A merchant throws salt on an icy sidewalk along Main Street in Wilmington, Ohio. A new training and certification program seeks to help individuals at small businesses feel more confident as they take steps to secure their digital environment. (Photo by John Moore/Getty Images)

Lacking funds and specialized talent, operators and employees at small- and medium-sized businesses often must take a do-it-yourself approach to managing cybersecurity – even if the decision is to farm out the bulk of the work to a managed service provider. A new training and certification program launched to help individuals at these small businesses feel more confident as they take steps to secure their digital environment.

Last week, the Cyber Readiness Institute introduced what it’s calling the “first comprehensive professional credential program designed to train cyber leaders in small businesses to help secure supply chains and reduce risk of a cyberattack.” CRI officials say it helps address the lack of training and credentials programs that are designed specifically around members of the SME community.

“It absolutely fills a gap,” asserted Kiersten Todt, managing director of the Cyber Readiness Institute – particularly in the way the new Cyber Leader Certification Program is built around “challenges that small businesses have in educating themselves on what the basics are and, more importantly, distilling all of the information and the data that’s out there on cyber and making it relevant and accessible.”

Louis Evans, technical manager at Arctic Wolf, a security monitoring company that caters to many SMEs, found the announcement to be an encouraging development. “Historically, we’ve seen a focus on the technical aspects of cybersecurity certification, equipping cybersecurity practitioners to meet baseline requirements,” said Evans. But in this case, “the emphasis on cyber leadership in this program is a useful one. In many organizations of all sizes, cyber risks go uncontrolled because the teams responsible for tackling them don’t have robust executive sponsorship, and so providing leaders with the correct perspective to support these teams is vital.”

A four-hour self-guided training course replete with quizzes and assignments, the CRI’s new program will cover info issues broken into three key categories: people, process and technology. Core objectives of the program include learning how to manage risk through better cyber hygiene, design short-term cyber readiness projects, communicate with and evaluate third-party IT service providers and explain the value of sound cyber practices to those who are not tech savvy.

To be eligible for the certificate, participants must have previously led their respective companies through the CRI’s Cyber Readiness Program for businesses. “What we have learned as people have taken their companies through the program, a high percentage of those people have gotten interested in: How do I learn more? How can I be more valuable to my company? And what can I learn?” said Todt.

To earn the accreditation, participants must successfully complete all of the new program’s modules and pass the final test with a score of 100 percent. Only three attempts are allowed.

Those who enroll should be in a position to serve as a cyber leader and evangelist within their company, whether that be an owner or someone in the HR or finance department, the CRI notes.

“Aspirationally, what we’re looking to do is get to a place where, when you say you’ve gone through the Cyber Readiness Program and/or your cyber leaders are certified, that that means something in the space… That that holds some weight, so that there is that output that ROI on the time and the investment,” said Todt.

That means a small business that completed the program might earn greater trust from a third-party partner, while a small-biz employee might give his or her resume a boost by completing the course and having gained an additional valuable skill, even if that’s not their core area of expertise.

“It’s like being a nanny, and being CPR-certified,” said Todt. “It’s not one of these things that you’re not going to get the job if you don’t have it, but if you do have it, that’s a really great quality that you’re going to bring to the job.”

“It’s impossible to speak to the value of a specific certification until it’s out in the world and we see what the education contains and how it’s valued by organizations and peers,” said Evans. “That said, we’re seeing an environment where security is increasingly of business value to SMBs. Large organizations want their business partners, supply chain organizations, vendors, suppliers, etc., to achieve and demonstrate robust cybersecurity, and leaders who understand cybersecurity will be uniquely positioned to develop their teams and best practices, advocate for their orgs, and ultimately win business.” 

Moreover, those leaders who go through the program will be better prepared to pass on their knowledge to additional staffers.

“It’s all about creating the culture of cyber readiness. And that comes from people, so if you have somebody come into your organization who understands what that means and understands the prioritization of these issues, then that is this force multiplier that you then bring into your organization… so it’s one less weak link that you have.”

Course work includes key cyber terms and definitions, core technologies, working with outside vendors and creating secure processes. There’s also a focus on reducing human-based risk through phishing education, software updates, authentication and password management.

Todt said that in the future the cert curriculum could provide a key foundation for teaching small businesses concepts such as ransomware so “they’re not overwhelmed by what’s sort of a nuanced and abstract topic,” and they can distill it down to “it happens because you have a weak password that’s been compromised,” and other important takeaways.

Evans said in the future, he’d personally like to see SMB cert programs like CRI’s touch on “high-level content on shared cybersecurity frameworks such as the NIST framework, and greater discussion of the business value of cybersecurity.”