Cybersecurity at a university is a different kind of challenge. Every year, tens of thousands of students log on and log off, researchers run their own servers, and the network never stops moving.
For Brent Fowles, Western University’s director of cybersecurity and CISO, protecting that environment means balancing freedom with control and turning security into a shared responsibility.
That approach recently earned him the CanadianCIO CISO of the Year Award, presented by CIO Association of Canada nd sponsored by Infolaser.
Western’s cybersecurity story reflects a challenge facing many organizations today. As digital systems grow more distributed, protection depends on coordination as much as technology.
Fowles and his team have strengthened monitoring, governance, and communication across faculties to safeguard a campus built on independence. The result is a model of collaboration that other complex institutions can learn from.
Securing a decentralized and transient enterprise
Western runs on a federated IT model, where technology decisions are made across departments instead of through a single office. It allows researchers and faculty members to innovate quickly but also makes standardization difficult. For cybersecurity leaders, it creates an environment where coordination depends more on trust and collaboration than on control, which is an approach rarely seen in corporate settings.
Central IT sets the rules, while faculties and departments retain the freedom to choose the technologies and tools that best support their work. The structure supports academic independence but adds complexity, with multiple systems and approaches coexisting across campus.
Managing that environment requires balancing autonomy with central oversight.
“It’s like running a small city,” says Fowles. “You have students who might also be teaching assistants or staff. Role management and access control are much more complex than in a corporate setting.”
Fowles’ team uses software and external partners to keep watch over the university’s entire IT environment. They’ve rolled out extended detection and response software (a type of cybersecurity tool that collects and analyzes threat data from multiple sources) across most computers and devices, and they work with a third-party security service that monitors the network around the clock.
“We never had that in the past,” he says. “Now I sleep better at night and over the weekends.”
Awareness and education have been another focus. Quarterly phishing simulations have given the team better insight into where vulnerabilities exist.
“We expected people to be coming in with better awareness, but it wasn’t true,” says Fowles. “Every new crop of students was giving too much trust to the things coming from a university email.”
That insight has reshaped Western’s training programs. New and international students now receive cybersecurity guidance as soon as they receive their campus email accounts, and the team works closely with residence and orientation staff to reach them before classes begin.
“We try to get to them before they even start classes,” he says.
To reach students more effectively, Western’s cybersecurity office teamed up with interns from the Faculty of Information and Media Studies to rethink how it shares security advice on campus.
“They come up with stuff we’d never think of,” says Fowles. “They were even talking about sponsoring a movie night to get cybersecurity messages in front of students.”
Translating risk into institutional priority
Most organizations struggle to make cybersecurity more than a technical checklist. Western’s experience shows what it takes to turn protection into policy.
That shift began with the introduction of a Crown Jewels Analysis (CJA). This process required Fowles and his team to meet with people throughout the university to identify the assets most essential to their operations.
“It required us to go out and have conversations not only with the IT folks across campus, but with every unit, every faculty, every administrative unit, and deans,” he says.
The CJA is a methodology developed by MITRE to help organizations identify their most valuable digital assets, the “crown jewels” whose loss or compromise would cause the greatest harm. It reframes cybersecurity from protecting everything equally to protecting what matters most, translating technical risk into language executives and boards can act on.
Rather than focus on well-known systems like the enterprise resource planning or learning management platforms, the exercise revealed overlooked vulnerabilities.
“When you think about what a crown jewel is, it’s not just what are your most important systems,” says Fowles. “It’s what are your most important systems that somebody is going to try and compromise, either for disruption or financial gain.”
That analysis surfaced unexpected risks, including the camp software used to manage youth programs on campus.
“It popped up and came to the top of the list because we have a lot of camps that collect a lot of information, health data, payment data,” he explains. “These systems were often not well protected. The data was retained too long. They held a huge cache of data that was a really big target.”
The findings gave university leaders a clearer view of how cybersecurity ties into institutional risk and decision-making. That alignment matters for any organization trying to secure resources, because once leadership sees the stakes, security stops being a background task and becomes a shared priority.
“We were able to come up with three high-priority items that were high risk, high impact, and very likely to be compromised,” says Fowles. “It allowed us to take a risk-based approach and work top down through the list.”
Leading through accelerating risk
The pace of cyber threats keeps accelerating, and that speed is reshaping how leaders think about protection.
“Phishing campaigns are so much better,” he says. Advances in generative AI have made phishing attempts more convincing and personalized. Attackers can now generate realistic messages and mimic trusted voices at a speed and volume that overwhelm traditional defences.
Zero-day exploits are another example of how quickly the threat landscape is changing.
“A few years ago, you might have had weeks to deal with a zero-day vulnerability,” says Fowles. “Now we’re seeing attacks in the wild starting within 15 minutes of a zero-day being discovered.”
A zero-day vulnerability is a software flaw attackers exploit before a fix is available. Because the developer is unaware at the time of discovery, organizations have zero days to prepare, which makes early detection and rapid response crucial.
That level of risk changes the role of cybersecurity from defence to anticipation. That pace reinforces the need for a zero-trust mindset.
“It’s really more about the mindset,” says Fowles. “We’ve had to sell a culture that says this is not an IT problem. We can’t protect you unless we think about zero trust in a conceptual way.”
External partnerships have helped Western scale its response capacity.
Collaborations with CrowdStrike, Mandiant, and ReliaQuest have expanded its technical capabilities, while networks with other universities have improved collective defence.
“The number of other university CISOs and CIOs I can reach out to in a given day is incredible,” says Fowles. “When somebody’s under threat, we can let others know they’re probably going to face it in the next couple of hours.”
That interconnected approach to security reflects a wider shift across the technology ecosystem.
“Every endpoint matters, whether it’s a server, a laptop, or a printer,” says Marc Joly, president of Infolaser, sponsor of the CISO of the Year Award. “Organizations are realizing that cybersecurity isn’t just about software. It’s about every device and every person connected to the network.”
Fowles sees the same mindset extending to new frontiers of risk. AI-driven attacks are testing defences in real time, and quantum computing poses a longer-term challenge to encryption.
“The encryption problem we all face with quantum is really a risk that I’m not sure any of us are ready for,” he says. “We don’t know what data has been collected and hoarded, waiting for quantum to become a reality.”
What’s at stake for Canada’s digital resilience
“When you showcase the best CISOs in the country, you’re not just celebrating success,” says Joly. “You’re creating examples others can learn from — and that strengthens cybersecurity across Canada.”
For his part, Fowles credits his team for the recognition the award represents.
“It’s less about me,” he says. “My team is the core of all the good work we’re doing here.”
But the implications of his work extend beyond one university. As Canada’s research institutions and enterprises become more connected, cybersecurity has become a foundation for economic competitiveness and public trust.
The same decentralized systems that fuel innovation can also expose vulnerabilities if governance, collaboration, and investment don’t keep pace.
Western’s experience shows that building resilience depends on leadership as much as technology.
The ability to translate technical risk into institutional language, align diverse teams around a shared strategy, and act quickly in the face of uncertainty are now essential skills for any executive.
In Canada’s innovation economy, leaders like Fowles are demonstrating how cybersecurity strengthens trust, ensures continuity, and enables growth in an era where digital infrastructure supports nearly every aspect of progress.
Final shots
- Cybersecurity is governance, not just IT. Western’s success shows that protection improves when security risk is framed as an institutional and leadership issue, not a technical function.
- Decentralization demands collaboration. The more distributed your systems and teams, the more critical trust, communication, and shared accountability become.
- Prioritize what matters most. Using a Crown Jewels Analysis to identify high-impact assets helps leaders direct limited resources toward the risks that truly threaten continuity.
- Culture beats compliance. Awareness programs that reach people where they are, before incidents happen, create lasting change more effectively than mandatory checklists.
- Leadership drives resilience. Executives who can translate technical risk into business language and act decisively under pressure are key to protecting competitiveness in Canada’s digital economy.
Digital Journal is the national media partner for the CIO Association of Canada.
