Bow Valley College’s security leader argues Canada’s biggest cyber gap is not technology, it is talent.
On a weekday at Calgary’s Bow Valley College, James Cairns moves from a meeting on AI governance to a hallway chat with students about their first security jobs. The rhythm fits his own path. He started on the engineering side, learned the realities of infrastructure and data, and now serves as the College’s Chief Information Security Officer, a role that blends policy, operations, and a lot of teaching moments.
His entry point into security was equal parts sting and spark. Early in his career, a security analyst made a habit of breaking what Cairns’ team had just shipped. That weekly stress test changed how he looked at technology. “Not only am I building code,” he recalls, “but somebody’s actually figuring out how to break it, how to use it for their purposes. That kind of started the journey.”
Over the years, Cairns built a toolkit that spanned software development, ERP platforms, database administration, and systems operations. The turning point came when defending against SQL injection taught him the value of secure design. In recent years, as Bow Valley College formalized its security function, Cairns moved into security full time, drawing on the breadth he had built across roles.
Ask Cairns about the sector’s most basic constraint and he does not start with ransomware or tooling. He starts with staffing. “In the industry we are shy with boots on the ground,” he says. “We are outmanned, outgunned… As it stands right now, you could consider that we are in fight‑fire mode.” Tools help, but capacity in well‑trained people decides outcomes.
His response is practical and repeatable. Create Tier 1 on‑ramps that let students and new graduates handle essential work in real environments. “Getting students out of school and into these Tier 1 jobs is crucial,” he says. By Tier 1, he means the entry‑level front line in a security operations centre (SOC), where analysts monitor alerts and triage incidents before escalation. The model solves two problems at once. Organizations get help on critical tasks that rarely make headlines. New professionals get the repetitions that turn knowledge into judgement.
Bow Valley’s own story supports his case. In 2024 the College became the first and only post‑secondary institution in the world recognized by the Cloud Security Alliance as a Trusted Cloud Provider, a signal that security is an operating principle rather than a bolt‑on. The College’s announcement quotes Cairns on why the recognition matters to current and future students.
Cairns often credits community for sharpening his practice and opening doors for others. He helps lead BSides Calgary, which gathers students, seasoned practitioners, and employers on campus for two days of talks, workshops, and live problem‑solving. The event has become a high‑energy snapshot of the field and a hiring pathway in plain sight. In 2023, the capture‑the‑flag competition flipped in the final 11 seconds, a detail that conveys the stakes and the learning value for newcomers and hiring managers alike.
The people behind those events, he says, have become a support system. When things get difficult, they are the ones he calls first. That sense of belonging is not an extra, it is part of how you build a resilient career and a resilient team.
Cairns views today’s threat picture through the lens of decision quality. Defenders must reason about complex systems at scale while attackers iterate fast. Instead of relying on slogans, he looks at how institutions make choices about risk and accountability. At Bow Valley, that shows up in AI governance. In 2025 the College adopted the AI Trustworthy Pledge and published a policy framework that puts real‑world impacts at the centre. The governance committee has 13 members, only two of them technical, a design choice that brings ethics, education, and student outcomes into the room alongside engineering. He describes the pledge as a public line in the sand: state how you will use AI, check reality against that promise, and correct course if needed.
Cairns’ advice to newcomers is to start broad. Learn networks, systems, identity, scripting basics, and data. Learn how to read logs and how change control works. Later, specialize if a domain keeps pulling you in. Over‑specializing too early can turn a market shift into a career stall, while fundamentals travel with you. He is also a firm believer in learning by doing. That can be a Tier 1 rotation in the SOC, a help desk where identity issues are real, or a co‑op that pairs you with a builder. Community events make it easier to find mentors and opportunities, and they help students see themselves in the field.
Security is demanding work, and teams last when people have lives outside the on‑call schedule. Cairns writes in his spare time, tinkers with cars, restores old furniture, and keeps a garden the way he learned as a farm kid. He jokes about a long‑term vineyard in southern Alberta. The message underneath is simple. Craft and patience matter. Those habits are good for the person and, by extension, for the work.
For Cairns, security is a team sport, and teams are built with intention. He points to three levers that work: a college that treats security as a public commitment, a community that connects students and employers, and leaders who develop people by design. “We need to get these people out there in droves,” he says.
To connect with James, visit his LinkedIn profile here.