For those who do not know, Cowbell Rx is a referral marketplace for our ecosystem of cyber risk management and security partners. It is a place to connect with trusted partners that want to work together to improve an organization’s cyber risk profile and in some cases, receive exclusive discounts on solutions and services. The Cyber Readiness Institute (CRI) is a Cowbell Rx partner. Under the leadership of Managing Director Karen Evans, CRI offers free, online tools and resources, specifically designed for SMEs, to demystify cybersecurity, create a culture of security in every organization, and secure global supply chains.
In this podcast episode, Karen shares her perspective on an array of relevant topics for both the insurance and cybersecurity spaces, such as the history behind CRI, why it was founded and by whom, the core tenets of the free tools and resources offered, key takeaways and action items SMEs can implement today, the effect SME cybersecurity has on global supply chains, and the gaps in knowledge that exist for SMEs about cyber insurance. Since this podcast episode is part of the Women’s History Month series, Karen also sheds light on her personal journey as well as her experience as a woman in the male-dominated field of cybersecurity.
Leading up to her current role as Managing Director of CRI, Karen has had an amazing career in U.S. federal government service. It was back in 1996 that she knew cybersecurity was the field for her. A turning point for her was when she had the first federal government website ever to be hacked. Specifically, the hackers defaced the site with an image of the Attorney General at that time, Janet Reno, photoshopping her head onto the naked body of Jennifer Aniston. The incident took over the front page of the Washington Post for some time, until two weeks later, when the CIA’s website was similarly hacked and that incident supplanted it on the front page. Karen points to these incidents, in particular, and the lessons learned from them, when she reflects on what has shaped her career.
Throughout her career, Karen has held many prestigious positions, such as Chief Information Officer of the Department of Energy, Chief Information Officer of the Department of Homeland Security, and Chief Information Officer for the federal government as a whole during the Bush Administration. She says, “The lessons are the same. It’s the scale that keeps changing, and so it’s quite a journey to get to go that far. But the one lesson learned…that has stuck with me throughout my career [is] how do you manage these [events] in order to maximize what services you’re delivering, and minimizing the risk to those services as you’re delivering them.”
During Women’s History Month, Cowbell is featuring female guests, like Karen, on the Cowbell Factors podcast. For Karen, her experience as a woman in the male-dominated industry of cybersecurity is relatively typical: “It didn’t really hit me a lot of times that I was the only woman in the room. It just really didn’t hit me until somebody else would bring it up.” Karen entered the field of cybersecurity around the same time as the first dot-com boom. The many new technologies becoming available raised questions for Karen in her federal government roles: “Are we securing it upfront? What are the issues that we’re going to have to deal with? And how are we going to be able to instill that trust in our services going forward to really project out that we know what we are doing? Who would have realized how much this field [would grow]? It has grown so much and it means so many different things to so many people.”
Given that cybersecurity is such a growing field, there is plenty of opportunity for the current and next generation to make an impact. To the younger female professionals entering the cybersecurity workforce today, Karen says, “It’s a green field. It really is still an emerging, developing profession. In the cybersecurity world, you can write your own path forward right now and you don’t necessarily have to come out of computer science.” In Karen’s opinion, individuals with an understanding of human behavior can be very successful in the cybersecurity field. Specifically, those with psychology and communications backgrounds are “people who know how to use human behavior to be able to achieve the results that they need to.” Karen’s main advice to the next generation is this: “Don’t be limited. If you like to solve puzzles, cybersecurity is the field for you.”
The Cyber Readiness Institute is also very focused on human behavior when it comes to cybersecurity and demystifying the field for SMEs. CRI offers free content online that is specifically designed for an SME audience. Knowing that SMEs have limited resources, there are four core issues that CRI focuses on in its content: “passwords, software updates, phishing awareness, and proper use of removable media.”
The cybersecurity threat landscape is ever-changing and tactics are constantly evolving. “Right now, I would say the biggest threat is ransomware.” On the CRI website, anyone can easily access – for free – the Cyber Readiness Program, the Cyber Leader Certification Program, and the Starter Kit. “We really try to give tools for the small business to walk them through certain things.” In addition, CRI also has a variety of quick reference guides. One of the most popular guides is the “Ransomware Playbook,” which gives a step-by-step decision tree to follow if an organization is faced with a ransomware attack. “The time that the incident happens isn’t the time that you need to figure it out.”
When it comes to key takeaways that SMEs can implement today, CRI recommends identifying a “Cyber Leader” within the organization to spearhead the demystification of cybersecurity and act as the liaison between senior leadership and the rest of the workforce. “If you change the culture a little bit at a time around these particular four issues, you could probably prevent, some studies say, up to 90% of the attacks that could happen to a small business.” Furthermore, CRI recommends other straightforward changes like using passphrases instead of passwords and enabling auto-updates.
Since cyber insurance, as a concept, is less tangible than car insurance or building insurance, for example, one of the challenges that SMEs face is understanding when it becomes essential to purchase cyber insurance. CRI will be releasing new content on cyber insurance for SMEs, with the hope that they will become better-informed consumers and ask the right questions of local insurance agents.
In an interconnected supply chain environment where large companies are routinely conducting business with SMEs, “you’re only as strong as your weakest link.” With that in mind, the large companies that founded and continue to sponsor CRI believe in the power of education, and specifically, free education. “Education for SMEs can continue and cost is not the reason why they can’t implement some of these things.” By encouraging investment of time, as opposed to money, CRI “takes cybersecurity and makes it into practical, actionable items that small businesses can do.”
Just as the cyber threat landscape is evolving, CRI is evolving as well. In 2022, you can expect to see CRI promoting widespread adoption and implementation of multifactor authentication as well as increasing awareness around cyber insurance to get as many SMEs insured as possible.
If you are interested in hearing Karen discuss these topics and more, or if you want to learn more about her professional and personal journey, listen to the podcast episode.
Visit the Cowbell Factor Podcast library to listen to last season’s episodes and stay up to date on upcoming ones. It is available on most podcast platforms (Spotify, Google Podcasts, Apple Podcasts, Anchor, Breaker, and Radio Public).