The Policy Playbook for Cyber Resilience
An interview with Jeff Le, public policy and national security expert
Cybersecurity used to live in the server room: abstract, technical, and largely invisible to the average person. Today, it sits at the center of modern life. It governs whether hospitals can deliver care, whether fuel reaches cities, whether financial systems remain stable, and whether individuals can trust the digital world they rely on every day.
Few people have had a front-row seat to that transformation quite like Jeff Le.
Over the past two decades, Le has operated at the intersection of public policy, emerging technology, and national security—advising governments, shaping legislation, and helping private sector organizations navigate an increasingly complex digital landscape. From state capitols to Washington, D.C., and across global institutions, his work reflects a fundamental shift: cybersecurity is no longer just an IT concern. Rather, it is a public infrastructure issue, a workforce challenge, and increasingly, a human one.
Because for all the sophistication of today’s threats, one truth remains unchanged: the most advanced systems in the world are still operated, and sometimes compromised, by people.
In this conversation with Le, we explore how cybersecurity has evolved from a technical discipline into a core pillar of public infrastructure, why human judgment remains the most persistent vulnerability, and what it will take to build more resilient organizations in an AI-driven threat landscape.
NINJIO: You’ve worked at the intersection of technology, government, and public policy for more than two decades. How has the role of public policy evolved in shaping cybersecurity strategy across both the public and private sectors?
Jeff Le: Cybersecurity used to be largely industry-driven. Innovation moved fast, and policy followed slowly behind. But as technology became embedded in every part of daily life—from healthcare to agriculture to transportation—it stopped being a niche issue and became everyone’s problem.
Now policymakers recognize that technology is foundational to economic growth, national security, and public trust. You’re seeing this reflected in everything from the White House’s national cyber strategy to a surge in state-level legislation focused on emerging technologies. There are now thousands of bills being considered across the country related to AI, data security, and cyber resilience.
At the same time, we’re seeing a much closer partnership between government and industry. The federal strategy is increasingly focused on shared responsibility—where private sector operators play a role not just in defense, but in actively deterring cyber threats.
NINJIO: From your vantage point, how important is the human element when thinking about cyber resilience?
Jeff Le: It’s critical. At the end of the day, people are still driving decisions, strategy, and execution. And when I look at breaches or cyber incidents, there’s almost always a human component.
Whether it’s phishing, social engineering, or credential theft, these attacks often succeed because of human judgment. No amount of tooling can fully compensate for that. Culture and training matter. Awareness matters. Even something as simple as pausing for a few seconds before responding to an email can make a difference.
NINJIO: What policy shifts have driven cybersecurity from an IT issue to a matter of national security?
Jeff Le: The biggest shift has been the realization that critical infrastructure is constantly under attack. Energy, water, healthcare—these systems are essential to everyday life, and about 80% of them are operated by the private sector.
When something goes wrong, the consequences are massive: service disruptions, economic loss, even risks to human life. Events like WannaCry, SolarWinds, Colonial Pipeline, and the Change Healthcare breach made it clear that cybersecurity failures aren’t isolated incidents—they’re systemic risks. Those moments forced policymakers to recognize cybersecurity as a public infrastructure issue, not just a technical one.
NINJIO: How should organizations rethink third-party and supply chain risk?
Jeff Le: Most organizations don’t have full visibility into the security posture of their vendors, subcontractors, or partners. But if you’re connected to those systems, their vulnerabilities become your vulnerabilities.
That’s especially concerning in environments with outdated infrastructure—like operational technology systems in utilities—where you still see basic security gaps. Organizations need to prioritize vendor transparency, continuous monitoring, and redundancy planning. In many ways, this is common sense, but it’s not consistently applied.
NINJIO: Why are cross-sector coalitions so critical in cybersecurity?
Jeff Le: Different sectors operate with very different constraints. A rural hospital doesn’t face the same challenges as a large urban system. Coalition building allows similarly situated organizations to share insights and solutions that actually make sense in their context.
At the same time, we’re seeing more cross-sector collaboration—transportation, universities, utilities—all advocating together for funding, smarter regulation, and better information sharing.
NINJIO: What are the most promising approaches to closing the cybersecurity talent gap?
Jeff Le: There are roughly 500,000 unfilled cybersecurity jobs in the U.S., and likely more. The issue isn’t demand; it’s the pipeline. We’re starting to see progress in a few areas: expanding vocational and alternative training pathways, reducing unnecessary credential barriers, and leveraging AI to lower the entry point for meaningful technical work.
Some states are even rethinking degree requirements altogether. The goal is to broaden access and bring more people into the field, because the traditional pathways alone won’t close the gap.
NINJIO: How can policymakers ensure cybersecurity keeps pace as more communities adopt digital technologies?
Jeff Le: This is one of the hardest challenges right now. We’ve made progress on access (broadband expansion, for example), but resilience is a different issue.
Many community systems, like public libraries, are underfunded and lack basic cybersecurity infrastructure. These are often the primary access points for underserved populations, yet they’re operating with outdated systems and limited protections. The next phase of policy needs to focus on sustaining and securing these systems—not just building them.
NINJIO: As threats increasingly target people, how should organizations rethink cybersecurity education?
Jeff Le: We need to start earlier and scale better. Cyber awareness shouldn’t begin in the workplace; it should start in schools. Basic digital literacy and cybersecurity hygiene are foundational skills now. At the same time, organizations need to recognize that human risk isn’t just about preventing clicks. It requires resilience; this means going beyond basic training and offering programs that lead to behavioral change. People will make mistakes. The question is how quickly you can detect, respond, and recover.
And none of this works without executive buy-in. Cybersecurity has to be a C-suite priority.
NINJIO: What developments will shape the future of cybersecurity policy?
Jeff Le: AI is the biggest wildcard. There’s ongoing debate about how much regulation is appropriate, especially at the federal versus state level. It’s one of the few truly bipartisan issues right now, particularly when it comes to national security and protecting children online.
At the same time, we’ll see continued emphasis on data security, transparency, and resilience. The organizations that succeed will be the ones that treat cybersecurity not as a compliance function—but as a strategic imperative.
About Jeff Le
Jeff Le is Managing Principal of 100 Mile Strategies, a public sector navigation and technology consultancy, where he advises organizations at the intersection of cybersecurity, public policy, and emerging technology. With more than two decades of experience across government and industry, he has led public policy and government affairs functions for leading technology companies including SecurityScorecard, VMware, and Conduent, shaping strategy across cybersecurity, supply chain risk, and digital transformation.
Le previously served as Deputy Cabinet Secretary to California Governor Jerry Brown, overseeing government operations for 40 million residents and supporting initiatives spanning homeland security, disaster response, and innovation. His career also includes roles in Congress, global institutions, and international service in Afghanistan, giving him a uniquely comprehensive perspective on national security and public sector resilience.
Jeff Le Social:
LinkedIn: https://www.linkedin.com/in/jeffreyle/
X: https://x.com/JeffreyDLe
Frequently Asked Questions
A: Cybersecurity now underpins essential services like healthcare, energy, and financial systems. Disruptions can impact public safety, economic stability, and trust, making it a core part of national infrastructure rather than just an IT function.
A: Human judgment is a major factor in most cyber incidents. Attacks like phishing and social engineering succeed because people make decisions under pressure or without full context, making awareness and training essential.
A: Public policy has shifted from reactive to proactive, with governments now treating cybersecurity as a shared responsibility between public and private sectors. This includes legislation, national strategies, and increased collaboration.
A: Organizations are interconnected with vendors and partners, meaning vulnerabilities in one system can impact many others. Limited visibility into third-party security makes this a major risk area.
A: Organizations need to go beyond basic training and focus on behavior change, early education, and rapid detection and response. Building a strong security culture and securing executive buy-in are key to long-term resilience.
About NINJIO
NINJIO’s human risk management platform reduces cybersecurity risk through personalized security coaching, engaging awareness training, and adaptive testing. Our multi-pronged approach to risk mitigation focuses on the latest attack vectors to build employee knowledge and the behavioral science behind social engineering to sharpen users’ intuition. Our simulated phishing and coaching tools build a proprietary Emotional Susceptibility Profile for each user to identify their specific social engineering vulnerabilities and change behavior.