On January 22, 2025, the Center for Long-Term Cybersecurity (CLTC) and the CyberPeace Institute hosted the first of three plenary sessions to launch the Cyber Resilience Corps, a groundbreaking initiative focused on uniting cyber volunteer efforts from different sectors.
Cyber volunteers play a vital role in providing pro bono digital security assistance to nonprofits, rural hospitals and water districts, K-12 schools, municipalities, and other organizations that carry out vital missions, but have limited resources to defend themselves against cyber threats, such as phishing, ransomware, and data breaches.
Local cyber defense initiatives — including university-based cybersecurity clinics, volunteer programs, and state response corps — are making strides in closing the gaps, but they often operate independently, with limited reach.
The goal of the Cyber Resilience Corps is to align the efforts of cyber volunteer providers, as well as industry and government partners, and to develop a roadmap for community organizations to improve their cyber maturity in the face of limited resources.
“Together, we are shaping a future where cybersecurity support is not a privilege, but a fundamental right.”
Ann Cleaveland, Executive Director of the Center for Long-Term Cybersecurity (CLTC), introduced the event, highlighting the importance of strengthening the cybersecurity of high-risk organizations. Sarah Powazek, Program Director of Public Interest Cybersecurity, then gave an overview of the Cyber Resilience Corps and the initiative’s goals, including developing a new platform for coordinating volunteer networks, “This program is about creating a safety net for organizations that fall through the cracks of cybersecurity services. We are coordinating services across regions, sharing best practices, and working towards a roadmap where volunteer services act as on-ramps into the cybersecurity community for critical organizations that have nowhere else to go.”
Jessica Walton, U.S. Regional Officer of the CyberPeace Institute, highlighted the collaborative nature of the initiative, “bridging the cyber resilience gap requires a global, coordinated effort—one that is adaptive, inclusive, and rooted in trust. The Cyber Resilience Corps is demonstrating how volunteer-driven initiatives can scale impact while empowering those most at risk. Together, we are shaping a future where cybersecurity support is not a privilege, but a fundamental right.”
Following introductions, the session’s participants — including representatives from university cyber clinics, for-profit and nonprofit organizations, non-profit-focused managed service providers (MSPs) and managed security service providers (MSSPs), and government-led civilian cyber corps — were divided into three breakout groups to explore how existing incident response systems can be improved to better serve community organizations in need of help.
Key Takeaways
Throughout the discussions, several key takeaways emerged:
1. Word of Mouth is Key for Connecting Existing Resources with Clients
- Organizations often discover cyber resilience services through referrals, trusted relationships, and word of mouth due to limited marketing or fear of stigma.
- Government agencies (e.g., CISA, state entities) and large nonprofits also serve as critical referral sources.
2. Lack of a Clear Roadmap for Impacted Organizations During/After a Cyber Incident Creates Confusion
- Many organizations don’t know where to start or who to approach during or after a cyber incident.
- Marginalized, rural, and underserved communities often lack access to or awareness of available services.
3. Incidents Help Spur Appetite for Services
- Preventative services (“left of boom”) are less costly and more effective but are underutilized.
- Crisis response services often focus on critical infrastructure, leaving small organizations without support.
- Incident response gaps are evident for small businesses, nonprofits, and those outside critical infrastructure.
4. Volunteer Recruitment and Retention Continues To Be a Hurdle Across Organizations
- Recruiting, onboarding, and retaining skilled volunteers is challenging, particularly for incident response.
- Volunteer time constraints and legal complexities (e.g., NDAs, liability, and non-competes) hinder participation.
5. Meeting Organizations Where They Are At Is Essential to Establishing Trust
- Trust is a prerequisite for organizations to seek help. Proactive engagement builds credibility and relationships.
- Addressing digital literacy gaps in relationship-building, especially for less tech-savvy organizations, is a pathway to trust.
- Partnerships with trusted entities (e.g., local governments, schools, and utility services) help build trust.
6. State and Federal Roles Are Critical But Uneven in Their Capacity and Focus
- National Guard and Fusion centers are critical but not well-known outside public agencies.
- One-time State and Local Cybersecurity Grant Program (SLCGP) funding is running out, leaving states to foot the bill or leaving organizations now dependent on services and tools stranded.
7. Organizations Can Utilize Increased Support from the Private Sector
- Insurance and legal firms play a role in incident response but often cater to larger organizations.
- Partnerships with private firms, including pro bono legal work, could address gaps for smaller entities.
8. Privacy and Standardization Challenges Impact Metric Collection
- Lack of standardization when collecting metrics and incident data internally and externally across the ecosystem makes it challenging to quantify impact, which is especially important to advocate for funding.
- Persistent hurdles surround the management of personally identifiable information (PII) and where to house assessment data.
9. Client Handoff Is a Gray Area That Requires Strategic Attention
- There is a gap between funding for one-time proactive services and public services that are open for continued support.
- The continued risk of pay-to-play models or the expiration of free licenses creates a dependency on the volunteer service or a risk to the client.
Adrien Ogée, Chief Operating Officer of the CyberPeace Institute, wrapped up the session by highlighting the groups’ strengths, “Decentralized yet organized cyber volunteer groups have the power to raise the cyber poverty line at scale, ensuring no one is left behind. By addressing service gaps, legal barriers, and volunteer challenges, we can build a more resilient ecosystem. The Cyber Resilience Corps is a testament to this collective action, and I look forward to advancing these efforts together in the next plenary.”
Future Plenary Sessions will explore strategic actions to proactively improve high-risk organizations’ cyber hygiene and integrate resources and existing networks into a structured system. These discussions aim to result in more, faster, and better services for organizations in need.
Interested in learning more about the Cyber Resilience Corps? Stay up to date by subscribing to our mailing list.
