Michael Redman: Mapping Out Your CMMC Roadmap: Insights & Tips

runZero provides comprehensive visibility into an organization’s cyber assets and attack surface to empower risk and exposure management. By combining external scanning, internal asset discovery, cloud inventory, and API integrations, runZero maps all devices, software, vulnerabilities, owners, and other security attributes. This integrated view across IT, IoT, OT, mobile, and cloud contextualizes risk and priorities based on asset criticality and location inside or outside the network perimeter.

Barbee predicts major new vulnerabilities in 2024 that will catch security teams off guard as they remain overburdened dealing with patching and securing fundamental gaps. Additionally, more supply chain attacks will emerge from malware inserted through dependencies and software development pipelines over the last few years. He advises CISOs to focus on security fundamentals first, like comprehensive asset management, vulnerability management, and patching rather than getting distracted by the latest headlines on advanced persistent threats.

While compliance regulations provide helpful guardrails and budget for security programs, most organizations still struggle with basics like consistent vulnerability scanning, device monitoring, and patching. The smaller the company, the more they remain focused on backup, recovery, and threat detection rather than proactive security. Barbee highlights an energy company that resisted patching anything due to downtime risks, demonstrating the difficult trade-offs security teams face.

When submitting conference presentation proposals, clearly explain what you plan to discuss and why it matters to peers. Spend time refining the title and abstract from the selection committee’s perspective, rather than taking shortcuts. Ask colleagues or mentors to review and provide feedback to improve clarity and relevance before submitting.

For new security professionals, Barbee advises developing networking and communication skills instead of only focusing on individual skills development. He also encourages cementing core IT and networking fundamentals instead of only specializing in security too early in their career. He suggests considering complementary areas like risk management to broaden perspective beyond just vulnerabilities and controls.

LinkedIn Profile: https://www.linkedin.com/in/jhbarbee/

runZero: https://www.runzero.com 

Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

Patrick Garrity has over 15 years of experience spanning various marketing, sales, and product roles for high-growth cybersecurity companies. For this Kitecast episode, he delves into detail on his expertise in vulnerability management.

To start the podcast episode, Garrity discusses the rapid evolution of vulnerability management over the past few years. He notes that vulnerabilities are growing exponentially in both volume and complexity, with over 25,000 new vulnerabilities identified in 2022 compared to just 5,000 several years ago. Despite this growth, many organizations still struggle to patch even known critical vulnerabilities in a timely manner. In response, Garrity emphasizes that organizations need to focus first on addressing externally facing, actively exploited vulnerabilities before attempting to tackle everything at once with their limited resources.

The podcast episode also covers the role of AI and machine learning in vulnerability management. While emerging AI tools show promise for use cases like prioritization of vulnerabilities and automated reporting, Garrity cautions that the underlying data feeding these systems needs stringent accuracy and validation. He advocates leaning on trusted threat intelligence from established providers to help inform data-driven decisions around vulnerabilities and incident response.

Shifting gears, Garrity reflects on seminal lessons learned from his experience rapidly scaling Duo Security before its $2.35 billion acquisition by Cisco in 2018. When asked by the hosts to provide career guidance to others pursuing work in the cybersecurity field, Garrity highlights the outsized importance of continually assessing the market landscape with an eye for evolution. Similarly, he stresses that individuals should embrace openness to filling a variety of roles in early-stage companies as they grow. Finally, Garrity emphasizes the urgent need for sustainable business models in cybersecurity rather than overvalued fundraising built predominantly on hype. Underpinned by this sobering perspective, he still goes on to express optimism about the industry's overall trajectory thanks to the advent of various “secure-by-design” initiatives.

LinkedIn Profile: https://www.linkedin.com/in/patrickmgarrity/

Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

As an author, podcaster, and field CISO focused on the public sector, Dan Lohrmann brings a wealth of experience spanning over two decades. This Kitecast episode includes a discussion of Lohrmann’s recent book, Cyber Mayday and the Day After, that he co-authored with cybersecurity expert Shamane Tan. The book shares ransomware stories and insights from executives who have faced major cyber incidents. It covers best practices for preparation, response, and recovery before, during, and after an attack. Lohrmann notes these firsthand stories reveal valuable lessons for organizations of all types. 

The podcast discussion then turned to the inevitable disruption faced by today’s CISOs and cybersecurity teams. Lohrmann emphasizes the need for continuous training, tabletop exercises, and preparation for unexpected curveballs. Building an organizational culture focused on resilience rather than blame is also critical.

As conversation shifted to artificial intelligence, Lohrmann pointed out that governing and securing AI remains extremely challenging for most security teams. The proliferation of free AI tools creates substantial risk of data loss and intellectual property theft. Enterprises need much greater visibility and control over how end-users are interacting with these tools. Over the next few years, more organizations are expected to invest in enterprise-controlled AI systems focused on security and privacy.

In discussing predictions for 2024 and beyond, Lohrmann highlights his annual report compiling insights from leading cybersecurity vendors and researchers. With cyber threats growing in scale and sophistication, he emphasizes the importance of continuous learning for security leaders. At the same time, Lohrmann notes that while specific predictions should be taken with a grain of salt, the research reports paint an informative picture of what trends are unfolding.

LinkedIn Profile: https://www.linkedin.com/in/danlohrmann/

Presidio: https://www.presidio.com/

Cyber Mayday and the Day After: https://www.amazon.com/Cyber-Mayday-Day-After-Disruptions/dp/1119835305/ref=sr_1_2 

Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

In this Kitecast episode, Alexandre Blanc, a Cybersecurity Advisor and Consultant, brings his extensive 15-year background in cybersecurity and risk management into focus. With a significant online presence established since 2018, Blanc has become a prominent LinkedIn influencer for over 70,000 followers by offering critical insights aimed at bolstering organizational resilience.

During the podcast, Blanc delves into crucial cybersecurity and risk management topics, emphasizing the vital roles of data governance, robust access controls, and reliable backup solutions in risk mitigation and regulatory compliance. He points out a common oversight within many organizations—the underestimation of the business implications that outages and incidents can have.

Blanc sheds light on the predicaments that arise from the prevalent use of SaaS platforms, such as diminished control and limited visibility regarding updates. Moreover, he casts doubt on the extent of protection cyber insurance offers in the aftermath of cybersecurity events.

The discussion also ventures into the realm of emerging challenges. Blanc examines Canada’s new data privacy laws, noting how compliance is propelling security enhancements. He raises concerns about the unchecked proliferation of Internet of Things (IoT) devices and their security implications. Looking forward, he addresses the potential disruption quantum computing may pose to current encryption standards, suggesting that tighter governance and minimizing sensitive data transmissions are key to lessening future risks.

Concluding his insights, Blanc champions the cause for transparency and the cultivation of trust in the evolution of novel technologies like artificial intelligence. By recounting instances where companies concealed failures, resulting in costly long-term repercussions, he calls on technology leaders to acknowledge and communicate the potential adverse impacts of their innovations. His advocacy for informed public discourse stands as part of his broader commitment to providing a measured perspective amidst the swift pace of technological advancement.

LinkedIn: www.linkedin.com/in/alexandre-blanc-cyber-security-88569022 

RCGT: www.rcgt.com 

Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

This Kitecast episode features Jason Rebholz who has an extensive background in cybersecurity. He is currently the CISO at Corvus Insurance, which he joined in 2021. He also serves as an advisor for NetDiligence and MOXFIVE. Previously, Jason served as the VP of Strategic Partnerships for ICEBRG, which was acquired by Gigamon, VP of Professional Services for The Crypsis Group, and Manager at Mandiant.

Jason founded the educational initiative, “Teach Me Cyber,” that is available on YouTube and LinkedIn with the objective of making cybersecurity topics more accessible to general audiences. This was motivated by often seeing technical news coverage using jargon and screenshots that average readers would struggle to comprehend. Through short daily lessons on platforms LinkedIn and YouTube, Jason breaks down cybersecurity topics in simple terms anyone can understand. His goal is to help even one more person gain practical knowledge to improve their organization’s security.

In the podcast interview, Jason discussed a recent high-profile ransomware attack and provided insight into the challenges of containing and remediating active attacks, noting that it is very difficult to fully kick attackers out of an environment within a short time frame. Jason emphasized the importance of having strong monitoring and rapid response capabilities in place.

Multi-factor authentication (MFA) was another topic Jason covered. He highlighted that while MFA is crucial, organizations must be thoughtful about which types they enable, as weaker forms can still be bypassed. He advocated for the adoption of the most secure MFA options available to get the full risk reduction benefit using zero-trust principles.

Managing third-party cyber risk was also discussed. Jason argued that current third-party assessments often provide a false sense of security. He recommended assuming vendors have poor security and mitigating the impact via actions like limiting data sharing, controlling where sensitive data goes, and ensuring you can revoke access.

LinkedIn: www.linkedin.com/in/jrebholz

YouTube: www.youtube.com/@teachmecyber 

Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

This Kitecast episode features an interview with Chris Rose, a Partner at Ariento, a leading cybersecurity, IT, and compliance service provider. He has extensive experience in cybersecurity, having previously served as an instructor at UCLA where he taught cybersecurity and privacy courses. Chris holds an MBA and a master’s in computer science from UCLA, as well as a bachelor’s degree from Cal Poly.

During the podcast interview, Chris provides an overview of the Cybersecurity Maturity Model Certification (CMMC) framework and its origins within the defense industry. He explains that CMMC builds upon existing NIST 800-171 requirements for protecting controlled unclassified information that contractors already must comply with. However, CMMC adds a critical component—independent third-party assessments done by C3PAOs (Certified Third-party Assessment Organizations).

Chris believes CMMC will likely gain final approval in early 2024 based on the rulemaking process. He notes that reciprocity with frameworks like FedRAMP could help ease the compliance burden for contractors. For companies using cloud services, Chris strongly advises leveraging solutions that have achieved FedRAMP Moderate Authorization or above.

When asked about readiness across the Defense Industrial Base (DIB), Chris indicates that primes are pushing their subcontractors to get prepared. However, smaller companies are still in a wait-and-see mode in some cases, trying to weigh the costs versus risks. He emphasizes that companies should focus first on proper scoping of assets and information that will be in scope for CMMC assessments.

Chris also provides tips for selecting a C3PAO, noting that risk mitigation and technical competence are top evaluation criteria for most mid-market and enterprise clients. He also discusses Ariento’s experience with adjacent standards like FedRAMP, ISO, and ITAR that provide relevant expertise for CMMC advisory services.

LinkedIn: www.linkedin.com/in/cmmc

Ariento: www.ariento.com 

Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

Katie Arrington, former Chief Information Security Officer (CISO) for the U.S. Department of Defense and member of the US House of Representatives, discusses her experience as CISO, noting that the position was newly created in 2019 to address urgent cybersecurity threats. In the role, she aimed to establish consistent standards for cybersecurity across the Department of Defense, including weapons systems, critical infrastructure, and the defense industrial base. A key challenge was overcoming the different cybersecurity approaches between military branches and establishing a unified culture.

Regarding the Cybersecurity Maturity Model Certification (CMMC), Arrington explains it was initially conceived as a unified standard for defense contractors to demonstrate implementation of NIST 800-171 security controls. Hundreds of industry representatives helped develop CMMC 1.0. Arrington expresses that she regrets not fully eliminating the use of Controlled Unclassified Information (CUI) as an indicator of whether contractors needed certification, believing all defense contractors should adhere to CMMC standards given growing threats.

Arrington highlights the massive cyber threats posed by nation states like China, Russia, Iran, and North Korea, which she says are targeting U.S. defense contractors to steal key technologies and intellectual property. She points out that China has a dedicated cyber army aimed at making China the world’s economic superpower. Russia has shown its cyber capabilities already in interfering with elections. These adversaries are relentless in exploiting vulnerabilities across the entire supply chain.

For defense contractors bidding on DoD projects, Arrington authored a white paper that estimates per-employee costs for cybersecurity based on company size. She believes contractors should build these costs into project bidding. Arrington argues CMMC is now just about verifying NIST 800-171 compliance, not evaluating maturity, so she anticipates the name changing in the future. In preparation for CMMC 2.0 Level 2 compliance audits, she recommends that contractors proactively get audits now rather than waiting until CMMC becomes a DIB mandate to address urgent threats.

Regarding supply chain risks, Arrington indicates primes cannot fully see risks beyond tier-one suppliers. She urges primes to contractually require CMMC certification from all subcontractors to improve security against threats that can enter anywhere in the supply chain.

Arrington stresses that cyberattacks are constant and rapidly evolving. No organization can be 100% secure. However, by implementing standards like NIST 800-171, organizations can mitigate these risks. Adherence to cybersecurity frameworks is critical today, an important focus for national security as cyber threats continue escalating.

LinkedIn Profile: https://www.linkedin.com/in/katie-arrington-a6949425/ 

Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

CEO and Entrepreneur Jean Phillip Bernier, the CEO of AnniQ and Spin Quantum Tech, shares his enthusiasm for AI and Quantum Computing technology advances. Bernier tracks the progress of Quantum Computing, especially IBM’s rapid development from a 5-qubit machine in 2017 to a prediction of a 100,000-qubit machine by 2033. The staggering quantum processing power, he believes, could unlock problem-solving potential beyond our current imagination.

Bernier spotlights the role of cloud computing in democratizing technology. He reminisces about the early computing era when Sun Microsystems’ technologies were out of reach for many due to high costs. Cloud computing has flipped this narrative, transforming sophisticated, expensive technology tools to something affordable to organizations of virtually any size. Anyone with a credit card can delve into Quantum Computing capabilities. This, in turn, fosters a thriving community of quantum algorithm enthusiasts and learners.

Bernier explores three real-world applications of Quantum Computing: 1) business operations optimization, 2) AI algorithm acceleration, and 3) most significantly, a unique encryption method known as “entropic encryption.” This approach is a game-changer for data security. Traditional encryption relies on the secrecy of a single key, which is under threat with quantum technology’s ability to consider all possible solutions simultaneously. Entropic encryption offers a fresh perspective by harnessing the inherent chaos and entropy of quantum states, hiding data in a sea of what appears to be random noise. The data is unreadable without the correct pattern, providing a new layer of security and a multiplicity of decryption avenues.

To make sense of the complex Quantum Computing world, Bernier draws parallels between Newton’s concept of gravity and the superposition principle in quantum mechanics. Just as gravity influenced falling objects before Newton quantified it, Quantum Computing uncovers existing, yet previously unexplored data patterns. At the same time, Bernier acknowledges the nascent state of Quantum Computing, referring to recent incidents of broken algorithms as a part of the technology’s learning curve.

When it comes to cybersecurity, Bernier predicts a convergence of AI and Quantum Computing. He shares about an ongoing project Spin Quantum Tech is managing with a U.S. company, where they are leveraging both Quantum Computing and AI to develop a novel anti-ransomware solution. The team is capitalizing on the power of Quantum Computing to rapidly explore a multitude of decryption keys, paired with AI’s predictive and learning capabilities, to swiftly identify and implement the correct decryption pattern. This fusion of technologies is expected to create a dynamic solution, capable of not only recovering information held ransom but doing so in a manner that eliminates the necessity for victims to negotiate with cybercriminals. The project is pioneering in its approach and could radically reshape the cybersecurity landscape, providing robust defenses against the ever-evolving threat of ransomware.

LinkedIn: https://www.linkedin.com/in/jean-phillip-bernier-artificial-intelligenge-marketing-analytics-quantum-computing/

AnniQ: https://www.anniq.ai

Spin Quantum Tech: https://spinqtech.com/ 

Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

Billy Spears, Teradata’s CISO since 2021, stresses reciprocal learning and community in cybersecurity in a Kitecast episode. He believes each interaction offers learning potential and guides his volunteering decisions based on potential mutual benefits.

Spears discusses the evolution of cybersecurity standards since his time at the Department of Homeland Security. Initial efforts focused on creating policies and frameworks, while today's challenge is managing an overabundance of inconsistent frameworks. Companies need to navigate from the least to most restrictive frameworks, factoring in their needs, risk tolerance, global economic influences, regional regulations, and data handling practices. Spears highlights that compliance, while important, is not the sole determinant of strong security.

Spears emphasizes resource and cost management in implementing new cybersecurity technologies. As a CISO, he believes in cross-functional thinking across IT systems, including product, engineering, and marketing. The impact of technology solutions on business decisions must be considered holistically, assessing financial aspects with procurement teams for a comprehensive impact evaluation.

The cybersecurity skills shortage continues, and Spears suggests three mitigation strategies. First, avoid bias in recruitment towards candidates who reflect hiring managers. Second, dispel the misconception that cybersecurity is solely technical and hire non-technical roles like auditors, project managers, and governance professionals. Finally, combat the retirement of senior leaders by thinking creatively in recruitment, promoting cross-training, community engagement, university partnerships, and succession planning.

Spears emphasizes understanding the variety in AI. It’s not a single product but an array of algorithms and models used for different outcomes. Awareness of these differences is critical in cybersecurity to discern the benefits and risks of each AI model, like understanding blockchain. He advocates for education as key to navigating AI’s advantages and potential hazards.

LinkedIn: www.linkedin.com/in/billyjspears/

Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

Eddie Doyle, a renowned Security Strategist and Speaker at Check Point Software, has a fascinating career journey in the fast-paced field of cybersecurity. Doyle first understood the importance of cybersecurity in 2007 when he joined Check Point Software. Back then, it was a transformative phase; IT departments were just beginning to comprehend the concept of data centers to deal with the data influx post the dot-com era.

Interestingly, Doyle noticed that while these data centers were physically half-empty, they consumed immense power and cooling resources. Doyle navigated the rapidly evolving cybersecurity landscape, witnessing the rise of threat actors who managed to bypass physical security measures by infiltrating systems virtually—a phenomenon triggered by data outsourcing. This necessitated the introduction of network security, a critical aspect in the digital world today.

As technology advances at an unprecedented pace today, so does the acceleration of cyber threats and associated risks. Doyle is a firm believer in the effectiveness of defensive strategies over offensive ones. He points to the legal and reputational hazards of aggressive cybersecurity measures and emphasizes the need to maintain a defensive stand. Despite the challenges of the Digital Age, Doyle is very optimistic about cybersecurity’s future, especially considering the emerging industry trends. He believes that security measures, if comprehensible and straightforward, are more likely to be implemented.

Doyle uses various anecdotes from his career to illustrate his points and provide more context. Innovation can be inherently insecure, despite cybersecurity’s primary goal to protect and secure. He shares a valuable insight from a military representative who advocated for the concept of “failing forward.” This idea implies that once a cybersecurity threat has been identified and contained, it’s essential to continue looking forward and adapt, a perspective different from the typical commercial response that halts after containment.

Doyle highlights the complexity of legal issues arising from offensive cybersecurity measures, such as retaliation against a cyberattack. He also provides insight into the Dark Web’s reality, discussing the proactive measures taken by his team to stay a step ahead of potential threats. Discussing the role of private industries and citizens in cybersecurity, Doyle notes that while industries aim to defend against cyberattacks through their products and services, they generally avoid an offensive stance due to legal implications.

Doyle paints a grim picture for cybersecurity professionals. Expanding upon the methodology of cybercrime syndicates who exploit system vulnerabilities, he highlights the diabolical precision of their operations, frequently helmed by psychopathic individuals launching phishing emails and targeting victims.

Doyle reiterates the expansive global reach of such cybercrime syndicates, pushing for the creation and implementation of strategic cybersecurity tools to fend off such sophisticated attacks. He additionally emphasizes the potential of blockchain and artificial intelligence in fortifying cybersecurity measures. Acknowledging the current crisis of misinformation and declining trust in media and leadership, Doyle identifies blockchain technology—with its transparent, decentralized system for verifying authenticity and securing personal information—as a groundbreaking solution and the benefits of safeguarding personal data.

LinkedIn: https://www.linkedin.com/in/edwin

Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.