Off the Rails: Why Cybersecurity Must Rethink Its Future
When Michelle Balderson began her career in technology more than 25 years ago, cybersecurity barely registered in the corporate lexicon. Today, it is one of the most pressing boardroom issues in Canada and abroad. Yet for Balderson, a seasoned expert in Operational Technology (OT) security, the industry she has helped shape is at a crossroads and not necessarily on the right track.
“The industry is off the rails,” she says with characteristic candour. “We’ve created an environment with 3,700 vendors all selling widgets, relying on fear, uncertainty, and doubt. What’s missing is the real conversation about business risk.” Balderson’s blunt assessment comes with authority. Her career spans from early tech sales to an 18-year tenure at Fortinet, where she was employee number 239 and part of the team that helped the company scale to a global cybersecurity giant of more than 15,000 people. Along the way, she has carved out a unique specialization in OT security, protecting the critical systems that underpin everything from energy grids to manufacturing plants. But her story is more than a résumé. It is a journey defined by foresight, resilience, and a relentless commitment to community and mentorship.
From Sales Floors to Cybersecurity Strategy
Balderson’s career began in an unlikely place: selling micro drives at Micro Drives Canada. She jokes that it was “widget selling,” but it gave her an early education in technology fundamentals. From there, she moved into distribution, representing dozens of product lines, before joining D-Link Canada.
What set her apart was foresight. She noticed that network interface cards and Layer 2 networking, the products she was selling, were destined to become commoditized. “I realized I needed to be in a field that wouldn’t be commoditized. Security was the resounding answer,” she recalls. That decision led her to SonicWall and, eventually, to Fortinet. In 2003, she spotted the company’s placement in Gartner’s “visionary” quadrant and joined the then-nascent team. Over nearly two decades, she built deep expertise in OT security, helping industries transition legacy systems into the digital era, often before security was even on their radar. Her motivation was never about selling products for their own sake. “It was always about a love of society and love of technology, and wanting to influence the positive,” she says.
Building a “Unicorn” Skillset
At Fortinet, Balderson gained what she calls the “unicorn” skillset—a blend of business acumen and technical depth. She deliberately learned every part of the business cycle: product management, marketing, inventory, sales leadership, and financial due diligence.
Her mentors played a defining role. Former manager Phil Quaide, once of the NSA, taught her to slow down her fast-paced sales style and learn how to speak to executives. General Counsel John Whittle exposed her to mergers and acquisitions, teaching her how balance sheets and business due diligence affect cybersecurity decisions. Founders Ken and Michael Xie welcomed her ideas directly, shaping product strategy in areas like industrial control system (ICS) signatures. And on a personal level, colleagues such as Michelle Shear provided critical support during her gender transition, giving her the confidence to embrace her identity while leading in a high-stakes industry. “I learn something from every single person I work with,” Balderson says. “That’s how you build lifelong learning into your career.”
Community Builder and Mentor
Beyond corporate corridors, Balderson has poured energy into growing the cybersecurity community. She is a regular at BSides events in Calgary and New Orleans, grassroots conferences that spotlight local expertise. She also championed bringing international OT-focused events such as CS4CA and ManuSec to Canada, ensuring industries here had access to specialized knowledge. Mentorship is central to her philosophy. She speaks frequently to students at the University of Calgary, SAIT, and other institutions, encouraging them to consider foundational roles like technical support as stepping-stones into cybersecurity. For her, this is a corrective to a troubling trend: academic cybersecurity programs being cut because graduates struggle to find jobs. “If we don’t mentor and create clear pathways, we risk losing the next generation of cybersecurity professionals,” she warns.
A Stark Diagnosis of Cybersecurity Today
For all her optimism about talent and community, Balderson is unsparing in her critique of the industry’s current direction. When she began, there were only a handful of solid cybersecurity vendors. Today, there are nearly 4,000. Yet the proliferation hasn’t led to better outcomes. “The dominant sales model is based on FUD—fear, uncertainty, and doubt,” she says. “Companies push widgets, promise silver bullets, and deliver technical answers that don’t help executives understand the risk to business operations.”
She points to an exchange with Robert Martin, then CISO of Alberta Health Services, who asked her what a major technology investment did to help inform the board of business risk. “The answer was absolutely nothing,” Balderson admits. “Because it was a technical solution giving only technical answers.”
The Rise of the “Post-Breach CISO”
For Balderson, the future of cybersecurity belongs to what she calls the “Post-Breach CISO”: a leader who assumes breaches are inevitable and focuses on resilience, mitigation, and business risk.
She outlines the evolution:
- Phase One: Educating businesses that risk exists.
- Phase Two: Convincing leaders they are in a “constant breach state.”
- Phase Three (Now): Helping boards understand not if they will be breached, but when, and what that means for business continuity.
“Each technology isn’t a silver bullet,” she emphasizes. “Breaches will never end. The only viable path forward is to reorient everything to business-centric needs.” That means shifting away from siloed technology stacks and toward integrated platforms, underpinned by robust processes, policies, and intelligent data analytics to separate signal from noise. Artificial intelligence, she cautions, is no panacea; at its best, it is simply analytics reframed.
Looking Ahead
Balderson’s voice carries weight because it comes from experience across sales, operations, technical specialization, and leadership. Her message is clear: the industry must stop selling fear and start building context. It is also deeply human. Whether mentoring students, championing inclusive spaces, or challenging vendors to rethink their approach, she insists that cybersecurity is not just about machines or code. It is about people, processes, and the business outcomes they protect. As she puts it: “If you’re in security to sell widgets, you’ve missed the point. If you’re here to protect society and enable positive outcomes, that’s where the real future lies.”

