Mary Carmichael didn’t set out to work in cybersecurity — it found her.“If you told me years ago that I’d end up in cybersecurity, I probably would have laughed,” she says.Her early career as a CPA revolved around spreadsheets, controls, and financial statements. But while helping organizations modernize their finance operations and implement ERP systems, she began to notice a recurring pattern: the critical questions everyone asked weren’t just financial — they were about trust:“Who has access?""Who approved this?""What happens if the system goes down tomorrow?”That realization changed everything. For Carmichael, cybersecurity wasn’t an abstract technical discipline — it was an extension of the governance principles she’d practiced all along. “As accountants, we’re not just counting beans,” she explains. “We’re ensuring systems are fit for purpose, balancing performance with protection.”The same accountability and transparency that define sound financial reporting also underpin strong cybersecurity. That insight guided her evolution from CPA to cybersecurity and AI governance leader, helping her redefine how trust is built in a digital world.
At Momentum Technology and Toronto Metropolitan University, Carmichael exemplifies what modern cybersecurity leadership looks like — cross-disciplinary, collaborative, and grounded in trust. For her, securing systems is only half the mission; the real goal is safeguarding the confidence that allows innovation to thrive.
Bridging worlds: From accounting to cybersecurity practice
Today, as a cybersecurity and AI governance strategist at Momentum Technology and a Catalyst Fellow at Toronto Metropolitan University’s Rogers Cybersecure Catalyst, Carmichael’s work sits at the intersection of finance, technology risk, and emerging AI oversight. Her greatest contribution, she says, has been connecting two worlds that often don’t speak the same language — accounting and cybersecurity.“Governance, risk management, and assurance have always been part of accounting, but they’re equally vital in cybersecurity,” she notes. Through her leadership roles with ISACA Global — including authoring the organization’s widely read Tips column, contributing to updates of ISACA’s IT Audit Framework, and speaking at conferences worldwide — she’s helped expand how both professions think about risk.Her work draws clear lines between traditional financial oversight and the challenges of emerging technologies.“How do you measure value and accountability in AI?” she asks. “The answers often start with the same principles that have guided accountants for decades.”For Carmichael, cybersecurity isn’t just about preventing breaches; it’s about sustaining trust in systems that increasingly make life-and-death decisions. By uniting the disciplines of finance, governance, and technology risk, she’s helped broaden the industry’s definition of what cybersecurity leadership looks like — and who belongs in the conversation.Redefining leadership and overcoming perception
Throughout her career, Carmichael has also had to challenge assumptions — both about gender and background. “When people picture a cybersecurity professional, they don’t usually imagine a CPA,” she says. “I often heard, ‘You’re an accountant, what do you know about cybersecurity?’”Rather than fight for legitimacy on those terms, she used education as her tool, showing how financial controls strengthen AI assurance or how audit thinking applies to risk governance.She also acknowledges the broader challenges women face when stepping into the spotlight. “Women in leadership are often judged more harshly for being visible,” she notes, referencing Women in the Workplace research by LeanIn.org and McKinsey. Her solution: redefine visibility as service, not self-promotion. “Speaking up isn’t about attention — it’s about representation.”Carmichael is a firm believer that progress depends not just on mentorship, but sponsorship — having champions who advocate for women’s advancement into leadership roles. “We need to move from being the helpers behind the scenes to the people shaping the field.”Inclusion as a broader definition of diversity
For Carmichael, diversity, equity, and inclusion extend far beyond demographics. “True inclusion means recognizing every path into cybersecurity,” she says.She’s particularly vocal about professionals who immigrate to new countries and struggle to have their credentials recognized despite years of experience.“We say there’s a cyber talent shortage, but we overlook qualified experts because they don’t fit a narrow mold of what ‘qualified’ looks like.”Through her work with ISACA, the Rogers Cybersecure Catalyst, and in mentorship roles, Carmichael creates space to challenge those assumptions. Her message: cybersecurity’s strength lies in the diversity of minds protecting it.“When we bring in people with different perspectives, we solve problems faster and build systems that serve more people, more fairly.”Governing the AI supply chain
Looking ahead, Carmichael sees the next great cybersecurity challenge as governing the AI supply chain. As part of her fellowship at Toronto Metropolitan University, she studies how municipalities and public-sector organizations can prepare for third-party AI risk.“Most organizations won’t build models from scratch — they’ll procure them,” she explains. “That means the question becomes: how secure are our vendors and their vendors?”Her current work focuses on frameworks and toolkits for continuous AI governance — embedding accountability, transparency, and oversight throughout procurement and implementation.“AI is rewriting the rules of third-party risk,” she says. “The organizations that thrive will treat AI governance not as a one-time policy, but as a living practice.”At Momentum Technology and Toronto Metropolitan University, Carmichael exemplifies what modern cybersecurity leadership looks like — cross-disciplinary, collaborative, and grounded in trust. For her, securing systems is only half the mission; the real goal is safeguarding the confidence that allows innovation to thrive.
