What 13 Years in the CAF Taught Me About Security Culture
I joined the Canadian Armed Forces as a Military Police Non-Commissioned Member (NCM) in my early twenties. At the time, security meant physical things – controlled access points, proper identification, protecting people and assets from tangible threats you could see and respond to in real time.
I had no idea I was also starting a 13-year education in security culture. One that would fundamentally shape how I think about cyber defence today.
What I thought security was
When I started, security felt binary. Either a door was locked or it wasn’t. Either someone had proper identification or they didn’t. Either a perimeter was intact or it had been breached. The responses were clear, the threats were visible, and the procedures were written down and drilled until they were second nature.
I thought civilian security would work the same way. Clear rules, clear threats, clear responses. I was wrong about that in ways that took years to fully understand.
The gap I didn’t expect
When I moved into IT infrastructure, the cultural shift was jarring. Not the technical part – that was just learning. The jarring part was watching how differently organizations approach security when the threats aren’t physical.
In the CAF, security isn’t a department you call when something goes wrong. It’s a baseline assumption woven into every procedure, every briefing, every piece of planning. You don’t prop a door open because it’s inconvenient to badge in twice. You don’t share credentials because it’s faster. You don’t skip the checklist because you’ve done it a hundred times and nothing has ever gone wrong.
In civilian IT, I kept running into the opposite assumption – that security is a layer you add on top of operations rather than something built into them from the start. Patches get delayed because they might break something. Default credentials stay in place because changing them takes time nobody has. Multi-factor authentication gets pushed back because users find it inconvenient.
The military calls that complacency. And complacency, in any security context, is how things go wrong.
What the physical world taught me about cyber
Spending years in physical security gave me a mental model that translates surprisingly well to cyber defence – once you learn to see the parallels.
Access control is access control. Whether you’re managing who can enter a secure facility or who can authenticate to a privileged account, the principles are identical. Least privilege, need-to-know, proper identification and verification. Zero Trust architecture isn’t a new idea to anyone who has worked a controlled access point. It’s just the same concept applied to network traffic instead of people walking through a door.
Layered defence is real. A single fence doesn’t secure a base. Neither does a single firewall secure a network. In the military you think in terms of rings – each layer slowing an adversary down, buying time, creating detection opportunities. Defence in depth in cybersecurity is the same concept with different tools.
Insider threat is the hardest problem in both worlds. The most difficult security challenges in the CAF weren’t external threats – they were people with legitimate access making bad decisions, whether through negligence, poor judgement, or deliberate action. The same is true in cyber. The perimeter matters far less than what’s happening inside it.
How I see things differently now
When I started in the CAF, I followed security procedures because they were the rules and the rules existed for good reasons. I didn’t always understand the reasons, but I trusted the framework and I executed.
Now, after moving into IT infrastructure and working toward a deeper understanding of cybersecurity, I see the reasons behind the procedures much more clearly. And that changes how I approach both worlds.
In the CAF, I’m now the Unit Information Systems Security Officer. That role sits at exactly the intersection I’m describing – military discipline applied to information security in a way that most purely civilian security practitioners never have to think about. Classified information handling, operational security, the relationship between physical and digital access controls. It’s all connected.
When the stakes are real
The clearest example I can point to from my own experience is my deployment on Operation IMPACT in 2018. From February to July, I served as a Tactical Aircraft Security Officer attached to Air Task Force - Iraq, supporting Combined Joint Task Force - Operation Inherent Resolve out of Iraq.
That role put me responsible for the physical security of Canadian Armed Forces aircraft in an active operational theatre. The threat environment was real, the consequences of a security failure were unambiguous, and there was no margin for the kind of complacency I would later encounter in civilian IT.
What struck me most wasn’t the intensity of the environment – it was how naturally the security culture functioned under pressure. Procedures were followed not because someone was watching, but because everyone understood exactly what was at stake if they weren’t. Accountability wasn’t imposed from above – it was mutual and horizontal. Every person in that environment understood that their individual discipline was load-bearing for the people around them.
That experience gave me a reference point I’ve never lost. When I’m now assessing a security posture in an IT environment – reviewing access controls, looking at patch cycles, evaluating how policies are actually being followed versus how they’re written – I’m always measuring it against that standard. Not because I expect civilian organizations to operate like a deployed military unit, but because I know what genuine security culture looks like when it’s working, and I can recognize when it isn’t.
In my civilian role as a Windows Server Administrator, I find myself thinking like an MP more often than I expected. Who has access to what and why. Where the gaps are between what the policy says and what people actually do. What the blast radius looks like if a given account or system is compromised.
The thing most security training doesn’t teach
Procedures only work if the culture supports them. You can write the best security policy in the world and it will fail if the people following it don’t understand why it matters or don’t feel accountable for the outcome.
The CAF gets this right in a way most organizations don’t. Security culture isn’t built through annual training modules or compliance checkboxes. It’s built through repetition, accountability, and leadership that models the behaviour it expects.
That’s the thing I carry from 13 years in uniform into every security conversation I have now. Tools and frameworks matter. But culture is the thing that either makes them work or renders them useless.
If you’re building a security program and the culture isn’t there yet, start there. Everything else is secondary.