
INCYBER Forum Canada 2025 Highlights Shift from Compliance-Driven to Collaborative Cybersecurity


(@gitguardian)
Trusted Member
Joined: 8 months ago
Posts: 33
Topic starter  

Read full article here: https://blog.gitguardian.com/incyber-forum-canada-2025/?utm_source=nhimg

 

Held in Montreal, a city built where rivers and cultures converge, the INCYBER Forum Canada 2025 captured that same spirit of intersection. Over two days, more than 230 speakers and hundreds of professionals from government, defense, academia, and industry gathered to examine how cyber resilience is built through cooperation rather than regulation.

The forum’s bilingual sessions, complete with live translation and transcription, made technical and strategic conversations accessible to all. This inclusivity set a tone for what would become the event’s central message: security only works when everyone can participate.

 

Machine Identities Take Center Stage

In his session “The Overlooked Playground: An Attacker’s Journey Through GCP,” Clément Cruchet, Cybersecurity Solutions Consultant at Palo Alto Networks, highlighted how service accounts and tokens often act as invisible insiders within Google Cloud environments.

He explained that non-human identities—service accounts, API keys, and automation agents—now form the backbone of cloud operations yet remain largely unmonitored. When these credentials are persistent and over-privileged, they allow attackers to move laterally across projects undetected.

Cruchet urged organizations to elevate secrets management and machine identity governance to the same level of scrutiny as human access control, noting that “secrets security is the first layer of identity control, not an afterthought.”

 

Supply-Chain Security as a System Problem

Cassie Crossley, VP of Supply Chain Security at Schneider Electric, reframed the traditional third-party risk discussion in her talk “Should I Trust My Supplier?”

Crossley warned that with thousands of vendors in a single ecosystem, supply-chain risk is no longer a category; it’s the network itself. She emphasized that software bills of materials (SBOMs) are not just compliance checkboxes but visibility tools essential for knowing what actually runs inside your infrastructure.

Her call to action: adopt continuous supplier vetting, automated disclosure pipelines, and composable trust models where each component can prove its own integrity.

 

Culture as the Real Compliance Engine

In “Beyond Compliance: How Threat Intelligence and Automation Build a True Security Culture,” Rached Fetiti, Technical Solutions Manager at CIRA, challenged the idea that compliance equals security.

He argued that too many companies treat frameworks as finish lines instead of starting points. Real resilience comes from habit, not headlines. Embedding automation and threat intel into everyday workflows transforms compliance from bureaucracy into capability.

For small and mid-sized businesses, Fetiti advised starting simple: automate repetitive responses, clarify escalation paths, and let gradual discipline evolve into resilience.

 

AI in the Governance Layer

Dale Hoak, Senior Director of Information Security at RegScale, gave a live demonstration of AI-driven GRC automation that turns compliance from reactive reporting into real-time assurance.

His session “Audit-Ready in Record Time” showcased AI tools that parse regulations, collect evidence, and map controls across distributed systems. The result is a dashboard where CISOs can instantly see compliance drift and risk posture changes.

Hoak framed AI as the accelerator of safe innovation—governance that evolves as fast as development cycles, ensuring agility without sacrificing accountability.

 

Collective Defense and Global Responsibility

A recurring theme across the conference was that no organization defends alone. Cyber threats now cross national borders and institutional lines. Canada’s proposed Bill C-8 (Critical Cybersecurity Protection Act) aims to strengthen defense through public-private coordination, yet speakers agreed that legislation alone cannot solve workforce shortages or unify standards.

The consensus: collaboration, not compliance, must define the next decade of cyber strategy.

 

AI: Frenemy of the Year

AI dominated the conversation, both as a tool and a threat. Experts warned that attackers are weaponizing AI faster than defenders, using large language models to automate reconnaissance and exploit APIs.

Yet, AI is also empowering defenders through faster triage, data normalization, and automated incident response. The shared perspective: AI should be treated as a co-pilot, never an autopilot, and must always operate under human oversight and ethical boundaries.

 

The Human Variable and the Transparency Test

Speakers repeatedly returned to the human factor, still both the strongest and weakest link. Social engineering, fatigue, and digital illiteracy continue to compromise even advanced defenses. The remedy is continuous education and cultural reinforcement, not annual training slides.

On supply chain transparency, participants echoed: “You can’t defend what you don’t understand.” Real-time vendor monitoring and smarter contracts defining disclosure, access, and recovery terms must become standard practice.

 

Closing the Loop: Culture and Curiosity

Your author contributed two sessions on Secrets Sprawl and Non-Human Identity Governance, finding that the community is ready to tackle machine-identity risk head-on.

Throughout INCYBER Forum Canada 2025, one idea kept resurfacing: security is a collective practice. Compliance may set the floor, but collaboration raises the ceiling.

Montreal’s blend of languages and histories reminded attendees that our digital ecosystems thrive the same way, through connection, translation, and shared accountability.

 



   