How to Make Cybersecurity More Human-Focused

“Cybersecurity” has not only become a buzzword in recent years, but it’s also a massively important step for businesses to take—especially when it comes to Department of Defense contracts. Their required certification, known as CMMC (Cybersecurity Maturity Model Certification), is a multi-tier program that mandates certain levels of cyber protection at each increasing step.

Rebecca Ferlotti, Content Marketer, sat down with Ken Fanger, Founder and President of On Technology Partners, to go over CMMC as well as what entity should be the driving force behind cybersecurity.

Before we jump into CMMC compliance and the importance of cybersecurity, I wanted to ask about your book that recently came out, RELAX: A Guide to True Cyber Security.

The book is going great. I’ve been doing a promotional tour and talking with people, and people seem to enjoy it. As I say, it’s a compilation of my screw-ups and blunders over a 30-year career, all in one place. It’s stories of what happened to me; stories of what I’ve done—good and bad; how to recover; and how to get back on your feet when things don’t go the way you’d expect. Because they’re not going to.

Yeah, absolutely, unfortunately. We’d love for everything to go right the first time, but it’s not how life works.

I wouldn’t have a job if everything went right the first time!

Right! With your 30-year-long career and with your book, what’s your main takeaway? What should people know about cybersecurity—first and foremost?

In our quest for cybersecurity, we forgot it’s about protecting people. I’m using this phrase “humanizing security,” and humanizing cybersecurity is a function of that. We have to start asking the question: Where is the person in this journey? We talk about protecting the data, and we talk about protecting the money, but data and money are only valuable if there are people connected to them.

I connected with Dr. Adams out of the UK who worked on this concept called “usable security.” All of us have passwords. When I worked in the pharmaceutical industry, we had to have complex passwords that were changed every 90 days…because that seemed like it made things really secure. Unfortunately, it’s not really secure because you can’t realistically remember complex passwords that are changed every 90 days. So in the journey to be safe and secure, we lose the actual protection we’re trying to get to.

It’s funny because I was just over at Bowling Green doing a presentation, and I did an exercise with the students there. I said, “How many of you would like a classic Corvette?” and a bunch of them raised their hands. Then I said, “How many of you would like a classic Corvette encased in a cement block?”

And they all said, “No! I don’t want that!”

I asked them, “Why don’t you want that?”

And they said, “We can’t even see it, much less use it.”

So I said, “Yes, but it’ll be the most secure Corvette you’ll ever buy!”

That’s the thing: It’s not just about being the most secure. It’s not just that phrase. A boat in harbor is safe, but that’s not what a boat is for. That’s where we are with cybersecurity.

Another thing I talked about with Dr. Adams is people using workarounds for the security systems that are in place. When they come and deal with that, what they do is try to stop the workaround. But instead of doing that, we should be asking: Why are they attempting a workaround to begin with? What is it about the cybersecurity processes that causes a disruption to their work? These are more useful questions to ask, rather than punishing the people who figured out how to get around it.

That all comes back to how cybersecurity should be user-first. It should go: user, process, technology. We’re currently doing: technology, process, user. In the present way of doing things, people are the bottom; they’re the last consideration. They’re considered a problem we have to deal with instead of the purpose behind why we do it.


Companies think “We’re gonna be really secure; slam it down on everybody.” And then we get confused and surprised as to why they resist cybersecurity, why they hate it, why they fight it. You want the people on your side, not seeing them as your enemies. That’s the article Dr. Adams wrote: “Users are not the enemy.” So that’s where I’m coming from, humanizing the security journey. We should be talking to the users.

I was on a podcast just recently and the interviewer asked me, “Why would someone want to do this? To talk to people about their security takes extra time.”

And I said, “Yes, but a lot less time than figuring out how they got around it and why you got breached.”

Taking a little time upfront will pay off in the long run. And that’s the same conversation we have with CMMC. Yes, CMMC is a pain in the butt. It’s going to be hard to implement. It’s going to be costly. There’s no one that thinks that’s not going to be the case anymore. Its intention is to create security, but it can also—like anything that is a top-down type of approach—lose security in the journey to make security. It’s going to reduce the number of companies that want to do Department of Defense contracts, and that reduces your security because even with a secure company, a dedicated attacker can get through.

So again, we really need to have that double conversation: What are we really protecting? And does this really protect it, or does it just make it onerous? Does it just make it so hard to use that it’s safe, but it’s a Corvette in a cement block?

I’ve talked to so many different people in so many different industries, and there are overlaps we have between us: that people-first approach. We all have more similarities than we think.

Your point about CMMC is what RGI is going through right now, and it’s something I want to dig into. This is all about the Department of Defense, and there are multiple levels, correct?

The DoD is mandating CMMC to their whole industrial base. There’s level one, level two, and level three. I’m still having a hard time getting anyone to tell me when you’d move to level three. It’s not very well-defined.

But level two is very well-defined. Most of the people reading this will be level two, and a small percentage will be level one. And how you know if you need to be level one or level two is ironically very easy and very hard at the same time.

It consists of what’s called “controlled unclassified information.” Because it’s the government, it’s another acronym: CUI. But the problem is that only the government gets to decide what CUI is, so you may not even know if you have it. That’s what makes this kinda hard. I tell people that if you do something that is not generally available to every human being on the planet, you probably have CUI. For example, if you make a special screw that is used in a torpedo, you have CUI. If you have a special way of sweeping the floors in the Pentagon, you have CUI. But if you sweep the floors the same way at the Pentagon that you do at Howard Johnson’s, you’re okay.

We’ve talked with dozens and dozens of companies, and most of them don’t know what CUI is, let alone if they have it. One company that comes to mind makes parts for planes. We reached out, and their purchasing agent wasn’t sure if they had CUI, but thought they did have CUI. If you don’t have CUI, you only have 17 criteria to meet, versus 110 criteria if you have CUI, so it’s not like it’s a small change. That’s where it becomes really hard for a company to navigate, especially a small to mid-sized company.

Right now, to have a contract with the DoD, you have to register with SPRS and get your SPRS score. These are things that people don’t readily know. We’ve helped people through it. They thought they were doing wonderful on their own, and then when we actually sat down and talked with them, they were nowhere near compliant. They don’t know what they don’t know, and they end up being punished because, “Well you have to be this way.” But it’s a little unfair to expect them to just know better.

I understand where the government is coming from, and that this is how they do compliance. I worked in pharmaceutical—a heavily regulated industry with lots of compliance. But it also results in very few pharmaceutical companies, which means they can charge whatever they want because there’s very little competition. There’s a justification for it because you don’t want people to die from taking drugs, but I do think there are better ways to find that balance. It takes five years for a company to basically become vetted in pharmaceuticals. Most businesses don’t have the type of money to do that. You can’t be a startup and do that easily without really big backing. And so that ends up shrinking your base. It shrinks the number of companies that can support, which creates a less secure environment because, as a hacker, all you have to do is take out one subcontractor and then you can destroy the entire supply chain.

Those are the journeys. That’s that humanizing aspect that I mentioned before. What’s the real intent of the security versus the implied intent? Complex passwords help keep unauthorized people out, but it also keeps the good people out.


Yeah, we do need to think about usability. I mean, ultimately, in the day-to-day space, the people who are using these technologies are our team members and CEOs of companies. And how can they actually take this to practice?

And the CEOs are the ones who have to think about it. I still remember I used to work for a company where the CEO had the best computer in the building, but he never turned it on. His assistant had the worst computer in the building, and she was on it eight hours a day, five days a week. One day, I snuck in and swapped the two computers and didn’t tell anyone because I wasn’t allowed to. Because he was the CEO, he’s supposed to have the best computer. His assistant then became extremely productive, and ironically, so did he (because the work she was doing was for him). We get lost in what we should be doing versus where we sit in the hierarchy. CEOs should be getting their people the security they need to do the work they need.

And a little bit more on CMMC: One of the things I try to tell people is it’s more than cybersecurity. It’s gonna take buy-in. I was talking with another excellent cybersecurity company, but they were saying there are these 500 different touchpoints for CMMC. And I told them, “So this is what you’re doing: you’re taking a baby and you’re asking him to run a marathon in a week. You haven’t got him crawling; you haven’t got him walking; you haven’t got him running. You want him to be at full tilt in a week, and you don’t understand why they’re saying ‘no.’”

We need to take people through crawling first. If you’ve never implemented any compliance standards or if you’ve never done ISO (International Organization for Standardization), jumping into CMMC is going to be a very hard process. If you’ve already implemented compliance standards, then you understand the process and have likely built what’s called a culture of compliance. Having gone through a similar process, you have a better idea of what to expect, so it becomes easier. One of the things I try to do, even with companies that have to move to level two, is to get them through level one first, just to get used to the 17 standards in that level. Get that normalized. And then they can start to move toward level two compliance.

But we try so hard to jump and push them to this thing and say, “Just do it! Take off the bandage!” I don’t know about you, but every time I rip off a bandage, it hurts me to hell. And while we do have to move companies toward compliance, we’re at a point where, if we push too hard too fast, they’re going to resist, which doesn’t get us where we want to be.

We want to bring as many companies into as safe and secure of a state as we can get them. I think there are a lot of excellent cybersecurity people sitting around a table going, “If we do this, it’ll be the most secure Corvette we’ve ever had,” never thinking there’s a cement block around it.

Absolutely. As far as CMMC level one, you said there are 17 things. I know there’s a ton more for CMMC level two. What are some of the things that are most complicated for folks to wrap their heads around within those steps?

First of all, any cloud-based service, Office 365 or whatever, needs to have FedRAMP certified encryption, which is fairly expensive, but nobody knows that. We are working with partners to be able to provide that for anywhere you keep this controlled unclassified information (CUI). So you end up with this situation where you have to pay more per user; you don’t know what CUI is so you don’t know where you have it; and again, it’s a very onerous situation. CUI is going to be the killer of this whole thing because people don’t know what it is, they don’t know where it is, they don’t know how it’s transferred. With a lot of IIoT, industrial internet of things—automation is running on really old technology, even when you buy it brand new. There was this metal weighing device that was brand new, $250K, running Windows 98 last year.

It’s going to be very hard to do that. Another thing that’s going to be very hard for companies to deal with is what I call the “ain’t broke; don’t fix it” disaster. At the pharmaceutical company I used to work for, we had a system they had used for 25 years. They never wanted to invest in new equipment because this old equipment continued to work just fine, or so it seemed.

Inevitably, it crashed and took everything—all the data, files, and information—with it. If you’re doing CMMC, something that’s 25 years old is no longer going to be acceptable. It’s not going to be in compliance. And that’s a major change. If you had a customer-written ERP (enterprise resource planning) system, it’s very likely it’s not going to be in compliance. So you have to plan on how you manage that, how you drive that out and not have it on the system. That takes time, especially since cybersecurity is not your company’s main job. Your company’s job is to build a widget, make a better car, etc. You’re not thinking about this cybersecurity stuff day in and day out. Being up-to-date on all your passwords and all your systems…all your systems cannot be “end of life.” That’s not easy for companies that don’t think about what it means to be “end of life.” They don’t know what that term even means. So getting an understanding of common vocabulary is a long journey just to start with.

The point you brought up about people not doing this day in and day out is so important because with CMMC compliance, if you are going after DoD contracts, you have to understand the point at which you no longer have the capacity to do this, when you need to outsource it, and who you need to outsource it to.

It’s going to be hard. Everyone’s at risk of being hacked. I talk about the three stages of a hack: aware, address, and arise. “Aware” is the stage before the attack. CMMC would come in here. It’s preparing, making sure your team and your technology are ready for it. “Address” is during the attack because what you do during an attack is critical. If you’re on the phone and someone says they’re with Microsoft and you let them into your systems, that’s an attack. And your team needs to know how to respond while it’s going on in real time. And the one I swear we all forget about is “arise,” which is coming back not just financially, not just data, but emotionally. Because if you were the payroll clerk that just sent $128K to a hacker, you’re probably in a really bad way. You probably feel scared, you feel stupid, you feel useless. And if the company comes down on you, the next payroll person is going to be terrified to share that it happened. That’s what I call “victim shaming” and “victim blaming.” People do that a lot.

I was at a conference and someone put up a slide that said, “You can’t patch stupid.” If you’re telling people that make a mistake that they’re stupid, they’re not going to want to tell you what’s happening the next time they make a mistake. They’re not going to want to share what they did. And as I do these presentations, it’s amazing the number of people that run up to me, desperate to tell me what’s happened to them and the people they know.

And so, the “arise” stage is a human recovery. And I think that we often forget that.

Yeah, you’re giving them permission to actually take a breath. And you could be the first person that ever did that to them, so it’s not surprising they’re running up to you wanting to vent. But it also deeply saddens me for sure that we address failure this way. We need to be more compassionate, to be more empathetic, and to lead with that first. So it’s wonderful you’re reminding people of that. Because, at the end of the day, we’re all human.
