Our distinctive experience
Driven by collaboration between its members, Cybereco’s projects tackle the challenges of cybersecurity in concrete terms. By leveraging collective intelligence, the organization fosters the co-creation of innovative solutions, the development of concrete tools and a positive influence on the sector’s direction.
Its agile, impact-driven approach enables us to anticipate emerging challenges and sustainably strengthen the digital resilience of Canadian organizations.
Cybertrousse Community
The Cybertrousse community was created in response to a crying need: to offer small and medium-sized enterprises (SMEs) concrete resources to strengthen their cybersecurity posture. Too often left to fend for themselves in the face of growing threats, SMEs lack accessible tools tailored to their reality. This community brings together experts, practitioners and partners committed to co-constructing a clear, useful and directly applicable awareness kit.
Objective and main deliverable
The community’s flagship deliverable is a cybersecurity awareness kit, designed specifically for SMEs. This kit aims to:
– Raise companies’ awareness of the main digital risks;
– Guide them in adopting best practices;
– Offer simple tools to start or structure their cybersecurity approach;
– Promote a gradual, realistic and sustainable rise in maturity.
Why this approach
Cybersecurity is no longer a luxury reserved for large organizations. In a context where SMEs are becoming prime targets for cybercriminals, it is essential to provide them with concrete, understandable and actionable resources. The Cybertrousse community is part of this drive to democratize cybersecurity and foster a culture of vigilance and digital resilience within Quebec SMEs.
Kit contents
The kit comprises several key components, each addressing a fundamental issue:
Phishing
Recognize and react to fraudulent e-mail or messaging attempts
Password
Adopt secure access management practices
Data protection
Ensure the confidentiality and integrity of sensitive data
Impersonation fraud
Protect against digital identity theft
Remote working
Govern the secure use of mobile devices and teleworking
Ransomware
Understand the threat and implement preventive measures
Internal Threats Community
The Internal Threats community has been set up to equip organizations to deal with a risk that is all too often underestimated: that which comes from within. As detection tools (SIEM, DLP, behavioral AI, etc.) multiply, governance, compliance and privacy issues become central. This community aims to provide a space for reflection and co-construction to better understand, frame and mitigate the risks associated with internal threats.
Main deliverable
The community is currently working on updating and enriching the internal threat protection guide. This guide aims to:
– Present the types of detection mechanisms used in organizations;
– Draw up an overview of the ethical, legal and operational issues associated with their deployment;
– Offer concrete recommendations that can be applied in different organizational contexts.
Why this approach
The insider threat is a complex, multidimensional phenomenon that affects all organizations, whatever their size or sector. Managing it requires close coordination between security teams, legal departments, human resources and management. By pooling expertise within the community, we aim to:
- Promote a shared understanding of the phenomenon;
- Define a balanced framework for action that is both effective in terms of security and respectful of rights;
- Provide organizations with the tools they need to implement prevention strategies tailored to their specific situation.
What we're working on
The guide is structured along the following lines:
Background and definition
Understand the nature of internal threats, how they manifest themselves and the impact they have on organizations.
Detection technologies
Exploration of tools such as SIEM, DLP, AI solutions, and their integration into IT environments
Privacy and surveillance
Balance between security and respect for fundamental rights, principles of proportionality, consent and minimization
Regulatory frameworks
Compliance with Bill 25 (QC), RGPD (EU), CCPA (California), etc.
Governance
Roles and responsibilities of CISOs, DPOs, management and partners in implementing an effective program.
Legal risks
Case studies, case law, consequences of non-compliance.
Practical recommendations
Practical tools (checklists, sample contract clauses, best training practices).
Third-Party Management Community
The Third-Party Management community was created to meet a growing need: to help organizations, particularly SMEs, structure and strengthen their management of suppliers, subcontractors and digital partners from a cybersecurity perspective. In a context where supply chains are increasingly interconnected, third parties now represent a major vector of risk. Incidents such as SolarWinds and MOVEit have demonstrated the extent to which an external breach can have serious internal consequences. Yet SMEs often lack the resources, time or expertise to implement robust practices.
Main deliverable
The community is working on a strategic and pragmatic white paper, specifically adapted to the context of Quebec SMEs. This document will aim to:
- Take stock of current third-party management practices;
- Analyze applicable legal obligations (e.g. Law 25);
- Integrate international standards (ISO, NIST, etc.) in a contextualized way;
- Propose concrete, actionable recommendations.
Why this approach
Because third-party management is now a pillar of organizational security, and without support, SMEs risk remaining weak links in the chain. This community wishes to:
- Offer a credible, applicable and localized reference in Quebec;
- Provide SMEs with practical tools to enable them to take action without the burden of jargon;
- Possibly lay the foundations for simplified certification mechanisms or concerted sectoral initiatives.
What we're working on
The community mobilizes its collective expertise in the following areas:
Identifying issues specific to Quebec SMEs
Regulatory analysis: Law 25, RGPD, sectoral obligations
Adaptation of international best practices (ISO 27036, NIST SP 800-161, etc.)
Production of pedagogical and operational content: templates, grids, tools
Definition of a progressive implementation path for low-resource organizations
Intended contents of the white paper
- Maturity self-assessment tools;
- Standard contractual clauses to govern relations with third parties;
- Threat catalogs by supplier type;
- Maturity grids to guide organizational progress.
AI Community - Artificial intelligence and cybersecurity
The rise of artificial intelligence (AI) is profoundly transforming organizations, both in their operational practices and in their cybersecurity posture. While AI opens the door to major gains in efficiency, automation and threat detection, it also raises new risks: hallucinations, data leaks, adversarial attacks, deficient algorithmic governance, etc.
The AI Community was created to help organizations frame the adoption of artificial intelligence in a way that is responsible, safe and in line with their business and regulatory realities.
Objectives
- Assess the risks and opportunities associated with the use of AI in business processes and security functions;
- Share AI management and governance practices (internal policies, charters, evaluation mechanisms);
- Identify relevant use cases for AI in cybersecurity (SOC, DLP, EDR, GRC, etc.);
- Encourage the controlled adoption of generative AI in the enterprise, while respecting data confidentiality and integrity.
Why this approach
Artificial intelligence cannot be adopted blindly. It requires a rigorous, interdisciplinary and evolutionary framework to avoid excesses and maximize benefits.
This community enables organizations to:
- Share their initiatives, concerns and concrete experiences;
- Develop a responsible AI culture aligned with cybersecurity principles;
- Prepare for future regulatory requirements and society’s expectations;
- Harness the full potential of AI while minimizing risks to people and information assets.
Work in progress
The community structures its reflections and deliverables around the following axes:
Supervision of generative AI in companies
- Usage policies, access to tools, training and awareness;
- Risks linked to information leaks, misinformation and content manipulation.
AI supplier evaluation
- Selection criteria, contractual clauses, transparency and explicability requirements;
- Alignment with emerging regulations (EU AI Act, Canadian guidelines).
Governance and algorithmic accountability
- Traceability of automated decisions, right to explanation, algorithmic biases;
- Roles and responsibilities: ethics committee, AI management, security, legal.
Using AI to strengthen cybersecurity
- AI tools for behavioral analysis, anomaly detection, alert triage;
- Limitations and framing of the use of AI in critical contexts.
Health IoT Community
The growing deployment of connected objects (IoT) in the healthcare sector – medical sensors, wearable devices, remote monitoring equipment, smart pumps, etc. – raises major challenges in terms of cybersecurity, confidentiality and operational resilience.
In an environment where the availability, integrity and security of data can have a direct impact on patient health, it is becoming essential to manage the entire lifecycle of these devices.
The Health IoT community was created to bring together technical experts, clinicians, information security officers and managers to share concrete practices and build a common approach across the healthcare network.
Objectives
- Document the specific cybersecurity challenges of connected medical devices;
- Propose a governance framework for the deployment, management and decommissioning of IoT;
- Share use cases, real-life incidents and feedback on the integration of connected objects in healthcare environments;
- Encourage cooperation between clinical, IT, biomedical and legal departments;
- Highlight the responsibilities of manufacturers, purchasers and operators.
Why this approach
The healthcare sector is a prime target for cyber-attacks, and the rapid increase in connected devices is multiplying the surfaces of exposure.
This community aims to:
- Strengthen digital security in healthcare establishments without holding back innovation;
- Provide equipment management teams with practical tools;
- Promote a multidisciplinary approach that takes into account clinical and operational constraints;
- Contribute to a shared vision of medical cybersecurity across the Quebec healthcare network.
Work in progress
The community’s reflections are structured around the following axes:
Framing: inventory and classification of health IoT devices
- Equipment typology (diagnostics, monitoring, administration, etc.);
- Critical level, dependencies and network exposure.
Governance and safety frameworks
- Purchasing policies, minimum security requirements (firmware, encryption, updates, etc.);
- Device life cycle: installation, maintenance, removal.
Risks and vulnerabilities
- Unauthorized access, update failures, inadequate segmentation, unencrypted communications;
- Potential consequences for data confidentiality or continuity of care.
Integration with hospital IT environments
- Identity management, network segmentation, flow monitoring, anomaly detection;
- Collaboration between IT, biomedical and clinical teams.
Regulations and compliance
- Alignment with the requirements of Bill 25, ISO standards (27001, 27799), MSSS guidelines and FDA/EMA recommendations.
Impérium Project
Faced with the growing complexity of digital environments, public and private organizations in Quebec need to strengthen their ability to manage technological risks in a proactive, integrated and context-specific way.
The Impérium project was born of a common desire on the part of institutional and sector players (Desjardins, BRP, Deloitte, etc.) to build a structuring and accessible framework to equip organizations in terms of governance, accountability and technological risk management.
This community aims to co-construct the foundations of a Quebec model of technological governance, aligned with international best practices while responding to concrete needs in the field.
Objectives
- Provide boards of directors, senior management and management committees with tools for understanding, assessing and managing technological risks;
- Clarify responsibilities and accountability mechanisms for cybersecurity, business continuity and digital transformation;
- Offer a common language and simple indicators for dialogue between technical experts, managers and decision-makers;
- Promote a cross-functional approach to risk management, including compliance, resilience, performance and innovation.
Why this approach
Technological risk governance can no longer be left to technical teams alone. It must be taken to the highest level, with concrete tools, clear accountability and the ability to arbitrate between performance, innovation and safety.
The Impérium Project enables organizations to:
- Structure their approach to digital governance without excessive complexity;
- Clarify who does what, why and with what resources;
- Increase their resilience and ability to anticipate technological crises;
- Create a culture of shared governance, based on concrete, scalable and contextualized tools.
Work in progress
The community is organized around several working groups, each responsible for a key aspect of the Impérium framework:
Governance framework
- Definition of roles and responsibilities: Board of Directors, Audit Committee, CIO, DPO, senior management;
- Governance models adapted to different types of organizations (SMEs, NPOs, large corporations).
Assessment of maturity and controls
- Self-assessment tools, maturity grids, interpretation guides;
- Links with existing frameworks (NIST CSF, ISO 27001, COBIT, etc.).
Monitoring indicators and dashboards
- Definition of key performance indicators (KPIs) and key risk indicators (KRIs);
- Visualization for management and governance committees.
Risk appetite and prioritization
- Frameworks for defining organizational risk appetite
- Alignment between technological, business and regulatory risks.
Technology implementation and integration
- Models for integration into existing CRM, ERP or dashboard tools;
- Best practices for gradual deployment.
Cloud and cybersecurity community
The accelerated adoption of the cloud is profoundly transforming the technological architecture of organizations. Cloud services, hybrid infrastructures, SaaS, PaaS, IaaS models: these are all opportunities… but also new risks in terms of governance, confidentiality, compliance and access management.
Quebec organizations have to navigate a constantly evolving ecosystem, often with limited resources or strong regulatory constraints.
The Cloud and Cybersecurity community has been set up to support this transition by promoting the sharing of expertise, the documentation of concrete practices and the development of guides adapted to the local context.
Objectives
- Provide a governance framework for public, private and hybrid cloud environments;
- Help organizations select, integrate and secure cloud services;
- Share architecture models, supplier evaluation criteria and essential technical controls;
- Meet compliance requirements (Law 25, RGPD, ISO standards) in a multi-cloud context;
- Promote consistency between IT, security, legal and operations.
Why this approach
The cloud is often seen as a lever for transformation… as long as it is properly managed. Without a rigorous framework, it can become a source of confusion, cost overruns and even critical flaws.
This community enables organizations to:
- Adopt the cloud in a way that is secure, compliant and consistent with their business strategy;
- Accelerate their digital transformation without compromising risk governance;
- Share proven solutions adapted to Quebec realities;
- Create a culture of cloud-based cybersecurity, supported by all stakeholders.
Work in progress
The community is organized around several working groups, each responsible for a key aspect of cloud security:
Cloud governance frameworks
- Shared responsibility models;
- Alignment between contracts, security and operational processes.
Security in multi-cloud environments
- Basic controls: encryption, access management, audit logs, network segmentation;
- Configuration monitoring (CSPM), automation of secure deployments.
Choosing and evaluating cloud providers
- Evaluation grids, critical contractual clauses, audits and certifications;
- Vendor lock-in risk management.
Regulatory compliance and data sovereignty
- Data localization, cross-border export, contractual requirements;
- Integration of Law 25 obligations into cloud models.
Awareness-raising and support
- Popularized documentation for business teams;
- Self-assessment tools and in-house training.
Light manufacturing and cybersecurity project
Light manufacturing SMEs in Quebec are undergoing an accelerated digital transformation. However, this modernization is exposing their operational technology (OT) environments to major cyber risks: production interruption, tampering with CNC controls, uncorrected vulnerabilities, lack of segmentation, etc.
The Light Manufacturing and Cybersecurity project, supported by Cybereco and CNIMI, aims to design, test and deploy a solution for these companies that is robust, easy to integrate, affordable and developed locally using Quebec innovations.
Objectives
- Prototype and validate a cybersecurity solution focused on OT environments and designed for the specific needs of light manufacturing SMEs;
- Strengthen the resilience of these companies without undermining their productivity or imposing excessive complexity;
- Accelerate the integration of best practices from industry standards (NIST CSF, IEC 62443);
- Support the development of skills among Quebec technicians and engineers through practical training linked to the deployment of this solution.
Why this approach
- Most SMEs have neither the budget nor the internal resources to equip themselves with secure OT solutions;
- Conventional IT approaches are not compatible with industrial constraints (availability, equipment lifetime, etc.);
- Recourse to foreign solutions remains costly, not very contextualized and sometimes over-dimensioned;
- A locally-proven, modular, Quebec-based solution enables widespread, rapid and sustained adoption.
This project structures industrial cybersecurity as a strategic lever for competitiveness, while helping to raise the profile of Quebec’s cybersecurity ecosystem applied to Industry 4.0.
Technological components of the solution
The solution is built around several technological components, each addressing a key aspect of OT security:
Intelligent OT perimeter protection
- Industrial micro-PCs acting as firewalls, with protocol filtering, segmentation and VPN tunnels.
- Deep packet inspection (DPI) adapted to industrial protocols (Modbus, OPC UA, etc.).
AI-based behavioral detection
- Analysis of "normal" equipment traffic (CNC, molding, robots) and automatic detection of deviations.
- Virtual protection of legacy devices via virtual patching.
Centralized OT security management
- Unified interface for monitoring, security policy management and dynamic rule adaptation.
- Easy integration with existing production environments.
Post-quantum cryptography community
The Post-Quantum Cryptography community was created to support Cybereco member organizations in the face of a major technological transformation: the imminent arrival of quantum computing and the risks it poses for current cryptography.
The objective is clear: to put in place a structured and adapted transition framework to enable organizations to prepare for this revolution now, and thus mitigate the risks associated with the future compromise of traditional cryptographic algorithms.
Main deliverable
The community is working on a strategic and operational support framework to facilitate the migration to quantum-attack-resistant cryptography.
This framework will include:
- An inventory of the risks associated with the emergence of quantum computing;
- Concrete mitigation measures (crypto-agility, asset management, prioritization);
- Transition planning tools;
- Examples of progressive implementation (roadmap, best practices, multi-year migration plan).
Why this approach
Cryptography is the foundation of modern digital security. But this foundation will be undermined as soon as quantum computers reach a critical power threshold.
Waiting for the threat to become a reality means exposing yourself to retroactive attacks on sensitive data stored today.
By structuring the transition now, this community enables organizations to:
- Anticipate technological and regulatory impacts;
- Avoid rushing into decisions under pressure;
- Protect their assets, customers and reputation over the long term.
What we're working on
The framework is structured along the following lines:
Understanding the threat
Explanation of the impact of quantum on RSA, ECC and other classical algorithms; "store now, decrypt later" scenario.
Cryptographic asset mapping
Identification of systems, data and suppliers at risk.
Organizational impact assessment
Legal (Law 25, RGPD), technological (hardware, software) and operational (supply chains) aspects.
Migration plan to post-quantum cryptography (PQC)
Definition of priorities, integration of crypto-agility, alignment with NIST recommendations.
Raising awareness among management and stakeholders
Get the subject recognized as a strategic risk that needs to be addressed now.
Data Protection Community
The Data Protection community was created in response to the growing challenges associated with managing unstructured data, which today accounts for a large, growing and often neglected part of organizations’ information assets. This data (documents, e-mails, images, videos, messages, etc.) is difficult to inventory, classify and protect, making it a major vector of legal, operational and strategic risk.
Main deliverable
The community is working on a practical guide to protecting unstructured data, with a particular focus on labeling, governance, compliance (Law 25, RGPD) and technological tools.
This guide is aimed at a multidisciplinary audience: CIOs, DPOs, security managers, IT architects, data managers and operational teams.
Why this approach
Regulatory obligations (notably Bill 25 in Quebec) demand rigorous control of personal information, including in unstructured formats. Yet most organizations underestimate the volume and sensitivity of this data.
This community aims to:
- Strengthen collective expertise on these technical, legal and organizational issues;
- Equip organizations with applicable practices and concrete models;
- Foster innovation in information security, based on a collaborative and evolutionary approach.
What we're working on
Understanding unstructured data
- Definition, use cases, distinctions with structured and semi-structured data;
- Specific problems: lack of schema, varied formats, accessibility, dispersed storage.
Why label data?
Legal reasons (Act 25, RGPD, NIST) and compliance issues;
Information security: classification, protection, encryption;
Efficiency: automation, archiving, lifecycle, risk reduction.
Taxonomy and labeling systems
Sensitivity, compliance and business labels;
Recognized standards (Microsoft Purview, ISO/IEC 27001/27002);
Integration into Microsoft 365, DLP, SIEM, etc. environments.
Stages of a classification project
Identification of sources, scope and objectives;
Selection of tools (manual, automated, classification AI);
Deployment, training, adoption and ongoing governance.
Best practices and pitfalls to avoid
Avoid under/over-classification;
Keep classification alive and relevant;
Align policies with business needs and legal requirements.
DevSecOps & AppSec community
This community aims to integrate cybersecurity into all stages of the software development cycle. By combining DevSecOps and AppSec, its mission is to strengthen application and infrastructure security, while adapting practices to the realities of Quebec organizations.
Objectives
- Create a forum for practitioners to share challenges, tools and best practices;
- Promote the adoption of “by design” security right from the software design stage;
- Identify relevant partners, tools and frames of reference within the Canadian ecosystem;
- Collectively evaluate centralization strategies, RACI models and remediation approaches;
- Promote a culture of security among developers, with structuring support from the AppSec team.
Why it matters
At a time when software vulnerabilities account for a growing proportion of security incidents, this community enables organizations to:
- Align development and cybersecurity practices in a collaborative approach;
- Take advantage of feedback from organizations of all sizes;
- Develop practices pragmatically, in line with the constraints and operational realities of IT teams.
Deliverables and work in progress
Current deliverables and work in progress include:
Thematic sessions based on real cases and AppSec roadmaps
Comparative analysis of centralized vs. decentralized approaches to security in development
Discussions on integrating security models into CI/CD pipelines, including secret detection, WAF "as code" management and SBOMs
Development of recommendations on targeted training tools, threat modeling, partial remediation automation and internal CTFs as a culture lever.
Data Loss Protection (DLP) Community of Practice
The DLP Data Loss Prevention community brings together technical experts from the public and private sectors to collectively strengthen the security posture of organizations in the face of the risks of exfiltration, leakage or mishandling of sensitive data.
It aims to create a collaborative space for sharing configurations, testing innovative approaches, solving common challenges and supporting each other around data loss prevention platforms.
Objectives
- Create a forum for practical exchanges on DLP tools;
- Document and compare labeling, encryption and policy configuration strategies;
- Share lessons learned from large organizations;
- Pool knowledge to avoid recurring errors;
- Promote the adoption of technical best practices within cybersecurity teams.
Why it matters
As sensitive data is increasingly dispersed across hybrid environments (cloud, local, mobile), DLP tools need to be finely tuned and adapted to the business context.
This community enables organizations to:
- Share their successes and failures, to avoid duplication of effort;
- Co-construct a common base of useful configurations, adapted to their realities;
- Support innovation and operational agility, while maintaining strict compliance with regulatory obligations (Law 25, ISO standards, etc.).
Work streams
The community is organized around several sub-themes and collaborative workshops:
Microsoft Purview & AIP stream
RegEx & detection stream
OCR & exfiltration monitoring stream
EDM / IRM (information rights management) stream
SASE & new technologies
GIA (Identity and Access Management) Community of Practice
The GIA community was created to equip organizations in one of the critical foundations of their cybersecurity posture: identity and access management. As digital environments become more complex and distributed (remote users, cloud access, third-party suppliers), access control is becoming a strategic issue, as much to prevent intrusions as to comply with regulatory requirements (Law 25, RGPD, etc.).
The aim of this community is to bring together experts, architects, IT managers and governance professionals around concrete solutions adapted to the realities of Quebec organizations.
Objectives
- Promote the sharing of identity and access management practices, models and architectures;
- Clarify roles, responsibilities and processes related to the identity lifecycle (creation, modification, deletion);
- Explore key technologies (IAM, IGA, MFA, SSO, RBAC, etc.) and their integration in various contexts;
- Support alignment between IT teams, HR departments, security teams and management;
- Help organizations build consistent, sustainable and compliant IAM governance.
Why this approach
Poor identity and access management is at the root of many security incidents. Yet it remains a major challenge, especially for organizations with limited resources or heterogeneous environments.
This community enables organizations to:
- Develop a structured approach based on real-life use cases;
- Improve resilience to internal and external threats;
- Simplify audits and reinforce compliance;
- Reduce friction for end users, while increasing security levels.
Work in progress
The community structures its exchanges and deliverables around the following axes:
GIA governance models
- Definition of roles (identity owners, approvers, operators, auditors);
- Stakeholder and process mapping.
Identity lifecycle
- Onboarding, internal mobility, temporary access management, offboarding;
- Integration with HR systems, ERP, CRM, etc.
Access control
- RBAC, ABAC models, principles of least privilege, separation of duties;
- Privileged Access Management (PAM).
Authentication and federation
- Implementation of multifactor authentication (MFA);
- SSO and identity federation (SAML, OAuth, OpenID Connect).
Audits and compliance
- Access monitoring, periodic reviews, anomaly alerts;
- Alignment with regulatory requirements (Law 25, ISO 27001, etc.).