At Teranet, trust and security are central to the work we do. In this edition of Leadership Connect, we’re featuring David Hosey, Vice President, IT and Chief Information Security Officer (CISO), whose role focuses on protecting systems, strengthening resilience, and helping ensure confidence across the property ecosystem.
Tell us about your role at Teranet
As the Chief Information Security Officer at Teranet, my role is pretty straightforward. I’m responsible for making sure our systems are secure, resilient, and actually work when people need them. That includes protecting our data, but more importantly, protecting the trust people place in us every time they rely on land and property records.
A big part of the job is also making sure the business can move forward without friction. Security and IT shouldn’t slow things down. They should give people the confidence to operate, make decisions, and deliver for customers.
Day to day, it spans a lot of areas from identity and access management to security operations, threat detection, compliance, AI governance, and the unglamorous but critical work of building a security culture across the company. I also spend a good amount of time at the intersection of IT operations and security, because those two worlds are converging quickly, and Teranet is well positioned to do that well.
The role sits at the crossroads of technology, business risk, and people leadership. That’s what makes it interesting, and on some days, a bit messy in a good way.
What first drew you to a career in information security, and what has kept you passionate about it over the years?
Honestly, I was drawn in the way a lot of people of my generation were: curiosity about how systems work, and then the realization that understanding how something breaks is just as important as understanding how it runs. Security stuck because it forces you to think like an adversary while acting like a guardian, and that tension keeps you honest.
What has kept me here is that information security never sits still. The problems you solve today are not the ones you’ll be dealing with a year from now. Whether it’s ransomware, supply chain attacks, AI-driven threats, or the rise of non-human identities across enterprise environments, each wave brings a different kind of complexity. You have to keep learning or you fall behind, and I like that.
There’s also a sense of purpose to the work. Security isn’t abstract. When it’s done well, real people are protected. When it isn’t, the impact is immediate and tangible: disruption, loss of trust, and sometimes worse. That’s what keeps it grounded, especially in sectors like ours where public confidence really matters.
Since joining Teranet, what has stood out to you most about the role trust and security play in the property ecosystem?
Property transactions are some of the most significant financial and legal events in a person’s life. When someone buys a home, refinances, or transfers title, they’re placing a lot of trust in the systems and institutions behind those transactions. Teranet sits right at the core of that infrastructure.
What stood out to me early on was how deeply that responsibility is felt across Teranet, not just in IT or information security. It shows up in how our people approach their work, the care that goes into data integrity, and how seriously risks to the registry are taken. That’s not something you build through policy. It’s cultural here at Teranet.
The fraud landscape in the property sector has also sharpened my perspective. Title fraud, mortgage fraud, and identity-driven property crime are not theoretical in Canada. They’re active. Especially after moderating Teranet Market Insight Forum I’ve seen firsthand how Teranet, regulators, legal professionals, and financial institutions all need to work together to stay ahead of those threats. It reinforced that security in this space is very much a team sport.
You’ve spoken about resilience as something that must be built into day-to-day operations, not just plans on paper. What does that look like in practice?
A business continuity plan that lives in a SharePoint folder and gets reviewed once a year is not resilience. It’s paperwork.
Real resilience shows up in small, repeatable moments: how quickly your team detects an anomaly at two in the morning, whether your runbooks are current enough to be useful under pressure, and whether people have practiced the decisions they’ll need to make instead of facing them for the first time in the middle of an incident.
In practice, it means investing in detection and response capabilities that are built into operations, not bolted on. It means running tabletop exercises that include leadership, not just the IT and security teams. It means measuring recovery time against what actually happens, not what’s written on a slide. And it means creating an environment where people feel empowered to escalate and act, because hesitation during an incident is a real risk.
We’re also modernizing the way we watch for and respond to threats at Teranet. Better tools give us better visibility, but it’s the discipline around how we use them that actually builds resilience over time.
As AI becomes more embedded in business operations, what do you think is most important for organizations to keep in mind when it comes to security and trust?
The first thing is that AI doesn’t change the fundamentals of security. It amplifies them. If your identity controls are weak, AI agents working on behalf of users will expose that. If your data governance is unclear, AI will ingest and act on data it shouldn’t have access to. So the basics still matter, maybe more than ever.
Second, companies need to treat AI governance as a security function, not just an ethics or compliance checkbox. That starts with understanding where AI is actually operating in your environment, including the shadow use you probably don’t have visibility into yet, what data it can access, and who is accountable when something goes wrong. Non-human identities are already one of the fastest-growing attack surfaces in environments, and agentic AI is adding to that quickly.
Finally, there needs to be some discipline around adoption. It’s easy to feel pressure to deploy AI because everyone else is doing it, but that’s the wrong driver. The better question is not “are we using AI,” it’s “do we understand what we’ve deployed, what it can access, and how we would detect a problem?” That’s harder to answer, but it’s the question that actually builds trust.
What is one leadership lesson that has shaped the way you lead through complexity and change?
Clarity is an act of respect.
When things are complex or uncertain, there’s a temptation to hedge, to leave room for every possible interpretation, to avoid saying something definitive. I understand the instinct. But people navigating change need to know where they stand. They need direction, even if not every detail is figured out. Ambiguity doesn’t protect anyone. It just pushes the stress down to the team.
I learned early that being clear and honest about what I know, honest about what I don’t, and direct about what I need from the team isn’t the harsh version of leadership. It’s the more respectful one. People can handle hard truths. What wears teams down is uncertainty without context.
That lesson has held up in technology transformations, organizational change, and especially in security incidents, where clear communication under pressure often makes the difference between a manageable situation and a chaotic one.
As technology continues to evolve and new challenges emerge, David’s perspective is a reminder that security is about more than systems and processes. It’s about people, trust, and creating environments where teams can confidently move forward. Whether discussing resilience, AI governance, or leadership, his approach reinforces that staying adaptable and continuing to learn are essential in a constantly changing landscape.
