Welcome to the new CyberVoices Newsletter
Happy New Year!
New year, new newsletter. We have refreshed CyberVoices with a cleaner simpler design and open access. No registration. Just insight that matters. Each issue brings together trusted voices, timely signals and practical ideas shaping cybersecurity and digital trust in Canada.
From insights to impact.
CyberVoices helps you understand what is changing and what to do next.
Article of the Month
CCN Launches New website!
This was not a redesign for aesthetics. It was a rebuild for scale.
As CCN grows, the way we deliver content, connect people, and support careers and businesses has to grow with it. The new site is structured around what matters most right now.
Over the past few months we have been building quietly.
You will see new applications across the site including the CCN Event Hub to centralize community and partner events, a business member directory that links directly to member websites and areas of expertise so companies can actually be discovered, and our national Find Your Community in Canada database. That last one came from a question asked during a Bsides presentation. Thank you to the community for pushing us to make it real.
You will also find our updated Media Kit and groundwork for Training Navigator, a new platform coming soon for businesses and individuals focused on practical up skilling across cybersecurity, AI, and digital leadership.
In February we will launch what many of you have been asking for. The CCN Circle Community. A dedicated space to connect, learn, and collaborate beyond social feeds.
On the research side, our work continues to accelerate.
Late January brings our annual State of Cybersecurity in Canada report.
April follows with our AI and Cyber report.
Fall will see the launch of our Defense and Cyber report.
We are also introducing CCN Insights. Short focused reports on a single issue designed to support leadership and board level decision making across cyber and digital. The first will be released at the IAM conference in January.
Oh and our newly rebuilt Newsletter launches this week (no more registration) and our new weekly podcast CCN Conversations also goes live with about 30 amazing interviews already completed.
A lot has been built in a short period of time.
Explore the site.
Tell us what works.
Tell us what does not.
We are not finished.
We are just getting started.
Stronger Together
CCN insights
AI Rescues Cybersecurity Practitioners from Adversaries…Sort of
Like many in the cybersecurity industry, we have great expectations for generative and agentic AI technologies to assist in our ongoing battle to detect and contain adversaries more effectively. Is it too good to be true?
Those expectations center on increasing capacity, augmenting already constrained teams and just maybe operating with reduced cybersecurity budget. Make no mistake, there is no option for cybersecurity practitioners as you must fully embrace these technologies, or you will fall behind.
Why? Because the battlefield has changed. While difficult to quantify precisely, we can see indicators that the unit rate of attacks per asset accelerated more than any time in the past. This acceleration is driven by several converging factors: AI-generated phishing lures that are far more compelling and effective, attacker infrastructure that can now scale cheaply and quickly, and the continued rise of malware-as-a-service, which lowers the barrier to entry for less sophisticated threat actors.
The result is clear: it’s game on. When combined, these factors lead to higher attacker success rates and by extension elevated risk posture. While threat researchers differ on opinions on time to achieve attacker objectives, eSentire’s Threat Response Unit’s research has observed is it is under 14 hours, the fastest it has ever been. Advanced AI technologies powered by more compute have become table stakes in cybersecurity operations.
So, what is the “too good to be true” part you ask? Modern AI technologies, while rapidly maturing, still hallucinate in unpredictable ways and models will drift. Not a lot, but just enough that they can’t be trusted to make the right decision 100% of the time. Blind trust in generative and agentic AI systems with no accountability will lead to catastrophe.
What is the solution? Trust but verify is emerging as the best practice. Every system you develop needs continuous human oversight. Think of this as perpetual governance and audit where trust itself becomes the control plane. The capacity gains are real in terms of eliminating massive amounts of repetitive human effort which frees up teams to work on more complex analysis and investigation. But without oversight and human expert validation, I am afraid you may come face to face with SKYNET.
Frameworks Won't Fix What Agents Will Amplify
Why your organization needs sound processes before deploying autonomous AI systems
AI agents are tools that do more than answer questions. They can take actions like drafting and sending emails, pulling data from systems, and triggering approvals. Unlike simple automation, agents can choose next steps based on context, which is powerful but harder to control.
Leaders should separate two needs: how you govern AI (ISO/IEC 42001) and how AI agents can fail in practice (OWASP's Top 10 for Agentic Applications). ISO/IEC 42001, published in December 2023, helps leaders set AI policy and oversight. The OWASP Top 10 for Agentic Applications for 2026, released December 9, 2025, lists what can go wrong, including Agent Goal Hijack, Memory & Context Poisoning, and Cascading Failures.
As a member of the SCC Mirror Committee for ISO/IEC JTC 1/SC 42, I watch these frameworks evolve. Frameworks matter. But neither addresses what most organizations lack: clear, documented processes for agents to follow.
Here is the risk: agents do not fix messy work. They make it run faster, including the mistakes. If your team relies on tribal knowledge or "ask Jane" to get things done, agents will scale that confusion quickly.
In one security operations engagement, the client wanted more advanced analytics. The work that mattered was clear ownership, a shared definition of "urgent," and an escalation path everyone followed. If we had added AI first, it would have created more alerts, more confusion, more wasted time.
Before deploying agents:
Start with process clarity, then add autonomy.
The Metrics Gap in Awareness Programs
Most security awareness programs are run with surprisingly little navigational data. In practice, we treat click rates, completion rates, and vendor “risk scores” as measures of effectiveness when they’re often just capturing activity. They tell you what happened inside the platform, not whether real behaviour is changing over time. I’ve seen teams do everything “right” and still be unable to answer a basic question: Are we actually improving?
Benchmarks compare campaign results with other organizations, but they say nothing about longitudinal impact inside your own environment. That requires true baselines. Without objective, consistent baselines, teams can’t tune their program with confidence. They can’t defend investments, compare quarters fairly, or determine the right amount of activity before diminishing returns set in.
Awareness platforms aren’t the problem. Measurement is. If we want programs that genuinely improve human security behaviour, we need metrics designed to prove impact independently, repeatably, and over time.
The Oxygen Advantage of the Canadian Cybersecurity Community
This immigration era is creating friction across Canada’s cybersecurity ecosystem. That friction isn’t a flaw. It’s the training ground for one of the most resilient communities in the world. This era is bringing a level of friction similar to what Canada experienced following World War II, when rapid growth, integration, and rebuilding reshaped the nation.
The Oxygen Advantage is not about comfort. It is about adaptation. Growth comes from pressure, not ease. And in Canadian cybersecurity, we are living through a rare moment where pressure is doing exactly what it should: strengthening the system.
This immigration era has introduced friction including cultural, professional, regulatory, and human challenges, amplified by government systems operating under sustained stress beyond their designed capacity. Processing delays, credential backlogs, and policy lag are not just administrative issues. They are pressure points that test patience, resilience, and intent.
Diversity brings different ways of thinking about risk, governance, execution, and resilience into the same rooms, teams, and communities. That friction is often uncomfortable, but it is also productive. It forces conversations that cannot be skipped. It exposes assumptions. It sharpens standards.
Newcomers arrive either battle tested in complex, high risk environments or get trained by world class institutions and global programs in Canada. Yet the friction of entering the Canadian market, credential recognition, local experience requirements, regulatory nuance, and cultural alignment filters relentlessly. Government system constraints add another layer of stress. Not everyone makes it through. Those who do are sharper, more patient, and deeply resilient.
Canada is quietly assembling one of the most prepared cybersecurity communities in the world, not because it is easy, but because it is demanding. Local professionals bring deep institutional knowledge, regulatory discipline, and long term thinking. Newcomers bring urgency, adaptability, and exposure to real world threats at scale. Together, they are learning to operate under constraint, ambiguity, and constant change.
This is the oxygen advantage.
Communities forged in pressure respond faster, think clearer, and recover stronger. Canada’s cybersecurity future is being built under stress, and that stress is oxygen.
Community
Don’t miss the Great Canadian CTF Tournament — Canada’s nationwide virtual cybersecurity showdown hosted on Hack The Box. Thirty two teams from coast to coast will compete in a March-Madness-style bracket starting February 14th 2026 testing skills solving real challenges and earning bragging rights and prizes along the way. Whether you’re a student professional or just levelling up this is a chance to learn sharpen your skills and see community talent in action. Register here.
Community Voices
“The perimeter did not fail because technology was weak but because human trust remains the most exploitable attack surface in any organization.” Femi Ogunji
“Successful Canadian cybersecurity companies create a flywheel, producing new founders, investors and the next generation of innovation.” Richard Stiennon
“Israel, Singapore, and Estonia prove that cybersecurity leadership is not accidental. It is designed. Canada has not yet designed for scale or urgency.” Francois Guay
Signals
Interesting insights from the Global Cybersecurity Outlook 2025 World Economic Forum organization. Great data to make you better understand CEO and CISO mindset as well as how small or enterprise businesses feel about their cybersecurity posture.
CCN Podcast-New
We are excited to announce our new podcast CCN Conversations, where Canada’s cybersecurity leaders are interviewed by Francois Guay and speak candidly about what is really shaping our digital future. Real stories real challenges real insight from the people on the front lines.
Our new episode drops soon. Subscribe to the podcast.
CCN Insights Reports
Developed with independent leaders, each Insight focuses on a single subject, helping boards, decision makers, and readers quickly identify action plans and critical tipping points.
If your organization has a perspective worth sharing, CCN Insights offers a thoughtful way to contribute to the conversation and help leaders across Canada navigate a complex and rapidly changing landscape. Get in touch.
Upcoming Report
The State of Cybersecurity Report in Canada is CCN’s flagship national report, bringing together real world insight on the threats trends and decisions shaping cybersecurity across the country. It is written for business leaders boards and public sector decision makers who need a clear view of where Canada stands and what comes next.
Authored by leading voices including Lina Dabit, Scott Augenbaum, David Masson, our sponsor from Darktrace, Amisha Parikh our sponsor from Mastercard, Jason Keirstead, Jennifer Quaid, Jonathan Weekes our sponsor from Boxx Insurance, Jaap Mantel, Femi Ogunji, Tracey Nyholt our sponsor from TechJutsu and many others, the report blends practitioner experience with strategic perspective to cut through the noise and surface what truly matters. Pre-register here. No more sponsorships are available but you can still get a full page ad in the publication, contact us.
CCN Event of the Month
Identity is now the fault line of cybersecurity. Most breaches and trust failures come down to one question who has access and should they. As organisations scale digital systems and AI adoption the pressure to secure human and machine identities has never been higher.
The NKST IAM Summit on January 28 in Toronto brings this challenge directly to C suite and security leaders responsible for balancing security compliance and business agility. Register here.
Partner of the Month
"Spinner Design has made our life at the Canadian Cybersecurity Network so much easier by bringing a high level of expertise and professionalism to our reports and packages. Jen is a pleasure to work with". Francois Guay, Founder CCN
Coming Soon
February - CCN Circle Community Launch
February - Training Navigator
February - New Mentoring App and Program
April - The 2026 State of AI & Cybersecurity National Report
Get in touch for advertising, sponsoring or contributing to the various sections of our newsletter.