
EP 26 — Peak InfoSec’s Matthew Titcombe on the Ins and Outs of Achieving CMMC Certification Success


On this week's episode of the DIB Innovators podcast, David speaks with Matthew Titcombe, CEO and Sr. Information Security Consultant of Peak InfoSec, to explore the intricacies of cybersecurity compliance. Matt emphasizes the critical role of a thorough gap assessment as the first step toward achieving CMMC certification.

He discusses the common challenges organizations face, including a lack of understanding of the requirements and cultural resistance to change. Matt also shares strategies for fostering a culture of security awareness and developing tailored compliance plans, and offers guidance for businesses looking to navigate the complex landscape of cybersecurity compliance and strengthen their security posture.

Topics discussed:

  • The importance of conducting thorough gap assessments to identify compliance weaknesses and establish a roadmap for achieving cybersecurity certification.
  • The complexities of the CMMC and what organizations need to know to succeed.
  • The frequent hurdles businesses face, including misunderstandings of compliance requirements and insufficient preparation for audits.
  • How cultural resistance within organizations can impede progress toward achieving cybersecurity compliance and how to address it.
  • Developing customized compliance strategies that align with an organization’s specific needs and risk profile.
  • The importance of fostering a culture of security awareness through training and education for all employees.
  • How organizations can create effective remediation plans based on the findings from their gap assessments to address identified vulnerabilities.
  • The need for ongoing evaluation and improvement of cybersecurity practices to keep pace with evolving threats.
  • Why organizations should collaborate with cybersecurity experts to navigate the complexities of compliance and enhance their security posture.

Guest Quotes:

“And I just literally decided I'm just kind of done. Don't want to be a government employee and punched my ticket. Been a serial entrepreneur before, so let's just go start up a security consulting business. Made the wife panic. But I'm like, security is not going away. This is guaranteed jobs. So I wasn't worried about that. Ended up, it was funny. Jumped in, got pulled in by some friends of mine, ended up doing some work for United Launch Alliance underneath IBM. And it was 2016. We were helping them re-architect their data center, their firewalls, everything else. And in the middle of this, they're like, well, we got to deal with these 853 controls. Okay, easy peasy. I know those.”

“The moment that goes into effect and the updated version of SPRS comes online, it doesn't matter what DoD is doing, because frankly, every prime out there, everybody who's on a teaming partner with a prime, is going to mandate, ‘you need to get your stuff updated in SPRS today.’ So be ready for that pressure in that first month when this starts of updating SPRS.”

“The other thing that — because they're not doing it at the assessment objective, which breaks down the verb noun pairs against each other, so you're cross checking against them all. They don't understand the definitions and then how things fit and work with the other requirements.”

“If it sounds too easy, it is. There is no easy button in this. If they're telling you you can get certified and we can get you through this in a couple months, probably not. Most times when we're helping clients to get ready, it's typically at least a year. The problem is what we really run into. This is not an IT problem, realistically.”

Get in touch with Matthew Titcombe:

  • LinkedIn
  • Website

Get in touch with your host, David Graff:

  • LinkedIn

Listen to more episodes:

  • Apple
  • Spotify