Karen Evans is Managing Director at the Cyber Readiness Institute. Evans has been involved in cybersecurity policy for over 20 years, holding Congressional- and Presidential-appointed positions at the US Department of Energy, the Department of Homeland Security, and the Office of Management and Budget. She also established the US Cyber Challenge, a private non-profit that helped train several hundred cyber experts across the United States by partnering with universities.
In her role at the Cyber Readiness Institute, Evans uses her deep understanding of the challenges SMBs are facing to provide actionable solutions that help those businesses mitigate their cyber risk within the ever-shifting cyber threat landscape.
At RSAC 2022, we spoke to Evans to discuss some of the main cybersecurity challenges that small and midsized businesses are currently facing, and how they can find the solutions to those challenges amid a sea of noise and an ever-evolving threat landscape.
Could you give us an introduction to the Cyber Readiness Institute and the work you do within the security industry?
So, CRI is the Cyber Readiness Institute, a non-profit institute within the Center for Global Enterprise. The companies that formed CRI were part of the cybersecurity commission that was done by President Obama. Each administration builds off each other’s work, and one thing that we’re really thrilled about is that cybersecurity continues to be a bipartisan issue. Everybody’s focused on keeping things secure, helping small and midsize businesses, helping the critical infrastructure—those types of things. The companies that formed CRI were all part of making these recommendations for President Obama, and then also for the transition team when President Trump was coming in.
And, based on all of the recommendations that were being made, they formed the CRI and said, “Look, we need to be focused on these four core cyber hygiene issues, which are passwords, phishing, removable media and automatic updates, and we’re going to help small and midsized businesses.” Today, we work to develop content with our partners around these four key issues and our member companies—Mastercard, Microsoft, GM, Apple, Principal Insurance, and Exxon Mobil. And the idea is that the material is not technically oriented—it demystifies all of that and it says, “Hey, this is why this is important to you as a business and this is the way you need to do it.”
We have two flagship programs: the Cyber Readiness Program, which is designed to help all the people in your workforce to defend against cyberthreats, and the Cyber Leader Program, which helps the person within a company that takes ownership of their program to really change their organization’s culture.
CRI is focused on the human behavior aspects of security. So, you have to have that cultural change. You have to have the human element. If you do that, as you grow, then you’ll have a good foundation to be able to integrate some of those technologies and services you see as you walk the floor here at RSA.
And it’s free! Well, they don’t have to put out the dollars, but they do have to commit their time—in that sense, nothing is actually free, especially when you start thinking about small and midsize businesses.
In recent years, we’ve seen huge changes in the ways in which people work and engage with digital services. What are the main challenges and security risks that organizations are facing as a result?
The whole way that the landscape is changing is pretty sophisticated. During the pandemic, a lot of the small and midsize businesses had to shift and think about, “Okay, now I’m going to do my business this way.” We published guides on how they could navigate the changes they needed to make. For example, how do you decide whether to use a managed service provider, and what kind of questions should you be asking when you enter a relationship with your service provider? Or what is ransomware, and how can you do things like have your data backups, and have a playbook on how to respond to it?
Those guides are designed to help people understand the threat and what they can do about it. Because all of us are a target now. I myself get some really interesting phishing emails. I mean, there are times where I have to stop and just look at it to make sure this is really real, and then I’ll contact the company and then you’ll find out it’s not. And we use these as examples, because some of them are so good that a small company is probably going to fall for it.
We worked with all our member companies on that content; there is a starter kit, there’s the program, there are guides, and it’s all in one place for businesses to come and find easily. And again, it’s the investment of their time, but these are good materials that get to that cyber hygiene effort.
How does the Cyber Readiness Program make sure your content is accessible and engaging to employees at all levels? Do you offer different training depending on job role, for example?
It depends on which way you come into the program. The idea is, when you come to our program, you’re more than likely somebody who is in a small business looking for resources.
We’ve tried to put ourselves in different places. If you’re here in the United States, for example, people have a tendency to look at the National Institute of Standards and Technology, and they have a small business section on that. We made sure that our programs are loaded on their site, so when you go to the small business section, you find relevant content right there.
But when you actually dive down into the program, we have these video vignettes or personas. Whether you’re the five-person company, or you’re the HR director in a bigger company, these personas walk you all the way through the program. And we’ve worked to make it relevant as to why that person is there, and how they can make a difference: “This is why you’re the Cyber Leader and this is how you can help your company grow and deal with this and still be focused on the growth of the company.”
It’s really defining these roles that people find themselves in.
Another thing we’re doing now with our member companies is running pilots of what we’re calling our Cyber Coaches. Think of them a little bit above Cyber Leaders in a company. Organizations identify different Coaches in different segments, then they implement our program, and they go through the playbook and they do the verifications, and they answer the questions that those small businesses or the Cyber Leader within that company would have. And this creates an ecosystem of people that know where the resources are, can get to the resources, and are always aware of the current materials and the current thinking around those core issues.
It’s important for Leaders and Coaches in your programs to foster a culture of security. What are some of your recommendations to help them do that?
When you go through the Cyber Leader Program, you’re learning how to be cyber ready and how to enable your business to be cyber ready. There are different steps that you go through, but a lot of it focuses on the alignment of your leadership of your organization with security. You need the management of your organization to be actively engaged in those processes.
And so, we make sure that we give examples of what our Leaders should talk about with that senior management. We give them potential presentations on some of the tech they might want to implement and what it does. And these are all very business-oriented, not technology-oriented, and very focused on why it matters to the CEO of the company so that they understand the potential risk and consider that when making business decisions.
We just did a study on multi-factor authentication. Nine times out of 10, the management doesn’t know what MFA is or thinks it’s too hard to implement. But then you start talking to them and telling them that they’re actually already doing it, like the code to your phone and so on. Our guides on those types of things help illustrate how it’s in the business’s best interest, as you’re starting to develop some of your services, to put that extra layer of security in.
And ultimately, they’ll begin making business decisions while saying, “Yeah, I’m going to go ahead and do that because I can hit a larger market segment, but here are some of the other things I need to be able to do, like make sure I have my backups, and my employees are trained so they’re not doing crazy things with email.”
And even as you continue to grow, you need to have policies in place and certain training, and we give you the templates and training modules for that so that you can continue to grow that culture within your organization.
Finally, what is your advice to small- to mid-sized organizations struggling to create a culture of security in the workplace?
Well, I would tell them to come to the Cyber Readiness Institute! I mean, the first steps are all there, we want to help you to be cyber ready and we give you all the resources you need to get there. And you don’t just have to listen to me! We’re multi-channel, we’re using Instagram and Facebook and YouTube to provide testimonials from companies that have worked with us on this, and demonstrate the value of this program through some of the benefits they’ve seen. Come to our social media channels and listen to people who are just like you, in the same areas, and watch the videos, and they can tell you that this really works. This is digestible. This isn’t too technology-oriented. And this really helped me get started.
Thank you to Karen Evans for taking part in this interview. You can find out more about the Cyber Readiness Institute’s training programs and research via their website.
Expert Insights provides leading research, reviews, and interviews to help organizations make the right IT purchasing decisions with confidence.