Cyber Security Awareness Month: Sasha Koff, Managing Director, Cyber Readiness Institute | Founder & President, So Help Me Understand LLC

October is Cybersecurity Awareness Month, a time dedicated to strengthening cybersecurity across critical infrastructure, especially in the water and wastewater sector, where digital security plays a vital role in protecting our most precious resource.

To highlight this important topic, The Water Tower is sharing conversations with experts who are helping water utilities build stronger cyber defenses and prepare for the future of digital operations.

Join us as we sit down with Sasha Koff, Managing Director at the Cyber Readiness Institute and Founder of So Help Me Understand LLC, to discuss how utilities can strengthen cyber resilience and prepare for the future of cybersecurity in the water industry.

Q: Please tell me a little about yourself and how you came to work for the Cyber Readiness Institute.

[Sasha Koff]: As a supply chain practitioner with more than 25 years of experience and having the opportunity to lead several large global teams, I’ve seen firsthand how risks evolve and where vulnerabilities can cause the greatest disruption. I joined CRI because I believe cyber readiness is the single greatest threat supply chains will face in the coming decade. Global supply chains are only as strong as their most vulnerable link, and often that risk lies with the smallest businesses. By equipping SMBs with the tools and knowledge to be cyber ready, we not only safeguard them but also protect the resilience of the most complex, interconnected supply chains. For me, this work is about ensuring trust, continuity, and security across the global economy.

Q: For those who may not be familiar with CRI, can you share a little history about the organization?

[Sasha Koff]: The Cyber Readiness Institute (CRI) was launched in July 2017 by senior leaders in government, industry, and cybersecurity who served on the Commission on Enhancing National Cybersecurity. This bipartisan Commission was tasked with developing recommendations to secure the digital economy and provide a roadmap for the incoming Administration.

CRI was created to build on those recommendations, with a specific focus on delivering prescriptive, accessible, and free tools and resources to improve the cyber readiness and resilience of small and medium-sized businesses (SMBs). By doing so, CRI helps secure global value chains.

Q: While your original focus was on small and medium businesses, CRI also launched a pilot initiative on Resiliency for Water Utilities. Why was this made a priority?

[Sasha Koff]: Microsoft, a CRI founding member and co-chair, identified the health and safety risks posed by the limited cyber readiness of water and wastewater utilities across the United States. With Microsoft’s leadership, and in partnership with the Foundation for Defense of Democracies’ Center on Cybersecurity Technology and Innovation, CRI launched the Resiliency for Water Utilities Pilot Program. This initiative addresses the growing cybersecurity crisis across our nation’s critical infrastructure by delivering the Cyber Readiness Program and Cyber Coach support directly to utilities.

Q: The program focuses on small utilities, many of which don’t have cybersecurity staff and may not even have IT staff. We know that many times there is only one person that handles a multitude of tasks at a small utility. What kind of resources or programming do you provide to help these utilities become more cyber aware and ultimately resilient?

[Sasha Koff]: Participants receive free Cyber Coach support as they complete the Cyber Readiness Program and Playbook, a customized Incident Response Plan, along with an array of workforce training materials. These resources are designed to change human behavior and create a culture of cyber readiness across all employees. As a result, water and wastewater utilities can significantly improve the resilience of the organization. Importantly, the values instilled by the Program often extend beyond the workplace and can change behavior at home.

Q: Staffing is one challenge, but small utilities also have funding challenges. How much does it cost to participate in the program?

[Sasha Koff]: The only cost is time. Both the Cyber Readiness Program and Cyber Coach Support are provided free of charge. On average, participation requires about one hour a week for 6 weeks. The exact time may vary depending on the size and complexity of the utility.

Q: That’s impressive. Can you share some examples of actionable recommendations utilities receive through the Program?

[Sasha Koff]: Of course! One of the Program’s key outcomes is helping utilities draft Cyber Policies, which are central to changing human behavior. We call these the Core Four: Passwords+, Software Updates, Secure Storage and Sharing, and Phishing. For example, the Passwords+ Module teaches participants about secure password management, multifactor authentication, and the effectiveness of long, 15-character passwords that only need changing after an incident. Actionable recommendations like this help reduce risky workarounds and eliminate the burden of periodic password changes.

Q: CRI emphasizes reducing human error and careless behavior. In the age of AI and advanced digital capabilities, why are people so important in preventing cyber intrusions?

[Sasha Koff]: People remain the first line of defense. Reports consistently show that ransomware and attacks exploiting outdated software are among the most common cyber incidents. Yet these intrusions are easily preventable. By instituting simple policies and training employees to recognize phishing attempts, an organization can drastically reduce their risk and raise confidence in their cyber defenses.

Q: Thank you for sharing a case study with us. Where can people find additional information about your program?

[Sasha Koff]: We are continuing to recruit water and wastewater utilities to participate in the program. More information is available by visiting our website at: Resiliency for Water Utilities - Cyber Readiness Institute. We encourage people to read our case study about a small Texas utility that completed our program, as well as our recent commentary on New York’s proposed cybersecurity regulations for water and wastewater utilities.

The Water Tower consists of two nonprofit organizations: The Water Tower at Gwinnett, a 501(c)(4) responsible for the development and operations of the campus, and The Water Tower Institute, a 501(c)(3) responsible for solutions, instruction, and engagement programming. Together, these entities are cultivating an ecosystem of water innovation fueled by imagination, informed by research, and powered by pioneers. The Water Tower brings together public and private sectors of the water industry, side by side with academia and nonprofits, to tackle the industry’s greatest challenges.
