Effective cybersecurity isn’t just a checkbox – it’s an ongoing investment in resilience. It starts from the top, where collaboration between IT and leadership paves the way for a secure digital future. In this episode, we have Seth Guntharp to shed light on the challenges and triumphs of achieving CMMC (Cybersecurity Maturity Model Certification). Seth spares no details— he discusses CMMC’s evolution, the changing landscape of compliance regulations, the crucial roles of CEOs, and more. Tune in and learn how to be ready to tackle cybersecurity challenges head-on!
Watch the episode here
The CMMC Evolution: A CEO’s Guide To Cyber Resilience With Seth Guntharp
In this episode, our guest is Seth Guntharp. I’m going to start here and give a little bit of background here on Seth. He lives next to the most dangerous river in the US with moose, coyotes, and bears. He also can climb mountains in a single day with his wife. Here we are with Seth. Welcome, Seth.
How are you doing?
Great. It’s good to have you here. We’re going to jump right in here. Coming from your background, how would you explain the difference between cybersecurity and cyber risk?
Cyber risk is all the threats that a company faces every day. Cybersecurity is what we do to mitigate, manage, assess, and respond to the potential threats that a company faces, whether that be an insider threat, a hacker on the outside, or social engineering, which is one of the bigger security threats.
One is a little more proactive than reactive, would you say?
From that standpoint, what’s the biggest risk that companies are facing when it comes to cybersecurity or cyber risk?
With cyber risk, I would think from what I have seen, it’s user awareness training or a lack thereof, social engineering. Everyone always talks about phishing emails and everyone is always trained on phishing emails. It’s hard to run into a company that doesn’t have some phishing campaign going on to train their users. When you come into contact with a real phishing email and it gets into a company from a user clicking yes to the $10,000 credit card they won, things happen quickly.
The thing you thought never happened starts to unfold in front of you. You’re faced with this whole new set of circumstances that, hopefully, you have prepared and trained for. The number one risk is a lack of user awareness in the cybersecurity headspace. Most people think of cybersecurity as the IT guy in the basement. They only see when there’s a problem. Nobody thinks of the end user, the CEO, or the CFO as being huge targets. A lot of times, they aren’t trained in the manner that they need to be to combat the risk.
They find that they’re busy or they’re trying to do other things that they think are more strategic. They become the target because they are the ones who are willing to click on those things. They’re moving quickly or distracted by something else. It causes that issue.
I often wonder about the challenges that executives face when it comes to something cybersecurity-related. If it’s something they’re not familiar with and they’re not trained at all, it almost seems like there’s a degree of not being able to understand whether or not they are experiencing phishing. They think it’s a regular message. I wonder if security awareness training is enough or if more intimate exercises are necessary for the executive teams. What are your thoughts?
In the beginning, we had generic awareness training. This is how to spot phishing alerts and scam emails. We found out that targeted training and one-on-one training, though they are much more intensive and much more demanding on the IT side, do help a lot better at real-world informing a CEO or an HR manager that this is a scam and fake and how to address it.
A lot of times, a user will come across an email that’s phishing. They’ll exchange 2 or 3 emails. They are testing the waters. “Is this real? Is this not?” Before they get to the point of talking to the IT guy or the SOC manager, they say, “This is suspicious. Let’s look into it.” By then, they’ve already exchanged information to some degree. We have found that the generic awareness training isn’t enough. Personal awareness training or the IT guy posing as a bad hatter to try to set up a real scenario, we found that trains users a lot more.
At this time, with the company that I’m with, all of our users are paranoid when it comes to emails. They’re afraid to click on any link. That’s how it should be. From where we were in 2022, we’ve come about a complete 180 in how we address user awareness training and how we train our users. We found that the more personal approach of sitting at the desk side by side with the higher executives tends to get a lot better results.
What did you do to make it a 180 besides adding personnel training? People had to get on board and almost change their mindset. What’s your secret recipe there?
The hardest part of IT is dealing with the end user and changing habits that have been ingrained for the last several years for some of them when it comes to how they treat a computer or an email. A lot of it was we took away a lot of the user’s ability to do certain things on the computer, whether they couldn’t go to certain websites, email certain things, or copy text from an email to another email. If they sent over a potential credit card, it would bounce the email back to them and say that you can’t send this information.
While that was incredibly annoying to the end user, they began to get the picture that this is something that they need to be paying attention to. They can’t send a password over a plain text email or even an encrypted email, and then inspect and expect it to be received successfully without being seen by someone else who shouldn’t see it. It’s a process that is not overnight.
Training users on how to do something differently that has been ingrained in their heads is one of the slowest things that I’ve seen coming into this position. I came from the school districts where we did this with 600, 700, and 800 teachers. It took us years before we got those few bad apples to figure out how to address emails or not to click reply when telling everyone what the password to the Wi-Fi is. A lot of times, the IT guy’s the bad guy and that’s not received well.
It made me rethink a simple assumption that you’re either using a carrot or a stick. There’s a third part there, which is the access. What can you and can you not do? Most users would see that as a stick. Were there any motivations from the executive, like using a carrot, “If you take this training, you get free stress ball toys?” Is there any of that going on?
The motivation behind it was from a level that we had to have training to meet compliance. There is a difference in security and compliance. You’ll hear any security guy say that being compliant is not necessarily being secure. What we found was that the level of compliance that we were shooting for with CMMC was so ingrained in the executive level that we had to find a way to trickle it down to meet everyone because it did affect everyone.
The executive level was very well-versed in the compliance nature. When you get down to the guys that carry the hammer, put on the tool belts, and drive the work trucks, they don’t care at all about it. All they care about is getting what’s on the plans into reality. It shouldn’t be their responsibility to worry about cybersecurity. When you’re faced with this user who has a laptop, this user can’t leave this laptop at McDonald’s like they used to anymore or can’t leave it unlocked in their work truck when they’re not there, that’s a real security threat and issue. The training had to make its way down there.
It was more with the stick than with the carrot. At the end of the day, the carrot works. In some instances, it looks good on paper because when you’re looking at that completed list of everyone who’s completed their awareness training and you see green checks for 700 employees, that looks great on paper and from an executive standpoint.
When you go up to this user and say, “Where’s your laptop right now,” they say, “It’s in my truck.” Did that training help? That’s what we started to see. That’s where the stick had to play a bigger role. It depends on the company and whether you’re a law firm or guys with hard hats walking around. It highly depends on the user and the nature of their work.
The experience reminds me of a gal who went through doing the same thing but for all the pilots at United Airlines. She was in charge of cybersecurity awareness training. It’s the same thing. “Where’s your laptop, pilot?” These things that they have access to are sensitive such as flight schedules and flight plans. How do you get those people trained? Her challenge was they’re in the air and there’s also collective bargaining. How do you allot that time to get those pilots cybersecurity awareness trained? Did you have similar troubles? Was it easier or more difficult?
It was difficult at first. Now that we’ve been doing it for a few years with a software company we’re with, it’s flawless. In the beginning, we were faced with rolling out awareness training to get the box checked for compliance. Eventually, we rolled it into the maturity of our cybersecurity, where we have quarterly or annual security training. We send out emails to all our employees saying, “You have to do this.”
If they go past their training by 1 week or 2 weeks, we start getting notified. It gets down to the point where they don’t work until that training is complete. They can’t carry a laptop onto a job site. They can’t drive a work truck until we see that training is complete and they proficiently know it. That’s the stick method.
I’m sure there are carrot ways that work but when you try to get an electrical engineer to sit down and watch a 45-minute video on cyber risk and mobile device management, I’ll be honest, there are much better things that I would rather be doing with my time than watching that video. It is necessary and the information in the video is good. It does stop threats in the real world if the user replies to it. That’s why with cybersecurity, there’s a layered approach. The first first line of defense is the user. If whatever makes it past the user, you have everything else technical to stand in the way of whatever bad thing he clicked on.
You mentioned before that you had done some CMMC items. In your opinion, how should CEOs prioritize cyber risk from that standpoint? It’s probably more than just a want at that point. Is that correct?
CMMC has been growing in the cyber landscape from 2015 to 2017. In large part, CEOs have been virtually silent on it, at least from my experience in talking with other companies and attending cyber conferences because there’s still so much ambiguity in the CMMC headspace. It’s still a moving target. “Here’s your compliance goal. We won’t tell you how to get there but you have to get there regardless.”
I can see where a lot of companies shy away from that because CMMC is one of those things that, for the small company up to the Fortune 500 company, the cost of implementing it is the same in terms of how the security controls were implemented and the upfront cost. A lot of small companies can’t make that jump, at least not overnight. A lot of companies can’t make that jump over the course of 2 to 3 years because the expense is great.
We’ve been talking about that and how the CFOs can create a budget. We helped a company that was a sub of a prime get with that prime. They were able to get some funding from the prime to continue what they were doing as a subcontractor. There are ways of doing it because finding the budget and understanding the need for those controls, there might be a business that’s being left on the table specifically by not following through with either CMMC or other compliance items, whether it’s SOC 2 or other frameworks. There’s a need for being able to protect data in this world. That’s becoming more apparent through the controls and frameworks. It’s not just the technology anymore.
It’s so much more than the IT guy in the basement and the firewall from 2006 that’s been running nonstop for several years. When you look at cybersecurity, especially in relation to CMMC or NIST 800-171 and 172, the mountain that you have to climb is almost astronomical. That’s exactly how our company went into it. We had that firewall from 2006. We were running all of that outdated. It was terrifying. Seeing where we started from where we’re at is not a quick process. You can throw all the money and resources in the world and it’s still going to take years.
I’m proud of how long a server’s been up without being updated or rebooted. The kernel is several years old and look at how great I know. We’ve had to change some of those views from a technical standpoint. Understanding it from the executive standpoint, they always want things up and available but understanding the risk of how to get there, what those controls need to be, and doing patching and all the rudimentary things to get there has always been a challenge for IT. There are things that are happening between AI, CMMC, and the compliance side of things. From your perspective, what emerging trends do you believe will have a profound impact on cybersecurity in the future?
Whenever this question is brought up, everyone always tends to jump to AI being the newest and greatest thing. Don’t get me wrong, I love AI. I love the AV platform SentinelOne. It uses behavioral AI. It’s awesome. It’s cool watching it learn from algorithms. With emerging trends, I’m seeing more companies pay a greater amount of attention to their cybersecurity posture.
I’ve started seeing this more in 2022. MSPs are becoming more popular. They’re popping up all over the place. They’re starting to learn how to cater to smaller businesses. I’ve seen CEOs start to pay attention to cybersecurity, not so much with compliance, CMMC, NIST, HIPAA, or whatever flavor of compliance you have but cybersecurity has been a trend that I have seen. Small businesses, nonprofits, and third parties are like, “We’re using Windows 7 laptops. We have a 2016 exchange server. We don’t need this anymore. This is scary.”
The introduction of AI has spurred more of a movement for companies who start paying attention to cyber because everyone knows that whenever the IT guy walks into the accountant’s office, it’s about to be a bad day for both of them. It is because it’s so expensive. A conversation that nobody wants to have with the IT guy and the accountant is the cost. If you’re asking what a trend I’ve seen, I’ve seen companies start to make more of a budgetary allowance for cyber, not so much tech but for cybersecurity.
There’s been a few folks that I’ve spoken to and they call it cybersecurity budget rate sizing. It’s top of mind. As far as the journey is concerned, in terms of emerging trends, you’re right in terms of the default being AI. A lot of people point to that. That has a lot to do with the number one focus of most folks fighting in the trenches in cybersecurity, which is stopping hackers. What we know we’ve seen is the CEOs, executives, and boardrooms are getting dragged into the caring corner. There are a couple of reasons why.
The number one reason is that a lot of the workforce is there is a younger generation, and they get it. Us, gray hairs, let’s face it. We grew up in a different mindset where the technology working was the most important thing. Every once in a while, cybersecurity was important. The younger generation of workers and some of the stats that are coming out are showing that there’s a greater concern for security in these new leading reports and results that are coming out of workforce development. That is one piece.
The other piece is that there are privacy laws that hold CEOs and board members accountable. They go after them personally and civilly. That’s going to shake the executive tree a little bit because the CFO and the CEO are like, “I can’t replace the guy who fixes all the things with blinking lights anymore. I have to be accountable.” There’s probably some of that going on.
That was something that we realized too. That was an unintentional tidbit of information. We found out going into CMMC compliance that the CEO is as responsible as the user down to who drives the work truck. When you deal with privacy laws, the Fair Trade Agreement, or the Freedom of Information Act, once you start throwing in all those clauses and regulations, it gets deep quickly.
That was always the part of the contract that the CEOs or the estimator always were like, “Fifty pages of clauses, skip.” It comes back to bite them later on. It wasn’t used to. That’s why everyone’s always skipped it for the whole last several years but now everyone’s starting to pay attention to it. Those clauses are starting to be enforced.
People get pulled over.
I still call that selective enforcement when everybody is doing 80 miles an hour down the freeway and they pull me over.
It might be that you’re driving a bright red car. You don’t want to be driving the bright red car. That’s when the IT expert comes in and says, “Red is not a good color. Let’s change the color of the car.”
When you think about a cyber disaster happening, what do you think that looks like from an executive standpoint? When I say cyber disaster, I mean losing data or having a hacker come in and steal it. Do you think that most executives are ready for that or practice and ready to go? Is it going to be something new that they’re going to be playing the Super Bowl against somebody that has done this a million times and they’re still playing on the peewee squad?
We’ve been going through this with our CEO and executives. One of the biggest parts of my job is creating a risk assessment and an incident response list form and training people and executives on how to handle an incident. Let’s say ransomware. That’s what everyone wants to talk about. Ransomware gets into a company. The whole file server and share point are encrypted. It’s a bad day. It is not the IT guy’s responsibility to inform the rest of the world that their company has been breached. It is not HR. It’s the CEOs. It’s everything under his watch. The box stops with him.
If he’s up in his office with no idea what to do, 1) That doesn’t look good from my company standpoint, and 2) That’s more wasted time on mitigating the threat. I would encourage all CEOs and CFOs to look into a SOC analyst on their staff or a SOC team as a service, whether that be an MSSP. The threats change so rapidly that it’s impossible for one guy to keep up with it all or manage loan survivors up at the top of the mountain.
When it comes to a threat and what the CEO does, having an incident response plan and testing it more than once a year is critical. If ransomware strikes, I would like my CEO to go to the compliance binder, the Holy Bible of compliance, turn to the incident response section, go to ransomware, and know who to contact, whether that be cyber insurance, the SOC team, me, or a news channel.
There are so many things that come into play when you deal with a company-wide breach. Unfortunately, a lot of it is politics or the public image of the company. This doesn’t play into a small mom-and-pop shop defense contractor but to a Fortune 500 company, they better have a statement out quickly and prepared. Have an instant response plan and test it thoroughly. The CEO needs to know who to contact as quickly as possible.
The interesting thing is the why for a CEO, which you explained rather clearly. The map is risk management for them. Every CEO is concerned about producing revenue, reducing costs, and dealing with substantial risk. Those are the three typical compartment areas besides innovation. I wonder about my initial comment on how there are two motivators for CEOs to be more involved. The third is revenue. It’s the court of public opinion or a customer saying, “We see that you had an incident. You’re not getting that contract.” That becomes a revenue problem for them. That’s the third motivator, revenue generation.
Dealing with compliance, depending on what clauses you have in your defense contract with the DOD, if there is a breach that is company-wide or even if it’s compartmentalized in some instances, you have only 24 to 48 to 72 hours, depending on the severity to report that to the DOD. That’s something that a lot of companies don’t realize that you have to do because there are very specific channels that you have to communicate to them with. You can’t call the FBI office and say, “We’ve been breached.” That won’t cut it.
There are specific regulated guidelines in dealing with defense industrial base contracts in the DOD. If you don’t follow those guidelines, you’re out of compliance. You could potentially lose any continuing contract awards because of negligence. Negligence is not an excuse for not knowing the contract that the company signed.
Something that we’ve noticed a lot is not getting into the nuts and bolts but talking about the nuts and bolts of how you deal with an incident. That’s time and time is money. If that company is down, they’re losing money. For an incident that you report to the DOD, you’re going to be offline for 72 hours minimum, even if the threat is mitigated, in dealing with all the compliance regulations around it. That’s something that a lot of companies don’t realize.
John, you may be more educated on this but there are sanctions for CMMC. If I remember correctly, it’s by the control. If control is found faulty, there’s a penalty associated with that if it gets into the weeds. It starts to cost you money. John, do you recall whether or not that’s happening? I know that under the False Claims Act, there’s an issue that can get a CEO in big trouble. What do you recall on that one?
It’s been proposed. I’m not going to say one way or the other, whether it’s been that way. What I can say is that even if you’re not doing CMMC, all 50 states have still passed breach legislation that requires you to report that you’ve lost data, especially if we contain PII data. This isn’t just a DOD thing. If you collect data and work within a customer’s data or anything else, you’ve got to be able to do that. Those controls become important, as well as the practice of what happens when you do get a breach and how to manage that.
I couldn’t remember whether or not that went through. That’s the other side of the coin. The accountant in the room is going to want to know that. What’s that actual financial risk? What was your experience like going to the accountant for what you needed? Was it pleasant? Were you on the same page? Was it a bit of a fight?
The CMMC roadmap in the very beginning has gone through several revisions, CMMC 1.0 and 2.0. You introduce NIST Revision 3, which is going to be finalized or may be finalized here soon. All that plays together and all that has changed so much. A few years ago, when I was looking at this CMMC journey in front of me, I had no idea what the actual cost was going to be. It was ambiguous as to how some of the language was interpreted.
The CMMC clearly states you need mobile device management. It’s like, “What kind? What’s acceptable? What’s not acceptable?” Your cost can be anywhere from $30,000 a year up to $180,000 a year for one satisfying control, depending on the size of your company. Planning that out while the target was still moving was difficult. It was one of those things where you’d walk into the accounting office once or twice a week and say, “I need another $30,000 or $50,000.”
It was hard for us as a company to budget it but looking back on it, I could budget it now that I’ve done it in hindsight 2020. A lot of it has firmed up in 2022. For a company that’s never heard of CMMC looking at it, it would be a lot easier for them to make a budget because a lot of it has firmed up. A few years ago, we had no idea what it would cost and need. You throw in FedRAMP compliance. That crosses off hundreds of potential software vendors that companies have been using forever. They have to move to something new. It takes time, energy, and money to train users on how to use new software.
We had to do that with 4 or 5 of our applications. It was a hard no. We can’t use it anymore. It took months to implement that, train them, and get us to a point where we felt like we were making money again with the software we had instead of it being a time-waster. I had no problem walking into my accounting office and saying, “I need to purchase this new server, Intune or SentinelOne. If we don’t have it, we don’t get contracts.”
The goal of the end of the tunnel was always that CMMC was going to limit the defense industrial base’s ability to market. If a company isn’t CMMC certified, it can’t bid on contracts. It’s great for the ones who are CMMC-certified. That marketing pool got a lot smaller. They could potentially win a lot more contracts. I’m all for that from the perspective of the guy who’s almost certified but the cost was a lot.
The light at the end of the tunnel was always, we’re going to win a contract with this. It’s going to hurt but at the end of the day, this will get us to that CMMC certification. This will allow us to keep bidding on contracts. Is there any other way around it? Not. Is there a cheaper way to do it? Probably, yes. If you were to ask me a year from now, was there a cheaper way we could do it? Yeah. Was I sure that it was going to get us to compliance at the time? No.
CMCC: It’s going to hurt right now but, at the end of the day, this will get us to that CMMC certification. This will allow us to keep bidding on contracts.
That balance is tough. When you’re breaking new ground, it’s especially tough. The lesson learned, in my opinion, is that whether you call it the cyber AB or the DIB, in general, no one has done it. Like you, I was like, “How do you know? How do I budget for it?” It’s got to be firsts and you’re right. Now, it’s going to be easier. It’s not simple but it’s going to be less difficult than it was.
I could look at a company that’s never heard of CMMC before. I go into their company. I could give them a list of all the tools and things they would need to achieve compliance with the FedRAMP-compliant tools and all the technical stuff they need. I could market that out easily. That’s not hard to do now that it’s done. The cost comes in with the number of users and specialized users you have and where your controlled information lives, whether it’s on-prem or the cloud. The algorithm for it is very straightforward but it’s a whole lot clearer than it was a few years ago.
What I find interesting is if you travel throughout the world in terms of tech and cyber, it is how other countries deal with cybersecurity. There are differences but also similarities. What resonates with me in that example is the concept of going through the exercise and looking at a company that has not traveled. You can look and know what to do.
What you learn in other countries is that there are specific guidelines that they tend to follow. There are roadmaps, blueprints for them to do some of these things and certifications. One of them is the ISO, International Standards Organization. Everyone still has the same problem, which is leadership and making sure from a budgeting perspective and leadership. They have to use these bodies of work in ISO to say, “This is what it says and what I have to do according to the certification.”
It is interesting because if I were to walk into someone building a bank and I was their IT guy for the bank, I’d follow FDIC standards. I have a plan-tested, try-and-true roadmap to follow. If I’m walking into a healthcare clinic, I’m following HIPAA. That’s a planned, tried, and tested true compliance tree that I follow. For CMMC, they’ve given us the roadmap and they haven’t given us the goal. It changes. It’s so much open for interpretation. From a CEO’s perspective, I see where they’re hesitant but I cannot stand the fact that they are so hesitant. I understand their perspective but I know that if they don’t get on the ball with this, it’s going to take years.
I’ve seen a lot of executives, me included, go through that emotional rollercoaster, especially when it comes to regulations, in California specifically, which I’m sure you’ve been watching the news. A lot of businesses are leaving the state. It’s because you’re told this and you do it, and you find out that they’ve changed the rules or that’s not going to work. You invested all this time and money.
Let’s face it. The CMMC with 1.0 had that problem. There were five levels. Surprise, it’s down to three. There were some challenges. If you were a CEO looking at CMMC a couple of years ago, you were on it, and you didn’t do it, you’re going, “They changed it. Are they going to change the rules on us?” That’s a compliance issue.
It’s double Dutch. “When do I jump in?”
It’s like exactly like that, John.
I liked your word choice. “When do I jump in?” From a CEO’s perspective, I can speak on that, not from my company but from other companies that are in the DOD headspace side by side with us. They’re asking that exact question. “When do I jump in?” A big incentive for them to jump in is the cost of the certification.
Let’s say a company jumps on board and it takes them three years to get CMMC certified. CMMC certified 2026 and 2027 if they’re lucky. Every other defense industrial-based contractor in the United States, which is over 200,000 to 300,000 individual companies, is thinking and wanting to do the same thing. How many C3PAO and RPO assessors are there in the world? It’s under twenty.
There was a time when there were three. That number is growing but that number will never get to the demand that it needs to be. What that’s going to do is push back certifications and time when you cannot bid on a contract. It’s going to skyrocket that price. If you get in with the CMMC world, that cost is going to be less upfront than the cost of that audit. For a company with 200 employees, if they’re competing with other companies for that price for that audit, time is money, and there are only many CPOs out there, that price is going to go up.
There is an advantage to jumping on the bandwagon early because that price is potentially going to be lower. I can’t say that for certain but how economics works, if there’s less demand, the price is lower, and with more demand, the price is higher. That is not lost in the CMC world at all. You see Microsoft doing that with their GCC high pricing. You saw that last November or September 2023 when they redid their contracts for a lot of their pricing schemes. The writing is on the wall in a lot of ways but there is an advantage to companies jumping in early. If you jump in early, you run the risk of maybe being the Guinea pig, which is what we’re doing.
One thing that we used to say quite often was GAP is to accounting and CSF is to cybersecurity in this country. What’s interesting is that, in accounting, you can look at what you look for, a CPA or Certified Public Accountant. There are guardrails there for that. In cybersecurity, the first iteration of something that can be audited is CMMC and FedRAMP in terms of smaller businesses in the DIB.
My other observation is that not only do you have this challenge of dealing with this certification process but you have to look at the few auditors that are out there. They changed the rules on auditors. They want you ISO 27001 certified, which I found very interesting because it’s almost like, “We’re doing okay but to be sure, we’re going to make the auditors go through ISO 27001.”
It is the first time that I’ve seen something like that, at least specifically within the NIST body of work, saying, “You have to do both.” If they’re going to require the auditors to do that, at what point do you think ISO 27001 will break through amongst the DIB? Not now clearly but there are signs there that the world is getting smaller in regulatory issues. That’s the issue we see when we talk to people that have gone through the CMMC. Some of them have these other lines of business. They may have HIPAA and issues with data privacy laws. We’ve got to stack all these things together. How do you track all of that stuff?
One of the greatest tools that we’ve used as a company was mapping where our controlled information was. If it’s not controlled, the government and the DOD don’t care about it. If it’s controlled, they’re paying attention to it. It’s scoping and making that scope and target of where that data is stored as small and constricted as possible. That will help companies that deal with HIPPA, NIST, and 7012 greatly in knowing where to keep and store their data. That brought the scope of a whole company down to bits and pieces of it.
That’s interesting because, in a way, that’s the difference between information security and cybersecurity. They can be different.
Seth, thank you very much. Tell us a little bit about you. Who are you? How did you get to where you’re at?
I moved to Alaska with my wife in 2020. I came from a school district background. I have a Bachelor’s in Cybersecurity. I have a couple of associates in Network Administration and Cloud Security on all those certs that go with it. Certs, in my mind, don’t prove knowledge. Experience proves knowledge. I’ve seen that many times. I’ve been burned many times by that.
I moved up here and started working for school districts. Eventually, I was brought on with the defense company I’m with because I knew a few people there. They said, “We have this thing called cybersecurity. You know compliance and security. We’re going to throw you into this.” I was like, “Sure, I’ll accept the challenge.” I have no idea what I signed up for.
It has been a rollercoaster ride understanding the compliance side of it. I was never a compliance specialist. I was always the guy that fixed the server or computer. I was a hands-on, nuts-and-bolts IT technician. I went from this role of hands-on work to writing policies and procedures. I’m still doing the hands-on work.
It was a great challenge dealing with doing it all in Alaska, where it’s 40 below outside 3 months out of the year, and driving to work at 1:00 in the morning because your server’s offline. Your truck won’t start because it’s 40 below and there are 5 inches of snow on the ground. I love it. It’s difficult but I wouldn’t change it for anything.
What piece of advice would you give our audience? If there’s a specific action item, what would you give them to reduce their regulatory risk?
One piece of advice I would give is to the network administrator, security officer, systems administrator, or whatever the company has for their IT team. They need to start having regular meetings with their CEOs and the accounting departments. They need to have a better relationship. The accounting department needs to know that cybersecurity is the company. That’s the nature of what it is. I would encourage CEOs and CFOs to look at cybersecurity as an investment and see it as something that is a process.
With CMMC, it’s a cybersecurity maturity model. Cybersecurity is great and it’s great only if it is mature, set in stone, and practiced every day. The IT guy can’t be the one to start that ball rolling. It has to start from the top and roll down. The IT guy is more of a facilitator. In my opinion, he needs to be. The real push behind making a company secure and getting everyone on board starts with the higher-ups and executives. They need to be on board. There needs to be good communication between the IT guy and the CEO.
Seth, how can people reach you if they want to reach out to you?
You can search for my name on LinkedIn. You’ll find an outdated picture of me. I’m also on Facebook. You can search for me on Facebook. I love talking about the nuts and bolts of IT. I am more than happy to share my experience on how we implemented certain controls and compliance. That’s fun for me because every compliance control that we’ve achieved is a little mountain that we’ve climbed. We did that. I enjoy sharing my pain and struggle on how we got there.
Seth, thank you very much. We appreciate your time. It’s been a great conversation. I’m pleased that you’ve made it through the CMMC. You’re not quite certified yet but you think you’re ready to be there for your company. It’s an amazing accomplishment. I’m happy to see it. Hopefully, more companies will take that journey. Thank you for being a guest here.
For our readers, I hope you’ve learned something. You laughed, cried, or thought about starting on the CMMC journey or some other compliance if you need it. This has been it. This is another great episode. We’ll see you next time. Thank you.
About Seth Guntharp
– Met his wife in Alaska
– Enjoys 4 wheeling, camping, and backpacking
– 22 days away from being a dad