SJA hears from Judith Borts, Senior Director of Rogers Cybersecure Catalyst, Toronto Metropolitan University‘s nation center for training, innovation and collaboration in cybersecurity.
Ask anyone working in cybersecurity right now, and you’ll hear the same thing: it’s not just the volume of threats; it’s the speed.
Everything is moving faster than most organizations can realistically keep up with.
Across North America and around the globe, critical infrastructure is under constant pressure.
Energy systems, water systems, healthcare networks, and financial institutions are not abstract targets; they’re being probed, tested and in some cases, actively disrupted.
The volume and sophistication of attacks have reached a point where many cybersecurity teams feel like they’re “drinking from a firehose.”
As in, there’s just too much coming at them, too quickly, to process, prioritize and respond in real time.
And that’s really the starting point: we’re not preparing for a potential cyber crisis.
We’re already operating in one.
One of the biggest shifts right now is how fast everything is moving.
Threat actors are leveraging AI to scale attacks in ways we haven’t seen before.
They’re automating reconnaissance, refining phishing campaigns and identifying vulnerabilities faster than most organizations can respond.
At the same time, defenders are trying to adopt more AI tools to keep up.
But not all critical infrastructure sectors move at the same pace.
Large, well-resourced organizations can keep up, but many others can’t move quickly. These are complex, highly regulated environments often built on legacy and frequently analogue systems.
That gap, between how fast attackers move and how slowly defenders can adapt, is where a lot of risk lives.
Operational technology (OT) is a perfect example.
These systems run our power grids, manufacturing lines and transportation networks, yet visibility into them is still underinvested and underdeveloped.
This shows us what happens when that vulnerability is exploited.
Take the recent attack on a US-based medtech company, Stryker.
A data-wiping incident linked to an Iran-affiliated group didn’t just hit one organization; it erased data across more than 200,000 systems in 79 countries. That’s the scale we’re talking about now.
Or the disruption of industrial control systems, like the targeting of Rockwell Automation programmable logic controllers (PLCs), which are foundational to how industrial environments operate.
These aren’t isolated events; they’re signals of how vulnerable globally connected systems really are.
Even more concerning is the idea that some threat actors aren’t trying to cause immediate damage.
They’re already inside critical infrastructure environments.
They are “living off the land,” embedding themselves quietly, and waiting for the right moment to act.
This isn’t hypothetical. We are already under attack.
With the arrival of Mythos, an advanced, general-purpose LLM developed by Anthropic, we’re seeing a new kind of way that AI can potentially help organizations identify security weaknesses in their systems and suggest ways to fix them.
Technology like this, also capable of autonomously identifying and exploiting vulnerabilities, highlights the fine line between tool and threat.
Mythos compresses the time between discovery and exploitation, demonstrating how vulnerabilities can be chained and weaponized with minimal input.
What previously required sustained human effort can now happen faster and on a much larger scale.
This introduces a new reality: the process of discovery, access and misuse no longer needs to be sequential or manual.
It can be continuous, automated and increasingly difficult to detect.
For years, we’ve debated the risks of artificial intelligence in abstract terms, including bias, misinformation and labour disruption.
Mythos forces a more immediate reckoning.
When AI can autonomously discover and weaponize vulnerabilities in foundational software, cybersecurity is no longer a technical issue confined to specialists.
It becomes a matter of national security, economic stability and public safety.
The response so far has been uneven.
Rather than broad coordination, access to advanced defensive insight has been concentrated within a closed network of large technology firms.
That may help secure parts of the ecosystem, but it leaves large segments, particularly non-technology sectors and smaller organizations, exposed.
In that sense, Mythos doesn’t just represent a technological shift – it exposes a structural one: who has access to defence and who does not.
If there’s a positive trend, it’s that cybersecurity is finally getting more attention. T
here are more conversations happening now than ever before.
But here’s the issue: the urgency isn’t matching the reality.
We are still treating cybersecurity as something isolated that not everyone has to be engaged in, but it has to be a whole-of-organization discussion.
Whether it’s risks to healthcare systems, energy grids or even emerging technologies, the boundary between physical and digital threats is vanishing.
When everyone across an organization is involved, digital infrastructure becomes part of the bigger picture.
One that takes into consideration the cyber, physical and human capabilities needed to protect and defend critical infrastructure.
Another area of concern is innovation.
We’re investing heavily in innovation (particularly start-ups), but not always asking the right question:
Where things are really shifting is on the policy side.
Governments in both Canada and the US are increasing expectations around cybersecurity.
We’re seeing more legislation, more enforcement and more accountability, particularly for critical infrastructure and the defence industrial base.
In Europe, legislation like the General Data Protection Regulation (GDPR), NIS2 and the AI Act are already driving change with real consequences for organizations that fall short.
In Canada, provinces like Ontario, Quebec, Alberta and British Columbia are actively introducing or strengthening cybersecurity and data legislation.
There’s also a huge amount of funding flowing into defence and cybersecurity right now.
The intention is clear: raise the bar at the top and it will push improvements across supply chains and the broader economy.
But we’re not seeing enough being done to support the massive segments of our economy that can’t afford cyber teams, tech upgrades and investments.
We’re not seeing enough being done to make sure all arms of government and the private sector are working together; cybersecurity doesn’t work in silos, even if policy leans that way.
The reality is that our infrastructure is deeply interconnected and crosses international boundaries.
Financial systems, telecommunications, transportation systems and energy grids don’t stop at borders.
Trying to secure them in isolation doesn’t work.
There are already strong examples of collaboration.
Canada’s role in the Five Eyes intelligence community, participation in Information Sharing and Analysis Centers (ISACs) and joint exercises like GridEx all show what’s possible when countries work together.
But we are still falling short when it comes to alignment.
Different countries have different standards, different certifications and different reporting requirements.
For multinational organizations, that creates real friction.
At the same time, decisions about how to respond to emerging capabilities are increasingly being made by a small number of private actors, without meaningful public oversight or international coordination.
This is where governments can have a real impact: by aligning regulations, harmonizing intelligence and incident reporting and making cross-border collaboration easier, not harder.
Because this isn’t the moment to build walls; it’s the moment to strengthen partnerships.
One of the biggest misconceptions is that organizations need to anticipate every possible geopolitical or economic shift.
They don’t.
The reality is much simpler: you can’t reliably predict everything.
The threat landscape is too dynamic, and the barriers to entry for attackers are too low.
The emergence of capabilities like Mythos changes the cybersecurity calculus as well, and the pace of frontier AI isn’t going to slow down.
Instead of trying to anticipate every technological and geopolitical shift, anticipating the technological, organizations can focus on their own resilience, preparedness and defence.
That starts with understanding what’s actually at risk, your data, your systems, your operations and putting in place the baseline controls to protect them.
Identity and access management, vulnerability management, network visibility, incident response and third-party risk aren’t advanced strategies anymore.
They’re the minimum.
As well, the speed and breadth of capabilities emerging in AI based tools such as Mythos necessitate greater emphasis on resilience.
Whether you’re a start-up, a small business or a major infrastructure provider, you are a target.
And while political and economic shifts can make things more complex, they don’t change that fundamental reality.
What is changing is the expectation around responsibility.
Governments are starting to define more clearly who is accountable for protecting data, systems and supply chains.
Legislation like Canada’s Bill C-8 points to a future where designated operators (and likely their suppliers) will be held to specific cybersecurity standards.
If there’s one thing holding us back, it’s not a lack of technology or even awareness.
It’s alignment and prioritization.
Alignment between countries. Between public and private sectors. Between policy and execution. And prioritization of resources to build resilience.
We still have fragmented frameworks, inconsistent standards and barriers to information sharing, both domestically and internationally.
In a threat environment that moves this quickly, fragmentation is a liability.
We are also seeing the emergence of a two-tier system of cybersecurity: one for organizations with access to advanced capabilities and coordinated defence, and one for everyone else.
At the same time, the cybersecurity talent gap continues to grow.
The skills we need are evolving, especially with AI in the mix; organizations are struggling to keep up.
It’s been said for years, but it’s time to put it into practice – cybersecurity is no longer just a technical issue; it is a strategic business matter.
It’s tied to economic growth, innovation, national security and public trust.
As more of our world becomes digital, the systems we rely on become more exposed.
Both the challenge and the opportunity are to stop thinking about cybersecurity as something separate. It’s not separate from infrastructure, policy or global collaboration.
We’re operating in a borderless threat environment, where the difference now is that the stakes – and the capabilities – have changed.
And the priority is clear, we need to catch up to the risks already here while preparing for what’s next.
Security Journal Americas is a publication of Centurian Media Limited
Registered office: 71-75 Shelton Street London Greater London WC2H 9JQ UNITED KINGDOM
Operating office: The Maidstone Studios, New Cut Road, Vinters Park, Maidstone Kent ME14 5NZ
Centurian Media Limited (CML) is committed to creating a diverse environment and is proud to be an equal opportunity employer. Our clients, suppliers, along with all qualified applicants that we receive for employment, fixed contract or freelance projects receive consideration without regard to race, colour, religion, gender, gender identity or expression, sexual orientation, national origin, genetics, disability, age, or veteran status. CML is also committed to compliance with all fair employment practices regarding citizenship and immigration status.
Website hosted and maintained by Grass Media Web Design
Company number (GB): 11730376
VAT Number: 314 7817 00
ICO registration number: CSN0536342
