In this interview, Pam Smith, CISO, Citizen Services, Government of British Columbia explains that evolving cybersecurity awareness starts with communication, relationships, and making cyber risk relatable to the programs and services public servants deliver. Years of ingrained behaviour make change difficult, so the work begins with demystifying cybersecurity and helping employees understand how it directly connects to service continuity.
Effective shared responsibility requires cybersecurity teams to show up as partners—meeting program areas where they are, understanding their service delivery realities, and mapping risks across interconnected systems and downstream partners. Building these relationships takes time, but it is essential for weaving cybersecurity into everyday operations rather than treating it as an isolated function.
She emphasizes that annual training alone will never build a lasting culture of security. Real learning happens in the moment—when incidents occur, when mistakes like clicking a phishing link happen, and when teams openly discuss cause and effect. Cybersecurity must be a daily mindset reinforced through short, relatable touchpoints, not a once‑a‑year obligation.
Linking cybersecurity to business continuity reframes attacks as core service disruptions that threaten public trust. This shift requires regular practice, tabletop exercises, and repeated, meaningful engagements—not annual checkboxes. When a real incident happens, stress and emotion take over, so repetition is key to preparing teams to respond effectively and confidently.
Help your peers
Share what you've learned with fellow public servants
