In this Kitecast episode, Michael Redman, who is a Knowledge & Learning Management Instructor at Schellman and is a subject-matter expert in various cybersecurity and compliance standards, spoke at length about Cybersecurity Maturity Model Certification (CMMC), the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), and other topics that are pressing concerns for the Defense Industrial base (DIB). Redman asserts that businesses must approach cybersecurity as a risk management issue, just like any other business risk. Organizations must take proactive measures to mitigate cybersecurity risks and ensure they have a robust cybersecurity program in place.
Part of the podcast discussion with Redman involved the role of Certified Third Party Assessor Organizations (C3PAOs) and CMMC compliance. He explains that C3PAOs are an interesting entity and are being asked to shoulder a whole lot of responsibility with not a lot of reward. C3PAOs are swimming in murky water and need to be patient. As we proceed closer to CMMC implementation, the good, better, and best 3CPAOs will rise to the top, and the ones that aren’t fully invested will focus their energies elsewhere.
Midway through the podcast, Redman spoke about the CMMC Standards Council, of which he is a part. He explains that the Standards Council is working to create an objective matrix that can be used to rate C3PAOs objectively. He believes this will help organizations choose the right C3PAO based on their needs and budget. The alpha version of the objective matrix was just completed and is circulating among subject-matter experts for feedback.
Redman also talks about the importance of having a risk-based approach to cybersecurity. He suggests that organizations need to identify their high-value assets and focus on protecting them. He believes a risk-based approach is more effective than a compliance-based approach, as it helps organizations focus on what really matters. He emphasizes the importance of having a cybersecurity program aligned with the business objectives of the organization and one that accounts for third-party risk management (TPRM).\
Digital transformation is driving dramatic changes in cybersecurity. The confluence of cybersecurity and compliance demands a risk management model, and one focused on keeping private data private. Organizations can no longer view cybersecurity and compliance in separate silos but rather as intertwined and predictors of risk. Kiteworks’ content-defined zero-trust approach, which relies on the Kiteworks Private Content Network, is used by thousands of organizations around the world to unify security and compliance approaches to sensitive content communications while wrapping them in a hardened virtual appliance.
For more on Schellman, visit www.schellman.com/.
Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.