The recent rise of ransomware attacks has shown that even small and medium-sized organizations have to worry. For several years, the Cyber Readiness Institute, a nonprofit led by some of the nation’s industrial giants, has provided resources to help small businesses deal with cyber threats. Now, the CRI has a new managing director, someone well known from her long federal information technology and cybersecurity experience. Karen Evans joined Federal Drive with Tom Temin for more discussion.
Tom Temin: Karen, good to have you on.
Karen Evans: Thank you so much for having me, Tom.
Tom Temin: And let’s begin with the institute itself. Who is it and what does it specifically do?
Karen Evans: Well, the Cyber Readiness Institute is focused on helping small and midsize businesses address cybersecurity risk. And what I think is really unique. And what really attracted me to this group is that it’s focused on human behavior. As we’ve talked in the past, you know that I’m very focused on people. And so the whole thing with this is, how can you make a difference? How can you address this? How can you take scarce resources in small and midsize businesses and really focus on that change management, cultural behavior that you need to have, so that you can be cyber ready? So that you can take advantage of technology, use all what’s available for your business so you can grow it, but also be aware of the risk and be able to manage it appropriately?
Tom Temin: And does that behavioral aspect also extend to employees? I mean, if you look at large federal agencies, or large companies, they have a lot of training of people so that people understand a phishing attack when they see it. For the most part, small businesses, small organizations often don’t, and their employees might be less sophisticated from a cyber standpoint. So do the resources that you offer extend to that aspect of it, of how people literally behave when bad emails come in?
Karen Evans: Well, of course it does. And you would think that I gave you these questions, but I’m so excited that you asked that. Because CRI is focused – they have four core principles, four core areas – we call them the four core pillars, one of which is dealing with phishing. So it’s passwords, phishing, USB, and then doing automated updates. And so it’s focused on what we would call in the public sector, cyber hygiene. But the human element of that. And so what is another thing that is really exciting that came forward is that they have a cyber readiness organizational program. And what we do with this is that you have organizations go through this, take the training, and the training is free; the commitment that you have to make is your time to really understand what’s going on. So it’s your time. And then in May of this past year, they also did a cyber leader certification program. So if you have the opportunity to go through it, you should go through it. I’ve been going through it. And what it does is it really takes some of these really complex issues. And what you want to do is just really put it in plain speak, practical applications, and anyone can be a cyber leader. And that really is what the certification program shows. It’s pretty exciting. It lays out three different types of organizations, from a small business that only has five people to [a] human capital person who’s running the human resource department of a business of about 100 people. And really addresses that change culture, the things that you need to think about and how you train your employees to be aware in these four core areas.
Tom Temin: We’re speaking with Karen Evans, she’s former CIO of two federal agencies and former Office of Management and Budget e-government administrator, now managing director of the Cyber Readiness Institute. And let me ask you to cross a bridge here, and I’m hoping it’s not a bridge too far but the Cybersecurity Maturity Model Certification program, recently highly revised from the way it was started, nevertheless, does have some burden on small businesses that are contractors or subcontractors to federal business, to federal agency procurements. Is there a way that this type of training that you offer, this type of development can somehow be tied to CMMC declarations of readiness to be in the CMMC program, and therefore keep getting contracts?
Karen Evans: I’m really glad you asked about that. Because the CMMC program, as you know, could be very intimidating for small and mid-sized businesses, and really trying to understand all the different aspects associated with that. So in July of this past year CRI entered into a pilot with the Cyber Ready Hawaii program to address CMMC level one, which I think most of us realized when we started really reading and looking at what DoD intended with that program that even the evolution of that was going to lead to some type of self-certification at level one. When you look at level one there are 17 practices associated with that. You go back to the four core pillars of the CRI program. Most of those are dealing with cyber hygiene type of practices. Again, back to – are you aware of the risk? Are you doing passwords? Are you – have policies in place to deal with using removable media? Pretty much you don’t want to use removable media. But if you have to, because you’re a small business, do you have compensating controls? And so CRI has been working directly with Cyber Hawaii working on the program, leveraging what we have in our cyber readiness program with small and mid-sized businesses so that they would be prepared. It’s also addressing FAR 52.204-21. A lot of this is dealing with the information and the management of information. As you know, it gets a little complex when you start talking about controlled but unclassified information, how are you putting those protections around it? And again, the value of CRI is breaking it down, so that you don’t have to be a FAR expert. But when you’re ready to participate in supply chain activities with DoD people, or DoD acquisitions, that you already have the business practices in place, and that you can self-certify that you can protect that information appropriately.
Tom Temin: And somehow the pandemic of course, has affected the cybersecurity scene as much as the ransomware wave has, with everybody working remotely. More and more people, I guess, are going to stay remote if you follow the trends, and therefore you have different endpoints, different networks in people’s homes, and so forth. Has the Institute kind of updated the training and updated the resources it offers to take into account this endpoint access that so many people will continue to have?
Karen Evans: I’m coming in at a good time because this is toward the end of the year. And so we’re getting ready to really evaluate what are the next things that we’re going to take a look at, as you are indicating, you have to make sure that the content stays up to date dealing with the situation that small and mid-size businesses are facing, right? And so sometimes they really are the endpoint in dealing in the overall supply chain. And again, this gets back to, when you look at all of these different things associated with it, a lot of it is still passwords, how you deal with passwords. And so one of the areas that we’re going to be looking at going forward into the new year is multi-factor authentication, and making sure that it’s distilled down into a way that is not intimidating. Sometimes when – like my husband is a small business owner, and when I talked to him about multi-factor authentication, his eyes glaze over. So I know that I need to really put it in practical business terms, so that that business owner understands the value of why you want to do it, especially if most of their business is done online, right? That they really have to have those right business plans in place, that they’re ready, that they have resilience. And I think another area that we’re gonna make sure we really look at is data recovery, because you hit on the ransomware issues. And one of the key areas is to make sure you have good data backups, so that you are resilient, so that you have data recovery processes in place, and that they really take a look at that from a business continuity perspective.
Tom Temin: And when you bring up two-factor authentication, that reminds me of the Biden administration’s executive order on cybersecurity. And I’ve heard some big agency and some small agency CIOs comment that, yeah, it’s a great order but it was kind of the path we were on anyhow. How does the executive order tie into what you’re doing? And does it require any kind of rethinking of the efforts that you provide, or does the executive order simply underscore best practices that people should be doing in the first place?
Karen Evans: There’s a lot in that question, Tom. So with the executive order, I think the executive order was really groundbreaking from the aspect of it brought everything into one location. And the other part of it is that it really has the accountability up the line, right, all the way up to the National Security Council. So that’s true. I mean, I look at the executive order and say, well, we haven’t finished that yet. Because a lot of those things were things that were started in the Bush administration, or actually go back to some areas, I’d say, as far as the Clinton administration, but each of those builds upon each other for good cybersecurity practices. When you look at the executive order, and then you look at things such as the supply chain risk management and those types of areas, and then you look at our member companies that we have – Microsoft, Mastercard, Apple, GM – we get into supply chain risk management, which is directly aligned with what CRI is doing. And so we have some pilots with our co-chair companies dealing with supply chain risk management, because in that are a lot of small and midsize businesses. And you’re only as strong as your weakest link. And so you have to think about how do their actions affect upstream? And how do their actions affect downstream? And so this really is the sweet spot for CRI. Really working on that cyber hygiene, lifting up everyone to a certain level so that we can take a lot of noise out of the system, and that the public sector, the federal government, can focus on what it does best, which is adding that context around what’s happening in the ransomware area. Is it a nation-state? Is it a criminal element? And we continue on with businesses that need to drive local economies. What is happening geographically. And the other thing that I think is really exciting about CRI is that it’s global. So when you’re looking at this, we’re looking at small and mid-size businesses globally. So if we can really raise that up, we would help with the norms across the board that the administration is looking at, and lead by example, and the material is already there, and businesses can use it today.
Tom Temin: Karen Evans is former CIO of two federal agencies – former Office of Management and Budget e-government administrator. She’s now managing director of the Cyber Readiness Institute. As always great speaking with you.
Karen Evans: It’s great talking to you too, Tom.