The Cyber Readiness Institute (CRI) empowers small and medium-sized organizations by providing them with free tools and resources to improve cybersecurity. It is a participant in Common Good Cyber, a global initiative aiming to guarantee sustainable funding so that nonprofits involved in critical cybersecurity functions can stay devoted to bringing value to the ecosystem. Karen Evans, the Managing Director of CRI, has over 30 years of experience in cybersecurity, national security, and technology innovation. In this interview, she discusses CRI’s work, the importance of metrics, and how efforts like Common Good Cyber help amplify resources and contribute to broader societal goals.
What is the Cyber Readiness Institute (CRI), and how does it help organizations improve their cybersecurity posture?
The Cyber Readiness Institute (CRI) is a nonprofit organization providing free, prescriptive, easy-to-use tools and resources to help small and medium-sized businesses (SMBs) worldwide become more secure and resilient. CRI’s mission is to advance the cyber readiness and resilience of SMBs to improve the security of global supply chains.
CRI’s main program, the Cyber Readiness Program, is designed to be clear and accessible for SMBs regardless of size, technical expertise, and sector. Designed in collaboration with cyber experts from leading organizations, the Cyber Readiness Program focuses on human behavior, embedding basic cyber policies and processes into an organization. It guides a designated Cyber Leader to implement cyber readiness policies and a business continuity plan. These policies focus on four primary issues with the greatest impact on an enterprise’s cybersecurity: passwords and multifactor authentication, software updates, phishing, and secure storage and sharing. CRI estimates that the Cyber Readiness Program can be completed within 4 hours. However, implementation of cyber readiness policies and development of a business continuity plan may take the Cyber Leader 6 to 8 weeks at their own pace. From posters to policy templates and training materials, Cyber Leaders have everything they need to engage their workforce and improve their cybersecurity posture.
What are the unique challenges in promoting cybersecurity readiness to smaller organizations with limited resources?
According to CRI’s 2024 Global Multifactor Authentication (MFA) survey, cybersecurity costs remain the primary barrier to cybersecurity implementation. Coupled with a lack of time to dedicate to understanding cybersecurity measures, most small businesses abandon their quest for cyber readiness before it even begins. Therefore, the Cyber Readiness Institute developed clear, accessible, and easily digestible modules in the free Cyber Readiness Program focused on human behavior for small businesses to build a culture of cyber readiness regardless of technical expertise.
Collecting impact metrics in cybersecurity can be challenging. How does CRI track the real-world effects of its recommendations and initiatives?
CRI tracks the real-world effects of its recommendations and initiatives in two unique ways: the CRI Certified Cyber Ready certificate, and a Reassessment Survey.
CRI offers a CRI Certified Cyber Ready certificate through a process known as Playbook Verification. This requires the Cyber Leader and the head of the organization to attest they trained 100% of their employees and contractors on their cyber readiness policies and incident response plan. CRI verifies the Playbook and policies meet the minimum requirements outlined in the Cyber Readiness Program.
Approximately six weeks after completing the Cyber Readiness Program, SMBs are emailed a Reassessment Survey to assess the impact on their organization. For example, feedback from CRI’s Resiliency for Water Utilities Pilot helped inform improvements in the next phase of the program and confirmed the impact of the Cyber Readiness Program with one utility stating, “This Program is excellent and gives organizations small and large a great foundation.”
Over 65% of the water utilities reported the Program had a “High” or “Very High” impact and more than three-quarters indicated they would recommend the Program to others. Participants noted the Cyber Readiness Program distilled complex information into manageable, action-oriented learning modules for utilities to implement and be resilient. An overwhelming majority indicated they planned to take steps to implement new cybersecurity measures.
How does CRI’s work contribute to broader societal goals, such as economic resilience or reducing the global cost of cyberattacks?
CRI collaborates with strategic partners to raise the cyber readiness of SMBs by launching industry-targeted pilots. In 2023, CRI, Foundation for Defense of Democracies (FDD), and Microsoft launched a phased pilot to implement the Cyber Readiness Program across small and medium-sized water and wastewater utilities nationwide. The pilot provides utilities with a free CRI Certified Cyber Coach trained to guide participants through the Cyber Readiness Program and foster a cyber ready culture. The goal of Phase 1 was to support 50 small and medium-sized water and wastewater utilities through the Cyber Readiness Program.
In January 2024, the Cybersecurity Manufacturing and Innovation Institute (CyManII) committed to improving the cyber readiness of energy sector manufacturers by leveraging CRI’s Cyber Readiness Program and Cyber Coach Model. The team successfully trained the first cohort of Cyber Coaches, who began engaging with manufacturers in August 2024. CyManII is encouraging the manufacturers to join the pilot program and complete the Cyber Readiness Program and Playbook as a crucial first step toward Cybersecurity Maturity Model Certification (CMMC) compliance. Through this approach, CyManII aims to strengthen manufacturers’ cybersecurity posture, safeguard their operations, and enhance the resilience of national supply chains.
Are there funding or resource challenges CRI faces in sustaining its mission? What support mechanisms would be most impactful for your organization?
CRI operates on member contributions to update and maintain the free Cyber Readiness Program and Cyber Leader Program. These programs are available globally with the fundamental Cyber Readiness Program translated from English to Spanish, Portuguese, and Russian. However, scaling our programs to reach more SMBs remains a challenge. CRI would most benefit from a long-term awareness campaign with public and private sector partners, as well as other non-profit organizations such as the Global Cyber Alliance. This effort would amplify the resources and opportunities available for SMBs and help CRI contribute to broader societal goals.