Montreal is built on an island at the confluence of the St. Lawrence and Ottawa rivers. The city has always been a crossroads where trade, ideas, and cultures meet. That same geography is a useful metaphor for modern cyber risk, as threats arrive where networks, people, and technology intersect and the consequences flow outward, often faster than we expect. This made Montreal a perfect backdrop for INCYBER Forum Canada 2025.

Hundreds of security, compliance, and governance professionals came together for two full days of sessions and networking. The selection of 230 speakers and panelists ranged from CISOs, military leaders, ambassadors, government ministers from multiple countries, and many private practitioners. Together, they brought a wide breadth of knowledge, helping us all see how interconnected our systems are. The focus was on how legislation, compliance standards, and international cooperation are being shaped by the need for a common defense against a world of adversaries.

One interesting feature of this event, which other events could benefit from, was live transcription and translation. The sessions were delivered in both French and English, and a website per stage allowed attendees to see real-time transcription and, through their headphones, hear a pretty good translation with only a few seconds of delay. Making the live event content more accessible is always a good thing. 

Here are just a few highlights from this edition of the INCYBER Forum.

The Service Account Is Your New Insider

In the session "The Overlooked Playground: An Attacker’s Journey Through GCP," Clément Cruchet, Cybersecurity Solutions Consultant at Palo Alto Networks, focused on Google Cloud Platform and the silent sprawl of machine identities. He believes that GCP is often left out of our cloud security discussions, as many teams are focused on AWS and Azure instead. 

Clément demonstrated how service accounts, often overlooked in favor of user identities, form a high-value lateral movement path in GCP environments. Persistent, overprivileged tokens that don’t expire give attackers a quiet lane to move between projects with almost no detection. This operational risk lives in most CI/CD systems and cloud-native pipelines.

He stressed that in the age of cloud automation, your most dangerous “users” aren’t human. Non-human identities like service accounts and API keys must be governed with the same rigor as employees, if not more so. In his conclusion, he believes secrets security, in this context, becomes the first layer of identity control, not an afterthought.

Supply Chain Risk Isn’t A Category. It’s Your Entire Network.

Cassie Crossley, author and VP of Supply Chain Security at Schneider Electric, asked us all, "Should I Trust My Supplier?" With many thousands of suppliers in large manufacturing ecosystems, she argued that third-party and Nth-party exposure needs immediate review and action.

The scope of the problem makes visibility extremely challenging. The software bill of materials (SBOM) movement, she said, isn’t about regulatory optics; it’s about knowing what’s in your own infrastructure. Proprietary, commercial, and open-source code swirl together to form opaque packages that no single vendor truly understands. You can’t secure what you can’t describe. That is especially true when you consider all the CI/CD integrations and infrastructure-as-code templates at play.

Cassie's call to action was for teams to adopt continuous supplier vetting, complete with penetration testing of partner systems and automated disclosure pipelines. Systems as complex as our supply lines must strive for composable trust, where each component can prove its trustworthiness, rather than relying on central authority. In modern DevSecOps, governance can no longer be about gatekeeping; it must shift to system design.

Culture Is The Real Compliance Engine

In "Beyond Compliance: How Threat Intelligence and Automation Build a True Security Culture," Rached Fetiti, Technical Solutions Manager at CIRA, tackled the foundational issue that so many organizations make a false equivalence between being compliant and being secure. He believes that too many enterprises view compliance as a finish line rather than a foundation. His solution was to reframe the existing frameworks rather than replace them yet again. 

Real protection comes from a culture that treats threat intelligence and automation as daily practice, not paperwork. Training helps, but knowledge must live in the workflow of how teams use tools, respond to alerts, and share context. Misused platforms and sloppy habits are open invitations to attackers. The goal is it’s to shrink the threat landscape until incidents become manageable rather than existential.

Small and midsize businesses don’t need to start big. A few automated playbooks and clear escalation paths go a long way. Build gradually, layering automation to replace repetitive manual steps. Over time, that steady discipline turns compliance into resilience. The point teams need to get to is where response is not a panic movebut seen as another chance to learn, adapt, and keep everything running.

AI In The Governance Layer

In the session from Dale Hoak, Senior Director of Information Security at RegScale, "Audit-Ready in Record Time: Real-World GRC Automation With AI," we saw a glimpse into what governance at cloud speed really can look like. His live demonstrations showed AI tools parsing regulatory frameworks, collecting evidence across distributed systems, and mapping controls to dashboards that CISOs could actually use in real time.

Dale said that as a CISO, he wants to look at a dashboard and know controls have not moved overnight. With real-time updates, we can turn compliance into a strategic advantage, showing where we need to focus to reduce the most risk moment to moment. There is no way human effort alone can scale to keep up with the scale of data to parse, and here is where AI can become a force multiplier.

Dale does not believe that governance slows innovation. He positioned GRC automation as the mechanism by which innovation can scale safely. AI can be applied to normalize data, enforce policies, and detect compliance drift continuously. In this model, governance becomes a living system, not a collection of stale and aging artifacts.

No One Defends Alone

Throughout this edition of the INCYBER Forum, we were often reminded that cyber threats have outgrown the borders of any single nation or institution. From government officials to private-sector leaders, resilience must be a team sport. State-backed actors, ransomware groups, and supply-chain exploits now target everything from hospitals to research facilities in the Arctic.

Canada’s Bill C-8, the Critical Cybersecurity Protection Act, aims to strengthen that defense through closer public-private coordination, but legislation alone won’t close the gap. The talent shortage, inconsistent standards, and a rapidly evolving threat landscape make collective defense not just desirable, but unavoidable.

AI: Frenemy Of The Year

Artificial intelligence stole the spotlight, and not always for the right reasons. Speakers warned that attackers are adopting AI tools faster than defenders, using large language models to automate reconnaissance and bypass protections. 

AI is also reshaping defense, helping us automate triage, normalize data, and speed up investigations from minutes to where it once took days. Across the sessions, everyone agreed that AI is a co-pilot, not an autopilot. It demands human oversight, transparency, and ethical guardrails, especially in industrial environments where unpredictability can endanger lives. 

The Human Variable

People remain both the last line of defense and the weakest link. Panels on social engineering and AI-assisted scams showed how fatigue, distraction, and digital illiteracy undermine even the best tools. Once-a-year trainings do not work. We need continuous learning, contextual motivation, and cultural reinforcement. 

Supply Chains and the Transparency Test

Attackers have learned to weaponize trust. We must answer that challenge with increased visibility. Supply-chain sessions pressed the need for software bills of materials (SBOMs), real-time vendor monitoring, and smarter contracting that defines access, disclosure, and recovery before something goes wrong. 

Automation is now essential to track vulnerabilities across third-, fourth-, and even fifth-party suppliers. You can’t defend what you don’t understand, and you can’t recover what you can’t see.

Throughout the forum, one idea kept resurfacing: compliance is not security. The future of cybersecurity lies in continuous validation. Real resilience happens when compliance turns into curiosity, when leaders, engineers, and users all share responsibility for the systems they depend on. The tools matter, but trust and collaboration matter more.

Closing the Loop on Culture and Curiosity

Your author had the privilege of contributing two talks, covering the State of Secrets Sprawl and introducing many attendees to the concept of Non-Human Identity (NHI) Governance. The conversations that followed confirmed that the industry is ready to mature its thinking about machine identities and automation risk. 

Across the event, whether in panels, hallway chats, or late-night debriefs, the shared conversation reminded me that security is something we build together. As humans. Our strength lies not in isolation, but in the networks we choose to protect and the people we choose to include.

The needed shift in security is a cultural one. Every conversation, from AI governance to third-party risk, revolved around shared accountability and the need to turn awareness into action. Collaboration, not compliance, is what drives resilience. The most effective organizations are the ones that learn in motion, testing, adapting, and communicating constantly. Montreal, with its mix of languages and layered history, was an apt reminder that our digital world thrives the same way: through connection and translation across boundaries.

*** This is a Security Bloggers Network syndicated blog from GitGuardian Blog - Take Control of Your Secrets Security authored by Dwayne McDaniel. Read the original post at: https://blog.gitguardian.com/incyber-forum-canada-2025/