CMMC is Good, But May Not Be Enough
In the defense industrial base (DIB), organizations must adhere to DFARS compliance, which will soon include CMMC compliance requirements. For example, NIST 800-171 3.2.2 states that organizations “include training procedures for employees to understand their role and responsibilities in protecting CUI and how to use the system in a secure manner.”
To meet these requirements, security personnel can take one of two approaches: risk-based or compliance-based.
What’s the difference? Well, compliance-based thinking focuses on compiling a list of known gaps, so teams can determine the simplest path to regulatory adherence. With this mindset, organizations could choose to approach the NIST 800-171 requirement in a variety of ways.
For example, they could implement mandatory training so all staff know how to minimize cyber risks and vulnerabilities, but they’re more likely to roll out cookie-cutter security measures, since doing so accelerates compliance.
The bottom line: compliance standards trail the broad spectrum of cybersecurity risks and put companies behind the power curve.
That’s why I’m glad Conquest Cyber embeds a risk-based approach at the core of its cybersecurity philosophy. Based on my 20 years of experience in national security, I know it’s not enough to ask, “What requirement are we trying to meet?” Instead, we have to consider, “What risks need to be addressed?”
This paradigm shift can help DIB organizations see their challenges in a new light. For example, many companies view the shortage of cybersecurity talent as a recruiting issue, but the risk-based perspective turns that on its head.
Instead of viewing this as a minor hiring problem, leaders with a risk-based mindset recognize that these personnel gaps are exposing the organization to vulnerabilities. If unqualified personnel are managing highly confidential data, what sort of risks are they letting in, even while the organization technically meets industry requirements?
While the way that Conquest Cyber views solving cybersecurity problems may seem unconventional, we hold firmly to the belief that if you can predict the adversary, you can win. That’s why we’ve developed a single, comprehensive software platform, ARMED™, that helps identify risk and address it with full visibility. It does this in a few ways:
- It eliminates the noise of poorly integrated solutions.
- A single platform simplifies the security stack, so the basics are more achievable.
- Automation minimizes manual processes, addressing the impact of the resource gap by enabling a smaller staff to effectively protect sensitive data.