Lester Chng

Rogers Cybersecure Catalyst, Toronto Metropolitan University

Corporate Training & Cyber Range
- Tabletop Exercises (Cyber, IT, Emergency and Crisis Mgmt)
- Cyber Risk Advisory services (Workshops, Bootcamps)
- Cyber Range Scenarios (Individual, Team Training)

https://cybersecurecatalyst.ca/

Senior Cybersecurity Advisor

The Essential Cybersecurity Exercise Playbook

https://lesterchng.gumroad.com/l/The_Essential_Cybersecurity_Exercise_Playbook

Part I - Executing a single exercise
Chapter 1 - How to develop objectives for your exercise
Chapter 2 - How to run joint exercises with 3rd party
Chapter 3 - How to decide the modality of the exercise
Chapter 4 - How to create injects for your exercise
Chapter 5 - How to facilitate a cybersecurity exercise
Chapter 6 - How to encourage discussion during an ex
Part II - Establishing an exercise program
Chapter 7 - How to establish a cyber exercise program
Chapter 8 - How to write a business case for your prog
Chapter 9 - How to create a 5 part ransomware exercise
Part III - Bonus information
Chapter 10 - 120 facilitation questions for your exercises
Chapter 11 - 30 objectives for your exercises
Chapter 12 - 3-part Ransomware exercise deck

Book Author - The Essential Cybersecurity Exercise Playbook

BMO Financial Group

I built a cybersecurity and crisis management exercise program from scratch for one of the largest financial institutions in North America.

Execution of >50 cybersecurity, fraud, physical security, and crisis management exercises

Execution of Financial Crimes Unit Exercise and Drill Program
• Design and execution of exercises and drills to operationalize the Financial Crimes Unit Fusion Centre
• Scenario creation and exercise execution for Information Security, Enterprise Fraud Management, Physical Security, and Global Crisis and Continuity Management teams 
• Providing effective challenge of incident response readiness through exercise observation
• Execution of enterprise-wide Purple Team Exercise


Cybersecurity Exercises: Purple Team, Ransomware, DDoS, Malware, Data Corruption, Data Breach, 3rd Party Incidents
Fraud Exercises: ATOs, Attack on Payment systems, Business Email Compromise, PII Breach
Physical Security Exercise: Active Assailant, Civil Unrest, Bomb Threats
Crisis Exercises: Disaster Recovery, Business Continuity, Operational Resilience, Fire Incidents, Natural Disasters, Utilities Disruption

Senior Advisor, Financial Crimes Unit Exercises. BMO Fusion Centre

Managed technological delivery of TD's anti-money laundering project
• Proactive management and engagement of multi-faceted team of architects, vendors, developers
• Established work plan, identified project deliverables and motivated team to deliver projects
• Prepares daily reports and presentations to executive groups
• Highly complex project involving IT infrastructure build, code deployment, and data and app migration
• Detailed risk identification and assessment and performed active risk mitigation
• Directed and coordinated project activities across various teams to ensure adherence to schedule

Project Manager - Enterprise Enabling Technology Solutions (AML)

Driving project delivery excellence through portfolio governance and quality assurance practices
• Championed and responsible for standards and procedures across PMO
• Represented the PMO for all enterprise level project methodologies issues
• Delivery of training program for project management practices
• Conduct analysis of project trends and risks to enhance PMO delivery excellence
• Provide direct support to projects on methodology, adherence to standards, and policies
• Led the development of Portfolio Key Performance Indicators, Benchmarking, and Dashboard development

PMO Governance Lead - Technology Risk Management and Information Security PMO

Ministry of Defence of Singapore

Project Manager
- Represented the Navy and delivered the award winning state of the art training facility.

- Developed all security and safety procedures as the Unit Security and Unit Safety Officer.

- Established new training scenarios for Navigation, Maritime Security and Naval Warfare.

Project Manager [Major] Naval Simulation Centre

- Designed and delivered turnkey training solution to generate 240 crew and 8 leadership teams for 8 new ships.

- Streamlined work processes of the new vessel and promulgated best practices.

- Executive coaching on leadership, communication, team dynamics, and effectiveness.

Head of Training [Major], Littoral Mission Vessel Squadron

- Directed exercises as “Enemy Force” to test Operational Plans of the Navy.
- Led a team of 19 senior military experts to operate key training facility of the Navy.
- Project advisor of instructional video which saved 90% manpower resource.
- Coached participants on leadership, communication, team work and professional knowledge.

Directing Staff, Wargaming and Simulation Centre [Major]

- Second in Command of a Patrol Vessel (30 Officers and Military Experts).
- Unit Security Officer responsible for all aspects of security including IT, physical security and info security. 
- Responsible for the safety, discipline, training, morale, operational readiness and security.
- Coached junior officers in leadership, watch-keeping duties and naval warfare.
- Prepared the ship for operational duties and responses to maritime incidents.

Executive Officer and Unit Security officer [Captain], Patrol Vessel

Unit Security Officer responsible for all aspects of security including IT, physical security and info security.

Assistant Operations Officer and Unit Security Officer [Captain]

Navigating Officer [Captain]

Combined Maritime Force, Bahrain

-Held the appointment as Liaison Officer (Intelligence) in the Combined Maritime Force (CMF) 
- Headquarters in Bahrain under the US-led Task Force
- Main intelligence link between the Singapore Led Command Team and the CMF HQ.
- Involved in in-depth analysis of Somali pirate operating models.

Intelligence Analyst

Cyber CEOs Brand Strategist. I build your brand as you build your business. | Senior Cybersecurity Advisor | Author | Naval Officer | CISSP | 🇨🇦🇸🇬 |

You head a leading cybersecurity firm.
But your online presence doesn't reflect it.

In fact, being invisible is damaging. 

You understand the power of thought leadership.
You know LinkedIn shapes deal flow and adds credibility in the industry.
You just don’t have the cycles (or the copy) to share your expertise and experience.

You have stories worth telling.

The insights from being in the trenches.
The deep conversations with your ace teams.
The hard discussions with your clients. 

Don’t let this wisdom go to waste.

That’s where I come in.

--------------------------------------------------------------------------------------------

How we work together.

Profile & Positioning
=> Rebuild your LinkedIn profile so visitors see industry authority, not “another vendor.”

Content engine
=> Ghostwritten posts that leverage your insights and expertise into engaging LinkedIn posts. 

Outreach campaign
=> Targeted DM campaigns and audience-building strategies that build your authority and land you on podcasts and conference stages.

--------------------------------------------------------------------------------------------

You focus on growing your firm and protecting your clients.
And we will ensure the industry, clients, prospects, and investors can’t ignore it.

Let’s build the personal brand that commands the cybersecurity conversation and drives business.


Worked with global client portfolio 
- MSPs
- MSSPs
- Agentic AI SOC
- AI-powered GRC 
- Operational Resilience 

Execution of Financial Crimes Unit Exercise and Drill Program
• Design and execution of exercises and drills to operationalize the Financial Crimes Unit Fusion Centre
• Scenario creation and exercise execution for Information Security, Enterprise Fraud Management, Physical Security, and Global Crisis and Continuity Management teams 
• Providing effective challenge of incident response readiness through exercise observation
• Execution of enterprise-wide Purple Team Exercise


Cybersecurity Exercises: Purple Team, Ransomware, DDoS, Malware, Data Corruption, Data Breach, 3rd Party Incidents
Fraud Exercises: ATOs, Attack on Payment systems, Business Email Compromise, PII Breach
Physical Security Exercise: Active Assailant, Civil Unrest, Bomb Threats
Crisis Exercises: Disaster Recovery, Business Continuity, Operational Resilience, Fire Incidents, Natural Disasters, Utilities Disruption

I joined the Catalyst 2 years ago. 
Headcount has doubled since then. 

That’s remarkable in a climate where layoffs are still visibly happening. 

We are a nonprofit organization. 

And the demand for our services are increasing and there is unwavering support for the change we bring. 

20+ ongoing programs
65 full time staff 
1 vision

Cybersecurity for all 

The work continues. 
Come by the booth at Security Education Conference Toronto (SecTor) to learn more. 

Join us at 115pm Thursday at the Community lounge for Aurn’s session. 

See you there!

No alternative text description for this image

How to use LinkedIn - the 90 day roadmap for cyber professionals. 

LinkedIn is going to be increasingly important for your cybersecurity career, business, and organization. 

You can’t deny you need attention for:

Promotion in career
Promotion in product
Promotion in cause

But how do you actually execute it. 

Here is your roadmap. 


Phase 1: Foundation (Days 1–30)
1.	Audit your presence. 
Google yourself. 
Review LinkedIn. 
Ask a friend. 

What does your profile say?
What impression are you leaving?
Is it even interesting enough to read?

If your headline reads like every other “Cybersecurity Specialist,” that’s a missed opportunity. 

Rewrite it with clarity:
– Weak: Cybersecurity Consultant
– Strong: Helping healthcare CISOs prepare their boards for ransomware attacks

2.	Define your niche + specialization. Sharpen it to one problem you solve exceptionally well for one audience. 

– Cloud misconfigurations for fintechs
– Translating cyber for biz executives
– Preparing organizations for crisis 

3.	Craft your signature position. 
One disruptive message that makes people stop scrolling:
– “Your incident response plan is useless if you don’t exercise it”

4.	Research on yr target audience.
What keeps them up at 3AM？
Regulatory fines, ransomware, or insider threats? 

Document three core pain points and keep them visible.

⸻

Phase 2: Content (Days 31–60)
5.	Build a PPP content cycle. 

These provide endless content ideas:

Pain: Call out the frustration or blind spot (e.g., “Most board reports on cyber risk get ignored.”)

Problem: Break down why it happens (e.g., “They’re too technical, too long, and don’t answer the question leadership cares about: ‘Are we safe?’”)

Position: Share your stance and solution (e.g., “Boards don’t need a 40-page report, they need a 4-slide narrative. Here’s the framework I use.”)

6.	Publish weekly. 
Min: 3 post per week. 
I know it’s hard. 
No one said this is easy. 

⸻

Phase 3: Active Networking (Days 61–90)

7.	Engage daily with PPP in comments. 
Instead of “Great post,” use mini-PPP:
– Pain: highlight what’s being overlooked.
– Problem: explain the real issue.
– Position: add your perspective.

8.	Targeted outreach. Each week, DM 5 industry peers, mentors, or potential clients. Share one relevant insight, not a pitch. 

Example: “Saw your post on ransomware insurance. Most orgs I work with find policies useless without tabletop exercises. Curious how you handle that?”

9.	Scale what resonates. 
If one post gets traction, expand it:
– Pain → Checklist: “5 reasons your board ignores your cyber updates.”
– Problem → Guide: “Why technical reports fail with leadership.”
– Position → Asset: “A 4-slide board briefing template.”

You will repeat yourself (same content pillars, diff words and stories) to the point where you feel icky. 
Get over it and keep at it. 
⸻


Still there or have I lost you?

Hope to see your presence grow. 

P.S what do u others struggle with?

Every day should be Thanksgiving.

Cause it's something we just don't do enough.

Over the last 2 years, we embarked on a cybersecurity program to train small and medium businesses in Ontario across automotive, life sciences, advanced manufacturing, smart infrastructure, mining, and agri-food.

This required us to establish new relationships across sectors that are highly complex and operate very differently from each other.

• Industry associations
• Govt and Quasi-govt bodies
• Cluster, Eco-system, Corridor
• Council and regulatory bodies
• Research and innovation hubs
• Community and nonprofit organizations

And the list goes on.

Countless sessions on industry mapping, content brainstorms, conference and event attendance, finding expert speakers, scheduling and marketing the webinars and boot camps.

𝗧𝗼 𝗱𝗮𝘁𝗲: 
473 Small and Medium Organizations
30 expert panelists and facilitators
36 boot camp sessions
945 participants

Two people played a key role in this. Anita and Avleen.

Thank you.

You spend $50K on an RSAC booth.

But always felt that it is a waste of money.

That’s the unspoken pain most cyber CEOs realize halfway through the conference.

You have the team.
You have the tech.
You have the story.

But the only people who stop by your booth are students collecting swag.


Here’s what’s actually happening.

You’re showing up too late.
RSAC convos start online months before San Francisco.
Other CEOs build visibility long before they book flights.


If your first touchpoint is the expo floor, you’re already behind.

Visibility is not a marketing expense.

It’s a business advantage.

The CEOs who show up consistently on LinkedIn before RSAC don’t need to “pitch.”

Their meetings are booked.
Their prospects are familiar with their voice and values.
Their reputation precedes their handshake.

If you’re a cyber CEO heading there in 2026, the real preparation starts now.

Not with another banner.

But with authority, consistency, and strategy.

I’m helping cyber CEOs build that presence before RSAC 2026.

Profile revamp.
Three months of content.
Collaboration posts that amplify reach.

So you can walk into RSAC visible and fully booked.

DM me “RSAC” if you want the details.

Things are moving fast in the cyber and AI.

How do you manage that conversation w leadership?

This is a topic that many organizations have to tackle as they scale with all the benefits of artificial intelligence while leaving security teams to pick up the risk.

I interviewed my friend Mary Carmichael, a leading voice in this space, to learn from her experience and what she is hearing from organizations.

1. Where do you see the biggest gap between how executives describe cyber risk and how it actually plays out inside organizations?

𝘛𝘢𝘭𝘬 𝘐𝘴 𝘊𝘩𝘦𝘢𝘱

Executives often call cyber risk their top priority, but the gap shows up in everyday operations. Patching gets delayed, MFA is inconsistent, and third-party risks slip through. The real measure of cyber resilience is in what teams do every day, not what leaders say at the top.

2. What leadership behaviors have you seen make the strongest difference in the success or failure of security programs?

𝘈𝘤𝘵𝘪𝘰𝘯𝘴 𝘚𝘱𝘦𝘢𝘬 𝘓𝘰𝘶𝘥𝘦𝘳 𝘛𝘩𝘢𝘯 𝘞𝘰𝘳𝘥𝘴

The leaders who make the strongest impact treat security as an organizational change, not just an IT project. They explain why it matters in business terms, linking MFA or patching to uptime, customer trust, and resilience, and they consistently ask questions like, “What risk are we accepting if we delay this control, and who is accountable for that decision?”. Those actions make it clear that security isn’t optional, it’s built into every decision

3. What’s one traditional risk management rule you think won’t survive in an AI-first world?

𝘈𝘐 𝘥𝘰𝘦𝘴𝘯’𝘵 𝘸𝘢𝘪𝘵 𝘧𝘰𝘳 𝘺𝘰𝘶𝘳 𝘈𝘯𝘯𝘶𝘢𝘭 𝘢𝘶𝘥𝘪𝘵

The rule of “periodic assessments” will not survive because AI risks emerge and evolve continuously. Waiting for the next audit cycle will leave organizations blind to models that are drifting, vendors that are silently updating, or AI features being “switched on” without notice. In practice, organizations will need continuous monitoring and real-time reporting.

4. Looking five years out, what new risk do you think leaders are underestimating today?
   
𝘛𝘩𝘦 𝘈𝘐 𝘚𝘪𝘯𝘨𝘭𝘦 𝘗𝘰𝘪𝘯𝘵 𝘰𝘧 𝘍𝘢𝘪𝘭𝘶𝘳𝘦

Leaders are underestimating concentration risk in the AI supply chain, as most organizations are leaning on the same few foundation models and cloud providers. If one of those models fails, is compromised, or its terms of use are suddenly changed, entire industries could be disrupted. The practical takeaway is that boards need to start asking today:
Who are we dependent on?
What’s our contingency plan?
How fast could we pivot to another AI provider?


_____________________________

If you enjoyed this interview series, please follow Mary. She is an ex-President of ISACA Vancouver Chapter and an extremely cherished partner of Rogers Cybersecure Catalyst, Toronto Metropolitan University.


P.S What's your fav AI Cyber pet peeve?

The vision for the Catalyst is Cybersecurity for All.

The clearest manifestation of that is the Cyber Clinic.

Rogers Cybersecure Catalyst, Toronto Metropolitan University is the first Canadian member of The Consortium of Cybersecurity Clinics.

The team has worked tirelessly over the last months to prepare for the pilot launch of our program that will help non-profits and other community organizations.

They will receive free actionable cybersecurity support.

21 Catalyst Consultants
6 Client Organizations
9 Expert Mentors

This will anchor years of Catalyst-led cybersecurity support for Canada’s underserved organizations that protect vulnerable populations.

Putting Cybersecurity for All into action.


Powered by Okta and Mastercard

The Agri-Food sector is designated as critical infrastructure. But severe cyber underinvestment leaves it vulnerable.

I interviewed my friend Ritesh Kotak, who is going to co-facilitate our upcoming Agri-Food Cybersecurity Bootcamp. 

We looked at the cybersecurity risks in the agri-food sector and the unique responsibility producers, processors, distributors, and technologists share in keeping our food supply secure.

Here is the first part of the interview.


𝗤: 𝗪𝗵𝘆 𝗶𝘀 𝗰𝘆𝗯𝗲𝗿𝘀𝗲𝗰𝘂𝗿𝗶𝘁𝘆 𝗻𝗼𝘄 𝗮 𝗰𝗿𝗶𝘁𝗶𝗰𝗮𝗹 𝗶𝘀𝘀𝘂𝗲 𝗳𝗼𝗿 𝘁𝗵𝗲 𝗮𝗴𝗿𝗶-𝗳𝗼𝗼𝗱 𝘀𝗲𝗰𝘁𝗼𝗿?

A: Technology has increased efficiency, but it has also increased exposure within the agri-food sector. With recent high-profile cybersecurity incidents targeting the sector, we have witnessed the devastating impact these breaches are having on our supply chain and economic security.

𝗤: 𝗪𝗵𝗮𝘁 𝗰𝘆𝗯𝗲𝗿 𝘁𝗵𝗿𝗲𝗮𝘁𝘀 𝗺𝗼𝘀𝘁 𝗼𝗳𝘁𝗲𝗻 𝗵𝗶𝘁 𝘀𝗺𝗮𝗹𝗹𝗲𝗿 𝗳𝗮𝗿𝗺𝘀, 𝗰𝗼-𝗼𝗽𝘀, 𝗼𝗿 𝗽𝗿𝗼𝗰𝗲𝘀𝘀𝗼𝗿𝘀

A: Smaller farms and processors are increasingly targeted by phishing scams and ransomware attacks. It’s important to note that the farmer/processor not only serves as the producer but also as accountants, IT managers and many other hats within the organization. 

Hackers try to exploit this through complicated and sophisticated targeted attacks.

_______________________

If you enjoyed this interview series, do give Ritesh a follow. He is a technologist with roots in the food manufacturing industry and a career spanning legal, cybercrime, IoT, and public safety innovation. 

We are hosting a free 6-week Cybersecurity Bootcamp curated for the Agri-Food Sector.

If you work in Ontario's Agri-food sector, sign up and join us for the upcoming 𝘄𝗲𝗯𝗶𝗻𝗮𝗿 and 𝗯𝗼𝗼𝘁𝗰𝗮𝗺𝗽!

Register now: https://lnkd.in/gEq6_TBD

_______________________

𝗪𝗲𝗯𝗶𝗻𝗮𝗿: 𝗖𝘆𝗯𝗲𝗿𝘀𝗲𝗰𝘂𝗿𝗶𝘁𝘆 𝗶𝗻 𝗔𝗴𝗿𝗶-𝗙𝗼𝗼𝗱
Date: Mon, Sept 29th, 2025
Time: 10:00 AM – 11:30 AM ET
Topics:
- Key cyber threats and risks 
- Cybersecurity trends and strategy 
- Cybersecurity technology adoption

Panelists:
Gord Howells  
Chuck Baresich
Sem Ponnambalam  
Janos Botschner, PhD (He/Him) (Moderator)

𝗕𝗼𝗼𝘁𝗰𝗮𝗺𝗽
Every Thursday from Oct 2 - Nov 6, 2025
Time: 10 AM – 12 PM ET
Topics:
- Foundational cybersecurity risks
- Introduction to Cybersecurity in Agri-Food
- Regulatory Framework and Standards
- Cybersecurity Risk Management
- Security-by-design and IoT Security
- Emerging Technologies and future trends
- Incident Response and Cyber Resilience

Co-facilitated by:
Ritesh Kotak and Lester Chng

Most people think cybersecurity is just for tech companies.

But even farmers depend on it now.

Farmers use GPS tractors, weather apps, and online banking every day.

If a hacker breaks in, they could mess up crops, steal money, or give false info.

Cybersecurity isn’t just “IT stuff.” It’s like locking up your tools at night.

Simple steps, like strong passwords and double-checking emails, can protect your whole business.

If you use tech, you need cyber.

Ever seen a simple tech mistake cause big problems?

_______________________

Rogers Cybersecure Catalyst, Toronto Metropolitan University and Canadian Cyber Threat Exchange (CCTX) are hosting a free 6-week Cybersecurity Bootcamp curated for the Agri-Food Sector.

If you work in Ontario's Agri-food sector, sign up and join us for the upcoming 𝘄𝗲𝗯𝗶𝗻𝗮𝗿 and 𝗯𝗼𝗼𝘁𝗰𝗮𝗺𝗽!

Register now: https://lnkd.in/gEq6_TBD

_______________________

𝗪𝗲𝗯𝗶𝗻𝗮𝗿: 𝗖𝘆𝗯𝗲𝗿𝘀𝗲𝗰𝘂𝗿𝗶𝘁𝘆 𝗶𝗻 𝗔𝗴𝗿𝗶-𝗙𝗼𝗼𝗱
Date: Mon, Sept 29th, 2025
Time: 10:00 AM – 11:30 AM ET
Topics:
- Key cyber threats and risks 
- Cybersecurity trends and strategy 
- Cybersecurity technology adoption

Panelists:
Gord Howells 
Chuck Baresich
Sem Ponnambalam 
Janos Botschner, PhD (He/Him) (Moderator)

𝗕𝗼𝗼𝘁𝗰𝗮𝗺𝗽
Every Thursday from Oct 2 - Nov 6, 2025
Time: 10 AM – 12 PM ET
Topics:
- Foundational cybersecurity risks
- Introduction to Cybersecurity in Agri-Food
- Regulatory Framework and Standards
- Cybersecurity Risk Management
- Security-by-design and IoT Security
- Emerging Technologies and future trends
- Incident Response and Cyber Resilience

Co-facilitated by:
Ritesh Kotak and Lester Chng

I only had 4 jobs in my life. 
This is my 2nd favourite job. 
You already know my favourite. 
(I’ll share at the end if u can’t guess)

Here is an excellent opportunity to join Rogers Cybersecure Catalyst, Toronto Metropolitan University and even better our team (the other teams are awesome too but ours is awesomer)

Here are 5 reasons to join us:

- you enjoy working on new projects
- the team pushes the status quo
- work w large variety of clients
- are fiercely independent
- say more yes than no
(But also alot of NOs, don’t worry)

We are going to shape and influence cybersecurity for individuals and also for our clients. 

From Canada to the world.  

As other are diversing, we are uniting. 
But I’m also digressing. 

So take a look and join us. 

P.S my first job allowed me to drive a $300MM Frigate. So guess that’s #1

Cybersecurity and Emerging Technologies Content Developer (2 Positions)

AI Tool for this, AI Tool for that. Let's go.

Is there a way to understand the risk that it comes with?

Mary is developing an AI Procurement & Supply Chain Risk Toolkit to support municipalities in adopting AI responsibly. The toolkit improves visibility into third-party AI systems by integrating standards and accountability measures into procurement and vendor oversight.

I interviewed my friend Mary Carmichael to learn about her fellowship with @rogers cybersecure Catalyst.

_____________________________

4. How can risk and compliance teams get visibility into shadow AI and third-party tools they do not directly control?

𝘠𝘰𝘶 𝘊𝘢𝘯’𝘵 𝘔𝘢𝘯𝘢𝘨𝘦 𝘞𝘩𝘢𝘵 𝘠𝘰𝘶 𝘊𝘢𝘯’𝘵 𝘚𝘦𝘦

Shadow AI often shows up because people want to move faster, not because they’re trying to bypass rules. Risk and compliance teams gain visibility by pairing monitoring tools like network scans and procurement reviews with open conversations where staff feel comfortable sharing what they use.

5. When municipalities buy AI solutions, what hidden dependencies should public sector leaders be most concerned about?
   
𝘛𝘩𝘦 𝘋𝘦𝘷𝘪𝘭 𝘪𝘴 𝘪𝘯 𝘵𝘩𝘦 𝘋𝘦𝘵𝘢𝘪𝘭𝘴

When municipalities buy AI, the risk isn’t just the “shiny tool” in front of them; it’s the hidden web of dependencies underneath. Cloud hosting providers, API connections, training data sources, and open-source components can all introduce vulnerabilities or liabilities that leaders don’t directly control, yet will be held accountable for if they fail.
Tip: Public sector leaders should require vendors to map their AI supply chain. Transparency up front is the primary way to protect citizen trust.

6. What outcome would you like to see from your fellowship toolkit, and how do you imagine municipalities using it in practice?
   
𝘈 𝘔𝘢𝘱, 𝘕𝘰𝘵 𝘢 𝘔𝘢𝘻𝘦

The outcome I’d like to see is municipalities using the toolkit as a checklist they can pull out during procurement; to ask vendors the right questions, flag hidden dependencies, and score AI proposals consistently. The toolkit should be a hands-on decision aid; simple enough to use in the moment, but structured enough to make AI choices transparent and defensible.

_____________________________

If you enjoyed this interview series, please follow Mary. She is an ex-President of ISACA Vancouver Chapter and an extremely cherished partner of Rogers Cybersecure Catalyst, Toronto Metropolitan University cybersecure Catalyst.


P.S What is a dream AI tool that you want?

Everyone is racing to adopt new tech.  
But almost no one talks about the cyber risks that come with it.

Most companies move fast.
New systems, new tools, new platforms.  

Everyone’s excited about what this tech can do for business.  
No one is really thinking about what could go wrong.

Nobody likes to slow down for cyber risk assessments.  
"That won’t happen to us," is the most common response.

But here’s the truth: threats don’t wait for you to catch up.

We see teams roll out new systems in weeks without a single conversation about security.  

Simple things like access controls, patching, or data backups are skipped.  

All in the name of speed.

It’s not just an IT problem.  
It’s a leadership problem.  
It’s an awareness problem.

One incident can stop everything.  
Lose data. Lose trust. Lose business.

Adopting new tech isn’t the risk.  
Ignoring the risks, is.

How do you make sure cyber is on the table in your company?

_______________________

Rogers Cybersecure Catalyst, Toronto Metropolitan University and Canadian Cyber Threat Exchange (CCTX) are hosting a free 6-week Cybersecurity Bootcamp curated for the Agri-Food Sector.

If you work in Ontario's Agri-food sector, sign up and join us for the upcoming 𝘄𝗲𝗯𝗶𝗻𝗮𝗿 and 𝗯𝗼𝗼𝘁𝗰𝗮𝗺𝗽!

Register now: https://lnkd.in/gEq6_TBD

_______________________

𝗪𝗲𝗯𝗶𝗻𝗮𝗿: 𝗖𝘆𝗯𝗲𝗿𝘀𝗲𝗰𝘂𝗿𝗶𝘁𝘆 𝗶𝗻 𝗔𝗴𝗿𝗶-𝗙𝗼𝗼𝗱
Date: Mon, Sept 29th, 2025
Time: 10:00 AM – 11:30 AM ET
Topics:
- Key cyber threats and risks 
- Cybersecurity trends and strategy 
- Cybersecurity technology adoption

Panelists:
Gord Howells 
Chuck Baresich
Sem Ponnambalam 
Janos Botschner, PhD (He/Him) (Moderator)

𝗕𝗼𝗼𝘁𝗰𝗮𝗺𝗽
Every Thursday from Oct 2 - Nov 6, 2025
Time: 10 AM – 12 PM ET
Topics:
- Foundational cybersecurity risks
- Introduction to Cybersecurity in Agri-Food
- Regulatory Framework and Standards
- Cybersecurity Risk Management
- Security-by-design and IoT Security
- Emerging Technologies and future trends
- Incident Response and Cyber Resilience

Co-facilitated by:
Ritesh Kotak and Lester Chng

It’s conference season again. Here are
5 Easy Conference Networking Tips. 

1. Research on who is attending. 
2. Message them before the event.
3. Don’t be weird. Say hi first. 
4. Listen with genuine interest. 
5. Speak at the conference 😄. 

Rogers Cybersecure Catalyst, Toronto Metropolitan University will be sponsoring or be represented at these upcoming conferences. 

Pop by to say hi to the team!
We are a friendly bunch and don’t worry we not after your lunch.  

- Cyber Supply Chain Risk Management (C-SCRM) Summit

- Security Education Conference Toronto (SecTor) 

- Forum INCYBER (FIC) Montreal

- Elevate

- Ontario Disaster & Emergency Management Conference  

- Municipal Information Systems Association, Ontario (MISA Ontario) Infosec

And our very own Cataylst Summit!

Which ones are you attending?

P.S I should be at SecTor Day 2!

I know Junior, Morgan, Aurn will be there for sure. Who else?

Ever thought hackers could mess with your dinner? It actually happens.

A while ago, JBS, the biggest meat supplier in the world, got hit by a ransomware attack. 

Suddenly, meat vanished from shelves. Farmers got stuck waiting. 

All because their systems were locked up and hackers wanted millions.

Food sounds old-fashioned, but it runs on tech now. If hackers stop the tech, they stop the food.

Most people think hacks only target banks or software companies. The truth is, food is perishable and companies can't afford to significant downtime.

So these cyber criminals are impacting everyday lives and we owe it to our clients and customers to do our due diligence. 

_______________________

Rogers Cybersecure Catalyst, Toronto Metropolitan University and Canadian Cyber Threat Exchange (CCTX) are hosting a free 6-week Cybersecurity Bootcamp curated for the Agri-Food Sector.

If you work in Ontario's Agri-food sector, sign up and join us for the upcoming 𝘄𝗲𝗯𝗶𝗻𝗮𝗿 and 𝗯𝗼𝗼𝘁𝗰𝗮𝗺𝗽!

Register now: https://lnkd.in/gEq6_TBD

_______________________

𝗕𝗼𝗼𝘁𝗰𝗮𝗺𝗽
Every Thursday from Oct 2 - Nov 6, 2025
Time: 10 AM – 12 PM ET
Topics:
- Foundational cybersecurity risks
- Introduction to Cybersecurity in Agri-Food
- Regulatory Framework and Standards
- Cybersecurity Risk Management
- Security-by-design and IoT Security
- Emerging Technologies and future trends
- Incident Response and Cyber Resilience

Co-facilitated by:
Ritesh Kotak and Lester Chng

Congrats if you made your obligatory “I attended xxxx conference” post. 

Guess what it reads like?
An obligation. 

The buzz from the post dissipates. 
Almost as soon as the conf ends. 

And when is your next post?
The next conference? Event?
Congrats. You are now known for attending events. 

Perhaps that is good enough if you are working full time for someone else

You just need to keep it warm and appear active in the network. 

But if you are a Cyber CEO who is constantly stressed about the quality of your leads and having to always chase, your obligatory conference LinkedIn post is not good enough. 

All the missed opportunities to position you and your company in the minds of those who need yr solution.

Attending RSAC in March 2026?

You should have a full content calendar from Jan onwards leading to the event. 

Otherwise, you are wasting another conference. Lying to yourself that all the random leads led to something.  

If u want to be ready for RSAC. 
DM me 2026.

The AI Risks for large enterprises are not different for small organizations.

How do small firms manage AI Risks?

I interviewed my friend Walter Haydock, Founder of StackAware and Marine Veteran, to learn how he helps AI-powered companies manage cyber, compliance, and privacy risk so they can innovate responsibly.

𝗤: 𝗟𝗮𝗿𝗴𝗲 𝗲𝗻𝘁𝗲𝗿𝗽𝗿𝗶𝘀𝗲𝘀 𝗰𝗮𝗻 𝗯𝘂𝗶𝗹𝗱 𝗴𝗼𝘃𝗲𝗿𝗻𝗮𝗻𝗰𝗲 𝗽𝗿𝗼𝗴𝗿𝗮𝗺𝘀. 𝗪𝗵𝗮𝘁 𝘀𝗶𝗺𝗽𝗹𝗲 𝘀𝘁𝗲𝗽𝘀 𝗰𝗮𝗻 𝘀𝗺𝗮𝗹𝗹𝗲𝗿 𝗳𝗶𝗿𝗺𝘀 𝘁𝗮𝗸𝗲 𝘁𝗼 𝗺𝗮𝗻𝗮𝗴𝗲 𝗔𝗜 𝗿𝗶𝘀𝗸?

For smaller firms building their AI governance or evidence program, I recommend starting with three key steps:

1. Establish a Policy: Define your organization’s risk appetite. Clearly articulate which AI-related actions are acceptable and which are not. This becomes the foundation for decision-making across the organization.

2. Conduct an AI Inventory: Identify all AI systems and models currently in use. This includes both internally developed tools and any third-party services being used across teams.

3. Perform a Risk Assessment: Evaluate each system and model against the risk appetite defined in your policy. This helps you determine which uses are aligned with your organization’s standards—and which fall outside acceptable risk boundaries.

𝗤: 𝗦𝗶𝗻𝗰𝗲 𝗔𝗜 𝗼𝗳𝘁𝗲𝗻 𝘁𝗼𝘂𝗰𝗵𝗲𝘀 𝘀𝗲𝗻𝘀𝗶𝘁𝗶𝘃𝗲 𝗱𝗮𝘁𝗮, 𝘄𝗵𝗮𝘁 𝗯𝗮𝘀𝗶𝗰 𝘀𝗲𝗰𝘂𝗿𝗶𝘁𝘆 𝗰𝗼𝗻𝘁𝗿𝗼𝗹𝘀 𝗮𝗿𝗲 𝗲𝘀𝘀𝗲𝗻𝘁𝗶𝗮𝗹?

Artificial intelligence often interacts with sensitive data—especially in highly regulated industries like healthcare. When deploying AI, I recommend three essential controls:

1. Prevent Unintended Model Training: Ensure that your data isn’t being used to train third-party models like ChatGPT. Many of these systems continuously improve based on submitted prompts unless you’ve explicitly opted out or are using a business or enterprise version with proper safeguards.

2. Review Data Retention Policies: Understand how long the AI system retains your data. Make sure the retention policies align with your organization’s requirements and that you’re not inadvertently allowing indefinite storage of sensitive inputs.

3. Validate Output Integrity: Regularly assess whether the AI’s outputs fall within acceptable parameters for your specific use case. In sensitive fields like healthcare, it’s critical that error rates are comparable to—or better than—those of traditional, human-driven processes.


_____________________________

If you enjoyed this interview series, do give Walter a follow. He dishes out straight shooting advice and guidance on managing AI Risks, ISO 42001, NIST AI RMF, HITRUST AI security, and EU AI Act.


P.S Any other tips for small organizations?

Sponsorship and mentorship can change lives.

And we need more of that in Cybersecurity.

I interviewed my friend Mary Carmichael to learn about her leadership experience and her time as President of ISACA Vancouver.

_____________________________

7. As an ex-President of ISACA Vancouver, what was one memorable story from that experience?

𝘓𝘪𝘧𝘵 𝘢𝘴 𝘠𝘰𝘶 𝘊𝘭𝘪𝘮𝘣

One of my most memorable moments as ISACA Vancouver President was watching a mentee I had coached step on stage to deliver her first presentation. Seeing her confidence on stage reminded me that leadership is less about being in the spotlight yourself and more about creating space for others to shine.

Tip: The legacy of leadership isn’t the titles you hold, it’s the people you lift along the way.



8. What barriers still hold women back from senior security roles, and what approaches have you seen work to overcome them?

𝘉𝘳𝘦𝘢𝘬𝘪𝘯𝘨 𝘉𝘢𝘳𝘳𝘪𝘦𝘳𝘴

Far too often, women are steered toward the “invisible work” that keeps organizations running but goes unrewarded (e.g, documentation and coordination), while others are positioned for the high-visibility, strategic roles that lead to promotions.

What I’ve seen work is intentional sponsorship: leaders who say “she’s ready” and back it up by putting women into visible, stretch assignments where their impact can’t be overlooked.

Tip: Skills aren’t the barrier, opportunity is.
Women advance when organizations actively sponsor them into strategic, executive-facing roles.

_____________________________

If you enjoyed this interview series, please follow Mary. She is an ex-President of ISACA Vancouver Chapter and an extremely cherished partner of Rogers Cybersecure Catalyst, Toronto Metropolitan University.


P.S What is 1 way you have seen others provide support?

As technology transforms the agri-food sector, the cyber risks are left unmitigated.

I interviewed my friend Ritesh Kotak, who is going to co-facilitate our upcoming Agri-Food Cybersecurity Bootcamp. 

We looked at the cybersecurity risks in the agri-food sector and the unique responsibility producers, processors, distributors, and technologists share in keeping our food supply secure.

Here is the final part of the interview.


𝗤: 𝗪𝗵𝗮𝘁 𝗱𝗼𝗲𝘀 𝗴𝗼𝗼𝗱 𝗶𝗻𝗰𝗶𝗱𝗲𝗻𝘁 𝗿𝗲𝘀𝗽𝗼𝗻𝘀𝗲 𝗹𝗼𝗼𝗸 𝗹𝗶𝗸𝗲 𝗳𝗼𝗿 𝘀𝗺𝗮𝗹𝗹 𝗮𝗴𝗿𝗶-𝗳𝗼𝗼𝗱 𝗯𝘂𝘀𝗶𝗻𝗲𝘀𝘀𝗲𝘀?

A: A strong incident response plan means you are able to keep your business safely operating during a cyber incident. It is critical to identify and isolate the issue, preserve evidence and notify key stakeholders. 

Equally, It’s important that as an organization you are prepared by having conducted tabletop exercises and having a clear communication plan.

𝗤: 𝗪𝗵𝗶𝗰𝗵 𝗳𝘂𝘁𝘂𝗿𝗲 𝘁𝗲𝗰𝗵𝗻𝗼𝗹𝗼𝗴𝗶𝗲𝘀 𝗽𝗼𝘀𝗲 𝘁𝗵𝗲 𝗯𝗶𝗴𝗴𝗲𝘀𝘁 𝗰𝘆𝗯𝗲𝗿 𝗿𝗶𝘀𝗸𝘀 𝗶𝗻 𝗮𝗴𝗿𝗶𝗰𝘂𝗹𝘁𝘂𝗿𝗲?

A: IoT connected equipment, cloud-based systems and autonomous machinery pose the biggest cyber risks in agriculture. As these systems become increasingly interconnected, a breach can disrupt supply chains, production processes and compromise food safety.

𝗤: 𝗪𝗵𝘆 𝗶𝘀 𝗶𝘁 𝗶𝗺𝗽𝗼𝗿𝘁𝗮𝗻𝘁 𝘁𝗼 𝗽𝗿𝗼𝘁𝗲𝗰𝘁 𝗼𝘂𝗿 𝗳𝗼𝗼𝗱 𝘀𝘂𝗽𝗽𝗹𝘆?

A: Imagine a consumer walking into a grocery store only to find empty shelves. Inevitably, this will trigger mass panic and widespread fear within our community. 

Hence, protecting our food supply is critical to our national and economic security and sovereignty. 
_______________________

If you enjoyed this interview series, do give Ritesh a follow. He is a technologist with roots in the food manufacturing industry and a career spanning legal, cybercrime, IoT, and public safety innovation. 

If you work in Ontario's Agri-food sector, sign up and join us for the upcoming 𝘄𝗲𝗯𝗶𝗻𝗮𝗿 and 𝗯𝗼𝗼𝘁𝗰𝗮𝗺𝗽!

Register now: https://lnkd.in/gEq6_TBD

_______________________

𝗪𝗲𝗯𝗶𝗻𝗮𝗿: 𝗖𝘆𝗯𝗲𝗿𝘀𝗲𝗰𝘂𝗿𝗶𝘁𝘆 𝗶𝗻 𝗔𝗴𝗿𝗶-𝗙𝗼𝗼𝗱
Date: Mon, Sept 29th, 2025
Time: 10:00 AM – 11:30 AM ET
Topics:
- Key cyber threats and risks 
- Cybersecurity trends and strategy 
- Cybersecurity technology adoption

Panelists:
Gord Howells 
Chuck Baresich
Sem Ponnambalam  
Janos Botschner, PhD (He/Him) (Moderator)

𝗕𝗼𝗼𝘁𝗰𝗮𝗺𝗽
Every Thursday from Oct 2 - Nov 6, 2025
Time: 10 AM – 12 PM ET
Topics:
- Introduction to Cybersecurity in Agri-Food
- Cybersecurity Risk Management
- Security-by-design and IoT Security
- Emerging Technologies and future trends
- Incident Response and Cyber Resilience

Co-facilitated by:
Ritesh Kotak and Lester Chng

How are you managing AI risks?

Do you have a coherent response to that?

I interviewed my friend Walter Haydock, Founder of StackAware and Marine Veteran, to learn how he helps AI-powered companies manage cyber, compliance, and privacy risk so they can innovate responsibly.

𝗪𝗵𝗮𝘁 𝗼𝗻𝗲 𝗽𝗶𝗲𝗰𝗲 𝗼𝗳 𝗮𝗱𝘃𝗶𝗰𝗲 𝘄𝗼𝘂𝗹𝗱 𝘆𝗼𝘂 𝗴𝗶𝘃𝗲 𝗖𝗜𝗦𝗢𝘀 𝘄𝗵𝗼 𝘄𝗮𝗻𝘁 𝘁𝗼 𝘀𝘁𝗮𝘆 𝗮𝗵𝗲𝗮𝗱 𝗼𝗳 𝗔𝗜 𝗿𝗶𝘀𝗸?

The most important advice I have for Chief Information Security Officers managing AI risk is this: don’t bury your head in the sand.
It’s undeniably challenging to keep up with the fast-moving landscape—between the constant release of new AI models and tools, and the growing number of vendors embedding AI into products you may have already approved through your third-party risk management process.

That said, the right approach is a tiered, risk-based framework. Evaluate your systems and data flows to determine which use cases warrant heightened scrutiny due to their risk profile, and which ones can be subject to lighter oversight. 

This allows you to allocate resources intelligently and maintain control without creating unnecessary bottlenecks.


_____________________________

If you enjoyed this interview series, do give Walter a follow. He dishes out straight shooting advice and guidance on managing AI Risks, ISO 42001, NIST AI RMF, HITRUST AI security, and EU AI Act.


P.S Will AI still be a hot topic in 2026?

Facilitating a cyber tabletop can be easy if you keep these 3 tips in mind. 

Running an exercise is always stressful because of many factors. 

- multi-directional discussions
- unfamiliar stakeholders
- different environment 
- tone and culture 
- sensitive topics 

I was reflecting on a recent exercise and these are some tips to help elevate the experience for the participants and gain the maximum value. 

Tip 1:
Use “Let’s bring it back a few steps”

When you introduce the scenario and injects, the participants will very enthusiasticly provide their thoughts, actions, and consideration. 

Very often, there will be a mixture of the thoughts in their heads, jumbled up with assumptions, and half an eyeball on what they wrote in their playbook 8 months (hopefully not years) ago. 

This repeats for the next 3-6 people that chime in, all waiting for their time to “perform”. 

This results in a hot mess. 

One tip is to bring it back a few steps. 

Clarify who exactly will receive the information, what will they do with the information, and connect it with the next team’s action. 

This reduces the assumptions and the stream of consciousness that they somehow verbalized as they responded. 


Tip 2: 
Use “Let’s park that topic”

In the heat of discussion, there will be many offshoots that will arise. 

- our vendor can do this
- I’ll inform everyone and their mom
- our team will investigate and report 
- We have an ongoing project that will solve this and this won’t be an issue 🙄

To politely control the discussion without hurting their feelings, highlight that these are important and that we would like to park that aside and you can note that in the report. 


Tip 3:
Use “Let’s recap and move ahead”

Exercises compresses time and information. There is a lot going on which is useful for training and education. But this means that everyone will be overloaded with info. 

At opportune times, call a recap, do yr best to summarize, ask for confirmation from the teams, thank them and move to the next inject. 



What other tips will you add?

Let me know if u tried any of these ⬆️

Leverage AI to increase productivity.
That has been your marching orders.

This has been the focus for the last couple of years as organizations drive AI adoption to gain a competitive edge and cut costs.

I interviewed my friend Walter Haydock, Founder of StackAware and Marine Veteran, to learn how he helps AI-powered companies manage cyber, compliance, and privacy risk so they can innovate responsibly.

𝗤: 𝗪𝗵𝗲𝗻 𝗰𝗼𝗺𝗽𝗮𝗻𝗶𝗲𝘀 𝗳𝗶𝗿𝘀𝘁 𝗰𝗼𝗺𝗲 𝘁𝗼 𝘆𝗼𝘂, 𝘄𝗵𝗮𝘁 𝗮𝗿𝗲 𝘁𝗵𝗲𝗶𝗿 𝗯𝗶𝗴𝗴𝗲𝘀𝘁 𝗰𝗼𝗻𝗰𝗲𝗿𝗻𝘀 𝗮𝗯𝗼𝘂𝘁 𝗔𝗜 𝗿𝗶𝘀𝗸?

When companies come to StackAware, they’re typically concerned about three categories of AI-related risk:

1. Data Security and IP Protection: 
Many are worried about exposing sensitive data or intellectual property—whether through unintended training of third-party AI models or through indefinite data retention by external providers.

2. Reputation Risk: 
For organizations with customer-facing chatbots or similar interfaces, there’s concern about accidental or malicious misuse that could harm the company’s public image.

3. Regulatory and Compliance Exposure: Especially in domains like HR, companies are increasingly aware of the growing number of laws and regulations governing AI use—many of which carry significant penalties for noncompliance.


𝗤: 𝗪𝗵𝗮𝘁 𝗱𝗼 𝘆𝗼𝘂 𝘀𝗲𝗲 𝗮𝘀 𝘁𝗵𝗲 𝗺𝗼𝘀𝘁 𝗺𝗶𝘀𝘂𝗻𝗱𝗲𝗿𝘀𝘁𝗼𝗼𝗱 𝗿𝗶𝘀𝗸𝘀 𝗼𝗳 𝗮𝗱𝗼𝗽𝘁𝗶𝗻𝗴 𝗔𝗜 𝘁𝗼𝗱𝗮𝘆?

A majorly misunderstood risk in deploying artificial intelligence—especially in human resources—is regulatory compliance. Many tools on the market use AI for sensitive tasks like screening job candidates or evaluating their skills. These activities often fall under existing laws such as New York City’s Local Law 144, as well as upcoming regulations like Colorado’s SB-205, which takes effect next year.

Vendors frequently claim their tools are exempt from these laws because they include a “human in the loop.” However, none of the regulations mentioned provide exemptions based on human oversight. The presence of a human reviewer does not remove the requirement to comply. 

Unfortunately, there’s a lot of misinformation in circulation—even among legal and compliance professionals—who mistakenly believe that human involvement automatically places these tools outside the scope of applicable HR regulations.


_____________________________

If you enjoyed this interview series, do give Walter a follow. He dishes out straight shooting advice and guidance on managing AI Risks, ISO 42001, NIST AI RMF, HITRUST AI security, and EU AI Act.


P.S What's your fav AI security fear?

Taplio

Lester Chng's Linkedin Analytics

What is Lester talking about?

Who is engaging with Lester

's Best Posts (last 30 days)

Want to drive more opportunities from LinkedIn?