Meet GI's Cybersecurity Champion: Joanna Murphy, Director General, Canada Sovereign Technology Strategy, Chief Technology Office Branch, Shared Services Canada

This interview is part of GovInsider's inaugural Cybersecurity Champions report featuring public sector cybersecurity officials around the world.

Please give a brief description of your job function as a cybersecurity professional, as well as what your organisation does.

I am responsible for developing a Canadian Sovereign Technology Strategy to foster resilient and secure IT systems and boost made-in-Canada digital capabilities to promote economic growth. The goal of the strategy is to protect Canadian data and intellectual property rights, enabling innovators and researchers to pursue groundbreaking research and production, ultimately delivering Canadian-made solutions.

What kind of cyber threats does your organisation face on a regular basis?

Canada faces state-sponsored network attacks that utilise online information campaigns to influence public opinion and target critical infrastructure, pre-positioning for possible future destructive cyber operations. Ransomware is the top cybercrime threat facing Canada’s critical infrastructure.

In your view, what are the biggest threats and challenges (be it in the network layer, and/or in areas such as scams, phishing and identity theft) in the public sector cybersecurity scene globally?

The public sector supports the smooth operations of a country’s government. State-sponsored actors seek to disrupt governments. The biggest challenge lies with exploiting human weaknesses (e.g. phishing scams, social engineering), and exploiting vulnerabilities such as unpatched systems or weak passwords.

Many say that we are entering an age of AI-driven cyberwarfare where both hackers and cybersecurity professionals use AI tools for attack and defence. What is your view?

Absolutely. AI is making it easier for more actors to carry out cyber threat activity. AI is also making cyber threat activities faster and more precise. In the same way, cyber tooling is becoming more sophisticated by using AI to fine-tune orchestration and understand undesirable patterns. AI will also allow us to replace human repetitive tasks in incident response, allowing cyber experts to focus their efforts on treating sophisticated attacks.

Cybersecurity is often described as a team sport, whereby a network's vulnerability is often defined by its weakest link. In this context, how important is having a whole-of-government or whole-of-country cybersecurity posture?

In Canada, we have a risk-based, whole-of-government approach to enable a resilient cybersecurity posture and effectively respond to and recover from cyber events on time. Shared Services Canada, the Treasury Board of Canada Secretariat Office of the Chief Information Officer, and the Communications Security Establishment all work together to protect government systems.

To subscribe to the GovInsider bulletin, click here.

This whole-of-government approach is critical because we need to be laser-focused to protect Canadians who rely on public institutions like the Government of Canada to deliver important programmes and services.

An often-repeated point in the cybersecurity sector is what your Plan B is after your network is breached. Can you share your point of view on this aspect?

We must always be ready to respond to a breach. It is a certainty, so the job of the cybersecurity professional is to lessen the impact when it happens by adding layers of defence, protecting critical data and systems, and having a robust cyber event response and communication process.

If your organisation gave you an unlimited budget for cyber defence, what would you spend it on?

I would invest in implementing quantum-secure cryptography throughout our network and systems, complete our zero-trust architecture network to minimise attack surfaces and improve threat detection, develop AI-powered systems for threat detection and prediction and AI to streamline incident response - all the while having an eye on building a sovereign Canadian technology stack.

What brought you to this profession, and what do you love the most in your job, and what would you like to improve?

My introduction to cybersecurity was in implementing a public key infrastructure in the Government of Canada. I loved the idea that you could use math (cryptography) and technology (key infrastructure) to protect sensitive information and manage risk. What I love most about my job is finding technology solutions to protect Canadians (our democratic institutions, our personal information, and our peaceful lives).

The lack of qualified cybersecurity professionals is a global problem, how do you think this can be overcome?

AI is transforming the labour market. The World Economic Forum anticipates a net loss of 14 million jobs globally by 2027, with 83 million positions eliminated and 69 million new ones created. There is an opportunity in re-skilling and up-skilling to help fill the cybersecurity skills shortage.

If you had a chance to restart your career from scratch, would you still want to be a cybersecurity professional and why?

Technology has always played a main part in my career journey, whether it was in IT consulting, IT audit, running a cyber security programme, or now building a sovereign Canadian technology strategy. Cybersecurity should be and will become a part of everyone’s job. If I had a chance to restart my career, I wouldn’t change a thing!