Blog October 14, 2025

It Takes More Than Awareness: Building a Resilient Cybersecurity Culture


Canada has built an impressive cybersecurity foundation. The Communications Security Establishment (CSE) and its Canadian Centre for Cyber Security (CCCS) have developed the tools, systems, frameworks, and partnerships needed for a strong cyber defence posture. But the gap between their alert and support system and the operational capabilities of individual departments, ministries, and institutions remains Canada’s defining cybersecurity challenge. At the federal level, organizations have Shared Services Canada to monitor, mitigate and manage risks, but not all governments have similar capabilities. And even the most prepared public sector entity is light years behind the cyber strength it needs today.

Every public sector organization has ambitious goals for protecting its critical infrastructure, but all face the same simple problem: finding the resources (money and people) needed to mitigate risk, that is, to invest in real-time tools and in the staff who operate them. Bridging that gap requires a full-spectrum approach that spans both Left of Boom—the period before an incident, when prevention and anticipation matter most—and Right of Boom—the period after an incident, when response and recovery determine whether the country emerges stronger or weaker.

Left of Boom: From Awareness to Action

Left of Boom thinking is about anticipation rather than reaction—recognizing the warning signals before networks fail, hospitals go dark, or pipelines halt. Every major cyber incident begins long before the explosion point. Adversaries probe, map, and test systems for weeks or months before striking.

Canada understands this. CCCS works across federal, provincial and territorial governments, along with regulated industries, to support intelligence capabilities and remediation efforts. These organizations run the systems Canadians depend on daily, yet many lack the funding and resources to operate Left of Boom.

Moreover, public sector entities are being encouraged to drive productivity and save on costs by harnessing the power of artificial intelligence. But without the resources to secure those AI initiatives, AI simply becomes another attack vector.

The path forward lies in building a national culture of intelligence, where cyber awareness is not confined to Ottawa or large corporations but extends to every public sector institution, regulator, operator and employee in the country’s critical infrastructure ecosystem. While intelligence sharing through CCCS and the Canadian Cyber Incident Response Centre is a daily habit, organizations still need the real-time monitoring tools and people to monitor and mitigate risks daily—it cannot be a crisis-driven exception.

That requires what we at SecurityScorecard call a unified asset intelligence layer—a near real-time picture of an organization’s digital infrastructure that combines the organization’s own assets, the ecosystem it operates in, and private-sector telemetry to identify where vulnerabilities exist and which ones are being actively weaponized. Take Transport Canada as an example: if it considered not only the department itself but also its portfolio (CATSA, VIA Rail, etc.), the broader transportation infrastructure beyond its control (airlines, van lines, etc.), and its third-party suppliers (embedded technological systems), this capability would transform cyber defence from a static exercise in compliance into a dynamic model of continuous monitoring.

Technology is only part of the equation. Human awareness remains the first and last line of defence. Most successful breaches still start with a human action: clicking a phishing email, reusing credentials, or falling for social engineering. Embedding cybersecurity into organizational culture through onboarding, realistic drills, and red-team exercises builds the muscle memory required to respond instinctively rather than reactively when threats emerge.

Right of Boom: Building a Culture of Resilience

As much as prevention matters, incidents are inevitable. That is the essence of Right of Boom thinking. The true measure of resilience lies in how governments and organizations respond when disruption occurs.

The 2022 Rogers Communications outage was a wake-up call. When the internet, phone, and payment systems went down nationwide, millions of Canadians were unable to access banking services or call 911. What appeared to be a technical failure quickly became a national security and public safety crisis.

Similar lessons can be drawn from recent ransomware attacks on Canadian hospitals, which forced the postponement of cancer treatments and critical surgeries. A notable federal hack at the Financial Intelligence Transaction Agency on March 5, 2024, took the department offline for months, impairing its ability to receive the bank transaction reports it needs to investigate fraud and human trafficking. These incidents underscore that cyberattacks don’t just freeze data—they disrupt lives, endanger health, and erode public trust.

To meet these challenges, Canada must strengthen its joint response playbooks—not just on paper, but in practice. Federal agencies, provinces, and regulators must have shared real-time visibility into vulnerabilities, exposures, and vendor dependencies so that cascading failures can be prevented.

Effective Right of Boom responses require continuous visibility across entire ecosystems, extending into third-, fourth-, and even fifth-party supplier dependencies. It also demands transparent communication with citizens. Restoring systems is important, but restoring trust is essential.

Building Back Stronger

Every incident must catalyze systemic improvement. Treating disruptions as isolated crises ensures they will happen again. The Rogers outage spurred overdue discussions around telecom redundancy; attacks on hospitals and municipalities now have Public Safety Canada funding national cyber security programs; and Budget 2025 announced the creation of the Canadian Cyber Defence Collaborative to spur greater dialogue and partnership across the cyber ecosystem.

These lessons need to be hardwired into policy, procurement, regulation, and governance. Suppliers must be accountable for resilience. Redundancy must be built into system design. Transparency across supply chains must become the norm. Supported by continuous monitoring and evidence-based risk assessments, these practices can transform recovery from a reactive exercise into an opportunity to harden the nation’s critical infrastructure.

Operationalizing Canada’s Vision

Bill C-8 (formerly Bill C-26), titled Canada’s Critical Cyber Systems Protection Act, is a strong foundation. It sets the stage for continuous defence rather than periodic compliance. But simply following the rules isn’t enough—real security means making cyber safety part of everyday operations. That includes using technology to automatically check for and apply software updates, remediate weaknesses, and protect identities on an ongoing basis.

To Get Cyber Safe, Both Sides Matter

October is Cybersecurity Awareness Month, and becoming an organizational champion to help everyone Get Cyber Safe is critical.

The cost of visibility and preparedness is far less than the human and economic toll of recovery. But no prevention is perfect. Right of Boom readiness ensures Canada can recover decisively, restore essential services, and rebuild trust when disruption inevitably occurs.

Cyber resilience is not about avoiding every boom; it is about ensuring that when they happen, Canada is ready to prevent the preventable and recover from the rest.

Michael Centrella is Head of Public Policy at SecurityScorecard and a former United States Secret Service agent specializing in cybersecurity policy and resilience.

Ryan Sherstobitoff is Field Chief Intelligence Officer at SecurityScorecard, leading global threat intelligence operations.
