Most pools and JPAs now offer members some form of cyber risk service. The range of what sits behind that phrase is wide. At one end is the portal-and-discount model: members receive a login, a resource library, a list of discounted vendors, and an automated alert feed. At the other end is a member-centric program: a funded service that a team delivers in person, member by member, throughout the year.
The two models sound alike in proposals. Both describe assessments, training, monitoring, and incident support. The difference shows up in engagement data. In our experience, when a cyber benefit is delivered as a portal and a list, a small fraction of members ever use it, and the members most likely to engage are the ones with mature IT functions who need the help least. The members carrying the most risk rarely log in.
That pattern matters because loss control only happens at members that participate. A benefit that 10 percent of members use protects roughly 10 percent of the portfolio. The rest of the pool's exposure is unchanged regardless of what the program cost.
The components below define what member-centric delivery includes, so administrators have a working vocabulary for evaluating what is actually being offered.
The components of a member-centric program
Funded, unlimited assessments
The assessment is the front door to everything else. It establishes the member's posture, builds the relationship, and produces the roadmap the rest of the program executes against. A member-centric program funds assessments at the pool level and removes the per-use decision: any member can request one at any time, and the program's stated goal is to move every member through the cycle rather than wait for volunteers. When assessments are unlimited and funded, the conversation with a member changes from whether to buy one to when to schedule it.
A human contact model
The largest single difference between the two models is whether each member has a person. In a member-centric program, members know the name of the consultant who serves them, and that consultant knows the member's environment, history, and constraints. An alert feed can tell a member that something is wrong; a person who knows the member can explain what the finding means in context, say what to do about it, and follow up to confirm it happened. The posture attached to that person matters as much as the staffing. The programs that earn engagement are the ones that start with yes when a member asks for help, even when the request sits outside the formal catalog.
Embedded presence in pool operations
A member-centric program operates inside the pool's existing rhythms rather than alongside them. In practice that means joining pool meetings, presenting at member conferences, helping run IT committees, and standing up program resources under the pool's own brand, including program microsites members recognize as theirs. Embedded presence is how a program reaches the members who would never respond to an email from an unfamiliar vendor.
Training delivered where members are
Most programs include training content. The member-centric standard is delivery: staff awareness training, executive briefings, and help-desk-specific training, available in formats members can actually run, including LMS-ready packages for members with their own learning platforms. Recurring touch points, such as a monthly awareness newsletter and coordinated campaigns, keep the material in front of staff between formal sessions. The test is not whether content exists but whether it reaches people who would not have gone looking for it.
Monitoring with follow-through
External exposure scanning, continuous risk profiling, and dark web checks appear in most program proposals. The defining question is what happens after a finding. In a member-centric program, a finding triggers contact: a person reaches the member, explains the issue in plain terms, helps prioritize it against everything else on the member's plate, and tracks the remediation to a conclusion. Monitoring without that follow-through produces awareness rather than risk reduction.
Incident support across the full cycle
Incident capability in a member-centric program covers three phases. Before an incident, members receive response plans, readiness reviews, and tabletop exercises that give leadership practice ahead of the real call. During an incident, members get same-day guidance, because the first hours shape much of the outcome. Afterward, a post-incident assessment is included in the program rather than sold as a separate engagement, so the lessons are captured while they are fresh.
Measurement at the member and pool level
A program should be able to tell an administrator, at any point in the year, where risk concentrates across the membership and whether it is moving. Doing that well requires fusing external signals with member-reported data, keeping the picture current rather than annual, and expressing it in a form a board can use. Pool-level platforms exist for this purpose; ours ranks every member by cyber risk with drill-down to the detail behind each ranking. Whatever the tooling, the standard is the same: the administrator should not have to assemble the portfolio picture by hand.
Recognizing the difference in a vendor conversation
Proposals describe capabilities, but delivery models reveal themselves under specific questions.
- Ask what share of a comparable pool's members engaged with the service in the past year, and how the vendor counts engagement.
- Ask whether assessments are funded and unlimited, or priced and rationed per member.
- Ask who a member calls with a question, and whether that person would recognize the member's name and environment.
- Ask when the vendor last presented at a client pool's member conference or sat in on a member IT committee.
- Ask what happens after a scan finding: who contacts the member, in what form, and who confirms the fix.
- Ask whether post-incident assessment is included in the program or invoiced separately.
- Ask to see the portfolio-level reporting an administrator receives, and whether it shows movement over time.
A vendor operating a member-centric program answers these questions quickly and specifically, usually with names and examples. A vendor operating a portal-and-discount model answers with platform features.
What changes when members engage
When engagement rises, the program stops being a benefit line and becomes a loss-control instrument. Assessments completed across most of the membership give the pool a real posture baseline. Findings get remediated because someone follows up. Training reaches staff at members that would never have scheduled it on their own. The administrator's role shifts from purchasing a benefit and hoping members use it to governing a program with visible results.
We have built our practice on this model, serving as the appointed cyber risk consultancy to more than 400 institutions and protecting more than two million students and more than 2.5 million people overall. The model itself is simple: a person who knows each member, backed by funded services and continuous visibility, operating inside the pool's own rhythms. The components above are how to recognize it, whoever is offering it.