CyberVoices

As Executive Director of the Canadian Cyber Threat Exchange (CCTX), Jennifer Quaid is championing a people-first, share-what-works approach to cyber defence, one that treats resilience as a team sport and community as critical infrastructure.

If you want to understand what makes cybersecurity in Canada tick, spend an hour with Jennifer Quaid. She will talk about indicators and feeds, yes, but she’ll just as quickly pivot to something more fundamental: people. “True cyber security is more than data about past attacks, it’s people, process, and technology,” she says. “Resilience isn’t about putting up an umbrella so nothing hits your systems. It’s how quickly you recover when, because you will, something does.”

Quaid leads the Canadian Cyber Threat Exchange, a member-based non-profit that is nearly a decade old and now counts more than 200 companies from 16 sectors, representing over 1.5 million employees. The mission is straightforward and ambitious: enable members to collaborate on cyber threats in ways that measurably raise resilience. In practice, that means fewer silos, faster answers, and a community that treats hard-won lessons as shared assets rather than proprietary secrets.

From “what happened” to “what works”

CCTX runs a traditional portal, curated reports, standardized indicator feeds, operational updates. But the heartbeat of the organization is human: weekly threat calls where members compare notes on what they’re seeing right now, how they’ve mitigated it, and what they’d do differently next time. This isn’t broadcast; it’s peer-to-peer. Someone will ask, “What TTPs is this group using?” and another member replies with a full brief they’ve already compiled. “That’s collaboration at its finest,” Quaid says. “Ask a question; somebody else has an answer. You don’t waste resources chasing what your peers have already solved.”

It sounds simple. It’s not. It requires enough trust to speak candidly about incidents and near-misses. It demands discipline to translate experience into practical guidance. And it needs a forum where rivals on paper operate as allies against a common adversary. Quaid spends much of her time cultivating those conditions, removing friction, reinforcing norms, and reminding the community that the threat actors on the other side collaborate extremely well. “Why shouldn’t we?”

The case for resilience as a leadership function

Quaid is direct about a structural problem: in too many organizations, cyber still “lives” inside IT. “Any single issue that can bring a company to its knees cannot be tucked into one department,” she says. Cybersecurity, in her view, belongs with enterprise risk, with the CISO operating as a core risk leader who can translate technical realities into business decisions. That translation layer, turning complexity into clarity, isn’t a soft skill; it’s a leadership requirement. “If you can’t communicate the risk, the problem, and the solution to those higher up the food chain, you won’t get very far,” she says. It’s also how organizations move from control checklists to capability: understanding where they’re exposed, which mitigations create the biggest deltas, and how to recover operations fast when inevitably, someone gets through.

Quaid’s version of resilience is pragmatic. It recognizes that resources will always be constrained and that boards will periodically question “insurance” they haven’t claimed on. She counsels against false economies. Sometimes the reason you haven’t had an incident is precisely because you’ve invested in the right people, processes, and tooling plus a network you can lean on when the clock is ticking.

A vocation built on purpose (and interruptions)

Ask why she’s in cyber and Quaid doesn’t hesitate. “It’s the commitment. The feeling that you’re doing the right thing,” she says. It’s also not glamourized. “Nobody is in cyber for the money. If you look at the hours and the lack of predictable lifestyle, attacks don’t happen Monday at 9 a.m.; they happen Friday at 4 p.m. before a long weekend, you realize the only guarantee is interruption.”

What keeps her and many others at it is the generosity of the community. “You don’t see this willingness to share elsewhere,” she says. It's a tight-knit group that supports each other through calls, meetups, and quick responses when needed. “That’s why I’m in cyber.”

Building the habit of collaboration

Culture doesn’t happen by accident. Quaid encourages practitioners, veterans and newcomers alike, to make participation a personal commitment. “Go to the meetup. Get to know people outside your sector. Share what you can,” she says. It feels like an alumni group because, in a way, it is—people bound less by credentials than by shared experiences under pressure.

That “outside your sector” point matters. Many attacks move laterally across industries; many mitigations do, too. Limiting your horizon to your own vertical can blind you to patterns others have already mapped. CCTX’s cross-sector model is designed to break that bias, surfacing what’s relevant now from the broadest possible base.

Advice for breaking in and moving up

Quaid doesn’t sugarcoat the job market for early-career entrants, but she’s optimistic about those who stay with it. “Keep trying, once you’re in, it’s the best industry,” she says. Certifications can help at the start; they’re signals for hiring teams. But advancement depends on two complementary muscles: technical depth and the ability to explain risk and trade-offs clearly.

Her guidance for rising leaders echoes what CCTX practices every week. Treat communication as core. Turn incidents into institutional memory. Mentor relentlessly, because resilience scales through people. And cultivate the reflex to ask, “Who else has already solved this?” before you reinvent the wheel.

What collaboration looks like on a Tuesday

To understand the texture of the work, consider a typical CCTX threat call. A member flags fresh activity from a well-known threat group. Another shares TTPs they’ve observed, plus a short list of controls that actually moved the needle in their environment. A third contributes a post-incident playbook that shaved hours off recovery time. Within an hour, everyone leaves with better questions to ask their teams and fewer blind spots.

Multiply that across dozens of organizations and you see why Quaid champions community as a strategic asset. The value isn’t only in the indicators; it’s in the judgment members lend each other about what’s worth doing next.

The imperative and the invitation

Quaid’s closing message is consistent: no organization can do this alone. The threat landscape is too dynamic, the attack surface too sprawling, the adversaries too coordinated. The antidote is a coalition mindset, formalized through exchanges like CCTX and reinforced by everyday habits of trust and reciprocity. “We all need community in our personal lives and our professional lives,” she says. “In cybersecurity, the threat actors are already sharing and collaborating very effectively. Why aren’t we?”

It’s both a challenge and an invitation. For executives, elevate cybersecurity to the risk function where it belongs and measure resilience not by the absence of incidents but by the speed and quality of response. For practitioners, build your network, show up, and share what works. For newcomers, earn your credentials, then learn to tell the story of risk with clarity.

The payoff isn’t abstract. It’s the difference between a bad day and a defining crisis; between a quiet, routine recovery and a public, costly failure. Jennifer Quaid’s contribution is to make that difference collective embedding it in a community where asking for help is a sign of strength and giving it is the norm.

Reach Jennifer Quaid at the CCTX.