The people behind CIMA+: Marc-André Gagnon – Director of Cybersecurity Services

1. Why did you choose consulting engineering?

CIMA+’s experts work with all critical sectors in Canada, including energy and utilities, finance, food, transport, government, information and communication technologies, health, water, security and manufacturing. Paradoxically, these sectors are increasingly targeted by cyber threats as they modernize and adopt new technologies. With CIMA+ already working in these sectors, there are great possibilities and opportunities in cyber security, and my team's work makes a real difference for our clients, as well as for our infrastructure.

2. Tell us about your career path and what led you to specialize in cybersecurity.

What first drew me to cybersecurity was my fascination with the subject. During university, I discovered that it was possible to compromise computer systems, sometimes in brilliant ways, and this sparked a deep curiosity in me: how was this possible?

This thirst for understanding naturally led me to dissect attacks, analyze intrusions, defend banking environments, perform intrusion tests, and above all, immerse myself in the logic of attackers. I spent years honing my technical skills. I learned their language, their methods, and their human and technological weaknesses.

But the further I went, the more obvious it became that the growing complexity of systems was beyond what one person could manage. Cybersecurity is not an individual sport: it is a multidisciplinary team sport that requires coordination, vision and trust.

That's when I realized that my greatest contribution would come not only from my technical skills, but also from my ability to engage teams, build solid defensive strategies, and create a culture of security so that this teamwork could generate positive outcomes.

3. What are the main cybersecurity challenges facing organizations today?

CIMA+ clients today face rapidly evolving and complex cybersecurity risks. These risks affect both traditional IT (information technology) and OT (operational technology) systems. The main challenges are:

• IT/OT convergence
  This means that our clients, particularly in the industrial, energy and municipal sectors, must integrate traditional IT services and technologies. However, these environments were sometimes developed 10 or 20 years ago and were not designed to face today's attackers. This convergence increases the attack surface and exposes critical infrastructure to sophisticated threats.
• The increase in targeted attacks
  Ransomware, compromised supply chains and state-sponsored threats pose major risks. These attacks target both control systems and sensitive data, often with significant operational impacts and even impacts on the population.
• Compliance and governance
  Regulatory requirements (NERC CIP, Law 25, etc.) are multiplying, as are recognized governance frameworks (ISO 27001, NIST CSF, NIS 2), and it is becoming a headache to determine what is really important and effective while maintaining day-to-day operations.
• Lack of internal resources
  Many organizations, especially medium-sized ones, do not have the internal cybersecurity teams or expertise to conduct penetration tests, cybersecurity audits, or even implement a cybersecurity program.

4. Can you tell us about a recent cybersecurity project that you are particularly proud of?

We carry out cybersecurity projects in various sectors. We are currently securing a network that controls autonomous mining trucks in mines in British Columbia. In the municipal sphere, we recently helped a client secure the network controlling its traffic lights and related equipment at intersections (cameras, pedestrian detectors, etc.). In the water sector, we have helped several clients increase their level of cybersecurity maturity by auditing their practices and providing recommendations to better protect their infrastructure against cyberattacks.

5. How does CIMA+'s approach stand out in the field of cybersecurity?

The approach we advocate is always based on the challenges and realities of our clients' sectors. Each sector has different technologies, different regulations and, above all, a different appetite for risk. It is always a question of finding the right balance for the client.

6. How do you collaborate with other CIMA+ experts to integrate cybersecurity into multidisciplinary projects?

When CIMA+ teams take on a technology project, regardless of the sector (construction, telecommunications, energy and resources, project management), they contact us so that we can quickly assess potential cybersecurity issues. For some low-risk projects, a simple consultation and general alignment are sufficient, while for others, our cybersecurity advisors will be involved throughout the project to ensure that cybersecurity is taken into account at every stage.

Even for our 100% cybersecurity projects, we always work with our engineers and experts in each field. This allows us to tailor our practice to the specificities of each sector and each technology.

7. What advice would you give to organisations wishing to strengthen their cybersecurity posture?

Invest in your people, not just in technology. The best technologies fall flat if teams are not trained or aware. Focus on continuous training and targeted awareness. And interdisciplinary collaboration is essential to building an active and sustainable defense plan.