When a small water authority in Virginia struggled to turn its cybersecurity plans into action, Christopher Cruz stepped in. As a newly certified Cyber Coach with the Cyber Readiness Institute (CRI), Cruz helped the organization simplify its roadmap, prioritize critical steps, and finally implement long-delayed security measures.
“They were able to implement some of those controls they had been struggling with by reframing the problem and how they approached it,” he recalls. “It was really cool to see the program not just educate, but turn into tangible wins for organizations.”
For Cruz, who serves as Cyber Program Manager for the Virginia State Police, moments like these demonstrate why coaching matters. Cybersecurity can feel intimidating, especially for resource-constrained organizations. But with the right guidance, even the most complex problems can be made manageable.
Cruz’s day job involves working with state and local government partners and critical infrastructure operators across Virginia to strengthen digital defenses. He was drawn to the CRI coaching program because it extended that mission in a new way.
“I was inspired to take on this coaching role because it overlapped with a lot of my work,” he explains. “But it gave me the opportunity to work directly with partners in the water sector—an area law enforcement hasn’t traditionally focused on. I learned a ton about how they operate, and I got to share my knowledge to help guide them through the process.”
The certification process itself was designed to be practical, not burdensome. Coaches-in-training completed CRI’s Cyber Readiness Program, practiced mock sessions, and met with peers to refine their skills.
“It wasn’t difficult or overwhelming,” Cruz says. “There’s a level of commitment, of course, but the trainers made it realistic. We practiced the most important parts—building rapport, asking the right questions, and keeping partners accountable. The tools and guidance we got really did translate into the real-world experience.”
One of Cruz’s biggest takeaways from coaching is how much relief participants feel once cybersecurity is discussed in clear, simple language.
“Some of the biggest benefits are making complex topics digestible,” he explains. “Whether I’m talking to industrial control system experts or someone in finance suddenly asked to handle security, there’s always discomfort at first. CRI does an amazing job of making cybersecurity understandable for a wide audience. I can see the relief on people’s faces as they realize it’s not as scary or technical as they thought.”
This clarity quickly leads to progress. By breaking down CRI’s “core four” security practices— passwords+ (multi-factor authentication), software updates, phishing awareness, and secure file sharing and storage–into actionable steps, organizations that once felt stuck can move forward with confidence.
Cruz emphasizes that cybersecurity isn’t just about technology—it’s about people. In fact, most cyberattacks exploit human error, not technical flaws.
“The targeting of the human is still such a huge part of why attacks succeed,” he says. “Doing cybersecurity well is just as much about culture as it is technology. You can have every firewall and intrusion detection system in place, but if people don’t follow procedures, you’ll always have gaps.”
That human-centered approach is one of the reasons Cruz values the Cyber Readiness Program. It helps organizations build not only stronger defenses, but also healthier security cultures.
Initially, Cruz admits, he was unsure whether he had the right background to serve as a coach for water-sector organizations. But feedback from participants quickly changed his mind.
“The coaching model really is a big reason why organizations enjoy the program,” he says. “Having a trusted partner to go to—even just someone to vent to—is huge. It becomes a real partnership where they can ask questions, explore ideas, and get connected to resources they didn’t know about.”
That trust often fills a critical gap. Many small organizations lack internal cybersecurity expertise, leaving them isolated as they confront increasingly sophisticated threats. Coaching gives them not just guidance, but also a peer relationship.
“One of the biggest things I hear from under-resourced organizations is, ‘If we can’t have more money and more stuff, we need more partners,’” Cruz explains. “Coaching fills that need.”
Cruz’s dedication to coaching extends beyond cybersecurity. He also teaches cybersecurity policy at Virginia Commonwealth University and volunteers as a running coach.
“The same way I coach a runner to get stronger, better, faster, the Cyber Readiness Program helps organizations get stronger, better, faster in cybersecurity,” he says. “The rewarding part is building relationships and seeing how investing in those partnerships generates tangible outcomes.”
The parallels are clear: whether in athletics, academia, or cybersecurity, effective coaching means simplifying complexity, building confidence, and providing encouragement.
Cruz believes the coaching model has a bright future in cybersecurity. The lessons learned through CRI, he says, are “100% applicable” across critical infrastructure sectors, making them a powerful tool for building resilience at scale.
“Coaching in cybersecurity has long been overlooked,” he reflects. “It’s not widely available, but it’s needed. This model provides the partnerships, connections, and input that help organizations move forward. That’s powerful.”
For Cruz, coaching is more than a professional responsibility—it’s a way to empower communities. By helping under-resourced organizations build cyber resilience, he is ensuring that more partners across Virginia, and beyond, can face today’s threats with confidence.
