Case Study: Strengthening Cyber Resilience in Government: Strategies to Support Reliable Digital Services in the Digital Age

A coordinated response to close the gap between citizen expectations and the reality of current service delivery.

Heather Dailey 18 June 2025

"In today’s digital reality, now more than ever the GC must be cyber vigilant. By taking a proactive, risk-based approach and fostering strong collaboration, we can strengthen our defenses against the evolving cyber threats. Prioritizing cyber resilience is essential for secure government operations and ensuring the continued delivery of reliable digital services."

Po Tea-Duncan, Chief Information Security Officer of the Government of Canada, Treasury Board of Canada Secretariat 


Quick Facts

Organization: Government of Canada

Project Name: GC Enterprise Cyber Security Strategy

Established: May 2024 

Main Objective: To strengthen Canada’s digital government through a whole-of-government approach, and a secure and resilient cyber security framework.

Key Benefits: Improved threat detection and response, enhanced resilience across departments, coordinated cyber risk management, and protection of citizen data. 

Project Milestones: Launch of the GC Enterprise Cyber Security Strategy, establishment of a Target Security Operating Model (TSOM), and implementation of key initiatives related to the Strategy including the formation of a Purple Team and a compliance and assurance program supported by an integrated risk management platform and improved vulnerability management processes. 

Future Vision: Building a world-class, sustainable and resilient GC to reduce cyber security risks so that federal departments and agencies can enable secure and reliable digital service delivery.


Organisational Context

With the rapid digitalization of public services, the Government of Canada recognized a growing gap between citizen expectations and the reality of current service delivery. 

Increasing cyber threats - from state-sponsored espionage to evolving tradecraft and supply chain vulnerabilities - required a robust and coordinated response.

In response, the Treasury Board of Canada Secretariat launched the GC Enterprise Cyber Security Strategy in 2024, designed to modernize and secure digital government operations. It leverages a “secure by design” philosophy and unites federal departments around a single vision for enterprise-wide cyber resilience.


Challenges and Opportunities

The Cyber Security Landscape

  • Evolving Threats: The National Cyber Threat Assessment (NCTA) identified state-sponsored cyber espionage, including by the PRC, as a top-tier threat targeting over 20 federal departments.
  • Legacy Infrastructure: Fragmented systems across departments limit visibility and increase cyber risks.
  • Supply Chain Vulnerabilities: Threat actors increasingly target third-party providers, exploiting shared platforms.
  • Information Risk: Federal departments hold vast troves of personal and research data, making them prime targets.

Opportunity for Transformation 

The GC Enterprise Cyber Security Strategy represents a shift from ad hoc protection to an integrated, standards-aligned, and risk-informed model. It embraces a data-centric approach supported by zero trust architecture principles, based on industry best practices, and a proactive approach to anticipating, mitigating, and recovering from cyber threats.



Solution: Building a Resilient Digital Government

The GC’s cyber strategy is built on four key objectives to help federal organizations take a broader, enterprise-wide approach to protect their systems against cyber risks:

  1. Articulate cyber risk and its business impacts meaningfully for effective, action-oriented, and accountable decision-making
  2. Prevent and resist cyber-attacks more effectively towards a greater protection of GC information and assets
  3. Strengthen capabilities and resilience across the GC to proactively prepare for, respond to, and recover from cyber events
  4. Foster a diverse GC workforce with the right cyber security skills, knowledge and culture

Implementation is supported by a Target Security Operating Model (TSOM)—a blueprint for conducting cyber security operations including key processes with associated roles and responsibilities that are aligned with government policy requirements and strategic direction, guiding departments and agencies to better understand, manage, reduce, and communicate cyber security risks.

The Strategy and TSOM are grounded in the GC’s digital government policy framework, specifically the Policy on Government Security and the Policy on Service and Digital, which outline the baseline security controls that are foundational to strengthening the GC’s cyber security posture.


Implementation and Impact

Governance Reform

  • Strengthen the shared operational model between TBS, SSC, CSE, and departments.
  • Streamlined investment in shared cyber security solutions to avoid duplication and maximise return.

Operational Security Upgrades

  • Strengthened network security at the perimeter (edge devices) in response to advanced threat vectors.

Transparency and Preparedness

  • Keeping the GC Cyber Security Event Management Plan up-to-date with lessons learned from cyber incidents and cyber simulation exercises.

Cyber Culture and Awareness

  • Established standardized and mandatory cyber security awareness training across the federal government through courses available from the Canada School of Public Service.

Future Outlook: Enterprise-Wide Cyber Resilience by Design

The Government of Canada is setting a bold path forward with a strategy that prioritizes security by design, real-time data visibility, and unified threat response. Future initiatives include:

  • Centralised Data Asset Management - Creating end-to-end visibility of digital assets across departments.
  • Implementation - Modern endpoint security, robust identity access management (IAM), and proactive vulnerability management.
  • Third-Party Risk Management - Embedding cyber security clauses in all vendor contracts.
  • Cyber Security as a Team Sport - Reinforcing cross-department collaboration and governance for consistent defence postures.
  • Advanced Simulation Capabilities - Expanding purple teaming across departments to continuously test and evolve defences.
  • Emphasize "trust but verify" - moving away from self-assessments toward a continuous compliance and assurance approach (now operating within the existing cyber maturity self-assessment approach which has been implemented).

Lessons Learned and Key Takeaways

Cyber Security is a Shared Responsibility – Cross-departmental collaboration is essential to federal digital security.

Be Proactive, Not Reactive – Real-time detection, simulation, and monitoring are critical to preventing breaches. 

Standardization Builds Strength – A unified framework ensures consistent practices across a diverse digital environment.

Transparency Builds Trust – Public sharing of decisions and performance increases accountability and public confidence.

With its enterprise cyber strategy, the Government of Canada is positioning itself as a global leader in secure and resilient digital service delivery.


Published by

Heather Dailey Content Strategist, Public Sector Network