The Institute for Security and Technology (IST)‘s Chief Strategy Officer, Megan Stifel, member of the Common Good Cyber secretariat, discusses cybersecurity challenges, IST’s milestones as an outstanding convener, the importance of measuring impact, and views on funding for nonprofit organizations to ensure sustainability.  

Can you start by introducing the Institute for Security and Technology (IST) and its role in addressing global security challenges, particularly in cybersecurity?

The Institute for Security and Technology is a United States, Bay Area-based nonprofit critical action think tank that unites technology and policy leaders to create practical solutions to emerging security challenges in a rapidly shifting technology and policy landscape. We are uniquely positioned to identify and execute the essential steps needed to achieve specific, strategic results at a crucial moment in time when outcomes can be maximized. And we can’t do it alone—we rely on a global network of policymakers, technology experts, and industry leaders to provide input from their own experiences and backgrounds. 

We believe that technology has the potential to unlock greater knowledge, enhance our collective capabilities, and create new opportunities for growth and innovation. However, we also recognize that insecure, negligent, or exploitative technological advancements can threaten global security and stability. Our work—whether in the realm of cyber, quantum, artificial intelligence, biotechnology, or clean energy—seeks to identify potential security challenges associated with these emerging technologies and guide the development of more trustworthy technology. 

Cybersecurity has been a core focus since IST’s founding in 2016. We’ve tackled key challenges like Distributed Denial of Services (DDoS) attacks—when hackers flood websites with traffic to crash them—and ransomware, a type of malicious software (malware) that locks people out of their systems until they pay a ransom. Increasingly, we are focused not only on specific types of threats, but also the systemic security risks of societal dependence on digital technologies. Our work to advance the Future of Digital Security seeks to find new ways to provide direct, tailored cybersecurity resources and guidance to those who need it most, while also exploring the role of available incentives to promote better security from the ground up.

IST is known for convening diverse stakeholders to tackle complex issues. The Ransomware Task Force has been one of IST’s standout initiatives. Can you share the story behind its creation and highlight its most significant success to date? How does this collaborative approach set IST apart from other organizations in the cybersecurity space?

We began the work of convening the Ransomware Task Force in December 2020. We were convinced that ransomware no longer presented just a financial risk, but an acute national security risk that threatened schools, hospitals, businesses, and governments across the globe. Using the same convening model we apply across many of our projects, IST brought together over 60 experts from industry, government, law enforcement, civil society, and international organizations for a five-month sprint to synthesize a clear framework of actionable solutions. 

The resulting framework—which put forward 48 recommendations to deter attacks, disrupt the ransomware business model, and help organizations prepare for and respond to attacks more effectively—remains a guide for the Ransomware Task Force’s ongoing efforts. This year marks four years since the establishment of the Ransomware Task Force. In that time, we have had significant global impact. 

• We’ve seen governments in the United States, United Kingdom, Singapore, Brazil, and others adopt policy and legislation put forward by the RTF. As one U.S. cybersecurity journalist described it, “IST’s work has become a lodestar for federal ransomware policy.”
• 50% of the recommendations put forward by the Ransomware Task Force have seen significant progress as of April 2025. 
• Demonstrating our role as a trusted convener and source of expertise, IST team members have testified before the U.S. Senate and U.S. House of Representatives four times on the topic of ransomware.
• In 2024, IST became the only U.S.-based member of the international Counter Ransomware Initiative’s Public-Private Sector Advisory Panel. 
• We continue to engage stakeholders from over 60 organizations across the cyber ecosystem in ongoing working groups, zeroing in on international engagement, preparedness, the payment ecosystem, and the role of cyber insurance. With stakeholder input and expertise, we have mapped threat actor behavior in the ransomware payment ecosystem; published a cyber incident reporting framework; created a Blueprint for Ransomware Defense and translated it into Spanish and Portuguese; launched a Brazil Ransomware Task Force; explored information-sharing in the ransomware payment ecosystem; released a roadmap to potential prohibition of ransomware payments; and investigated best practices in public-private partnerships. 

Our approach is rooted in collaboration across sectors, bringing together a diverse group of experts to assess the problem of ransomware from all angles and leverage the collective might of government, civil society, and industry to help put an end to this destructive form of malware. 

IST operates with what we call a “bias towards action” that sets us apart from other organizations also working at the intersection of technology and security. This means that we are constantly leveraging our analytical insights, deep experience, and network of experts to anticipate what’s ahead. And once we identify and begin to address potential risks–and opportunities–of technological innovation, we operate with agility and a sense of urgency. In the case of the Ransomware Task Force, we convened the task force within a matter of weeks. Guided by a team of eight co-chairs, the group put together its comprehensive report in only four months. And beyond issuing recommendations, the RTF continues to track recommendation progress, spin out lines of effort to facilitate their implementation, and reassess what is needed to defeat ransomware. These progress reports not only celebrate achievements, but also pinpoint areas for improvement and targeted action that guide subsequent RTF efforts. 

How does IST measure the impact of initiatives like the Ransomware Task Force, and what lessons have you learned from its outcomes?

IST measures its impact through influence on policies, legislation, and initiatives in both the public and private sectors. In the United States, IST played a key role in elevating ransomware as a national security threat and influencing the creation of cyber incident reporting laws and the DHS-led Joint Ransomware Task Force.

In April 2024, I had the opportunity to testify again before Congress, emphasizing ways to reduce ransomware risks in the financial sector and highlighting relevant RTF recommendations, including those on payments and cryptocurrency.

IST’s influence also extends internationally. Governments such as Singapore have cited our work, and IST continues to support the Counter Ransomware Initiative through research and engagement. IST has championed harmonized ransomware reporting, contributing to international alignment efforts including a framework developed with major partners and adopted by U.S. and European authorities.

What are the biggest challenges in driving policy change or operational improvements through initiatives like the Ransomware Task Force?

Whenever we work on pushing policy forward, we recognize that progress may not be linear. Of the 48 recommendations we published in our original RTF report, we have seen significant progress on 24. However, the other 24 recommendations continue to see little to no known action. This evolution is natural, as our proposals include many activities that take time to develop. Several recommendations involve coordinating across multiple stakeholders both domestically and internationally, and may even require legislation in certain contexts, a factor which has made it difficult for them to move forward.  

Some elements of combating ransomware remain challenging to implement. In 2024, IST published the Roadmap to Potential Prohibition of Ransomware Payments, developed by the RTF Co-Chairs, to explore what conditions would need to be in place for such a policy to be considered. However, even getting to that point requires coordinated, sustained investment by both public and private sector actors: we must ensure victims have viable alternatives and robust support mechanisms in place, and that organizations reach a baseline level of cybersecurity maturity. 

Funding is a common challenge for nonprofit organizations. What resources are essential for IST to sustain its efforts and scale its impact?

Flexible multi-year funding, as we have been advocating for since we launched Common Good Cyber, is crucial for nonprofits like the IST to sustain project activities and scale impact. It provides financial stability and predictability, allowing nonprofits to plan and execute long-term projects. This funding flexibility enables IST to adapt to changing external factors, expand programs, and invest in programmatic capacity-building—all essential for scaling impact. Additionally, it reduces the administrative burden of routinely applying for new grants, enabling the team to focus more on its mission and long-term goals. Multi-year funding ensures that IST can maintain a steady course toward achieving its objectives while responding effectively to new challenges, and meet overhead costs, like fringe benefits (i.e., healthcare), operational support (i.e., bookkeeping, annual organization audit, human resources), equipment (i.e., computers), and facilities (i.e., office space and meeting/convening venues). 

Overall, multi-year funding ensures IST can provide strategic direction to industry, civil society, and global governments, foster conversations that might otherwise fall through the cracks, and push for a democratic world that is secured and empowered by technology built on trust–ultimately helping us to shape the future we seek.