In this exclusive CanadianSME Small Business Magazine interview, Wayne Cuervo, Director of the Digital Impact Office (DIO) at Cisco Canada and founding leader of the Cisco Toronto Innovation Labs, shares how more than 20 years at Cisco have shaped his perspective on Canada’s cybersecurity talent gap, AI-fuelled threats, and digital resilience. He explains what’s really at stake when security roles go unfilled, how AI-powered Security Operations Centres and programs like Cisco Networking Academy can help organizations build internal capacity, and which concrete steps small and mid-sized businesses can take this year—from tightening fundamentals and consolidating tools to leveraging managed services—to reduce cyber risk while broader industry–education–government partnerships work to strengthen Canada’s security workforce and innovation ecosystem.
Many organizations say they “can’t find cybersecurity talent” while threats keep escalating. From your vantage point, what’s really at stake when critical security roles stay unfilled, and how does that show up in day-to-day business risk?
What I see working with organizations across Canada is that when cybersecurity roles stay unfilled, businesses lose their ability to respond to threats in real time. The work doesn’t pause when there’s no one to do it. It just doesn’t get done.
That means security teams can’t properly monitor their systems. Threats sit undetected in networks longer. When breaches happen, there aren’t enough people to contain them quickly, so what could have been a minor incident becomes a major disruption. Important security controls fall lower on the priority list because teams simply don’t have the capacity to get to them.
Day-to-day, this shows up as growing backlogs. Critical software updates that should have been applied weeks ago are still waiting. Compliance requirements slip. Teams shift from strategic planning to constant firefighting, forced to make tough calls about which risks they can afford to leave unaddressed.
Cisco recently found that 80% of organizations are facing talent shortages, and the problem is intensifying. The threat landscape moves faster than most companies can keep up with their current staff. Every unfilled role creates a wider gap in defences, and attackers are skilled at finding those gaps.
Cisco’s research shows AI is fuelling a new wave of cyber incidents at a time when most organizations are still early in their readiness. As businesses rush to adopt AI, what new risks concern you most when security teams are already understaffed?
Organizations are racing to implement AI across their operations, but many don’t fully understand the security implications. What’s most concerning is that AI introduces attack vectors we haven’t seen before, and security teams that are already stretched thin now have to defend against threats they’re still learning about.
AI systems can be manipulated in ways traditional software can’t. Attackers can compromise data, exploit model vulnerabilities, or use AI itself to launch more sophisticated attacks at scale. These aren’t hypothetical risks. They’re happening now.
The challenge is that securing AI requires specialized knowledge. It’s not enough to apply traditional security practices. Teams need to understand how these systems work, where vulnerabilities emerge, and how to monitor them continuously. For organizations finding it challenging to maintain baseline security controls, that added complexity can quickly push teams beyond capacity.
This is where AI-powered Security Operations Centres can help bridge the talent gap. By using AI to correlate signals, automate detection and response, and prioritize high-risk activity, an AI SOC allows smaller teams to operate at a level that previously required far more specialized staff. It doesn’t replace human expertise, but it helps teams focus on the threats that matter most.
You lead the Digital Impact Office and initiatives like Cisco Networking Academy that aim to close the skills gap. What practical steps can Canadian organizations take—beyond just “hiring more people”—to build cyber capacity and upskill the talent they already have?
Hiring alone won’t solve this problem, especially when everyone is competing for the same limited pool of talent. Organizations need to think differently about building capacity.
First, invest in your existing workforce. Many IT professionals already have foundational skills that can be expanded into security roles. Through programs like Cisco Networking Academy, we’ve seen people successfully transition into cybersecurity roles with focused training and hands-on experience. The key is creating clear pathways for internal mobility and giving people time to develop these skills.
Second, rethink what cybersecurity roles actually require. Not every position needs a decade of experience. Some organizations are having success building tiered teams where senior experts focus on complex threats while junior analysts handle monitoring and initial response. This approach develops talent while making better use of scarce expertise.
Third, leverage technology to multiply your team’s effectiveness. Automation can handle repetitive tasks, AI-powered tools can help less experienced analysts make better decisions faster, and integrated platforms reduce the complexity teams have to manage. Solutions like AI Security Operations Centres bring these capabilities together, giving smaller teams the ability to detect and respond to threats at a level that would otherwise require significantly more staff.
The reality is that Canadian organizations need to build rather than just buy their security capacity. That means committing to training, creating career progression, and using technology strategically to extend what smaller teams can accomplish.
For small and mid-sized businesses that don’t have large security teams or big budgets, what are one or two concrete actions they can take this year to reduce cyber risk while they work on longer-term talent and infrastructure investments?
For smaller organizations, the best starting point is getting the fundamentals right. That might sound simple, but most breaches exploit simple gaps that don’t require massive budgets to fix.
Multi-factor authentication is one of the most effective actions you can take. This single step blocks the vast majority of credential-based attacks, which are among the most common threats small businesses face. It’s relatively inexpensive and doesn’t require a large security team to manage.
The other concrete action is consolidating your security tools. Many smaller organizations have accumulated different point solutions over time, which creates complexity and gaps. Moving to integrated platforms means fewer tools to manage, better visibility, and less specialized expertise needed to operate them effectively. This actually reduces cost while improving security.
Beyond these tactical steps, smaller businesses should consider managed security services for capabilities they can’t build internally. You don’t need to hire a full security operations team if a trusted partner can provide monitoring and response.
The key is being realistic about what you can sustain. It’s better to do a few things well consistently than to attempt a comprehensive program you don’t have the resources to maintain. Start with high-impact, manageable steps and build from there.
Looking ahead, what gives you optimism about Canada’s ability to close the cybersecurity talent gap, and how do you see partnerships between industry, educators, and governments playing a role in strengthening our overall digital resilience?
What gives me optimism is watching real collaboration replace the usual talk. Industry, educational institutions, and government are starting to recognize they can’t tackle this alone.
The partnerships creating direct pathways into cybersecurity careers are what excite me most. Programs like Cisco Networking Academy work with colleges and universities across Canada to provide training connected to actual job opportunities. When employers help shape what’s being taught and provide hands-on learning environments, graduates show up ready to contribute from day one.
Government support matters too. Funding for skills development and programs that make training accessible helps us reach beyond the usual talent sources. Career changers, people returning to work, and diverse perspectives bring valuable experience to how we think about threats.
What encourages me is seeing the shift from identifying the problem to actually building solutions. Industry invests in training and commits to hiring. Educators adjust programs based on what the market actually needs. The government coordinates and supports these efforts. When it works, we create real pipelines of talent instead of everyone fighting over the same small group of experienced professionals.
