If this edition reached you by email, thank you for reading. The full piece runs below.

The Layer We Are Not Training

Edition Two | Saturday, April 25, 2026

We are training the operator. We are not training the executive.

That is the pattern I want to put on your desk this Saturday morning. Canada is building cybersecurity capability at the wrong altitude. The training and capacity-building infrastructure available to municipalities, utilities, ports, and other critical infrastructure operators is built for the people who run the systems. The executives accountable for governance, board reporting, and what happens when a cyber event becomes an operational one have no equivalent infrastructure. The gap is not about curriculum quality. It is about layer.

I sat in a session this week that made the pattern visible.

It was a senior-led municipal cybersecurity webinar. The marketing positioned it as critical infrastructure focused. Twelve people identified themselves in the chat. Most were municipal IT operators and cyber administrators from small and mid-sized municipalities. Three CIOs. Two policy and legal counsel. Two consultants observing. One critical infrastructure operator. Zero CEOs. Zero CAOs. Zero elected officials.

The audience that converted was the audience the training landscape is built to serve.

The audience that was named in the marketing — the audience accountable for what the session was supposed to address — was not in the room. And if you are one of those executives reading this, the absence is not an oversight. It is a structural feature of the market you operate in. This edition is about the layer that did not show up, why the room is built to keep it that way, and what is going to be asked of you in the next twelve months that the current arrangement is not preparing you to answer.

Part One: The room composition is the diagnosis

The marketing for the session named the audience the training market wishes it could reach. Critical infrastructure. Senior leaders. Decision-makers. The audience that actually arrived was the audience the training market consistently reaches. IT operators. Cyber administrators. Technicians from municipalities small enough that one person carries the whole portfolio.

This is not a marketing failure. It is a pattern.

When a session is offered free, on a Wednesday at midday, on a webinar platform, with content pitched at an introductory level, the audience that converts is the audience that has the time, the autonomy, and the operational interest to attend. You do not have that combination available to you. Your time is gated. Your autonomy is shaped by board agendas and regulatory calendars. Your interest in cybersecurity is filtered through risk, exposure, and capital allocation, not through curiosity about cloud shared responsibility models.

The result is a self-selecting room. Operators show up because the format and the content are built for them. You do not show up because nothing about the format or the content signals that it was built for the questions you are accountable to answer.

This is the audience problem. The capacity exists at the operator layer. It does not exist at the executive layer. The rooms being built are recruiting the audience the format was always going to recruit. And the questions being asked of you are not questions that room is preparing anyone to answer.

Part Two: The boundary that named the gap

Partway through the session, the facilitator made a statement that I have been thinking about ever since.

The facilitator stated, openly and without hedging, that critical infrastructure outside the municipal office and the broader ecosystem of partner organizations were deliberately out of scope. This was not an aside. It was a stated boundary. The session was about the office itself. Not the port the municipality manages. Not the utility it owns. Not the hospital authority it partners with. Not the airport, the water system, the transit network, or the regional emergency coordination function. Just the office.

That boundary names exactly the space where most cyber events in Canadian critical infrastructure actually live.

A municipal ransomware event rarely stops at the corporate firewall. It moves through the connections between the municipal office and the operating entities the municipality is responsible for. The water utility runs on a network the municipal IT team partly administers. The port authority shares an identity provider with the municipal corporate environment. The MSP that supports the office also supports the operational technology environment of three other entities in the same region. The interconnections are where the exposure lives. Naming them out of scope does not make them disappear. It only makes them invisible to the people in the room.

This is the observation you should not let pass.

The training infrastructure available to your staff is, by design, scoped narrowly enough that the operational and partner exposure you carry is not part of the conversation. You do not have the option of declaring the partner ecosystem out of scope. Your board does not. Your insurer does not. Your regulator will not. The exposure follows the relationships you are accountable for, not the curriculum your team was sent to.

A boundary stated openly is more honest than a boundary that goes unsaid. But a boundary still concedes a gap. And the gap is on your desk, not theirs.

Part Three: The room you have already paid for

Here is the part of this edition I want you to sit with.

You have been in the room I am describing, even if you were not in this particular session. You have approved the cybersecurity training line item. You have signed the budget. You have assumed the team that came back was equipped to help you answer the questions the board would ask next quarter, the questions the insurer would ask at renewal, the questions the regulator is preparing under Bill C-8.

That assumption is the exposure.

The session I sat in this week was good at what it was designed to be. It introduced concepts. It oriented participants to language they would encounter in vendor conversations and policy documents. AI governance was introduced. Cloud shared responsibility was introduced. Shadow IT was introduced. The facilitator stated openly that baseline controls would not be covered. Strategies were named. Strategies were not unpacked.

That is appropriate for a foundational briefing. It is not the capability you need on your desk.

When your audit committee asks whether the organization's AI governance is defensible under Bill C-8, the answer they want is not "our team attended a session that introduced AI governance." They want evidence that the controls behind the language are operating. Your insurer wants the same. Your regulator, when Bill C-8 obligations land, will want the same. And the consequences of not having that evidence are no longer abstract. A denied insurance claim. A regulator finding. A board that loses confidence in the leadership of the cyber program. None of those outcomes are recovered by an awareness session, and none of them wait for you to catch up.

The executives accountable for the largest cyber exposures in this country are being trained by their IT teams. That is not a sustainable arrangement. It is the arrangement we have. And it is the arrangement you are inside, whether you have looked at it that way or not.

Part Four: What is going to be asked of you

In the next twelve months, you will be asked questions your team was not trained to help you answer.

Your board will ask whether the organization's AI use is governed, documented, and defensible. Your insurer will ask for evidence — not assertion — that cloud shared responsibility is operating across your MSP and SaaS estate. Your audit committee will ask what your exposure looks like if a partner organization is compromised, and they will not accept "we have a vendor management policy" as a sufficient answer. Your regulator, under Bill C-8, will ask for documented governance that traces from the board down through the controls.

These are not hypothetical questions. They are the questions executives in Canadian critical infrastructure are answering right now, with capability they did not build because they did not know they needed to.

The training market is not coming to fill that gap. It is not built to. The capability you need is not a webinar away. It is a discipline that has to be built deliberately, at the executive layer, with the same seriousness the operator layer has been built with for the past decade.

That work is yours. The board is not going to do it for you. The insurer is not going to wait for you to do it. The regulator is not going to grade on a curve.

Closing: Return on Trust at the executive layer

The room I sat in this week was the room the market is built to fill. The room you need is not yet being built at the same scale. That is the layer we are not training. And until we do, the exposure will continue to live in the gap between what your operators learn and what you are accountable to know.

Return on Trust, at the executive layer, is built by closing that gap deliberately. By treating governance, board reporting, and regulatory readiness as a discipline that requires its own infrastructure. By recognizing that the questions on your desk are not the questions a foundational briefing was designed to answer. By being honest, internally, about where the addressable capability ends and where your accountability begins.

You are not behind because you have not paid attention. You are behind because the market has not built what you need. That is a fixable problem. But it is not fixable by sending more people to the same rooms.

For Meridian Signal subscribers: Four questions to put on the table before the next training is approved

This section is for you, the subscriber. It does not run on LinkedIn.

Cybersecurity training is one of the easiest line items to approve and one of the hardest to evaluate. The session is on the calendar, the team attends, the certificate is issued, and the budget is closed. The harder question — whether the training is doing what your organization actually needs — rarely gets asked.

Four questions to put on the table before the next session is approved.

One. The scope question. When you send staff to cybersecurity training, what is being learned, and what is being assumed already known? If the session is foundational, do not assume the team is being equipped to answer board-level questions. If the session is specialized, be confident the prerequisite layers are already in place.

Two. The coverage question. Most cyber events in Canadian critical infrastructure live in the interconnections between an organization and its partners, vendors, and operating entities. What portion of the training you invest in actually addresses that interconnection layer, and what portion stops at the corporate office boundary?

Three. The depth question. Concepts introduced are not the same as controls implemented. AI governance, cloud shared responsibility, and shadow IT are vocabulary. Can your organization demonstrate, with evidence, that the controls behind the vocabulary are operating? If the answer is uncertain, the gap is not awareness. The gap is assurance.

Four. The audience question. Who in your organization is being trained to answer the questions a board, a regulator, or an insurer will ask? If the answer is "our IT team," pause. The IT team may be able to operate the controls. They are rarely the right audience to translate those controls into the language of governance, exposure, and capital allocation.

These four questions do not require you to attend a webinar. They require you to look at the training portfolio you are already investing in and ask whether the altitude matches the accountability.

That is a different conversation than the one most organizations are having today. It is the conversation Bill C-8 is going to force, on a timeline you do not control. The advantage goes to the executives who start it before they have to.

If AI governance and institutional risk are on your agenda, a private 30-minute executive briefing is available to you. No deck, no pitch, no follow-up sequence. One conversation, strictly in confidence.

Book your AI Governance Executive Briefing: portsecure.ca/strategy-session

The Meridian Signal publishes every Saturday morning. If this edition reached you through LinkedIn, subscribe for direct delivery at themeridiansignal.com

Cheers,
Walter Anderson
Founder and Strategic Advisor | PORTSECURE
