If we can build resilience in the water sector, one of the most challenging and under-resourced environments, we can apply those lessons to other sectors.
Small and medium-sized water and wastewater utilities represent some of the most resource-constrained environments in the nation’s critical infrastructure. They often operate under financial constraints, with legacy systems and limited staff who must wear multiple hats, and in many cases they lack the dedicated budgets required for even rudimentary cybersecurity.
Through our work at the Cyber Readiness Institute (CRI) on a pilot program sponsored by Microsoft, and in partnership with the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies, we tested whether accessible, behavior-focused cybersecurity training paired with hands-on support could meaningfully improve cyber readiness among small and medium-sized water and wastewater utilities.
The most significant takeaway from our pilot program is not just about water; it is a blueprint for securing the US economy.
From Awareness to Operational Readiness
One of the most persistent challenges in cybersecurity is not awareness, but execution. Leaders across critical infrastructure sectors generally understand the threat landscape. What they lack is a clear, feasible path from recognition to action, particularly when technical expertise and time are in short supply.
The pilot demonstrated that simplifying cybersecurity into a small number of high-impact behaviors can meaningfully lower this barrier. Rather than emphasizing complex technical controls, the approach centered on foundational practices: strengthening authentication, maintaining updated systems, recognizing phishing attempts, and securing data handling. These are not new ideas, but their consistent application remains elusive in many organizations.
The lesson is straightforward: in resource-constrained environments, clarity and prioritization matter more than comprehensiveness.
The Role of Human Infrastructure
A second insight is that cybersecurity is as much an organizational challenge as a technical one. The most effective participants in the pilot were not those with the most advanced systems, but those that identified an internal “owner” of cyber readiness—someone empowered to translate guidance into action.
This “cyber leader” role does not require deep technical expertise. Instead, it requires accountability, institutional knowledge, and the authority to implement change. In many ways, it mirrors how organizations have historically approached safety or compliance: by embedding responsibility within existing operational structures.
Equally important was the role of external guidance. Organizations that received ongoing mentorship were significantly more likely to translate training into formal policies and response plans. This suggests that scalable cybersecurity solutions may depend less on static resources and more on dynamic support models that help organizations operationalize what they learn.
Another lesson from the water sector is that free cybersecurity resources alone rarely translate into operational improvements. Many utilities struggle not with access to guidance (federal agencies such as the Cybersecurity and Infrastructure Security Agency and the U.S. Environmental Protection Agency already provide free materials), but with the cost, time, and expertise required to turn those resources into day-to-day security practices.
Utilities that completed the program reported a better understanding of cybersecurity basics and a significant advance in their ability to prepare for and respond to cyber incidents. Because of the pilot’s success, the program is now a permanent offering, providing water utilities with ongoing training and support to strengthen cyber resilience and better protect their communities from evolving threats.
Rethinking Scale in Cybersecurity
These findings challenge a common assumption: that effective cybersecurity requires significant financial investment and specialized talent. While those resources are undoubtedly valuable, they are not always available, particularly across the long tail of small and medium-sized operators that underpin much of the economy.
Instead, the pilot points to an alternative model for scale—one built on three principles:
- Focus on essential behaviors rather than exhaustive controls
- Embed responsibility within existing roles rather than relying solely on external experts
- Leverage shared resources and partnerships to extend reach and reduce cost
This model is particularly relevant beyond the water sector. Community hospitals, regional manufacturers, local energy providers, and transportation networks face similar constraints. In each case, the challenge is not simply adopting best practices, but doing so in a way that aligns with operational realities.
Closing the Readiness Gap
This is where public-private collaboration becomes essential. Governments, technology providers, and industry groups each play a role in lowering barriers to entry, whether by providing accessible tools, sharing threat intelligence, or supporting implementation at the local level.
The water sector offers an instructive example. Progress did not come from a single intervention, but from a coordinated effort to align resources, simplify expectations, and support execution on the ground.
The notion that cybersecurity is “too complex” or “too expensive” for smaller organizations has long been a barrier to action. What this work suggests is that the real obstacle is not complexity itself, but how it is managed.
By reframing cybersecurity as a set of achievable, behavior-driven practices, supported by clear ownership and practical guidance, it becomes possible to move from abstract concern to sustained operational resilience.
For leaders across critical infrastructure, the question is no longer whether improvement is feasible, but how quickly it can be scaled. The experience of the water sector indicates that meaningful progress can occur in months, not years, when the right conditions are in place.
The challenge now is to apply these lessons more broadly: not by replicating any single program, but by embracing the underlying principles of simplicity, accountability, and collaboration. The blueprint exists. Now, we just need you to join us. Let’s close the readiness gap, one sector at a time.