Cyber Compliance & Beyond

Podcast by Kratos

English

Technology and science


Welcome to "Cyber Compliance and Beyond," a Kratos podcast that brings clarity to compliance, helping put you in control of cybersecurity compliance in your organization. Kratos is a leading cybersecurity compliance advisory and assessment organization, providing services to both government and commercial clients across sectors including defense, space, satellite, financial services, and health care. Through "Cyber Compliance and Beyond," our team of cyber experts shares their insights on the latest compliance issues. We want to hear from you! What unanswered question would you like us to tackle? Is there a topic you'd like us to discuss? Or do you just have some feedback for us? Let us know on LinkedIn and Twitter at Kratos Defense or by email at ccbeyond@kratosdefense.com.

All episodes

28 episodes

28 - Keeping OT Safe, Secure and Online

Operational Technology is everywhere, and yet it is often misunderstood or overlooked in traditional security planning. We sat down with OT cybersecurity expert Todd Heflin to unpack the realities of securing systems that directly interact with the physical world, where uptime, safety, and reliability are non-negotiable. With concrete examples and engineering-minded insight, this episode lays out strategies for strengthening OT security without disrupting operations.

We explore:
* How OT differs from IT and IoT.
* Which frameworks actually help organizations establish a solid OT security posture.
* Practical considerations that come with real-world OT environments.
* How risk manifests when technology controls physical processes rather than just data.
* How frameworks like NIST SP 800-82 and ISA/IEC 62443 shape everything from architecture to component security.
* And more.

References
* NIST SP 800-82, Revision 3: https://csrc.nist.gov/pubs/sp/800/82/r3/final
* ISA/IEC 62443: https://www.isa.org/standards-and-publications/isa-standards/isa-iec-62443-series-of-standards (purchase required)

19 May 2026 - 33 min

27 - CUI Discovery for CMMC Compliance

Scoping is one of the most misunderstood yet essential parts of the CMMC ecosystem. Before organizations implement controls, buy tools, or prepare for assessments, they must first define what is in scope—their data, people, processes, and systems. When done well, scoping reduces costs, limits liability, and streamlines compliance. When done poorly, it increases the risk of assessment failures, whistleblower issues, and expensive rework. In this episode, Cole talks with cybersecurity leaders Andy Paul and RJ Williams to clarify what scoping really involves, why organizations often get it wrong, and how an enclave-based approach can simplify compliance. They explore the operational, technical, and contractual details many teams overlook, from CUI discovery and CAGE code challenges to the real cost drivers of CMMC. Whether you're preparing for your first assessment, refining your compliance strategy, or trying to understand how enclaves fit into your environment, this conversation offers practical guidance you can use right away.

We discuss:
* Why scoping is the most critical step in any CMMC program.
* How to correctly determine where CUI resides — and why most organizations struggle.
* The value of minimizing scope to reduce cost, effort and assessment risk.
* When the enclave model works, why it works and how to implement it effectively.
* How DIBCAC assessors evaluate scope and why their approach differs from C3PAOs.
* Why contracts — not IT assets — should drive scoping decisions.
* How people, processes and technology define an accurate compliance boundary.
* CAGE code complications and how enterprises can manage multi-entity compliance.
* How tools like Teramis support technical discovery to uncover hidden CUI and right-size environments.
* The business case for reducing liability, avoiding whistleblower risk and gaining competitive advantage.
* How segmentation, information barriers and GCC High configurations support scalable compliance.
* Why many organizations overspend on licensing and tools due to incorrect scoping.

12 May 2026 - 40 min

26 - Fixing What Breaks CMMC Assessments

Organizations often approach CMMC as a technology problem, but many assessment failures stem from foundational decisions made long before tools and configurations. In this episode, we break down the most common pitfalls we see in CMMC Level 2 assessments—from using non-compliant cloud environments to writing SSPs at the control level instead of the assessment-objective level, creating immediate and costly gaps.

You will also learn about:
* Frequent implementation issues like inconsistent MFA, especially on critical security assets such as firewalls.
* Why many risk assessments fall short because they are outdated, incomplete, or treated like control checklists rather than true threat evaluations.
* How to effectively work with MSPs and ESPs, including what a solid shared responsibility matrix should include.
* How assessors handle fixes during the assessment window and what qualifies under Security Requirement Reevaluation.

This episode offers clear, practical guidance for any team preparing for CMMC Level 2—and looking to avoid the common false starts that derail assessments before they even begin.

28 April 2026 - 27 min

25 - Building a Reward-Driven Security Culture

Phishing has been one of the most reliable tools in an attacker's arsenal for decades. Despite endless simulations, mandatory trainings and a growing set of tools, the problem hasn't gone away. AI-driven targeting makes it smarter, faster and more personal. But the issue isn't just the threat itself. It's how we teach people to recognize and respond to it. In this episode, we sit down with Craig Taylor, a 30-year cybersecurity veteran and co-founder of CyberHoot, to explore why traditional phishing exercises fail to change behavior and how shame-based or punitive approaches are undermining security culture. Craig explains how a multidisciplinary, psychology-backed approach can transform user engagement, reward good behavior and build real security resilience. Whether you're leading a security program, responsible for awareness training, or simply curious about how phishing has evolved in the age of AI, this conversation will change the way you think about user education.

Highlights:
* Why traditional phishing simulations often hurt security culture
* How AI is reshaping phishing attacks at scale
* The psychology behind behavior change and what most programs get wrong
* Why positive reinforcement works better than punishment
* How to build a learning-driven, user-friendly security culture
* Practical steps organizations can take to modernize phishing education

Craig Taylor is a seasoned cybersecurity leader with over 30 years of experience across web hosting, finance, manufacturing, and more. He is the co-founder of CyberHoot, a cyber literacy platform for small businesses and MSPs, and has served as a virtual CISO for more than 50 organizations.

CyberHoot Resources
* 20% off CyberHoot for 1 year using code "Cyber Compliance and Beyond"
* Main website: https://cyberhoot.com/
* Individual registration (free personal training for life): https://cyberhoot.com/individuals/
* Businesses and Managed Service Providers: https://nest.cyberhoot.com/autopilot-signup/
* Newsletter sign-up: https://cyberhoot.com/newsletters/
* Blog: https://cyberhoot.com/blog/
* Cybrary: https://cyberhoot.com/cybrary/

7 April 2026 - 48 min

24 - CMMC Architecture: Enclave, Enterprise, or Hybrid?

Organizations chasing CMMC often jump straight to "what tech should we buy?", but scoping begins with people, policies, processes and how information actually flows across the business. This episode offers clear, candid guidance for any team wrestling with scope and architecture for CMMC and trying to do it right the first time. We walk through the real trade-offs between enclave and enterprise approaches, why enclave complexity can hurt day-to-day work, and where a hybrid model can make sense if you have the internal expertise (or the right MSP). We discuss practical criteria for selecting MSP/ESP partners, break down the 36-month assessment window and the kinds of environmental and business changes that might trigger reassessment, and explore NIST SP 800-171, Revision 3 readiness.

Highlights:
* Start scoping with people, processes, and information flow—not the "shiny tech."
* Enclave vs. enterprise vs. hybrid: reduce user complexity, weigh operational realities and plan for 36 months.
* What to ask MSPs/ESPs: Level 2 status, shared responsibility matrix specifics, contract gaps, and insurance.
* Changes that can trigger reassessment and how proactive change control avoids surprises.
* Revision 3: prepare now; certification momentum on Revision 2 still pays dividends.

31 March 2026 - 36 min