How the City of Toronto embeds security across governance and operations
In this Help Net Security interview, Andree Noel, Deputy CISO at City of Toronto, discusses how the municipality strengthens its cyber defense by embedding security into strategic objectives and digital governance. She outlines the City’s approach to addressing evolving threats and modernizing legacy systems.
Noel also shares how data-driven metrics guide leadership in advancing municipal cyber resilience.

How do you translate the City of Toronto’s strategic objectives into a cyber security risk framework?
The City of Toronto’s Office of the Chief Information Security Officer (CISO) was established as a dedicated division in January 2020 to strengthen the City’s cyber posture and mitigate the impact of cyber incidents and growing cyber pressures.
Grounded in industry-recognized cyber security frameworks, the Office of the CISO has structured its approach around identifying, protecting, detecting, responding to and recovering from cyber threats. By embedding cyber security into strategic planning, procurement and governance processes, the City ensures that digital resilience is a driving force behind the achievement of its broader strategic objectives.
What major changes have you observed in the threat landscape over the past 3 years, especially for municipal governments?
Similar to many industries, the cyber threat landscape for municipal governments has continued to grow in complexity and volume. In this environment, the City continues to strengthen its defences against cyber disruptions to preserve the quality of life and uphold the seamless operation of essential services.
The Office has prioritized cyber resilience as a critical aspect of its operations and digital governance, proactively addressing emerging threats while embracing innovative technologies.
How do you address edge cases or legacy systems that are difficult to modernize?
The Office recognizes that legacy systems and edge cases present unique challenges to modernization, particularly within a complex and evolving threat landscape. The City of Toronto remains committed to strengthening its cyber resiliency to protect essential services and uphold public trust. Over the past five years, the Office has prioritized proactive defence, strategic innovation and collaborative governance to address these challenges.
The extended mandate adopted at City Council in 2024 (EX14.3) enables the Office of the CISO to collaborate more closely with the City’s agencies and corporations by providing baseline cyber security controls to improve cyber resilience aligned with cyber security industry standards and best practices. We continue to enable the City to modernize systems no matter the complexity, ensuring that even the most challenging environments are supported in their journey toward secure and sustainable transformation.
How do you balance data protection, privacy expectations, and open data mandates that many municipalities follow?
To balance data protection, privacy expectations and open data mandates, the Office partners closely with the City Clerk’s Office to conduct privacy assessments. This collaborative approach ensures that data governance decisions are informed by both cyber security and legislative perspectives. By aligning privacy requirements with transparency goals, we help the City responsibly share data while safeguarding sensitive information and maintaining public trust.
What metrics or key risk indicators (KRIs) do you use to measure the effectiveness of your cyber security program to senior leadership or elected officials?
The Office of the CISO advances the City’s cyber security posture through a data-driven approach that emphasizes transparency, accountability and operational impact.
During formal reporting processes, the Office provides updates on cyber services and program performance, including metrics such as incident response targets, service level agreements, compliance rates and cyber awareness training. These metrics, along with strategic Key Risk Indicators (KRIs), assist senior leadership and elected officials in assessing the effectiveness of cyber security initiatives and guide informed decision-making.