NASHVILLE, Tenn.—If there's one thing Cynthia Hsu wants co-ops to know, it's that cybersecurity is everyone's job.

"I guarantee you, every single person has a role to play," said Hsu, cybersecurity program manager in NRECA's Business and Technology Strategies unit, at a breakout session during the association's 2018 annual meeting.

Hsu spearheads NRECA's Rural Cooperative Cybersecurity Capabilities Program, known as RC3.

"This is a program focused on what a lot of the co-ops are facing, which is very limited IT staff and, for some, no IT staff at all," she said. "How do we build tools to help those co-ops improve their cybersecurity?"

Thanks to a $7.5 million grant from the U.S. Department of Energy, Hsu and her team have developed a soon-to-be-released self-assessment toolkit to help co-ops begin or enhance their cybersecurity efforts. The toolkit starts with a self-assessment "maturity model," which is a list of questions guiding co-op staff from the CEO's office and each department to help them identify their current cybersecurity capabilities.

"The best way to start is understanding what you're good at now, and where you can improve," Hsu said.

Thirty-six co-ops field-tested the self-assessment maturity model via a day-and-a-half facilitated session. At the end of the session, the team gets "an understanding for themselves of what their role is," Hsu said. Again, she reminded the audience, every employee has a role to play in protecting their co-op.

The self-assessment maturity model yields scores in five categories that co-ops can use as a benchmark to measure improvement.

"Our smallest co-op had seven staff and was able to make progress," Hsu said. "It doesn't always take a lot of money. Sometimes it just takes focus, and resources, in terms of time and governance."

Another leg of RC3 is training. Hsu's team has hosted six cybersecurity summits for co-op employees outside of IT—two were at national labs, two with academic institutions, and one with the American Public Power Association and the Electric Power Research Institute. The RC3 Program plans to hold five more summits in 2018.

To attend an upcoming cybersecurity summit, or learn more about RC3, visit the RC3 page on or contact the RC3 Program team at

Need cybersecurity help before the release of the RC3 toolkit? This RE Magazine story can help.