. Documented SLAs for detection and response. Named analysts (or named provider). Evidence of actual incident response over the past 12 months - alerts handled, false positives tuned out, true positives investigated and contained.

What does NOT pass: "Our MSP responds during business hours" - increasingly read by underwriters and diligence teams as "no real 24/7 capability." "We have an EDR product that sends alerts to email" - alerts without humans are not monitoring. "After-hours we use voicemail" is the most damaging finding in cyber diligence in 2026. Most regional MSPs offering "24/7" actually offer business hours plus on-call escalation, which is not the same thing.

What Vencer runs and why it matters: Vencer's 24/7 monitoring is delivered by two sister entities running live NOC/SOC operations in Bangkok and Jakarta. Real infrastructure, real analysts on real shifts, real coverage 24 hours a day across multiple time zones. Live CVE response - when a perfect-score zero-day is announced, the response begins immediately, not on the next business day. This is not unique among Fortune 500 SOC operations - it is unique among mid-market managed services providers, where most "24/7" claims dissolve under inspection. The buyer's diligence team can verify the physical infrastructure, the named analyst rosters, and the documented incident response history.

What to deploy in mid-market: For operators above ~60 people, a managed 24/7 SOC service is the right answer. Cost typically ranges from $3-8 per endpoint per month, in addition to the EDR licensing. The total cost of EDR + 24/7 SOC monitoring for a 50-person operator is typically $25K-50K per year - meaningfully less than a single cybersecurity FTE, with meaningfully better coverage.

Control 10: Tested incident response plan.

What it is: A written incident response plan that addresses the most likely incident types - ransomware, business email compromise, OT incident, data exfiltration, insider threat. The plan names roles (incident commander, technical lead, communications lead, legal counsel, executive sponsor), defines escalation triggers, and includes runbooks for the most likely scenarios. It has been tested in a tabletop exercise within the past 12 months, with documented after-action notes.

Why it matters: Incidents are stressful. The middle of an incident is not when you want to be figuring out who to call, what to tell your insurance carrier, when to involve law enforcement, or how to communicate with partners and customers. The plan exists to provide structure when stress is highest. The tabletop exists to discover the gaps in the plan before the incident, not during.

What passes diligence: A written plan with named roles, defined triggers, and documented runbooks. A tabletop exercise within the past 12 months with documented participation by senior leadership (CEO, CFO, IT lead, operations lead, legal counsel). Documented after-action items with completion evidence. A named external incident response firm on retainer for high-severity incidents. The retainer matters because in the middle of an incident is the wrong time to negotiate terms with an IR firm.

What to deploy in mid-market: Use a published template (NIST SP 800-61 is the canonical reference) and adapt it to your environment. Bring in external help for the first tabletop - fractional CISO support or a dedicated incident response consultancy. Schedule the next tabletop within 90 days of the first. The first tabletop typically surfaces 15-25 gaps in the plan. The second one verifies that the gaps were closed. By the third one, the plan is mature.

Control 11: Vendor cyber attestation.

What it is: A structured program for assessing and documenting the cyber posture of vendors with access to your environment or your data. The vendor categories that matter most: your IT/MSP provider, your production accounting platform, your JIB platform, your remote support tools, your monitoring services, your accounting firm, your law firm, your engineering consultants who access your data.

Why it matters: Supply chain attacks are increasingly common because the math works for attackers. Compromise one vendor, reach dozens of customers. The 2025 attacks on Sitecore, Sisense, and several MSP platforms each reached hundreds of downstream customers. If your vendor is compromised and you have no attestation program, you have no documented basis for understanding what happened to your environment when the vendor's environment was breached.

What passes diligence: A documented vendor risk register. SOC 2 Type 2 reports collected from your top vendors. Documented vendor security questionnaires completed within the past 12-24 months. Contract terms with key vendors that include cyber breach notification, audit rights, and reasonable cyber posture requirements. For partners with persistent access to your production environment, ongoing monitoring of the vendor's cyber posture.

What to deploy in mid-market: The full vendor risk management framework can be expensive. For mid-market operators, the practical approach is a tiered program: for tier-1 vendors (those with persistent access to production or critical data), full SOC 2 review and quarterly check-ins; for tier-2 vendors (those with access to corporate but not production), annual questionnaires and contract review; for tier-3 vendors (low-impact), contract review only. This is one of the controls where mid-market is allowed to be selective - full enterprise-grade vendor risk management is not expected, but documented selectivity is.

Control 12: Cyber governance and tabletop discipline.

What it is: The operational discipline that ties all eleven other controls together. Named accountability - usually a CISO function (internal or fractional). Defined cadence for reviewing posture, alerts, incidents, and metrics. Regular tabletop exercises. Executive-level reporting cadence - typically quarterly to the CEO and board. Annual cyber strategy review aligned to business strategy.

Why it matters: Cyber programs without governance drift. The controls deployed in 2026 degrade by 2027 because nobody is actively maintaining them. The 2025 Verizon Data Breach Investigations Report identified "lack of governance" as the leading contributor to material breaches across the energy sector. Governance is the discipline that prevents the controls from becoming security theatre over time.

What passes diligence: A named CISO function (internal or fractional). A documented cyber strategy aligned to business strategy. Quarterly board reporting evidence over the past 12-24 months. Annual tabletop exercises with documented results. A metrics dashboard that tracks the 12 controls and their status over time. For operators above 100 people, this becomes a formal program with documented governance artifacts; for operators below 100, fractional CISO support delivering the same outputs is acceptable.

What to deploy in mid-market: For most mid-market operators, a fractional CISO function is the right answer. Cost: typically $4,000-8,000 per month for the right level of engagement. That's meaningfully less than a full-time CISO at $250K+ all-in, and meaningfully more capable than "the IT lead also handles cyber" which is the default at most mid-market operators. The fractional engagement provides the governance discipline, the strategic guidance, the board-level reporting, and the relationship with carriers, auditors, and diligence teams that the controls require to function.

The cyber insurance market in 2026 looks meaningfully different from the market five years ago. Premiums have stabilized but underwriting requirements have tightened significantly. Mid-market operators who could buy cyber insurance with a basic questionnaire in 2021 now face detailed technical attestations, occasional pre-binding audits, and material deductibles. The market is more disciplined and the insurance is more valuable - but only if you can pass underwriting.

What changed between 2022 and 2026.

2022 was a hard market. Premiums spiked, capacity contracted, exclusions multiplied. Carriers lost money on the ransomware wave of 2021-22 and responded by tightening underwriting across the board. By 2024, the market had stabilized - premiums normalized, capacity returned, but with new minimum control requirements that became table stakes for any meaningful coverage. 2025-26 added another layer of tightening driven specifically by the energy sector ransomware surge and the post-Halliburton incident environment.

The current state: carriers want to see specific controls deployed and documented before they bind coverage. "We have antivirus and a firewall" no longer qualifies for serious cyber coverage. The detailed underwriting questionnaires now include 80-200 specific questions about controls, products, and operational practices.

The 2026 underwriter checklist.

What carriers serving Canadian energy mid-market are looking for in 2026, organized by the same twelve controls framework:

• Identity (Controls 1-4): SSO with MFA on at least 95% of accounts. Phishing-resistant MFA (FIDO2 or number-matching) on privileged, executive, and remote-access accounts. Documented offboarding with evidence. PAM for privileged accounts. SMS-based MFA is increasingly being flagged or excluded.
• Endpoint (Control 5): EDR deployed on every endpoint, with the carrier wanting to know which product. Gartner Leader products pass. Coverage above 95%. 24/7 monitoring of EDR alerts.
• Email (Control 6): Advanced email security beyond built-in protection. DMARC enforced. Phishing simulation training conducted at least annually.
• Backup (Control 7): Immutable backups verified within 90 days. 3-2-1 minimum, 3-2-1-1-0 preferred. Documented test restore evidence.
• Segmentation (Control 8): Documented IT/OT segmentation for operators with OT. Network architecture diagrams available on request.
• Monitoring (Control 9): 24/7 SOC capability - internal or managed. Named provider. Documented SLA. Evidence of actual incident handling over the past 12 months.
• Incident response (Control 10): Written incident response plan. Tabletop exercise within past 12 months. Named external IR firm on retainer for high-severity incidents.
• Vendor (Control 11): Vendor risk register. SOC 2 reports for top vendors. Contract terms including breach notification.
• Governance (Control 12): Named CISO function (internal or fractional). Board-level cyber reporting cadence.

Operators who can answer all of these affirmatively get the best rates and the broadest coverage. Operators who can't either pay materially higher premiums, accept narrower coverage with broader exclusions, or - increasingly - get declined for serious coverage entirely.

Coverage details that matter.

Beyond underwriting, the actual policy terms matter substantially. Things to look for in your 2026 cyber policy:

Coverage limits. Most mid-market policies range from $1M to $25M aggregate limit. The right limit depends on revenue, operational scale, and concentration risk. For a $50M revenue operator, $5M-$10M aggregate is the typical comfortable range - enough to cover ransom plus remediation plus business interruption for a meaningful incident.

Ransomware-specific limits and sub-limits. Some policies cap ransomware coverage separately from other cyber events. Read carefully. The sub-limit can be meaningfully lower than the aggregate limit.

Business interruption coverage. Cyber incidents that disrupt operations - even briefly - generate business interruption costs. Coverage exists but the trigger conditions vary significantly between carriers.

Waiting periods. Most policies have waiting periods before business interruption coverage kicks in. Common waiting periods are 8-24 hours. If your operations are time-sensitive and a 12-hour disruption causes substantial loss, a long waiting period materially reduces the coverage value.

Dependent business interruption. Coverage for losses caused by cyber incidents at your vendors or partners. This is increasingly important as supply chain attacks become more common. Most older policies don't include this coverage; newer policies vary widely.

Regulatory exposure. Coverage for regulatory fines and investigation costs. The Canadian Centre for Cyber Security and PIPEDA exposure makes this meaningful for Canadian operators. International operations add complexity - your Bangkok or Houston exposure may not be covered by a Canadian-issued policy.

Reputation harm. Coverage for the costs of managing reputational damage post-incident. Communications consultants, customer notification, partner reassurance. Often a sub-limit; sometimes excluded.

What carriers are doing differently in 2026.

Three trends worth knowing:

Pre-binding cyber audits. For larger limits or operators with risk profiles that warrant it, carriers are increasingly requiring a pre-binding cyber audit conducted by their nominated provider. The audit can either confirm coverage or generate findings that require remediation before binding. Plan for this in your renewal timeline.

Active monitoring during the policy period. Some carriers now offer (or require) ongoing monitoring of your external attack surface during the policy period. New vulnerabilities, exposed services, or compromise indicators trigger notifications to the insured. This is closer to a security service than traditional insurance, and it's increasingly common.

Coverage for ransom payments is becoming conditional. Some carriers are limiting ransom payment coverage to specific circumstances - for example, requiring law enforcement notification, requiring the carrier to negotiate the ransom, or excluding coverage for payments to specific sanctioned threat actor groups. The mid-2025 OFAC sanctions guidance on ransomware payments accelerated this trend.

Mid-market operators choosing a cyber stack - whether internally managed or delivered through an MSP - face a real selection problem. There are dozens of vendors in each category. Most claim Gartner Leader status (the ones who actually have it, and the ones who interpret the language creatively). Pricing is opaque. Comparisons are hard. This chapter is the framework for making the choice with confidence.

The framework: six categories, six choices.

For mid-market operators, the cyber stack reduces to six product categories. Pick one product per category from the Gartner Leader quadrant, deploy them properly, manage them with discipline, and you have a defensible cyber posture.

The selection criteria that matter.

Beyond Gartner Leader status, four criteria distinguish good choices from bad choices in mid-market:

One - operational scale of deployment. Does the vendor have meaningful mid-market customer base in Canadian energy? Vendors who serve enterprise primarily often have under-resourced mid-market support. Vendors who serve mid-market primarily sometimes lack the depth of enterprise capability. The sweet spot is vendors with serious capability in both segments.

Two - channel partner quality. Most mid-market operators interact with these products through an MSP or solution provider. The quality of that partner matters as much as the product. A great product delivered by a weak partner produces weak outcomes. A good product delivered by a strong partner produces strong outcomes.

Three - total cost of ownership including operations. The product license is rarely the largest cost. Implementation services, ongoing tuning, alert investigation, incident response - these are often two to three times the license cost. Comparing products on license cost alone is the wrong comparison.

Four - integration with the rest of your stack. The products that work well together produce compound value. Microsoft Defender for Endpoint integrated with Microsoft Entra produces a different outcome than SentinelOne integrated with Okta - different doesn't mean better or worse, but the integration shape matters. Pick products that work well with each other, not just the best products in isolation.

The MSP selection framework.

For most mid-market operators, the cyber stack is delivered through an MSP. The MSP selection is therefore the cyber stack selection. Six criteria for evaluating an MSP for cyber-heavy mid-market work:

• Named Gartner Leader products. Not white-label. The MSP delivers the products under the vendors' real names, with verifiable licensing.
• Real 24/7 SOC. Not "business hours with on-call escalation." A documented 24/7 operation with named locations, named analysts (or named provider partnerships), and contractual SLAs.
• Energy sector experience. Specifically Canadian oil and gas mid-market. Knowledge of OT/IT challenges. Experience with the regulatory environment.
• M&A experience. Can they support a transaction - buyer side or seller side - through the cyber diligence process? Have they done it before?
• Incident response history. Documented history of incidents handled in client environments, with appropriate references (anonymized).
• Multiple engagement models. Bundled for operators who want full ownership; co-managed for operators with internal IT who need reinforcement; fractional for smaller teams. An MSP with only one engagement model is rigid and usually overpriced for some segment.

The questions to ask in the evaluation:

• Show me the Gartner Magic Quadrant for each of the six categories. Tell me which product you would deploy in each. Tell me what the licensing model looks like.
• Where is your SOC physically located? What hours does it cover? How many analysts do you have on shift at 3am Sunday?
• Show me three recent incidents you've responded to. Anonymize the clients. Walk me through detection, containment, recovery.
• What other Canadian energy clients can I speak with as references? How long have they been with you? What was their cyber posture before vs. after?
• What does the engagement look like in the first 90 days? What does it look like in year two?

The answers tell you everything you need to know. Strong MSPs answer crisply with specific names, specific numbers, and specific references. Weak MSPs answer with marketing language and generalities.

The right cyber 90-day plan depends on where you are starting. Three honest starting postures cover most Canadian energy mid-market operators in 2026. Each posture has a different 90-day plan. Pick the one that matches your actual situation and execute it.

Posture A: Catching up - control coverage below 60%.

You are below the floor. Your cyber insurance renewal is at risk. Your M&A readiness is poor. Your actual incident risk is elevated. The 90-day plan is the catch-up - get to defensible posture across the twelve controls in three months, then iterate from there.

Days 1-30: Foundation. Deploy Controls 1-4 (identity foundation). SSO with phishing-resistant MFA on every account. Documented offboarding. Inventory of privileged accounts. This is the foundation everything else depends on; nothing else compounds without it.

Days 31-60: Front line. Deploy Controls 5-6 (endpoint and email). Gartner Leader EDR on every endpoint with 24/7 monitoring. Gartner Leader email security on every mailbox. This stops 80% of opportunistic attacks.

Days 61-90: Resilience and operations. Deploy Controls 7-10 (backup, segmentation, monitoring, IR). Immutable backups verified. IT/OT segmentation documented and enforced. 24/7 SOC operational. Written incident response plan with first tabletop scheduled. You now have defensible posture across the most critical controls.

Days 91+ continue with Controls 11-12 (vendor attestation, governance) and the deeper work on the controls deployed in the first 90 days.

Posture B: Hardening - control coverage 60-85%.

You have the basics but the controls are not yet diligence-defensible. Identity is mostly deployed but MFA coverage has gaps. EDR is in place but the 24/7 monitoring is weak. Backups exist but immutability is uncertain. The 90-day plan is hardening - close the specific gaps that prevent diligence pass.

Days 1-30: Gap assessment. Honest audit against the twelve controls with specific deficiencies identified. Engage external review if possible - fractional CISO or external cyber assessor. The audit produces the gap list.

Days 31-60: Critical gap closure. Close the top five gaps identified in the audit. Common patterns: extending MFA coverage to remaining accounts, upgrading EDR product to a Gartner Leader, configuring backup immutability properly, implementing real 24/7 monitoring vs. business-hours-only.

Days 61-90: Documentation and validation. Document the deployed posture comprehensively. Run a tabletop exercise. Schedule a third-party validation if possible. Posture B operators are usually 60-90 days of focused work away from diligence-defensible state; the program just needs structure and execution.

Posture C: Maturing - control coverage above 85%.

You have defensible posture and need to keep improving. The 90-day plan is maturation - deepening the existing controls, increasing the operational discipline, and addressing the long-tail risks that distinguish good from excellent.

Days 1-30: Threat intelligence integration. Connect your SOC operations to current threat intelligence. Tune your detection rules based on actual threat actor TTPs targeting Canadian energy. Run a red team exercise or penetration test.

Days 31-60: OT/IT depth. Deepen the OT/IT segmentation. Implement OT-specific monitoring if not already in place. Run an OT-specific tabletop exercise. Address the supply chain depth that most mid-market operators don't reach.

Days 61-90: Governance maturity. Implement board-level cyber metrics. Run a comprehensive incident response exercise. Refresh the cyber strategy document to align with current business strategy. Posture C operators are not catching up; they are differentiating on cyber as a competitive advantage.

The honest cost of each posture.

For a 50-person operator, executing one posture properly over the first 90 days, with external advisory and tooling support:

• Posture A (catching up): $80K-$150K in the first 90 days, then $80K-$150K per year ongoing.
• Posture B (hardening): $40K-$80K in the first 90 days, then $60K-$120K per year ongoing.
• Posture C (maturing): $30K-$60K in the first 90 days, then $80K-$140K per year ongoing.

For all three postures, the ongoing cost is roughly $60K-$150K per year. That's meaningfully less than a single cyber FTE at $200K all-in. It's meaningfully less than the cost of a single ransomware incident. It's meaningfully less than the M&A multiple impact of failing diligence on cyber. And it produces underwriter-defensible, diligence-defensible, attack-defensible posture.

Vencer Group is Calgary's managed IT, M&A technology, and cybersecurity partner - built for energy, advisory, and regulated businesses with international ambitions. Nineteen years in business. Two oil price collapses survived alongside our clients. Eleven years of managed security operations with zero data breaches. Thirty-plus M&A transactions delivered. More than $12 billion in transaction value guided. Delivery across four continents - with live infrastructure under management right now in Calgary, Bangkok, Jakarta, and Singapore.

Most MSPs sell hours. We deliver outcomes the operator, the CFO, the underwriter, and the board all need.

Most managed IT firms force you into one shape. Vencer meets you where you are - whether you want full ownership, you already have an IT person who needs reinforcement, or you're a smaller team scaling fast.