Demystifying CMMC to Protect the DIB

Patrick Spencer (00:02.478)
Hey everyone. Welcome back to another Kitecast episode. This is Patrick Spencer. Unfortunately, my cohost, Tim Freestone, isn’t able to join us. He’s on business travel. So I will need to do today, but we have a real treat for us. Joining us is John Christly. He, for the past two years has served as the director of IT security at Summit7 based in Fort Myers, Florida. He’s an author of two books. We’re going to talk about both of those on the podcast. He’s a

former CEO, CIO, CISO, CTO, and a bunch of other acronyms I probably can cite. He speaks frequently at different events. He’s a regular guest on different podcasts. He’s a board advisor. He has a long, long list of core certifications and licenses in cybersecurity and compliance. We’ll talk a bit about those as well as project management.

And before entering the private sector, John served in the US military. John, thanks for your service and thanks for joining us today.

John Christly (01:01.166)
Well, thank you for having me, Patrick. Very happy to be

Patrick Spencer (01:05.038)
Looking forward to this conversation. Both of these books you published this year, I think you published one earlier in the year. That’s more. It’s the first book, the basics of cybersecurity. It’s available on Amazon along with other other locations. And then you have a second book that’s more for the kids. How to keep your kids and parents safer online. A guidebook for families. The first book you wrote yourself. The second book I suspect you wrote with your wife or

Your kids or your daughter, is that true?

John Christly (01:37.99)
That’s correct. Yes. So, I I’m very proud of both books, but I think the second book that I was able to do with my family actually did that with my wife and my daughter. My daughter is turning 18 soon and who better to talk about the cybersecurity perils and issues and things for parents and adults and teens than my own family who we’ve grown up through it and we’ve grown up with this new tech that’s out there. some of that is a world that I’m still, I’d love to say that I know it all, but let’s be honest.

I’m just a father at the end of the day, and I’m trying to navigate these areas. So that book, I tried to sort of cover the gamut. It’s for parents of children. It’s for parents of teens. It’s for parents who have elderly parents, because elderly folks, and we have them in our family, are some of the most targeted at times and exploited. And so I was like, we know a lot as a family here in this household. We know a lot.

I’m not saying that we’re an expert on everything, but we’ve got a perspective. Let me get this down on paper. And so I utilized what I learned with self -publishing the first book and I got the family together. I can’t say they were always so happy with me sitting down saying, hey, we got to hammer out this chapter and I need some help on these topics, but we did it. We’ve got it out there. It’s been very well received. I’ve got everything from church groups to schools and things like that asking me for bulk numbers of copies of these.

And it’s getting out there into the world and I couldn’t be

Patrick Spencer (03:07.758)
That’s great. We’ve actually interviewed a couple of different folks on a podcast over the past year and a half. A couple of them actually have authored books on cybersecurity and kids, which is kind of ironic. There’s a bunch out there. What differentiates your book from the others that are on the market today?

John Christly (03:28.422)
You know, I’d say one of the things, and I’m not sure because I haven’t read those others. I do see a lot of my colleagues and family members who do this. And one of the things, the perspective I wanted to bring was I’m talking not only am I, this is my 30th year in IT and security. So not only from a 30 year IT vet like myself, who has a CISSP and all these other acronyms, which makes me think that I know what I’m doing. But beside all that, I brought in the heavyweights. I brought in my wife who’s had to live with

and grow a teenager in this world and then bring in my daughter herself, her aspect into this. And I’m so proud that they were able to now be named authors. You they have a book on Amazon, not just me. And it’s the perspective. You know, I’ll give you an example just really succinctly here. I’d like to, you know, when we talk about social media, sure, I know, you know, LinkedIn and Facebook and even Instagram. And yes, I know TikTok

But that’s about it. You get into Snapchat and some of these others and even TikTok to the extent that the teens know it. I’m not in my comfort zone. I have to bring in people that know that. So I brought in my daughter. That’s the perspective is we’re trying to talk from a real life, real world, boots on the ground, as if my daughter wrote the book by herself, but we tried to bring all the aspects. And then the other side too is I’ve got elderly in -laws who have almost been scammed in their past.

Luckily, they knew to call us and we were able to keep them out of the dangerous waters. But I’m like, you know, we have a lot of elderly family and friends and I wonder if this perspective and what we teach our in -laws could help others keep themselves out of trouble. And there’s actually, I think it’s cool, maybe it’s the geek in me, but at the very end of the book, those that actually buy the book, if you do the online book, you don’t get this, but the actual

The very last page, there’s a coloring exercise for kids, but there’s also a guide for seniors that can actually print out these kind five by seven cards, if you will, like take the paper out of the book. Because, know, elderly people in our generation, they like to have paper. Where can I print it? Where can I keep it? And so I actually have this cutout. It’s almost a little bigger than a postcard. And it’s got some important numbers of agencies you can call if you’re in trouble, but also where they can write in their local police department and other areas.

Patrick Spencer (05:46.318)
Hmm.

John Christly (05:49.103)
And I wanted to give everybody that ability to have at their fingertips so they’re not alone. They might be alone, they might be living alone, but they’re not alone any longer. They’ve got our combined expertise helping them along.

Patrick Spencer (06:02.03)
Yeah, just don’t write their passwords on that last page in the book, right?

John Christly (06:05.616)
There’s no section to write down the password. Yeah, we talk about that for

Patrick Spencer (06:08.814)
Yeah, I’ve dealt with my mom in terms of her use of the internet and they didn’t grow up with it. It’s a completely different perspective to your point. And then our daughter, my daughter’s a little bit older than you’re, she’s just finished her second master’s degree. Now she’s looking for a job. But she has a different perspective and she uses social media that I don’t use. Or if I do use it, I don’t use it in the same way she uses it, right?

John Christly (06:10.862)
Absolutely.

Patrick Spencer (06:37.07)
That’s interesting that you brought your daughter in so you can have that perspective. And the other authors, most of them probably aren’t. They’re our age, maybe they’re a little bit younger and they’re writing these books because they have kids in the household. They’ve seen the dangers or the potential dangers that exist with the internet. And they want to provide something that is useful just not for their family, but for a much broader audience. And that’s the genesis for their actual writing projects.

John Christly (07:00.294)
Correct.

Patrick Spencer (07:04.27)
How long did it take to write the book?

John Christly (07:08.452)
Yeah, you know, and it’s interesting. A lot of people say, wait a minute, you released two books in the same year. And I think they may have come out a month difference. But the thing is behind the scenes, I had to learn the whole self publishing. And I’m very proud of that, too. Self publishing on Amazon, self writing a book, which wasn’t the hard part exactly, but self publishing. you know, I didn’t have to go to some big publishing house. I do have to commend Amazon’s Kindle Direct Network. You know, just a little plug there. They made it very easy for me to get these through the process.

You had some rules that I had to follow and a lot of it was formatting and things like that. But once I figured that out, they have a book for that as a matter of fact, and I read it and learned how to do it. Then I was able to quickly get through the process. And so it probably comes as no surprise. You might say, are there any other books next? Yeah, I’ve got an entire laundry list of topics that I want to talk about and get those ideas out of my head. It’s sort of what I can give back to the community at large.

and these ideas where, and I had my own podcast for a while. I like doing this better and I like writing because then it’s memorialized and it’s not even about the money. There are some commissions that come with it, but it probably took the better part of a year to conceive it and lay down the ideas. And I spent a lot of time in front of the computer with the voicing into word, my content.

and just speaking it away and then going back and being super critical of my own speaking and writing and trying to make it suitable for publication, which probably took the amount of time. But in a year’s time, we were able to get two books out the door. And now it’s just a matter of time before I have more of them out there.

Patrick Spencer (08:46.99)
and rest of it.

That’s great. So the other book is more for, you know, the professional out in the marketplace. Talk a bit about it that was published about a month, as you said before the second book.

John Christly (09:02.758)
Yeah, yeah, so the first one it’s called the basics of cyber security and I’m very proud of that one that also so I’ve done a lot of speaking writing blogging You name it speaking at conferences. I got into mentoring along the way and I cry still I do a lot of mentoring I’m a certified fraud examiner and I actually belong to the ACF ease Mentor group and so I mentor a lot of people that are coming up trying to you know get to that that level in their

And what I found, the reason for the book was I found that I just kept repeating myself, especially people that are either coming out of college, I do a lot of speaking at colleges to MBA groups. As a matter of fact, I go to lot of areas where they teach cybersecurity degrees and they’d want somebody to come in from industry and speak. What is it really like? What’s the job really like to be a CISO? And I just kept repeating myself over and over and over. I sort of had a pitch that I would do.

I was like, you know what, let me lay this down on paper and let me get it out there in the form of a book. so it’s not just for somebody who’s looking for that career advice. It’s really about you. So you want to get into cybersecurity and it doesn’t matter what level, whether you’re first coming out of college and you want your first job as an analyst or you’re a little more experienced, you’re an engineer, you’re trying to climb a ladder or you’re already an executive in cybersecurity, but you’re having trouble maybe with board presentation.

And I know that’s a lot to cram under this topic. Matter of fact, I got some critique very much needed in my situation from people who said, you know, John, you probably could spin that off into like three or four different books. I’m like, you’re right. This was my first one. Had all these ideas that I wanted to just lay down in paper. It resonates obviously with the feedback. I’ve gotten different chapters, if you will, resonate with different people in their career. But, you know, I’m talking from my perspective, this is what it’s really like to do the job of cybersecurity.

It’s not all glamour and glitz. There is some of that at times. It can be very lucrative, very rewarding. It can also be the most boring thing on the face of the planet, especially when you’re the guy or girl that has the right policy or do auditing. That can be a very thankless job. But it’s a truth serum book. This is what it’s really like. These are the basics of what’s out there. Everything from how to secure systems. First, you have to know what you have to secure, how to wrap your hands around this.

John Christly (11:23.364)
And some things that hopefully, and the feedback has been, hopefully it gives readers kind of a launching pad. They can go back and they say, wow, that’s interesting. I learned something. Let me go back in my day job, my profession, or my studies and actually put that into practice. And I wanted to do that. And so far the feedback is that it’s hitting its mark in that realm.

Patrick Spencer (11:44.558)
That’s great. Well, I think when you talk a bit about mentorship and coaching, right? There’s a lot of discussion about the paucity of the pipeline of new cybersecurity professionals, and we don’t have enough. And there’s a cybersecurity skills gap. I’ve been talking about it for, well, since I’ve been in cybersecurity, about 15, 20 years at least. You think, well, there’s…

new programs like a cybersecurity degree, which wasn’t available 10 years ago that you can actually do. And there’s a master’s program now in cybersecurity that you can embark on. So there’s certainly educational routes that will help fill some of those gaps. But mentorship, in my opinion, is an area that is underexplored. You know, at Fortinet, we had a program where they were mentoring those who were just coming out of the military and mentoring them and coaching them and giving them a way to make that transition from

the private sector into the public sector and a transition into the cybersecurity profession. What are your thoughts on that matter? It sounds like that’s something you’ve had a lot of, you’ve put a lot of thought into already.

John Christly (12:55.994)
Yeah, you know, I want to go back to the first concept, is, know, cybersecurity industry in the job market and there’s not enough skilled professionals. And I see that I read it. I read, you know, some of the same material. What’s interesting is I see the other side. I see the companies that are laying off like crazy. There was a round this week from a very famous company. You know, I won’t mention, I don’t like to dig at any company. You know, they’re going through what they’re going through, but you know, thousands are hitting the market and a lot of them are cybersecurity people.

I see the side where now I’ve got a very large LinkedIn network, not the biggest of people that I know, but I’ve got a very large extensive network that I’m very proud I’ve built over the years. And I do a lot of helping, if you call it pro bono, I help a lot of my peers try to find jobs. And so I’m sitting here going, wait a minute, I know about a lot of people at all different levels from analyst to engineer to architect to executive and management, right? I know a lot of people.

They’ve had the open to work banner on their LinkedIn for a long time. Some people more than a year, they can’t find a job. And I’m going, so wait a minute, what’s going on here? And they’ll tell me, but John, I’m applying to everything on LinkedIn and Indeed and other places. Every job I’m getting automated emails almost instantly. It’s been filled or you don’t qualify. We’re hearing about ghost jobs being posted by unethical companies that just seem to want

show that they’ve got, I don’t even know why this is going on in our world. They’re posting jobs that…

Patrick Spencer (14:25.006)
138 % uptick due to AI, I noticed last year’s article yesterday.

John Christly (14:29.712)
Correct. Yeah, it’s just crazy. And I don’t understand it. My peers don’t understand it. We’re getting very bitter and jaded with this concept. But I’m telling you, I don’t know where this idea of there’s not enough cybersecurity pros. I don’t see it. Now, maybe I don’t have enough exposure out there. I happen to know I’m actually talking to a lot of staffing firms, not because they want to recruit me, because I’m happy. I’ve got a job. I’m very happy where I am. But I know a lot of people.

And there’s a lot of recruiting firms and they’re going, we just don’t have enough jobs for the amount of people that are out there. So I’m going, I don’t get it. I don’t know what it is in this world. The AI is affecting the job search market in what perceives to be a very negative way. I happen to use AI to help my out of work friends and colleagues with matching up their resume to the job and helping make sure it’s well written.

But that’s not the problem. If anybody’s looking, if anybody listens to this and they’re looking for cybersecurity pros, hit me up. I can give you lots of referrals to people. Now, you know, we went through COVID and I’d say we’re on the tail end of that, if you will, as a country. I understood, you know, everybody wanted to work from home. I work from home, as you can tell. I’m very happy with working from home. There’s a lot of people that they came out of COVID, they don’t want to go back to the office. That’s not for them. They found

at home jobs. And now I’m seeing a lot of companies say, no, now you got to come back into the office. Well, I think that’s affecting their ability to attract and retain talent. The generation we’re in, which is post COVID generation, I’m not talking age at all, but the post COVID generation is most people want to work from home. They figured out how to it during COVID and they’re very comfortable. And some people are scared to go back to an office environment because COVID is not eradicated completely yet.

Very interesting times we live

Patrick Spencer (16:25.71)
Yeah, yeah, very, very true. Let’s switch over to your current rollover at Summit7. I think you just finished two years, a month or so ago. Talk a bit about the company and what you do there.

John Christly (16:39.994)
Yeah, absolutely. very proud. This is my, I know LinkedIn says it’s a little more, but I think this is the month for two years, almost exactly, almost to the day that I joined Summit7. And I had come from a company that was doing something very similar before that, but they, you know, I idolized Summit7 from afar before I joined them. And I was looking for a way in. And the only advice I can have to people that are looking is don’t, don’t relent, be relentless.

I pursued Summit7 and I found my way in. Now I’m a former VP in CISO and you would think, well, wait a minute, you didn’t take a CISO job. No, I didn’t. I took an architect, a security architect role because that’s what they had available. They paid better than I’ve made in the past as a CISO, I’ll tell you that. So Summit7 Systems, a lot of people know them, some don’t, but they are a managed service provider and managed security provider for DoD contractors.

So in the Department of Defense world, we don’t typically always get the big prime companies, we get their subcontractors. Those subcontractors are going through right now the need to become CMMC level two and NIST 800171 compliant. Even though that CMMC rule is not yet finalized officially enrolled out, it’s been around long enough where everybody knows it’s coming, it’s going to be, and you better get on board. A long time ago.

Patrick Spencer (18:03.726)
It’s going close now, right?

John Christly (18:06.79)
Yeah, and so Summit 7 Services, those customers almost exclusively, they’ve been doing it for a lot of years, very successful. The company’s now right at about 200 employees -ish, maybe a little more, a little less, depending on the day. boy, they just, that’s what attracted me to them. They do it the right way. I’ve seen a lot of companies out there, they try to do it. They want to do it, but either they don’t have the resources, the

or the money to invest internally and boy, 7 just blows it out of the water. I can’t say enough about them. That’s why I tracked them down and found any way I could to get on board. I I would have taken a project management role if they would have had me just to get in the door. And then I was fortunate to be promoted to my current role of director of IT security. I actually, I was over there IT and security for a period of time. They’ve got a brand new CIO who is my boss that they’ve appointed. And so he took IT, which allowed me

come back and focus on IT security, which is a big job because at Summit7, we do it for our customers, but what we learn from our customers or what we learn internally, typically then we either roll things back out to our customers that we learned, or we learn from our customers and then we bring it in -house. So we’re constantly learning. I’m constantly working with our product development team to roll out new offerings and upgrades.

And so yeah, that’s, I’m sorry, that was supposed to be a short explanation, turned into a long one, but that’s Summit 7 for

Patrick Spencer (19:39.694)
Well, you bring up an interesting topic. The CMMC stuff has been important to our business because, you know, we comply with many of the check marks when it comes to the controls on the CMMC 2 .0 front. And we have a lot of organizations that contact us because they are able to accelerate their ability to achieve the compliance that’s right around the corner, as you just noted. You know, you guys, I assume, are 2 .0 certified, and then you’re working with a number of clients who aren’t.

and you’re trying to get them there, where’s the maturity level when you look at CMMC and you help someone who contacts you, do you help them get there faster so they don’t put their DOD business at risk?

John Christly (20:23.45)
Yeah, so to be clear, we’re not certified. Not too many people are, except for those customers who are able to get into the early assessment process because nobody else, I mean, the rule’s not final. We can’t, and so we’re a vendor. mean, know, just plain, you know, putting it out there, we’re a vendor. We’re not a government contractor per se, where we’re manufacturing things and holding the data. We are a service provider to those customers. We cannot

CMMC certified, quote unquote, yet. And we’re hoping eventually to be able to. Now we think at some point what we do for customers and other MSPs like us, we may have to be CMMC level three certified because that’s the level that we may have to be. You know, we’re looking at all sorts of things. We have a lot of compliance frameworks and certifications that we’re running after as a company to try to make sure that we’re as prepared as possible.

But what we do is we help our customers because we know what’s coming. mean, it’s a very clear roadmap. know, lot of customers will come and we’ve heard this in the industry. They’ll say, my God, it’s so hard and so expensive. Well, it doesn’t have to be. And we’re a company where we look at this and say, it’s not hard. Expensive is in the eye of the beholder. mean, we do a lot of work with SMB,

And I know the very very very micro SMBs the mom and pops the literal mom and pops they could view this as expensive because maybe they never had Patch management and and and sim and and you know other kind of things in place and maybe now they have to make some investments But the typical SMB the typical and you know SMB phrase it or define it how you like typically we’re getting anywhere from 50 to 250 employees is kind

the world that we’re seeing that’s coming to us, they typically already have a lot of these systems in place, or they’re looking to migrate from another MSP and come to us and we have a compliance team that will come in and audit and see, well, you know, it’s like a health check. Okay, let’s see how good you’re doing. You may have more than you think you have, but nobody’s ever told you how good or bad you are. And so we will come in, we’ll do that, that, that health

Patrick Spencer (22:19.214)
Yeah.

Patrick Spencer (22:32.462)
Hmm.

John Christly (22:39.12)
will tell you where it’s kind of like give credit where credit is due, but then call out the areas where there’s gaps. And a lot of customers find out, wow, you know, we actually do have a lot of things in place, but we don’t have it documented. We can’t prove it to an assessor. And that’s where your policies and your procedures getting you ready for the eventual audit that is to come. If for CMMC, you’re going to engage with a three CPA, three CPAO always got to love the acronyms.

Patrick Spencer (22:59.086)
Yeah.

Patrick Spencer (23:07.406)
Yeah.

John Christly (23:07.682)
and they’re going to come in and they’re going to do the audit and that’s what we do is we get you ready for the

Patrick Spencer (23:12.398)
Hmm, interesting. Yeah, and the maturity level, it sounds like, are some of them surprised that they’re this far along? It’s probably because from a legacy standpoint, there’s DFARS, there’s NIST 800 171. If you’re talking about level three, 3 .0 even, you’re talking about 172, because those have been around a while.

You find that more organizations are a little farther along than they expect when they start looking at CMMC or is it, gee, we should have paid attention to these regulations. We haven’t in the past.

John Christly (23:48.858)
You know, that I think is closer to the truth right there is I’m finding, know, and I think we are, I don’t want to speak for, you know, everybody that we run across, but I think we’re finding a lot of people still, they dragged their feet. As you said, they were supposed to be doing a lot of this for DFARS years and years ago. So it’s like, why didn’t they? Well, you know, my background, so I came, I’ve worked for private colleges, university. I’ve also worked in healthcare. You know, there were things like FERPA and PCI and HIPAA.

And it was the same thing. Like nobody pays attention to this stuff. Honestly, this is the industry. Nobody pays attention to those things until they have to, until they start losing contracts or being unable to bid on work. And so a lot of the primes are now flowing this down saying, well, you’ve got this in place, right? I mean, you told us that you had this in place and you can’t lie anymore. You better not lie about it anymore.

Patrick Spencer (24:41.102)
You gotta prove it.

John Christly (24:43.526)
And but we are finding that a lot of people who are surprised just didn’t pay attention to it They you know back when before this this new level of CMMC rule is coming out self self assessments and and self Self -governance was sort of the rule of the world. Yeah attestation exactly. That’s the right word and you know, everybody found that doesn’t work Okay, it just doesn’t work and don’t ask me why I’m smiling into the camera because I can tell you why it doesn’t work, you know, but

Patrick Spencer (24:58.894)
Just making.

John Christly (25:13.392)
People are paying attention now. think, well, those that are, there’s going to be a lot, there’s all these, these DOD subcontractors and there’s numbers out there. They’re in the tens of thousands of companies that will have to get certified and talk about a gap. We have a gap of three CPAO companies. And while there are dozens now, they’re still not enough. You know, if the rule comes down and they start enforcing that these companies are going to come out of the woodwork and now they’re going to pick up the phone and say, okay,

Now I need to take this seriously because my prime is telling me that until I officially attest that I’ve done it, you know, back in the day, you could have a SPUR score that was self -attested to put it in the SPURs database, SPUR system online and go along. it was, I got to be honest, I think the majority of it from what we’ve seen, it was all false and fake. It takes me back to the old PCI applications and cyber insurance applications

It’s saying, are you PCI compliant? And people were checking yes. And yet when the truth came out, they weren’t any closer to that than they were a millionaire. You know what I mean? It’s just crazy.

Patrick Spencer (26:23.598)
I, we did a webinar, this has been a little more than a year ago, about a year ago on CMMC. We’ve done several of them, but one of them, we cited some research. I think it’s from Cyber Sheets. I’d have to go back and look at my records. It’s like 70 % who did self -assistation and thought they were compliant with 2 .0 and all 110 controls actually aren’t. They thought they were, but they aren’t. So I think that corroborates your point that you have a lot of organizations out there that

may be overconfident in terms of the fact that they’re compliant and now there’s teeth. It seems to me that you got to have teeth in these regulations in order for them to really take hold. In the case of CMMC, it’s you’re going to lose business with the DOD and it’s going to go away. Your revenue is going to disappear or it’s going to increase substantially.

John Christly (27:09.764)
Yeah, that flow down of that risk, you’re absolutely right, Patrick, that flow down of that risk. mean, it’s like who’s the teeth, who’s enforcing it? Well, the primes are going to enforce it, excuse me, because they’re going to say, have to show us, and we’ve actually seen it. By the way, I’ve seen this now for four years. That’s how long I’ve seen this where a certain prime, and there’s a couple of them. I don’t want to mention them here on camera, but there’s a couple of primes where they’ve had these questionnaires. And so anybody listening that’s been through this, they’ll know exactly what I’m talking about.

Because the primes couldn’t get access to the score. couldn’t get, you know, they couldn’t get access to this stuff. So they had a questionnaire that they put out and I’ve seen it. I’ve had it in my hands because customers will say, can you help us fill this out? And it’s very crafty the way it’s worded. Since you can’t get access as a prime to the Spur score, they’d say, are you compliant with DFAR 7012? Are you compliant with NIST 800171? Have you implemented this number of controls? Have you implemented this number

you another 50. And if you’re an astute and procurement officer at the prime, when you get this questionnaire back, could tell exactly, you could almost guess what their score is, their SPUR score, by looking at the results of this questionnaire. And yet they didn’t ask you for your SPUR score. They didn’t ask you, the word CMMC wasn’t even on there. And there were ramifications to it. If you answered it honestly as a sub,

Patrick Spencer (28:30.222)
Huh.

John Christly (28:36.542)
and it was not a good set of answers because you haven’t been paying attention, you put that back, that procurement officer may prohibit you from bidding or renewing any work. There’s your teeth. I’ve seen it happen. So, and I think more of it is

Patrick Spencer (28:48.91)
Yeah.

Patrick Spencer (28:54.158)
I think we’re seeing with GDPR, we’re going to see it, I think with the state data privacy regulations, CCPA starting to issue their fines and penalties. GDPR was what last year, more than the previous three years combined or 2019 through 2021, I believe. HIPAA, the fines were up last year. So, you know, when you put teeth behind these regulations, then you achieve compliance. Self -assessation just doesn’t work.

in many instances to your point. Yeah. So now you know. Good. Good.

John Christly (29:24.976)
Exactly. And Patrick, I want to go back just once. go ahead. I was just going to say, I want to draw an analogy here also for people that are wondering. In my past, I worked for a outsource call center BPO company for a while. And they had a customer that they took on, a call center customer who required them to be high trust certified. And at that point, I didn’t have any high trust experience. And it was, well, that’s HIPAA on teeth. There was HIPAA, then HiTech, and then high trust. And high trust.

was, in my humble opinion, that is what CMMC level two, know, 800 171 is now. It’s the verification. It’s no longer self. You have to have a company come in and do the actual assessment, right? It’s like the difference in PCI between doing a self online and having a sag D where somebody has to come in and, you know, actually verify. And high trust was no joke. And the ramifications was in the company that I was with, unfortunately, they did fail their first high trust.

certification and there was too many findings. They had to go back and fix a lot of things. Most of it was documentation, process and procedure documentation. And I look at that as like, that’s what we’re going through now is you’re going to see, and the ramifications were that the customer who required us at that time to be high trust, they said, if you’re not high trust, you cannot bid on this business. And it was a multi -million dollar, multi -year contract for business.

They said, sorry, we’re only taking companies that are high trust certified. That’s where the compliance framework and that standard came in and really prevented business. And it’s rough. Trust me, that company that I worked for, they jumped all over getting serious about it then and saying, well, now we want to get to the point where we take this seriously.

Patrick Spencer (30:56.206)
Interesting.

Patrick Spencer (31:12.91)
Yeah. Where do you, that brings up an interesting topic on the FedRAMP side of the house. You know, are you starting to see that where if you’re not FedRAMP moderate, then you can’t do business with certain segments of the government, DOD specifically. And, you know, when we’re talking about FedRAMP, how do you see that as something that’s become more and more prevalent?

John Christly (31:36.346)
Yeah, so in our world here at the company I work for now, FedRAMP is the rule of the land, if you will. Our CEO is very, very smart and he looks ahead into the future. There’s a rule we have where if you’re not in the FedRAMP marketplace as a product, we probably cannot use you as a service. Because we have to buy products and services ourselves to use and use for ourselves and use for our customers. If your product is not

If it’s not anything, know, equivalent, whatever, if it’s not in that FedRAMP marketplace, then the rule that we have is either then we have to host you in our GCC high cloud and Azure, the government high cloud. Or if you say no, you know, as a vendor, you won’t let us host you. can’t air gap us in there, right? Then we simply can’t use you. So it’s a big part of our world here at our company. And for our customers, that’s it’s a big topic. And it’s

Patrick Spencer (32:19.566)
Yeah.

John Christly (32:34.106)
It’s a very contentious topic too, because the rule hasn’t said that everything has to be FedRAMP yet. But there’s so much pointing to it. We’re not taking any chances. That’s the thing. That’s what I love about our CEO. He doesn’t want to take any chances. We’d rather, you know, there’s some customers say, hey, we don’t believe. We think we can get there by hosting everything in a commercial tenant and using commercial tools. Well, swim at your own

We’re not going to take that chance for ourselves and our customers. We’re going to try to do the right thing. Sure, that means that some of the services are a little bit more expensive because now we’re talking about everything has to be US based and handled by US personnel, US data centers, right? And again, if you haven’t found out by now, we’re a big Microsoft partner, very big. And we believe in it. We drink that Kool -Aid and we put all of our eggs in that basket for the most

Because we’re trying to do it right. We’re trying to make sure that we’re protecting the American warfighter. That’s what the DOD subcontractors, they’re building for DOD and military purposes. But we just don’t want to take any chances that could cripple because, we didn’t realize, and this is what we find, Patrick. I mean, there’s a lot of great products on the market. I’ve used them back in my commercial days. But when you’re talking about the government, you may put a product in use and you don’t realize that it’s got hooks out

another cloud who will rename nameless and maybe the people that have access to that cloud are not US citizens and they’re, you know, it’s not on US soil and that’s where it gets real, real dangerous and we’re simply not willing to take that

Patrick Spencer (34:16.462)
Now, do you find, you know, there’s been this trend in the marketplace the past few years where organizations will claim, well, we’re FedRAMP like, which doesn’t mean they’ve gone through the certification process. There’s four or 500 certifications with moderate, right? And they’re stringent and the, you know, the certification process, they make you, they evaluate each one. And if you don’t pass one, you have to go back and make a remediation to get the certification, as you well know.

Our organization’s waking up that those that claim FedRAMP -like, it really doesn’t work because it’s FedRAMP -like, not really FedRAMP.

John Christly (34:53.83)
So here’s my take on that and what I’ve seen and I see this quite a bit and boy, what another loaded topic here, the FedRAMP equivalent. And I think that’s actually written into some things and that’s what’s sort of the problem with CMMC is I think there is some wording around it either has to be FedRAMP at a certain level or FedRAMP equivalent at that level. Well, the problem is the people that wrote all that, they’re not giving guidance about, what is FedRAMP equivalent?

I will tell you, I’ve got some peers in the industry and there’s some companies, they sort of hang their hat on this going, we can get there. We know how to do that. You know, we have an opinion on what FedRAMP equivalent is. And I will tell you, it’s not impossible. It is possible to do. And I only know of a handful of companies out there that really, really get it. And what I mean is, look, let’s talk about some easy things, right? If you’re setting up computers for customers or yourself, are you STIG imaging them?

Are you using, you know, a CAS tools to vulnerability scan? And if I’m using terms right now that you don’t know, I’m not saying you Patrick, but anybody listening, if they don’t understand the words coming out of my mouth right now, that’s a problem. Because only those that understand how to build secure systems to a standard, to a level, how to, you know, go to this level, a lot of IT companies and MSP companies are out there. I don’t want to take anything away from them.

They know how to manage IT, but they don’t know how to build to what I’ll call DoD spec. Those that do can likely get there. And I will be honest with you, you probably could build in almost any government cloud. I am concerned about some of the commercial clouds because where are they? Where are they hosting the data on the backside? Where’s their recovery sites on the backside? Who’s got the ability? That’s what scares me a lot.

Patrick Spencer (36:40.526)
Yeah.

John Christly (36:47.278)
about espionage and insider threat, which is a big part of my job. But if you’re in a government cloud, for example, know AWS has their AWS GovCloud, and I partnered with them in the past before coming to this company, you can build a very secure set of virtual machines and networks and all that, but you got to be able to do it, that’s the point. You got to be able to say, this is how we build this to this spec, and you better be able to bet your paycheck on it and stand

and plant your flag and say, I will defend this to the death. Not literally, but maybe the death of your career if it’s not built to that spec, because nothing else should suffice. And there’s people that just kind of fake it and say, no, I think it’s secure. I’ve applied all the patches and I’ve got good endpoint anti -virus EDR. OK, but that’s not enough. That’s not enough. And the people that don’t know, they’ll defend what they’re doing to the death.

And you put them up against the people that actually know how to build secure systems and that have been around government systems. we go back to the manuals of the past. I I grew up in the mainframe era and then came from that. I’m not as old enough to remember punch cards, but I definitely came through mainframes. And you learn back then how to build a secure system. And unfortunately, too many companies and people nowadays

don’t and unfortunately the kids coming out of college, I hate to call them kids, but they are more than half my age at this point. They’re coming out of school and they don’t learn this typically in most, you know, I don’t even care if it’s a PhD level cyber security course, they don’t learn how to lock down systems to the nth degree like they should. Otherwise we’d be in a lot better position than we are as an industry.

Patrick Spencer (38:32.622)
Now, we’re about out of time. I wanted your thoughts on, you know, we just published our annual survey report around sensitive content communications, privacy and compliance. And we, we added a few, you know, we have asked some of the same questions every year, and then we add some new questions, obviously. Then we did some cross analysis. We found that organizations that have

You know, he said, do you have more, you know, you have 2 ,500 to 5 ,000 or 1 ,000 to 2 ,500. Do you have more than 5 ,000 third parties that you share and send information with and how many tools do you use to share and send that information? And are they in their own silos? We found two things. One that said they have over 5 ,000 third parties. They had a much higher report rate in terms of data breaches than their peers. And then those that said they have seven plus.

communication tools for email and file sharing and MFT and web forms and so forth. They also had a much higher breach rate, like three times is what the data came out to be. From your experience when you evaluate risk, you know, as consolidation on the horizon from a tool standpoint, and then, you know, it seems that the number of third parties organizations exchange information with, you know, it’s hard to get away from that. That’s the…

the core of our business for most businesses nowadays. How do you manage all that? Sorry, that’s a whole different podcast in and of itself, but I would be interested in your thoughts on those two subjects.

John Christly (40:00.002)
Right,

Yeah, a couple of things. know, number one, there’s way too many tools out there on the market. And, you know, as a former CISO, and I’m sort of in that role now, just not by title, but, you know, most CISOs have to deal with just so many tools. Many have been bought and just put on the shelf and not really utilized to their fullest potential. I’ve seen that over and over. I used to be a SIM specialist. I would be brought into fix failing SIMs or they lost their SIM guy or girl. And, you know, they needed

Get well planned for the SIM. Nowadays, my specialties include CASB and DLP and information protection. I don’t want to sit here and plug Microsoft, but I have to say I’m very impressed with where Microsoft has gone in this realm and what we’re able to do with it at Summit 7. I work with this all day, every day, and it’s allowed me to consolidate on a single set of tools.

different portals, but it’s all within this Microsoft cloud. And I got to tell you, part of the problem, while you’re seeing the numbers you’re seeing, is that people do not have a good handle on information as it’s leaving their organization. Probably the biggest thing that they’ve been able to tackle, if they’ve been able to tackle this, is encryption, by email encryption, or maybe secure FTP, or secure file transfer. A lot of companies still haven’t even gotten over that hurdle yet.

They need to advance and mature into the world of DLP and CASB because only when you get visibility into the cloud apps that are being used by your employees, do you realize how little control and visibility you really had. I’ll just use one example just for sake. Nobody likes to say that they allow Dropbox unless they do. I’m not trying to pick on Dropbox or Box. I could throw a couple of vendors.

John Christly (41:56.93)
A lot of times though, when you get a CASB tool or a CASB monitoring tool in there, you’ll find that people are using it and they’re not using the corporate edition that you would buy if you were to buy such a tool. That means you have no idea the data that is possibly leaving your organization. Are they just putting their resume in Dropbox or getting files for their fundraiser that they’re doing at church? Or are they stealing your intellectual property and your trade secrets? You don’t know because you can’t even see it.

I’m a firm believer in the need to have good visibility. As a CISO, I couldn’t work anymore unless I had visibility into all the applications that are in use, all the cloud applications that are in use, even though I might not be able to do anything about it right away, I’ve got to be able to have that CASB level visibility that, and know, Microsoft has that with Defender for Cloud, which I love, and I’m able to see what’s going on. And then you start to break into that going, all well, let’s dive into this. What is that being used for?

And then you get into the data loss prevention where you’re trying to, and information protection boundaries where you’re trying to put some labels on your sensitive data so that you can watch it better and control it and maybe automatically encrypt so you don’t have to think as hard about it. Okay. But I think just too many companies, and again, I’m very blessed and privileged that I joined a company. on the internal side, right? I don’t deal with our customers as much. I deal in our internal corporate IT and security.

but I’m protecting us and by protecting us, I’m protecting our customers. And I’m sitting in front of the steering wheel of these tools and I’m very blessed because it’s made my life easier as a practitioner. Whereas in the past, I’m like, gosh, I don’t even know where to start and it can get out of hand real quick. And again, we’re a company of 200 employees. Imagine the company with, when I worked in healthcare, 15 ,000 employees.

at 2 ,500 doctors and they just had no idea where data might be going. And that’s when you get into trouble very quickly.

Patrick Spencer (44:00.718)
No, no, no, in terms of content tagging and classification and knowing where it sets and where it’s going, who it’s being sent to. And you’ve got to have that real time monitoring. And the more tools you have, the harder it is to have that consolidated log and visibility into what’s actually happening here. I would be remiss if I didn’t ask this question. It’s perfect segue based on the answer you just gave me. How do you deal with all the AI threats? Right? You have all this data.

that employees have access to. Some of it’s private personal information, PII, PHI, corporate secrets, IP, and there’s these public AIs out there and they’re so alluring, right? They make your jobs much easier, make you a lot more efficient, but they’re public LLMs. You ingest that confidential data into it, it’s exposed to the world and it incurs a compliance violation in many instances.

As a head of security, how do you deal with that? Or how do your customers deal with that issue?

John Christly (45:06.31)
Well, here’s what we did and what I recommend. First and foremost, you got to get in front of it. Now is this time as good as any. I we got in front of it a long time ago at our company. First thing, and I went out and I got myself as educated as possible. I’ve got a couple of certs, but that really means nothing. means I think I know how to use a couple of the engines pretty well. And I do, I use them daily in my personal life. I use them all the time. It worked very carefully, very carefully.

What we did first is first thing I was taught is you got to have a policy, right? This is not, you would think it’s easy. You would think your employees know, but they don’t. And they’re not necessarily trying to steal all your data and be malicious and cause issues and incidents and breaches. They just simply don’t know. So first you’ve got to teach them. And so the first thing we did is we came up with a written policy. I wrote it. Gosh, I think I actually used AI to help write the AI policy because why

And because I want to make sure that I didn’t forget about anything that maybe I should think about. And so I used it and we came up with an AI policy and then we train. That’s very important. Don’t just put your policies out there and leave them. And, you know, I’ve worked with attorneys in the past, certain companies that say, well, you put it out on the policy portal and it’s up to the employees to read it. No, wrong. And my humble opinion, I’ve spent some time internally. You’ve got to sit down. We have lunch and learns. have internal, you know, sessions.

You got to talk to your employees and explain what this is about and give some examples because that’s when you’re going to get the feedback from people. And then we started out very, very simple. said, look, you wouldn’t put CUI or PHI into Google browser, right? You may not want the answer to that, by the way, sometimes at certain companies. at least at our company, our employees were like, well, yeah, of course, John, we would never do that. OK, good. We’re on the right track. Think of this as a browser. Do not put that sensitive data.

into this tool. That’s not what it’s there for. And then we gave a whole bunch of examples. Well, here’s what it is very useful for. I know HR departments and sales and marketing, they love to use this for their purposes. And you know what, when you use it properly and under the right rules of engagement, there’s nothing wrong with it, in my humble opinion. They can really enable. And we’re seeing a lot of software tools and products that now have AI enabled in them. Again, use very carefully.

John Christly (47:25.37)
But if you engage with your employees and you keep the conversation going and make it a little bit fun, because that’s what I do, I think it’s very fun. I love that part of my job. Even the policy writing for that was fun. And then you find out and people will come to you. Now we have people raising their hand going, hey, we want to do this one thing, but we want to make sure it’s OK. Well, good. Thank you for coming forward. And there’s got to be a reward system for that. Sometimes the answer is yes, you can go do what you’re looking to do. Or sometimes the answer is no, please

And then you need ways to monitor, which takes me back to the sensitivity labels and the DLP and the monitoring, the activity monitoring. Nobody likes to talk about this in our world, but you do have to monitor at times what your employees are doing so that you can find out, there any violations going on that somebody didn’t even think it was a violation, but it is. AI is a big threat, but it doesn’t have to be. You can embrace it and use it for what you need to use it for safely.

Patrick Spencer (48:22.19)
Yeah. Some very helpful recommendations for our audience. I completely agree with you on all the points you elucidated. And we could go on for another hour, but of course we don’t have another hour. We have to get back to our day jobs. I think our audiences, I know our audience is going to find this conversation very, very helpful. For those who want more information on Summit 7, they simply go to your website. They want to purchase one or both of your books, which we encourage you go to Amazon and do so.

If they want to get in touch with you, John, reach out on LinkedIn. Is that the best way to do so?

John Christly (48:53.926)
Yeah, probably best way is look me up on LinkedIn. I mean, if anybody does want to email me, it’s very simple. It’s jchristly at gmail .com. It’s spelled J Christ L Y at Gmail. And I also just want to put a quick plug, Patrick, if I could to, it’s a shameless plug and I apologize, but I’d like to do it. In addition to the two books, I actually did two courses that are on Udemy. You can look me up by name there. One is a course about cybersecurity leadership and how to become a CISO, a very specific topic.

And the other one was, since we’ve been talking about NIST and CMMC, it was an overview of the NIST 800 171 controls, and I call it made simple, a step -by -step guide on how to comply with 800 171, which is the basis of CMMC level two. I’ve gotten a lot of good feedback that it’s helped people understand and take the complexity out of it, which was my intent. Why I laid that down as a course, and both of those are on Udemy as

Patrick Spencer (49:50.062)
Yeah, I’m glad you brought that up. We had that on our list of topics to cover and we just ran out of time. So, but they both map into the conversation we had. So thanks for bringing that up. Well, to our audience, we appreciate you joining another Kitecast episode. We encourage you to check out other Kitecast episodes at kiteworks .com slash Kitecast. Have a great day.

John Christly (49:57.061)
No worries.