The Cyber Readiness Institute is incorporating an understanding of the human factors of cybersecurity into its engagements with state and local governments and small businesses, according to recently named managing director Sasha Pailet Koff, to drive low-cost improvements.
“The biggest cause that we see of intrusions happens to be human-centered, and that's what we're trying to address,” Koff told Inside Cybersecurity in a May 1 interview.
CRI announced in March that Koff would take the reins as managing director, bringing a supply chain-focused perspective to the nonprofit cyber hub for state, local, tribal and territorial governments and small businesses.
Koff is stepping into a role previously filled by cyber luminaries Kiersten Todt, who went on to serve as CISA chief of staff during the Biden administration, and Karen Evans, who was appointed in February as CISA’s executive assistant director for cybersecurity and then nominated in March to be the next Department of Homeland Security undersecretary for management.
Koff penned a CRI blog post on April 25 providing 10 tips for shoring up cybersecurity at the SLTT level. The guidance emphasizes the role of public-private collaboration, targeted workforce training and supporting under-resourced organizations to improve cybersecurity statewide.
The guidance demonstrates CRI’s focus on human factors, according to Koff. She said, “There's this awareness piece in terms of just being able to talk about the fact that we're all responsible for it, and making it digestible.”
“One of the reasons we’re focused on human behavior versus the cyber technology piece is that these are things that organizations can be doing with very little resources,” Koff said.
She added, “Where and if there are capacity and capital investments that can be made, that’s great, but there's a huge amount of opportunity to just address the human components to begin with. That should be accessible to everybody, regardless of how many people and how many dollars you've got.”
The tips for SLTT entities also address “a very large shift from the typical roles and responsibilities we've seen at a federal level versus now what is being asked of local and state governments [to] play a pretty active role,” Koff noted.
Cuts to CISA’s cyber workforce and programs thus far have included the elimination of regional advisors who provided targeted assistance to SLTT entities, and public and private sector entities alike are impacted by reductions to information sharing resources.
DHS Secretary Kristi Noem on March 13 made official plans to formally axe the Critical Infrastructure Partnership Advisory Council, which provided the structure for sector coordinating councils and government coordinating councils for each critical infrastructure sector.
CISA funding cuts also resulted in the Center for Internet Security deciding to shutter the Elections Infrastructure Information Sharing and Analysis Center in March, while the larger Multi-State ISAC is searching for alternative funding models to fill a gap left by the reduction in federal support.
Further, the coming expiration of a cyber grant program jointly administered by CISA and the Federal Emergency Management Agency is expected to leave SLTT stakeholders without a key source of funding and an important mechanism for driving collaboration on long-term cyber planning.
Koff said future engagements with SLTT entities will be geared toward “trying to navigate through how they think about the problem, how they can start to learn from best-case studies that are out there already and make sure they have an opportunity to secure the populations they’re responsible for.”
Water pilot
Another area where Koff and her team are incorporating a focus on human factors is a Microsoft-sponsored water sector pilot program CRI is leading with the Foundation for Defense of Democracies.
Results from the first phase of the program were published in December 2024, demonstrating successes from the first 59 utilities that were engaged in the pilot.
With phase two seeking to recruit “about three hundred utilities,” according to a progress report, Koff said it will be important to amplify awareness of the program and make the materials widely available to water sector entities.
“Water utilities are all focused on making sure that they're providing water and sewage efforts, so cybersecurity has not necessarily bubbled to the top for them,” Koff said.
Person-to-person engagement is a crucial aspect of the initiative, which assigns cyber coaches to each utility enrolled in the program, according to Koff. She said, “One of the big pieces we’ve been focused on in phase two is making sure that we’re able to amplify and then lean into some of the lessons learned out of the first phase in terms of using the coach for these utility organizations.”
AI, emerging tech
CRI is also examining the role of artificial intelligence and emerging technologies in cybersecurity, according to Koff.
She said the nonprofit is looking into questions of “How do small and medium-sized businesses start to think about what they're leveraging and what they're using? Do they really understand what it means to ask a question in a public space, and how might that impact their own security footprint?”
In asking these questions, Koff said CRI is continuing to focus on “human behavior and making it really consumable,” while providing “bimodal engagement” by simultaneously partnering with small businesses to drive awareness and aiding large businesses in securing their procurement portfolio.
Part of this work will include engaging with organizations worldwide, according to Koff. She said, “As we think about just the maturity of our organization and our footprint, we are not just a U.S.-based organization. We're global.”
Koff explained, “One of the areas that we’re really focused on is how to think about this constellation of value around the world in securing small and medium-sized businesses that are touching upon multiple supply chains.”
Multifactor authentication
CRI found in November that small and medium-sized businesses around the globe are implementing multifactor authentication at an alarmingly slow rate.
The nonprofit sees MFA as “a pretty significant opportunity for security” at a relatively low cost, according to Koff.
A key piece of driving MFA adoption goes back to the “human factor” focus, she said. “If you speak to a small organization, they may not even understand what you mean by multifactor authentication.”
Throughout May, which is small business month, Koff said CRI’s content will focus on “heavily stressing” awareness of MFA and its benefits.
-- Jacob Livesay (jlivesay@iwpnews.com)