Episode 140: DIB/CMMC Cybersecurity - Interesting Observations from a Significant Study w/ Chris Peterson

July 3, 2024

In this episode of The Virtual CISO Podcast, host John Verry chats with Chris Petersen, co-founder of LogRhythm and CEO of Radical, about the changing world of cybersecurity. With over 20 years of experience, Chris shares valuable insights on industry challenges and advancements. Key topics include:

Key findings from Radical’s DIB Cybersecurity Survey, including the gap between perceived and actual security skills.
The crucial role of proper scoping in System Security Plans (SSPs) for effective security monitoring.
Why some organizations delay CMMC certification despite recognizing its complexity and upcoming deadlines.

John Verry (00:00.)
And I hit record and it’s recording you probably see it on your side Well, listen, you should be warmed up If nothing else, all right, let me just get my notes up and we’ll

Chris Petersen (00:09.66)
Totally.

John Verry (00:16.464)
Okay, are you ready?

Chris Petersen (00:19.452)
Yeah, yeah, good.

John Verry (00:20.528)
You were born. You were born ready, right? Hey there. sorry. Go ahead.

Chris Petersen (00:24.54)
Yes, sir.

Chris Petersen (00:28.028)
Yeah, go ahead. Sorry.

John Verry (00:28.784)
Okay. Okay. Hey there and welcome to yet another episode of the virtual CSO podcast with you as always your host John Berry and with me today, Chris Peterson. Hey Chris.

Chris Petersen (00:39.9)
Hey, John. Happy to be here. Thanks for having me.

John Verry (00:42.928)
Yeah, looking forward to chatting. I always like to start simple, tell us a little bit about who you are and what is it that you do every day.

Chris Petersen (00:52.348)
Yeah, you know, long time cybersecurity guy, you know, began Pricewater, I’ll see why when cybersecurity is becoming a thing. And, you know, I had a, you know, great, you know, good career work with great people, eventually found myself wanting to go my own path. And I founded LogRhythm along with my co -founder Phil Vellella. And we spent…

quite a bit of time building what we think became one of the best SEM platforms in the world, as well as forwarding advancements and fields like SOAR and NDR and even UVA. So I had a good run there, sold that in 2018 and took some time off and then started Radical about three years ago, looking to focus on a new mission. I serve as the CEO and…

spend a lot of my time focusing on our platform or product and building a team that can achieve our mission.

John Verry (01:50.896)
Well, I wish you the same luck you had with LogRhythm. I will echo that it was an industry leading platform. We did a lot of work in the SIM space over the years. If you remember the folks from e -security at one point and ArcSight, e -security got bought by Sentinel and then with Portigo Mars, Portigo got bought by the Cisco Mars. I think you guys got it right before other people got it right. Like everyone in those days was trying to jam stuff into a database and that became sort of the

Chris Petersen (02:03.76)
yeah. Yep.

Chris Petersen (02:09.82)
Yeah, that’s right.

John Verry (02:19.792)
the downfall of it all and they all started going in your direction eventually going more towards appliances. So I wish you the same level of success that you have with logarithm but that will be hard to duplicate, sir.

Chris Petersen (02:30.716)
Well, we intend to. But it will not be easy. But, yeah, of course, we have a great team. A lot of the…

John Verry (02:32.108)
No, no, no, no, you don’t want to go in the opposite way, right? Like a little bit of success than the massive say, you know, when you have the really big success, it sets you up for failure on the next one, even if it’s a even if it’s a moderately big success, right? Well, best of luck with it, sir. So I always ask what’s your drink of choice.

Chris Petersen (02:49.628)
Thanks.

Chris Petersen (02:54.46)
Well, you know, I enjoy a variety of drinks, John. you know, so, I, I do enjoy, enjoy a nice bourbon and Scotch. We have a tradition actually at radical, the three founders we, we do, we do, books and smoke where we will smoke a cigar and drink a bourbon or Scotch and talk. but my, you know, so I enjoy that. My favorite drink though is probably a martini. So it’s hard to pass a dirty martini up then I like them up in the, in the,

in the summer months and I like them on the rocks as well. Three olives.

John Verry (03:29.52)
Yeah, my wife has slowly converted me to drinking gin. I’ve been more traditionally a beer, wine, a lot of bourbon guy, not scotch. Scotch is just good whiskey, ruined by Pete. So yeah, so she’s got me kind of getting into the gins a little bit. So yeah, it’s definitely a fun world. I’ll drink it with a martini and I really favor the, I’m a Comparifan, so I like a good Negroni.

Chris Petersen (03:43.772)
Ha ha.

Chris Petersen (03:49.372)
It is.

Chris Petersen (03:57.308)
yeah, very nice, absolutely.

John Verry (03:59.728)
All right, so thanks for coming on. And the reason that I was excited to chat with you is that I thought you guys did a really interesting survey of companies with an industrial base where you talk with them about the state of their cybersecurity programs. I thought there was some really interesting data and I thought there was some great insights that other folks in the Dib can draw from. So to set the foundation for the discussion, I just make sure everyone’s on the same page, like when we use the term Dib.

What do we mean? And we’re going to at some point talk about CMMC. Tell us what that means as well.

Chris Petersen (04:30.78)
Yeah. Yeah, sure. Yeah. So the, the nib or the defense industrial base, you know, is a collection of, you know, 200 to 300 ,000 companies that form the supply chain for the defense industry. Most are familiar with the prime contractors, Lockheed, Raytheon, Boeing, et cetera. They’re the big boys. But, you know, underneath them are, you know, are, you know, you know, tier two primes. And then, you know, then just a collection of companies that.

that participate in big projects and make little components that might go into next generation fighter or spacecraft, tiers like hypersonics, build proprietary software, technology, AI is a big thing right now, robotics, et cetera. And so this is companies that really make up the heart of our defense industry. And they range from one person who maybe is a consultant or

small shop to companies that have tens of thousands of employees.

John Verry (05:33.968)
Yeah, it’s remarkable to me how many are in that smaller group, especially the bodies on bases kind of guys. We see three, four, five, seven people, firms that are like, we got to get CMMCL too. It’s not fair to us. It’s like, yeah, it is because you’re touching controlled and classified information. It’s the way it is. So talk about CMMC, define CMMC and just let people know what that is.

Chris Petersen (05:46.3)
Yeah.

Chris Petersen (05:58.3)
Yeah, so CMC is a compliance mandate that came out a few years ago by the DOD. The intention of CMMC is to create a framework and structure around which a baseline of security is implemented and then also audited and verified on a periodic basis. And that’s really the big thing with CMMC is the independent audit component through a third party assessment organization.

And, you know, currently the ruling is, you know, CMC level two is based on this date, 100, 171. And, you know, the ruling is expected to go into effect maybe early next year, but it’s kind of been in flight and in motion for many years now. It does keep getting pushed back, but hopefully this date is going to stick and we’ll begin to see enforcement of this baseline security for these companies who desperately and truly need to achieve a higher level of cyber.

Threat resilience.

John Verry (06:58.832)
It was kind of funny to me as we all talk about, you know, CMMC going into effect, but effectively CMMC is in effect and has been in effect since, well, like December of 2016. You know, cause yeah, and I know that it’s kind of been up and down, but you know, we are exactly where we were then, right? It, it, CMMC now is just the logically the enforcement of 800 -171, which is something which you, if you are subject to the DeFar’s clauses, like specifically the 7012 clause.

Chris Petersen (07:03.452)
Yeah.

John Verry (07:28.752)
you’ve been beholden to that for the entire time. And theoretically, you should already be certifiable. You know, anytime you send an invoice, you’re asserting that you actually are in compliance, correct?

Chris Petersen (07:39.74)
That is true and it’s a bit of a mystery around all of this.

John Verry (07:44.048)
Yeah, it’s always, you know, I’m always, you know, lately, it’s, you know, it’s fast forward back to where we were. It with the exception of like you said, we now have an enforcement program, which was terribly needed, right? Because, you know, realistically, you and I, you know, we both end up speaking with a lot of people in the div. And they’re all complaining about, we’ve got to get there. And we’ve got a long way to go. And it’s going to take us a long time. It’s going to cost us a lot of money. And my argument, my conversation was like, wait a second, you supposed to have been this way for, you know, for the last

Chris Petersen (08:11.836)
Yeah.

John Verry (08:13.968)
eight years.

Chris Petersen (08:15.58)
Yeah, I mean, I think just, it just goes to show that compliance, you know, absent and enforcement mechanism and audit mechanism and consequences doesn’t actually really move the needle. You know, like PCI, you know, it was kind of, you know, prove that out. You know, I mean, what’s it been now? Almost 20, almost 18, 20 years ago, you know.

Only once companies are going to be audited and held to a standard of can’t do business anymore, do they actually begin to move.

John Verry (08:47.024)
Yep. Yeah, so let’s talk about the survey. I was surprised by some of the answers in part one of the survey where you talked with the orgs about their overall cybersecurity program. Most notably, there were a couple of answers that got me interested. So if you don’t mind, I’d like to get your thoughts on each of them. The first which surprised me was that only 62 % considered cybersecurity to be a high or very high priority.

Chris Petersen (09:15.164)
Yeah, I think it’s good that 62 % said high or very high. It probably needs to be high or very high for all of them. I think some of this, I think, is evidence that, and we’ve seen this in conversations we’ve had, that there are a class of leaders who I don’t think really understand cybersecurity all that well.

or they’ve just decided to accept the risk. And we’ve seen this conversations where it’s like, look, you know what? Somebody is going to come after me, they’re going to come after me. I can’t stop. It’s too hard. It’s too hard. What am I really going to do about this? I don’t have the resources to actually tackle this in any realistic way. So why even try? And I do think that is, you know, that’s…

I think there are some just, you know, leaders out there are a bit discouraged in terms of this is a hard problem to solve and so we’ll accept the risk and just hope for the best and just hope that they don’t find themselves in the crosshairs of an adversary, whether that be a nation state or cyber criminal.

John Verry (10:24.848)
Yeah, but it goes, it kind of flies in the face of another one of the findings, right, from your survey, which was that nearly half had cyber incidents that cost the company a hundred thousand or more. And I think, you know, the number that was quarter million and half million was also significantly high. So when you think about those two, they seem to be sort of opposed to each other, don’t they?

Chris Petersen (10:37.468)
Yeah.

Chris Petersen (10:45.308)
Well, opposed to our maybe had maybe very much a line maybe the 60 % who had incidents are the same 60. He said now higher very high. You know, so maybe they’re the ones that got hit and you know, they felt in their pocketbook and now they’re, you know, we should probably do something about this. Or maybe they just had very, very good insurance, insurance policies and it all worked out for them.

John Verry (10:51.428)
I hadn’t thought of it that way.

Chris Petersen (11:08.924)
But yeah, yeah, and I think that to me was an interesting finding just near the amount of incidents that actually had financial consequences and 29 % said they had consequences of term $50 ,000 or more. That’s a significant bill to pay and keep in mind this you know, this survey was a survey of the SMB segment, you know, you know radical we’re focused on the SMB kind of sub 500 segment because we think that is the most vulnerable segment in the in the supply chain.

And for a sub 500 person company a quarter million dollars in an unexpected cost is meaningful to their operating budget bottom line.

John Verry (11:49.2)
Yeah, and putting foundational cybersecurity elements in place that you’re supposed to have based on your obligations anyway would cost you less than that, significantly less than that, right? And would have offset the probability or likelihood of that happening by a pretty fair amount.

Chris Petersen (12:06.972)
It would, it would. And I think that goes to just I think another, let’s say, anecdotal finding that we’ve had in this data and also in our conversations is that I think a lot of these companies, they don’t really know what good looks like. They’re not a large enterprise that has been thinking about zero trust security, defense in depth architecture.

understanding the product landscape and how these products fit, you know, to build a very mature, you know, cybersecurity operation and resilient infrastructure. You know, they think about it, you know, think a bit more still in terms of endpoint security, network security, and, you know, multifactor authentication is, man, that’s a big step forward. You know, that’s, you know, they’re not thinking about the vulnerability management program and attack surface management and…

detection analytics and 24×7 IR. I think those are things that aren’t really on their mind in terms of that’s what strong security really looks like. And sometimes reflect it in the findings around the cost of these impacts, where we found that for that almost 60 % of companies had four or more endpoints or accounts compromised in the past year.

Now that’s likely how those incidents happen, how those costs were incurred, especially when you consider that the same amount, so they would take a week or longer to detect a threat in their environment. 27 % instead of taking a month or more, right? So, I mean, if you have a compromised account or an endpoint and it’s allowed to stay compromised for more than a week or a month, you likely have an embedded adversary in your environment at some point it’s gonna result in an incident.

John Verry (13:59.28)
Yeah, I think there’s a component of that. You don’t know what you don’t know. But it was interesting to me because I do feel that there is a component of you don’t know what you don’t know. And that’s been my experience with the Dib. But yet the other piece which surprised me was that 67 % of your respondees rated their security skill level as high or very high, which is incongruous with everything we’ve spoken about.

Chris Petersen (14:05.5)
Yeah.

Chris Petersen (14:25.916)
That’s true. Yeah, yeah, I mean, I tend to think there’s probably a little human psychology play here and, you know, folks don’t want to admit to being, you know, weak in an area. I think coupled with this also is not really knowing what higher good looks like. And, you know, I think the benchmark by which they’re assessing themselves, I think is a much lower benchmark than what it needs to be. And…

And I think that’s likely also why this is likely overinflated. I mean, these companies, most of them are not doing 24 by 7 monitoring, very little in the area of more advanced detection analytics and IR and immature vulnerability management programs. And so I think if they understood those capabilities are necessary,

they likely wouldn’t rate themselves as high. Or they’re also just trusting that their MSP’s got them covered and they don’t really understand maybe what their MSP is or is not able to do for them at a high quality level.

John Verry (15:33.68)
Yeah, now in fairness to them, and I don’t know how to interpret their responses here, I think even some of the better run organizations that we’ve both been in, this idea of detecting within a week or a month, I think if you look statistically at a lot of the data that’s out there, many of the breaches of most significance, the perpetrator was in the network for many months, sometimes a year, year and a half in some of the most famous breaches. And those were orgs that have…

Chris Petersen (15:39.996)
Yeah.

John Verry (16:02.608)
do have a lot more mature programs.

Chris Petersen (16:07.868)
Well, absolutely. I think one of the best examples of that and why we’re focused on the SMB segment and the Dib, is the solar winds breach from a few years ago. You speak about hundreds of companies that were actively compromised.

where these are some of the biggest companies in the world that spend millions on cybersecurity programs have, you know, some cases, hundreds of dedicated personnel, you know, Microsoft and FireEye and Department of Treasury. You know, they, you know, they were compromised for seven months, you know, by, you know, a nation state adversary before it was, before it was ever discovered. And that’s the same class of adversary that’s coming after these, you know, after the, after the defense supply chain.

And so when we look at that, you know, that the fact that, you know, that, you know, that threat was able to go in those for seven months and companies that have invested everything that can be invested. I mean, they, whatever can you, whatever you can do, they’ve tried to do. They were, they were still blind to it. And so it tells you, it just tells, it just speaks to the, you know, how hard this is to do well. And also the need to keep doing it better. And.

John Verry (17:23.472)
Yep, absolutely. So in the second part of the survey, you focused on the outcome. And this is one where it was interesting to me that where in that first section, I was like, wow, these results don’t align with what I see. In the second one, it was the exact opposite. I was like, wow, these results align with exactly what we see. You know, that the vast majority of the defense industrial base that we work with, they…

Chris Petersen (17:39.292)
Yeah. Yeah.

John Verry (17:51.696)
are reliant on outside organizations. They use MSPs, they use MSSPs. However, they don’t feel that they’re getting what they needed in terms of their ability to respond, the value proposition of the support that they’re receiving, and interestingly, the support with CMMC compliance. Thoughts?

Chris Petersen (18:12.892)
Yeah, yeah, I think naturally it makes sense that these companies would look to outsource certain aspects of their program. And they are. 71 % said they outsourced to an MSSP. And they’re getting some level of monitoring and response. We tend to hear that that level is more like a lurk pass -through versus them actually taking it end -to -end. But.

You know, I think, you know, the outsourcing, you know, the more complicated functions of a security program, you know, is definitely, I think, a requirement for this segment. You know, these companies can’t, they don’t have the staff nor the budget to build their own SOC, you know, for example. So I think it makes sense that we’re seeing some outsourcing. I think what needs to happen in this segment, you know, we believe is that the quality, you know, of what’s being delivered in that

kind of managed to remodel these two significantly improve. And I think it’s been challenging to have a high quality offering to segment because the segment is so price sensitive. And it’s been hard to provide something that operates at a very high level of efficacy when it comes to these more advanced security operations, threat detection, tax and risk management capability sets at a price point that’s affordable.

We tend to think the time is now that this can be done with the advancements in technology, AI that can allow us to build something that can be a game changer in terms of what can be delivered to the segment for a price point that is attainable. And that’s a big part of our mission is how do we bring high grade cyber threat protection at a price this segment can actually afford.

And I think one of the data points in here in this section was that 82 % would say that they plan to change providers, which would indicate a level of dissatisfaction, which I tend to believe that goes hand in hand with kind of expectation setting and sometimes over -promising and under -delivering around what some of these providers can actually do. And perhaps the segment also getting a little bit more

Chris Petersen (20:36.38)
aware of what they really want a provider to do in terms of that quality and efficacy of capability.

John Verry (20:44.496)
Yeah, I think one of the challenges there is that we have a tendency to conflate security and compliance. Yeah. I’ve always said from back in the SIM days, I used to talk with clients about security is about the needle in the haystack and compliance is about the haystack. And trying to do both with the same tool, sometimes trying to serve two masters can be problematic.

Chris Petersen (20:50.364)
Yeah, yeah, sure.

Chris Petersen (21:08.796)
Right.

John Verry (21:11.728)
So I do think you have that same challenge there. I agree with you that I would say the vast majority, virtually all of the, except for the large sentencies, are gonna be relying on somebody to help them from a monitoring perspective. They’re not gonna be able to staff a full -time operation to kind of deal with the stuff that they need to deal with. But I think that, like you said, anyone that’s offering security monitoring at that price point, the likelihood that they are able to support

Chris Petersen (21:23.63)
Yeah.

John Verry (21:39.984)
and have the deep expertise required to address the compliance side is going to be a bit of a challenge, which is where maybe some of that dissatisfaction is coming into play.

Chris Petersen (21:48.572)
Yeah, yeah, I think so and I think that’s you know, yeah, it’s a good analogy, right? Because you know, you look at the haystack like log management, you know, you know log management is the haystack sure we’re managing logs reflecting all we’re dumping into into or dumping into a giant repository and What really you know, that’s fine for compliance check the box but from a security perspective it’s how do you look at that haystack? Right? It’s what what do you you know, what do you know? What are you?

looking for in those data points, those signals that might indicate a threat is present. And to do that is expensive. It’s expensive analytics -wise, and it’s expensive also that every single piece of hay you go look at, every indicator you look at requires today largely the involvement of a human. And that is where the game needs to be changed. And that’s where we see the advancements of an AI being a potential game changer in terms of the cost model here, right? Because that haystack needs to be looked at aggressively.

And it can’t be, and I think that’s one of the challenges a lot of MSSP’s and MSP’s faces is the cost of operation to actually, you know, to investigate and to look into to practically have threat hunts. Those are currently human heavy operations. It requires a lot of money to staff that up and to maintain that where the path through of those costs, I think is often untenable.

The price point of that is untenable for this market. And that’s the fundamental shift that we seek to change.

John Verry (23:20.176)
Yeah, I think some part of that, you know, so we see the same thing where a significant percentage of the people that are coming to us are coming to us because they weren’t happy with the first consultant group they work with or the first time they went through, you know, 8171 SSP development. So is the problem, sometimes I think the problem is it’s a bit of the blind leading the blind. So let’s say that we’re talking about implementing the security operations center, the monitoring that’s necessary.

Chris Petersen (23:48.732)
Yeah.

John Verry (23:49.904)
In order for that group to be effective, you have to have a clearly defined enclave. We have to know which systems are CUI relevant. We have to know which logs on those systems we need to monitor. We need to know which events on those systems in those logs we need to monitor. The applications, application log, application event types. That’s the kind of information that you’ve got to give to the security monitoring folks in order in compliance monitoring folks to be able to do this for you.

Is part of it the blind leading the blind or whoever was doing that initial implementation didn’t get to the right information to support the folks on the back?

Chris Petersen (24:32.348)
Yeah, I think it is. I think there’s probably a mixture of both in there. But I do think it’s, this requires some upfront planning. And I think people are looking at CMMC or 8171, understanding how do you carve out that enclave and how to make decisions around, are we going to consider the full?

your corporate IT footprint in scope, or can we carve out an enclave and protect and monitor that? That’s a meaningful conversation to have, one that can actually significantly reduce your cost exposure in terms of what you need to implement and implement where and what you need to monitor. But that is a…

But that is not an easy conversation or decision to navigate if you don’t understand the frameworks, the regulations, what is considered QE, what is not. And that’s where a lot of our consulting partners can help out a lot.

John Verry (25:43.856)
Yeah, definitively on the CUI. I mean, you know, that’s arguably one of the biggest challenges that you have during scoping is, you know, folks don’t know exactly what is their CUI, what isn’t. It’s not properly labeled. You know, many times they don’t understand the difference between CUI basic and CUI specified, right? Things with higher requirements like, you know, CTI or ITower and things of that nature. So yeah, I agree. It’s a challenge. So you mentioned CMMC there. So that was what part three of the survey actually focused on.

Chris Petersen (26:01.468)
Yeah.

John Verry (26:13.584)
And I thought this was really intriguing to me. Some of the data there was surprising. It was surprising to me that folks had such a good picture, an accurate picture, but their picture didn’t align with what I thought their picture would be. So 36 % said they think it’s gonna take them between one and two years to become CMMC L2 compliant. And another 20 % believe it will take them more than two years. So that’s interesting. But.

When you map that against the fact that, you know, CMMC is on the precipice, let’s say, you know, we’re going to start seeing this late this year, early next year in actual contracts. We know that they’ve already been obligated to be NIST 8171, which is CMMC compliant, like we talked about for the last eight years. And now we’re seeing with our client base that many of the primes are pushing them towards being demonstrably CMMC compliant prior to the actual lawmaking going into effect.

I thought it was weird that they acknowledged that, yeah, we’re not going to be ready.

Chris Petersen (27:17.724)
It’s weird. It’s something that’s, it’s been a, it’s a big head scratcher for us internally. And we talk about this or it’s like, well, wait a minute. Aren’t they all supposed to already be kind of effectively compliant? and, and a lot of them would say, if you ask them, are you nisting a hundred one 71? They say, yes, yes, yes, we’re good to go. but then, you know, a breath later, a different conversation later, they would say,

we’ve just begun CMMC and we’re a year away from compliance when CMMC level two is based on 8171. So it seemed to imply that there’s a disconnect in the comprehension around what CMMC really is and perhaps maybe some overreporting of a posture on 8171. Again, coming back to…

You need enforcement, you need audit, independent audit, and you need some enforcement mechanisms.

At least in my opinion.

John Verry (28:22.128)
Yes, some folks that I know in the ISO 9. Sorry about that, you cut out for a second.

Some folks that I know in the ISO 9001 space talk about when that became really the hot topic and manufacturers had to move in that direction, that at one point there was like a 15 to 18 month queue to become ISO 9001 certified. Given that you mentioned that there’s 300 ,000 clients in the DIV and I don’t know what percentage of those, maybe a third probably will need to be CMMCL2 compliant. Are the…

In your mind, are the organizations that are not yet moving forward on this potentially putting themselves in a bad spot where there’s going to be a queue? A queue if you need to get into Microsoft 365 GovCloud, a queue if you need to get prevailed implement stuff, a queue if Radical needs to do stuff for you, a queue if you need to get your C3PIO assessment done. Thoughts?

Chris Petersen (29:23.42)
Yeah, I think it’s going to be a real problem. There are only so many C3PAOs that are ready to go. And once the rule goes fully into effect, they will take time to process this backlog of companies all trying to get through.

I think that’s going to create opportunity and risk, you know, for infre -companies, you know, companies that are ready that have kind of pre -planned and have got, you know, their C3PAO, you know, lined up and they’re on the, on the schedule and they’re already top, you know, near the top of the queue. I think they’ve got a unique business opportunity in a window where once they get through, they will have a unique ability to compete in the market. versus those that are lower in the queue or who are not really even ready. And so when they.

get through the rod if they’ve got a lot of remediation work to do and a lot of findings to go address. They’re going to have a period of time when their ability to do business is going to be impacted. And so I think we’ve committed that we’re going to be CMC level two. We’re working on that right now. We’ve got a partner risk point that we’re working with. And we’re teed up, right? So we want to be one of the first through.

because there’s also rules around cloud service providers as well in the ruling. So we want to make sure that we’re able to serve this class of a customer. But our own experience is that, what we’re hearing is that there’s going to be a backlog. And these companies are, they’re asking for commitments. If you want to make sure that you have a date ready to go and we’re there for you, that commitment needs to be made now.

John Verry (31:11.824)
You mentioned that you guys are looking to go towards CMMCL2. I think that’s another interesting challenge point that I don’t think enough folks are talking about is that for many of the organizations, the flow down requirements are going to cause a problem. So if you’re working with an MSP and that MSP is, let’s say, providing security protection assets on your behalf,

if they’re not properly certified to do that, right? Or if you’re using a cloud service provider and they’re not FedRAMP modded or equivalent. So I think that’s the other challenge is I think people are going to get to what they think is the finish line and not understand that based on the way that their system security plan is written, that core supporting components are not yet where they need to be. And they’re going to have to…

figure out, either wait for those components to actually achieve that state, or they’re going to have to actually switch components out.

Chris Petersen (32:14.556)
For sure. That’s going to be a big shakeout as well. And so we’re looking to get ahead of that. And we are seeing companies who I’d say both the MSPs, and so we’re talking MSPs, and they are aware of this. And many of them are proactively looking at their vendor relationships and who is committed to getting there. And so I think that’s going to change the market dynamics up over the next.

over the next 12 months. And we’re also are hearing some might say more, you know, knowledgeable customers who are also looking at their vendor list that they’re directly managing, that they’re directly managing visibility to as well to see where they are. But I think there’s a lot of companies who aren’t thinking about this yet. And they, you know, will likely have a very unwelcome surprise when they realize that their MSP…

is not where they need to be, therefore they cannot actually achieve certification. And they may need to scramble to go find a new provider. And those things take time. You can’t just go swap in a new MSP overnight, right? So that is a business disruption that if it’s not… Sorry.

John Verry (33:24.784)
Even worse if it’s an MSS.

John Verry (33:30.224)
I said even worse if it’s an MSSP, right? Because I mean, I think the time that it takes to onboard an MSSP and get them all the information they need, get everything operationalized, get all the reporting in place, you know, soak periods, you know, clean up periods, yeah, it’s six months.

Chris Petersen (33:33.628)
Absolutely.

Chris Petersen (33:45.244)
Yep.

Chris Petersen (33:50.524)
Yeah, to get it all running well, it can be. Yeah, absolutely. So yeah, I think there’s a big shake up. And we’ll see what happens with the rule. I wouldn’t be surprised if it provides some grace in terms of some of the cloud service providers and the service providers. Hopefully, what they will not do is provide grace around audibility and enforcement, because that needs to get moving.

John Verry (34:19.504)
Yeah, I think, you know, you hear that there’s going to be this concept of being able to actually be certified with a poem in place. And I know that a lot of the purists were like, you can’t do that. I kind of take a more practical view of it and say, A, I think it’s somewhat necessary in order for us not to break things completely. And then B, I think it might have an additional valuable impact in that one of the things that I’m concerned about with CMMC is the fact that, you know, it’s a once every three years.

Chris Petersen (34:37.372)
Yeah. Yeah.

John Verry (34:48.08)
And my experience with people has been if there is no enforcement, they don’t do it. So to some extent, someone poking their head in to make sure that the poems are progressing provides at least some level of ongoing initiative to keep the program compliant.

Chris Petersen (35:01.852)
I agree. I mean, from just a pragmatic perspective around, there does need to be some reasonable phase in of this so that business can continue because in the end we’re managing risk, right? I mean, there’s cyber threat risk, there’s lots of IP risk, espionage risk, but there’s also a risk if the defense industrial based supply chain comes to a grinding halt. That’s also a risk.

And so there needs to be a pragmatic approach to how this gets rolled out. I think that’s a very reasonable compromise. And I also think having an annual check -in is going to be very important because if it’s simply every three years, we’re going to go do an audit and a verification, there’s going to be significant erosion in that three -year period.

John Verry (35:51.632)
Yeah, no question about it. In part four, you asked companies about their future priorities. Anything surprise you there in their responses?

Chris Petersen (36:00.988)
You know, not too much. I think a lot of that aligned. What did you think?

John Verry (36:15.92)
I thought it squared logically with some of the other stuff. Although, again, my overwhelming thought process was, we’re going to implement multi -factor authentication, which is sort of a basic protection that I’d expect to have in place anywhere. But I figured what the number was, a third or somebody, which means a third haven’t yet done that. So I thought the priorities were good. I just thought they spoke to a level of immaturity that didn’t align with the number of people they said were dedicated to security. And then,

Chris Petersen (36:33.468)
Right.

John Verry (36:45.968)
and that high, very high capability.

Chris Petersen (36:49.34)
Yeah, and I guess that is, I guess I say I wasn’t surprised and part of that is my expectations have been, I guess not lowered, I guess, but they’ve been somewhat met and I assume that this segment didn’t really know what good was yet. That’s, the SMB is still kind of riding up the maturity curve of overall cybersecurity.

And so, I mean, ideally, it would have seen more prioritization. I think things like vulnerability management, vulnerability management, tech service management, threat monitoring, IR, things that are further along the curve of a defense in depth architecture versus a lot of it still being the tactical stuff, right? MFA, better network protection, deploying better endpoint protection. Those are…

John Verry (37:36.784)
access control, but you have more basic block and tackle as well.

Chris Petersen (37:40.572)
Yeah, important things, but it is. It’s more just doing basic security well and just getting some more modern capabilities in place from a protection perspective. And like this segment, this segment’s being targeted by nation -state threats. It’s industrial espionage, and these companies have got to move beyond just kind of core IT security.

John Verry (38:07.952)
So in part five, I thought you had some interesting actionable takeaways. One was if you’re outsourcing cybersecurity needs, be wise about choosing a service provider. That’s a hard thing to do, especially if you are a little, it would be like me figuring out a doctor in a particular specialty. How do you figure out a good doctor, right? So how can someone in the DIV find a good service provider?

Chris Petersen (38:37.052)
It is tough. And I think some of it begins with, I think, increasing the education level within the DIV and at a CEO level or whomever has been an executive level mandated to overall lead this effort. I think there needs to be increased education around what really good looks like.

John Verry (38:37.904)
Yeah.

Chris Petersen (39:04.06)
from a security perspective so that they can actually assess their third party provider through a lens of higher expectations and also know what to look for. So if somebody says, yes, we’re going to do threat hunting, be able to ask the next set of questions that actually can help determine are they really doing threat hunting or they turn on some correlation rules and call that threat hunting. And.

And that’s certainly what we’re trying to help with is helping the broad markets and folks we talk to kind of understand how do you really assess this? Because for a lot of folks in these companies, it’s just this is not what they live and breathe. And they tend to not have somebody often who’s focused purely on security. And so we’re trying to help generally educate on what does that next layer of security level look like? And how do you assess if a third party provider is actually

able to really do that or not, or if it’s, they’re more given a lip service.

John Verry (40:07.28)
Yeah, and I think as many of them are potentially going to require some level of flow down, right? So, you know, so security protection assets, you know, anyone that’s actually providing security protection assets as part of the solution, you know, I think to your point, asking them how they’re achieving the requirements, you know, is going to is going to be a pretty good indicator. You know, if they stumble and are not able to enumerate.

Chris Petersen (40:13.82)
Yeah.

John Verry (40:33.136)
the implementation of these controls in their environment, if they’re not able to provide any artifacts or evidence or speak intelligently on it, I think that’s gonna be a red flag and should be a red flag.

Chris Petersen (40:42.972)
I absolutely agree. And that is another just great, great place to start a conversation to have, you know, is how do you intend to yourself get to level two murderiness?

John Verry (40:56.592)
Yeah, the second one you had was, I smiled when I read this. If you haven’t started your CMMC compliance journey, get it yet.

Chris Petersen (41:04.156)
Yeah, yeah, it’s time to get going. I mean, this takes time. It’s not easy. There are just getting the basics in place in terms of your policy and procedure and documentation and getting your access control locked down and group marketing. I mean, there’s a lot to do here, a lot of work.

When we look at, we drive, part of what we do is we help to drive the compliance operation for our customers through our platform. And we say six months is kind of what we target for a timeframe, but that’s with us actively driving it through our platform, providing guidance and help and some nudges along the way. Six months is not easy. And so…

You know, you know, it’s, you know, it’s, it’s May right now. The rule could be, if you know, in fact, the end of Q1 and you know, that’s not, there’s not much time to close the gap in terms of getting through a, you know, figuring out where, you know, where you are and getting that first pass remediation is done.

John Verry (42:07.568)
Yeah, I think six months is aggressive. And I think you can be more aggressive given the fact that you’re taking on a lot of the, I think, most challenging elements of this. So if, I don’t know what the exact number is, but I would say either directly fulfilling a requirement or supporting or partially fulfilling a requirement.

Chris Petersen (42:21.852)
Right. Yeah.

John Verry (42:36.048)
I would say the stuff you’re experts in, the same system audit, logging, blog monitoring, reporting kind of components, incident response SOC, that’s got to be what, 40 % of the overall requirements? So yes, you guys have the potential of getting it done in six months, and I think you’d even say that’s challenging, even with your expertise and it being sort of one throat to choke. If an organization is trying to piece together best to breed, you know…

Yeah, that’s going to get even a little bit harder, right? I mean, I think a lot of the organizations we’re working with have been working on this, you know, six months, nine months a year, you know, and getting all those pieces in place, getting the different vendors on boarded, you know, making sure they understand exactly, you know, getting the information that they need to be successful, etc. Yes, it’s not an easy lift.

Chris Petersen (43:22.3)
Yeah, it’s not. I mean, that’s the radical offering. What we built, our mission ultimately is to, we want to bring nation state threat defense to our customers. A degree of, I would say, proactive attack service management and detection sophistication that we can actually keep a nation state threat actor out for as long as possible. And if they do get in, we will see them and get them back out.

That’s our fundamental mission. We also help manage the compliance side and drive that, but part of what we do on the compliance side also, as you alluded to, is we take some of the hardest to do things off the table. CMC requires you do log management, requires you to be able to detect threats, to investigate them, to respond to them, to manage vulnerabilities, to have security awareness training.

Those are things that we’re also just taking off the plate and saying covered, it’s done. Which is also why we can help to accelerate it. And for us, it’s really about doing those things really at a very high quality level and then also helping to manage the other kind of blocking and tackling and seeing that get done well also, which is good for the customer and then also good for us because it means there’s likely to be less things to investigate and to have to chase down.

John Verry (44:49.36)
Yeah, and your last point aligns with something that we use the term trusted ecosystem and I think you’d agree that what you say sort of aligns with that idea. Our trust ecosystem is the right people and right products at the right time to fulfill the mission. And you guys use the term the right tools and technology as well as those with the expertise to use them or to key to better security.

Chris Petersen (45:08.38)
Yeah, yeah. Yeah, I mean, this kind of comes back to, I’ve had a long time, a long standing frustration with kind of the notion of cybersecurity, silver bullets, where there’s always been this, I think, hope that this magical technology would be invented and just make all this go away. We can just solve this with a product. And it’s never been true. Maybe it’ll be.

John Verry (45:35.152)
Until radical, until radical it was never true, but you’ve come up with the silver bullet for CMMC. That’s what you’re telling me today, right?

Chris Petersen (45:36.988)
Antiradical, yeah.

I wish I could say that, but it’s, yeah, there, you know, I mean, we want to get to a more silver bullet and we think, you know, we think AI is going to be a game changer there for us, you know, because, you know, part of what we’re trying to do is for us fundamentally, we have to build a technology platform capability that can deliver a, you know, very sophisticated level of threat detection and response at speed.

John Verry (45:44.816)
I’m going to go ahead and close the video.

Chris Petersen (46:10.204)
that can be affordable for the segment. And the ability to automate workflow, to have AI take an increasingly large part of that is how we’re going to get something that is affordable at scale and also continues to improve from an efficacy perspective. But there is still, we’re a long way from taking humans out of the equation and operations out of the equation. And security is a broad landscape. And so for us, it’s just for the domains we’re going after,

Yes, we want to be as strong as silver bullet as possible, but there are no true silver bullets that can cover the whole spectrum, right?

John Verry (46:48.304)
I wish I wish they were. Although it would be better if it comes out right after I retire. I still have a couple more good payments left to make. Silver Bullet comes out, it might put me out of business, right? It might put me out of work. So I think we beat this up pretty good. Anything we missed? Anything you wanted to add, Chris?

Chris Petersen (46:50.332)
Yeah, a lot of people do, it’d be nice.

Chris Petersen (46:56.032)
Right.

Chris Petersen (47:09.788)
No, no, I don’t think so. I think it’s been great and really appreciate the time.

John Verry (47:13.872)
Yeah, same here. It sounds like you guys are, I can see the value prop, like I’m kind of envisioning what you guys are doing and it’s almost the value prop of what you did with logarithm but more purpose -built to address a particular market and to address a particular set of requirements which kind of even simplifies it a bit, right? Because where a logarithm was a tool that could be used in hundreds of industries and from small to large companies.

It’s nice when you’ve got a more constrained solution target. So I gotta imagine that you guys are gonna do some great things.

Chris Petersen (47:52.06)
We certainly intend to, yeah. We’re off to a good start and we intend to just do better by our customers and just increase their security every single day.

John Verry (48:06.256)
If somebody was interested in your study, if somebody was interested in your services and product, how would they get in touch with you?

Chris Petersen (48:14.14)
I mean, you know, the other website is probably a great, you know, a great place to start. you know, you know, hit me up on LinkedIn. and, yeah, you know, email Chris at radical .com. You know, you should email directly as well. Happy to talk.

John Verry (48:27.12)
Right, and just anyone listening, radical is spelled R -A -D -I -C -L. Well logarithm, I mean both words were spelled properly, they were just glued together. Yeah, you know, radical, radical is, you know, the spelling is radical of radical, right?

Chris Petersen (48:30.268)
yes, I only like companies that have hard to spell names, you know, logarithm. That was a good one.

They were, and you know, concatenate. I think RADC was a little bit easier. You just drop the A, R -A -D, I -C -L, a little bit easier than spelling rhythm, but we’ll see.

John Verry (48:55.536)
Well listen, this has been great man. Thank you.

Chris Petersen (48:59.708)
Yeah, thanks, John. Appreciate it.

Pivot Point is now part of CBIZ. Click Here for more information.

Episode 140: DIB/CMMC Cybersecurity – Interesting Observations from a Significant Study w/ Chris Peterson

What's Next?

What do you think? Is Digital Business Risk Management the Future of Attack Surface Management?

Search our Blogs

What is the CMMC Assessment Process (CAP) Handbook and Why Should DIB Orgs Care?

ISO 27001 vs NIST 800-53: All You Need to Know

ISO 27001 vs NIST Cybersecurity Framework: What’s the Difference?

The Primary Importance of CUI Scoping for CMMC Certification

Know the Difference between ISO 27001 vs 27002 vs 27003

What is Content Disarm and Reconstruction and Why Should I (as a Recipient of Digital Documents) Care?

The Role of Leadership in ISO 27001 Compliance

Why File-Based Malware Dominates Cyberattacks

Data Detection and Response for Privacy and Compliance

DIB SMBs Rate Their Cybersecurity as Much Better than It Actually Is – Why?

Top 5 Insights from Radicl’s DIB Cybersecurity Maturity Report 2024

How Should Crisis Management Connect with Incident Response?

CMMC Certification vs. CMMC Compliance: Which One Do You Need?

CMMC Certification: How Long Does It Take to Get Certified?

What Privacy Roles Does My Business Need?

What is a Secure Web Gateway and How Does It Support Zero Trust?

18 US States Have Now Passed Privacy Laws – Time to Start Building Trust

Risk Tolerance: To Avoid, Transfer, Mitigate or Accept—That Is The Question!

10 Most Important Steps to Build a Data Privacy Program

What are SaaS Providers Doing with Your Data?

How can we help you?

Services

Compliance

Insights

Pivot Point Security