Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

At the recent Conversations Live with Stuart McNish panel on cybersecurity — part of the thoughtful public affairs dialogue series produced in partnership with the Vancouver Sun — industry leaders gathered to unpack the real-world risks shaping organizational resilience and national security. The event, held on Dec. 10, 2025, brought together experts from across the cybersecurity landscape to go beyond headlines and explore strategies for responding to evolving threats.

Earlier this year, FedRAMP RFC-0012 signaled a coming shift in how cloud service providers (CSPs) working with the U.S. federal government are expected to handle vulnerabilities. It outlined plans to move FedRAMP away from simple CVSS-score thresholds and toward continuous, context-aware, exploitability-driven, and automation-first vulnerability management.

Like any other global industry, financial services companies face tremendous challenges of scale and complexity when it comes to managing cyber risk across their digital supply chain. The financial services supply chain is composed of more than 1.6M third-party relationships across the industry ecosystem.

Modern engineering teams ship fast. Attackers move faster. CI/CD pipelines are no longer just build systems; they are a critical part of production infrastructure. A compromised pipeline can allow attackers to inject malicious code, poison dependencies, leak secrets, or deploy compromised builds directly to production. As Engineering Managers, we’re expected to maintain high delivery velocity while reducing security risks.

Applicability thresholds of state privacy laws often hinge on size or scale. TDPSA is different. It puts no revenue thresholds like CCPA or CPRA. So if your business operates in Texas or reaches the state’s residents, you’re most likely inside the scope already. The law took effect on July 1, 2024, and by January 2025, the universal opt-out obligations became fully enforceable. That transition is what moved TDPSA from a policy update to a website-level requirement.

From intelligent chatbots to autonomous agents, innovation has never moved faster thanks to GenAI. But with the rate of velocity comes a massive new challenge: a class of complex, non-deterministic security risks that traditional cybersecurity methods are simply not equipped to handle. AI-native applications are already running in production. Across industries, teams are deploying copilots, RAG systems, autonomous agents, and AI-powered workflows faster than traditional security processes can keep up.

AI agents are moving fast. They book meetings, draft emails, summarize calls, search internal knowledge bases, and increasingly act on behalf of users. And as more teams adopt these systems, a familiar question surfaces almost immediately: How does GDPR apply to AI agents? What we’ve learned—working with startups rolling out AI features across support, sales, HR, and engineering—is that GDPR is not a blocker.