EP 1 — Peak InfoSec's Matthew Titcombe on Enterprise vs Enclave Strategies

by Chris Petersen on 2025 | 08

After avoiding the Air Force's early CISSP requirements and calling the cybersecurity ecosystem "a mess," Matthew Titcombe, CEO & Sr. Information Security Consultant at Peak InfoSec, still found himself designing NIST 800-171 firewall architectures at United Launch Alliance. 

Since then, Matt has conducted hundreds of CMMC assessments and witnessed a consistent pattern: businesses confidently estimate their System Security Plan Review scores in the hundreds, only to discover they're actually in the 30s when assessed against all 320 assessment objectives rather than just the 110 basic requirements. He tells Chris that this gap between perception and reality reflects deeper misunderstandings about scope, configuration management, and the information-centric approach needed for effective compliance. 

Topics discussed:

  • The operational blind spots MSPs develop when serving defense contractors through convenience-based practices that become CMMC violations.
  • Why most small businesses require enterprise-wide CMMC implementation rather than enclave strategies due to role overlap and information flow complexity.
  • The systematic approach to CMMC scoping that follows information flow through people, processes, facilities, and technologies rather than starting with technology boundaries.
  • How System Security Plan Review scores drop precipitously from estimated hundreds to actual 30s when assessed against all 320 assessment objectives rather than just the 110 basic requirements.
  • Configuration management as the most commonly failed control area, requiring documented configuration baselines rather than just implementing DISA STIGs or security guides.
  • The market dynamics driving MSP consolidation as providers choose between investing in compliance for a small percentage of their clients and exiting the defense contractor market entirely.
