29 - Modernizing the Shop Floor: Security, Efficiency and Survival

29 - Modernizing the Shop Floor: Security, Efficiency and Survival

Manufacturing sits at the heart of the Defense Industrial Base, yet many machine shops are only now grappling with what CMMC truly means for handling engineering data. In this episode, Paul Van Metre explains the practical challenges shops face, from managing drawings and CAD models that clearly qualify as CUI to updating decades-old processes never designed for cybersecurity. We discuss why CUI is so widespread on the shop floor, how traditional "print-and-post" workflows increase exposure, and why moving to digital, paperless processes can significantly reduce both scope and cost. Paul highlights the mindset barriers many shops encounter, the operational pressures on small manufacturers, and the hesitation some have in accepting that CMMC applies to them at all. We also explore: * The shift toward cloud-based ERP systems and FedRAMP equivalency * How modern ERP platforms eliminate local CUI storage, secure endpoints, and streamline compliance * The high cost and risk of old on-prem ERP systems * Strategies for lowering long-term CMMC costs * Lessons from hundreds of ERP deployments, including when to migrate historical data versus starting fresh Listen to get a clear, realistic look at what CMMC means for machine shops, the operational decisions that matter most, and how manufacturers can modernize without overburdening the business.

28 - Keeping OT Safe, Secure and Online

Operational Technology is everywhere and yet it's often misunderstood or overlooked in traditional security planning. We sat down with OT cybersecurity expert Todd Heflin to unpack the realities of securing systems that directly interact with the physical world, where uptime, safety, and reliability are non-negotiable. With concrete examples and engineering-minded insight, this episode lays out strategies for strengthening OT security without disrupting operations. We explore: * How OT differs from IT and IoT. * Which frameworks actually help organizations establish a solid OT security posture. * Practical considerations that come with real-world OT environments. * How risk manifests when technology controls physical processes rather than just data. * Frameworks like NIST SP 800-82 and ISA/IEC 62443 and explain how they shape everything from architecture to component security. * And more. References * NIST SP 800-82, Revision 3 [https://csrc.nist.gov/pubs/sp/800/82/r3/final] * ISA/IEC 62443 [https://www.isa.org/standards-and-publications/isa-standards/isa-iec-62443-series-of-standards] (purchase required)

27 - CUI Discovery for CMMC Compliance

Scoping is one of the most misunderstood yet essential parts of the CMMC ecosystem. Before organizations implement controls, buy tools, or prepare for assessments, they must first define what is in scope—their data, people, processes, and systems. When done well, scoping reduces costs, limits liability, and streamlines compliance. When done poorly, it increases the risk of assessment failures, whistleblower issues, and expensive rework. In this episode, Cole talks with cybersecurity leaders Andy Paul and RJ Williams to clarify what scoping really involves, why organizations often get it wrong, and how an enclave-based approach can simplify compliance. They explore the operational, technical, and contractual details many teams overlook, from CUI discovery and cage code challenges to the real cost drivers of CMMC. Whether you're preparing for your first assessment, refining your compliance strategy, or trying to understand how enclaves fit into your environment, this conversation offers practical guidance you can use right away. We discuss: * Why scoping is the most critical step in any CMMC program. * How to correctly determine where CUI resides — and why most organizations struggle. * The value of minimizing scope to reduce cost, effort and assessment risk. * When the enclave model works, why it works and how to implement it effectively. * How DIBCAC assessors evaluate scope and why their approach differs from C3PAOs * Why contracts — not IT assets — should drive scoping decisions. * How people, processes and technology define an accurate compliance boundary. * CAGE code complications and how enterprises can manage multi-entity compliance. * How tools like Teramis support technical discovery to uncover hidden CUI and right-size environments. * The business case for reducing liability, avoiding whistleblower risk and gaining competitive advantage. * How segmentation, information barriers and GCC High configurations support scalable compliance. * Why many organizations overspend on licensing and tools due to incorrect scoping.

26 - Fixing What Breaks CMMC Assessments

Organizations often approach CMMC as a technology problem, but many assessment failures stem from foundational decisions made long before tools and configurations. In this episode, we break down the most common pitfalls we see in CMMC Level 2 assessments—from using non-compliant cloud environments to writing SSPs at the control level instead of the assessment-objective level, creating immediate and costly gaps. You will also learn about: * Frequent implementation issues like inconsistent MFA, especially on critical security assets such as firewalls * Why many risk assessments fall short because they are outdated, incomplete, or treated like control checklists rather than true threat evaluations. * How to effectively work with MSPs and ESPs, including what a solid shared responsibility matrix should include. * How assessors handle fixes during the assessment window and what qualifies under Security Requirement Reevaluation. This episode offers clear, practical guidance for any team preparing for CMMC Level 2—and looking to avoid the common false starts that derail assessments before they even begin.

25 - Building a Reward-Driven Security Culture

Phishing has been one of the most reliable tools in an attacker's arsenal for decades. Despite endless simulations, mandatory trainings and a growing set of tools, the problem hasn't gone away. AI-driven targeting makes it smarter, faster and more personal. But the issue isn't just the threat itself. It's how we teach people to recognize and respond to it. In this episode, we sit down with Craig Taylor, a 30-year cybersecurity veteran and co-founder of CyberHoot, to explore why traditional phishing exercises fail to change behavior and how shame-based or punitive approaches are undermining security culture. Craig explains how a multidisciplinary, psychology-backed approach can transform user engagement, reward good behavior and build real security resilience. Whether you're leading a security program, responsible for awareness training, or simply curious about how phishing has evolved in the age of AI, this conversation will change the way you think about user education. Highlights: * Why traditional phishing simulations often hurt security culture * How AI is reshaping phishing attacks at scale * The psychology behind behavior change and what most programs get wrong * Why positive reinforcement works better than punishment * How to build a learning-driven, user-friendly security culture * Practical steps organizations can take to modernize phishing education Craig Taylor is a seasoned cybersecurity leader with over 30 years of experience across web hosting, finance, manufacturing, and more. He is the co-founder of CyberHoot, a cyber literacy platform for small businesses and MSPs, and has served as a virtual CISO for more than 50 organizations. CyberHoot Resources * 20% Off CyberHoot for 1 year using code "Cyber Compliance and Beyond" * Main Website: https://cyberhoot.com/ [https://cyberhoot.com/] * Individual Registration (Free Personal Training for Life): https://cyberhoot.com/individuals/ [https://cyberhoot.com/individuals/] * Businesses and Managed Service Providers: https://nest.cyberhoot.com/autopilot-signup/ [https://nest.cyberhoot.com/autopilot-signup/] * Newsletter Sign Up: https://cyberhoot.com/newsletters/ [https://cyberhoot.com/newsletters/] * Blog: https://cyberhoot.com/blog/ [https://cyberhoot.com/blog/] * Cybrary: https://cyberhoot.com/cybrary/ [https://cyberhoot.com/cybrary/]