
Ep34 | Navigating CMMC: Architecture, Options, and Real Security for the DIB

Air Date: January 16, 2026



In our latest episode of Hash It Out — Navigating CMMC: Architecture, Options, and Real Security for the DIB, host Matthew Howard, Chief Marketing Officer of Virtru, is joined by FutureFeed’s Chief Security Evangelist, Stuart Itkin, to unpack what CMMC really means for defense contractors—especially the small and IT‑constrained firms that make up most of the DIB.

We dive into the true state of CMMC readiness, practical architectural paths to NIST 800‑171/CMMC Level 2, balancing people–process–technology, shortening 12–18 month timelines with MSPs and purpose‑built solutions, preparing for C3PAO assessments with evidence that controls actually work, avoiding compliance theater in favor of real information security and CUI protection, cost tradeoffs and risk reduction, and a preview of Stuart’s QECon panel on “Architectural Approaches to CMMC” featuring voices from Aethon Security, KTL Solutions, MNS Group, and Virtru. Expect pragmatic guidance you can use to choose the right approach for your business—and move from uncertainty to audit‑ready security.




Transcript
Matthew Howard

Good afternoon. My name is Matt Howard. I'm the chief marketing officer at Virtru, and I wanna welcome everybody to another edition of Hash It Out. Today, I have the great honor of hosting my friend Stuart Itkin, chief security analyst analyst, sorry, evangelist at FutureFeed. Stuart Itkin. Stuart, welcome.

Stuart Itkin

Matt, thanks very much for having me.

Matthew Howard

Yeah. It's great to see you again, and, excited to kinda catch up and and compare notes. It's, we we chatted not too long ago and a couple of times over the last few years as this world of, all things CMMC has been evolving. I know that, upcoming in Florida in February is an important conference called QECon. And that at that conference on February 12, you will be moderating a panel called Architectural Approaches to CMMC. Kinda curious at a high level, what's that all about?

Stuart Itkin

Well, I think the conference as a whole is really about educating defense contractors about their requirements under the CMMC program and really educating them about the alternatives, the best practices that exist for being able to address those. And this is a session that that really is going to kind of drill down into a number of the key choices that organizations need to make, choices with respect to their IT infrastructure or the architecture, but also decisions that they can make with respect to service providers and even with respect to some of the tools that are available. For many contractors, it's really a journey that they're taking for the first time. And, you know, many of them, you know, don't know where they're going, and and others aren't even sure where they're starting from. It's kinda hard to get to where you need to be if you don't know where point a and point b is. And this is really a conference to be able to provide people that background and certainly to educate them about the alternatives, the tools, and the support that's available to them.

Matthew Howard

So, you you know, I I I've been, you know, following, I would say, tangentially, maybe sometimes closely, the evolution of CMMC for the last few years. And, you know, I'm not nearly as close to it as you are and don't have nearly the expertise, and history that you do with such matters, but I'm I'm curious. Like, thinking about the DIB, you know, and learning about it over, you know, over time, it is a like, 80 plus percent of it is kinda small and ultra small business. I mean, so much of the DIB is is really small business. And, I mean, it's hard for small businesses with limited resources to do a lot of things. I gotta imagine it's really hard for small businesses in the DIB to kinda get grounded around CMMC. Is a lot of that true, and and how much of this is just kind of a challenge of, you know, enabling small businesses to see the big picture in in simple clear ways that kind of allow them to go, to your point, from a to b to c, along the CMMC journey?

Stuart Itkin

Absolutely. The requirements or the underlying requirements for CMMC that exist within NIST 800-171 is a combination of technical requirements and nontechnical requirements. But they're very specific, and they're kind of wrapped in a lot of compliance speak. They're wrapped in a lot of technobabble. And kind of the small business owner who, you know, who knows how to, you know, fabricate a particular part or to design certain things or to do construction knows what they know how to do really well, but they're certainly not a compliance expert or they're not an IT expert or an information information security expert. And, you know, that's why approaches, tools, prebuilt solutions that really reduce the complexity for these organizations, that take the cost out of it for these organizations, and simply, you know, avoid the need for them to have that expertise internally that they're really not going to be able to afford or or, in some cases, even find.

Matthew Howard

Yeah. Yeah. I mean, that's the thing. I mean, it's like, you know, you think about every business in America, whether it's in the DIB or not, and there's kind of, like, three types of businesses. There's the ones that have the big sophisticated IT department with the chief information security officer, the CTO, the CIO, and lots of resources. I'll call that resource rich. And then you have sort of, like, resource constrained businesses where they're literally they have people, but they're just not enough, and they're just trying to figure out how to make it make ends meet. And then there's the kind of IT less, which is the smaller organizations where literally IT is not a competency that exists in the business. And and to the extent that that's a significant portion of the DIB, you know, organizations like QECon, the conference itself, folks like yourself, and the panel that you'll be moderating are such a critical resource just to kinda give, all three of those organizations sort of context with respect to what's really at stake in terms of just making basic decisions to kinda get your house in order around basic governance, basic control to protect, you know, CUI and sensitive information in in the best interest of the country. As you think about that, you know, scale of one to 10, kind of, you know, we're we're like, 10 is we are, like, fully processed, ready, mature, you know, kind of, to hit the ground running with c m all things CMMC. One is, you know, the the the world is still kind of on a journey to kinda get their heads unwrapped around it and figure it out. Where would you put us collectively as a as an industry at this point? Are we a a three, a four, or how would you grade that?

Stuart Itkin

Yeah. Unfortunately, I think we're closer to the bottom end of that scale than we are to the top end of that scale. There were a lot of people that, that were nonbelievers, you know, felt this program would never come to fruition. You know, there's others that said, well, they were going to wait until they saw these requirements come in. What they don't appreciate is just, you know, the time that's involved, the expertise that's involved in being able to bring their organization into compliance with these regulations. An organization that is really starting from ground zero, you know, may take between twelve and eighteen months to get to the point where they've built an environment that is compliant, where they put in place the policies and procedures and are following them that enable them to be compliant, and that they've gone through the steps to be prepared to go through the C3PAO assessment that's going to be necessary for them. So, unfortunately, I think that, you know, there's more work to be done by organizations within the defense industrial base. And, again, it it really accentuates the need for solutions that make it easier, make it less expensive, and take the risk out of it for them.

Matthew Howard

Twelve to eighteen months. That sounds like a long time. That sounds kind of daunting, if I'm honest. If I try to put myself in the shoes of, like, a a small business just trying to, quote, unquote, make ends meet and then IT constrained or IT less organization, you know, I'm looking at twelve to eighteen months. I mean, it just feels like a lot. Can it be shorter? Can it be six months? Can it be three months? Is it possible? Or yeah. That's my first question. Can it be shorter than 12 to 18? That sounds like a lot.

Stuart Itkin

Yeah. I mean, I think there are ways that it it can be reduced. Again, as I said, this is a journey that people are taking for the first time. And one of the things they can do is they can find a guide who's been on that journey before, who can kind of lead them and take them through the process. There's the option of using managed service providers who have prebuilt solutions. They bring prebuilt policies and procedures that can be tailored to that organization. And and those are certainly the kind of steps that will reduce the timeline or reduce the cost. And these are all things that we'll talk about in the panel. And and certainly architecture is a big part of it as well. There's a lot to be able to put together an IT environment that really provides the security that's, you know, that's required to ensure that, access is controlled effectively and to ensure that, there's no means of, just being able to well, for data to exfiltrate from that, you know, from that system. So, certainly, you know, prebuilt solutions, solutions that have been purpose built for the requirements of CMMC, again, are all things that make that journey a little bit faster, little bit easier, a little bit less expensive for organizations in the DIB.

Matthew Howard

So a couple things on that front. So so wanna just kinda get your thoughts on this, you know, people process technology. I mean, I I think you've said this many times before and a ton of truth to this. I mean, you know, when when you just think about, like, okay. I'm an organization, and I have good governance and control with respect to CUI and, you know, basic competency around IT systems. My people know how to use it. They know what to do. They understand the regulations. And then I have a compliance regime that allows me to sort of check a box and, you know, have a conversation with a C3PAO auditor and pass an assessment. So people, process, and technology. When you think about the lift of going from, you know, maybe zero to, you know, passing a level two assessment with a C3PAO, is it a third a third a third? Is a third of it kinda getting your people up to speed? Is a third of it getting the technology into place? And is a third of it kind of process? Or or how would you kind of equate that?

Stuart Itkin

Yeah. So so I I think that's a great question. I think a third a third a third is is is probably about right. You know, again, you know, it's it's not about being compliant. It's about being secure. And, you know, one of the misnomers is that this is a cybersecurity program. It's not a cybersecurity program. It's an information security program and the recognition that information can exist in several forms. You know, not only is it digital or virtual, but information that can also be physical. And ensuring that physical information is protected, access is protected, just, you know, not to the IT environment, but also to the physical environments in which controlled unclassified information is going to be handled. And so it really is about, you know, ensuring that the policies are created that are going to provide the hygiene that's required, the security that's required, and that people, in fact, are following those procedures or adhering to those policies, and an organization has documented it. You know, the assessment that an organization is going to go through is not just a matter of saying, hey. Show me your system security program. Let me see that you've come up with a way of addressing these requirements. It's not only having the description of what you're doing, but it's being able to demonstrate that you're actually doing what it is that you've said, and that what you've said is actually working and producing the outcome and that you're achieving the level of cyber hygiene that is expected to be able to protect the sensitive information with which the Department of War is entrusting you.

Matthew Howard

Yeah. So you that's understood. I mean, I think you said something there that that I wanna, you know, pull on a little bit, which is, you know, it's not about compliance. It's about being secure. Know, not not not to, sort of be, you know, contrary for for, you know, this conversation, but I certainly have encountered a lot of folks in the last few years looking at this big picture and sort of saying, no. I'm just trying to check a compliance box. And, you know, whether or not security is really the point is perhaps perhaps neither here nor there because I just need to get compliant. I just need to pass an assessment, and I'm not really that concerned about security. And and I'm not and, you know, I I I don't think that's often, you know, the case, but it's sometimes the case. And I do think there's a difference between what we would call compliance theater and real security. I'm curious to kinda get your take on that. Is it really about security, or is it about compliance or both? You know, it's a it's an interesting question. I'm curious to get your thoughts.

Stuart Itkin

Yeah. Well, I mean, the intent of the program is about security. It's ensuring that the sensitive information that the government produces, that defense contractors produce, does not find its way, in the hands of our adversaries. And there's only a number of documented cases. The one that gets pointed to quite a bit is, you know, the F-35, which took a decade to develop. And in two years, the Chinese had a J-32, which was, for all intents and purposes, a carbon copy with the same design flaws that existed in the in the F-35. The security is important to maintain the technological advantage that the United States has had. It's about, you know, national security. And I think the big challenge is getting people to to develop that security mindset

Matthew Howard

Yeah.

Stuart Itkin

rather than looking at this as as as compliance either. You know, it's interesting. I think it's we think we're going on three years ago now. There was an incident where there was a weather balloon that was just kind of floating, across the United States. And, yeah, every time you turned on the news, articles and stories about people wanting that shot down and, yeah, how can we allow the Chinese to attack us in that way to try to steal information. And yet, there are probably tens of thousands of cyber attacks launched by China every single day, and we don't seem to have the same outrage, the same concern about it. And I think there's you know, people can understand the things you can see, touch, feel, that you can hold in your hands, but, you know, those things that are invisible, the information that may exist in the cloud, the information, you know, on your devices, is just something that people can't get their arms around and appreciate the value of it. And this is really what, you know, the program is about is to ensure that it is about security, not about compliance.

Matthew Howard

Yeah. No. It's well said, and and, you know, we certainly agree with that view. You know, ultimately, you know, you're going to have to, back to people process technology, train your people. You'll have to have the process defined to kind of get to the outcome with respect to, an assessment and an audit.

Stuart Itkin

Right.

Matthew Howard

And then at the same time, though, none of that really matters unless the information itself that you've been entrusted with is being governed and protected in a way where it's not being, you know, sort of stolen by, state actors like PRC, because, ultimately, that's that's where the rubber hits the road. And, you know, from that perspective, it's really exciting to see you hosting this conversation down at QECon, in February in Orlando. You know, maybe one last question kind of, like, for the benefit of this quick preview. Like, what what's the what are you hoping to accomplish with the panel, and who do you have on it?

Stuart Itkin

So we we have a I I had a really good panel. Noel Vessel from Aethon Security. They are both an MSP, and Noel is a, I believe, a lead assessor. Dave Bedard from KTL, Toby Muster from the MNS Group, and Peter Nankaro from Virtru on the panel. And, you know, the objective is really to to kind of lay out some of these choices that are available, some of the alternatives, and letting people understand kind of where they fit best. It's not a one size fits all. You know, when one may look at and say this approach really works better for the type of business they have, than perhaps another approach. So we wanna make people aware of what the alternatives are. We want them to understand the tradeoffs between those alternatives and to educate them to make really an informed decision about which may be the best approach for them to be able to pursue.

Matthew Howard

And cost. Cost matters a lot.

Stuart Itkin

Absolutely. Cost is always important.

Matthew Howard

Yeah. For sure. Well, you know, as someone who's, you know, sort of, you know, watching, you know, from you know, with great interest, the evolution of of CMMC and and our, you know, country's ability to protect, you know, CUI in the context of the DIB, it's really great to see the ball is moving forward. The the, you know, the train is rolling. That's for sure.

Stuart Itkin

Right.

Matthew Howard

There's a journey yet ahead, but but, you know, conferences like QECon and panels like yours are an important part of just keeping everybody, I think, up to speed and informed and honest about, you know, how you're gonna get there. And and I think the thing you said that's that's most important is, you know, there's lots of options. And and those options are on the table, and you have to just you know, to the extent that you can look assess assess the options as someone in the DIB and make the best choice for your business, then that's that's what matters most. I mean and, getting to a place where that information is then subsequently controlled and secured, you know, aligned with the the intent of the program, you know, everybody wins. The US wins. You win as a as a as a company in the DIB, and, you know, every we win as as taxpayers and citizens of the country. So, thank you for organizing that panel and for hosting it. I know Peter is is personally excited to participate in the conversation, and, we're certainly looking forward to being at QECon as well. So, great to see you, and thank you again for taking the time to join us today, and best of luck in Orlando.

Stuart Itkin

Great. Absolutely. Matt, thanks very much, and I look forward to seeing you soon.

Matthew Howard

Alright. Take care.

Stuart Itkin

Alrighty. Thanks for listening. If you enjoyed this episode, leave us a five star review, and don't miss us the next time we Hash It Out. Like, follow, and subscribe to us on YouTube, Spotify, and Apple Podcasts, all linked below.