
September 3, 2024 14 mins

Are you responsible for your organization's CMMC compliance program? Are you in a position of leadership where the responsibility lies on your shoulders, regardless of who's been tasked to implement NIST SP 800-171? In this episode, Landon Carlson, Chief Information Security Officer at Metron, shares his experience, insight, and opinions on CMMC as a CISO who is relatively new to the organization.


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:00):
Welcome to the Quick 10 podcast, brought to you by QuickTrack, focusing on all things FedCon and cyber defense from different perspectives and different personalities, all in 10-ish minutes. Here's your host, Derek White.

(00:16):
All right, welcome back to another episode of the Quick 10 podcast. I'm your host, Derek White, chief product officer at Beryllium and QuickTrack. And today I am joined by a gentleman named Landon Carlson, a friend of ours for a couple of years, chief information security officer at Metron. Landon, thanks for joining me.

(00:44):
Thanks for having me, Derek. Really appreciate it.
Appreciate it. You bet. Now I know summer's coming to an end here. So it's a it's a crazy time. So really appreciate you spending a few minutes just chatting. For those listening online on your favorite podcast platform, make sure to subscribe. You can check out past episodes, future episodes. What we're trying to accomplish here with the quick 10 podcast is just short conversations around topics that are relevant. Hopefully it's useful. If you're watching on YouTube, you can subscribe there as well. And at the end here, I'll give you guys some direction on where you can find more

(01:17):
information. Landon, you know, you've you're in your new CISO to your role at at Metron. Tell me a little bit about Metron. How long you've been there and some stuff before we kind of get into some of the some of the fun stuff.
Sure. So I've been with the company for almost six months. We are headquartered in Reston, Virginia, approximately 220 employees. We just celebrated our 40th anniversary. The tagline on our website is delivering innovative scientific solutions to the toughest problems. So the majority of our customers are within the Department of Defense and some of the work that we do involves things like

(02:00):
data analytics, decision support, autonomy software, using things like probabilistic modeling, signal processing, AI and data fusion.
Awesome. Well, that's thank you for that. So, you know, very clear to make it that people are tuning in here that you're you're you're facing some challenges and you have some responsibility. We're going to get into that a little bit. I have some questions for you that I think

(02:25):
I'm interested to hear your answers to. But we've had some some other guests on and we're trying to take this from all different angles. So thank you for bringing the eye of the CISO to light here on on what it's like. So, you know, you're six months in and, you know, every time someone starts a new role specifically in one at that level.
What's what's unique about that role, say, that you can share that maybe different from previous roles that you immediately saw within your first couple days, couple weeks?

(02:55):
Sure. So while a lot of the functional elements are similar to past roles, what I feel like is unique about this specific role is that it requires a comprehensive understanding of the business. So, for example, something that might be the most secure or the least risky option may not be the best thing for the company. At Metron, we do a lot of software development and developers often have unique tools and software that they like to use.

(03:30):
There are times where we've had to make allowances for certain things and to add compensating controls to lower the overall risk. And then other times we've had to deny certain requests because the risk was just too great. So,
it involves really, you know, getting to know people, hearing what types of work they're doing. It involves having empathy, right? You want to allow them to do their job and to get the job done. But there is that that middle ground of still doing things securely.

(04:06):
Yeah, no, that's, that's well said. And I, you know, I have to give you kudos to, you know, you've you've put the time in over the last few years, getting to know this industry, right? Whether you have to because it's, it's required for your job. I mean, there's there's a lot of events that you've been to I know you're very active in the community. You provide a lot of insight, which is why I wanted to have you on and talk about some of these things. But, you know, clearly, you're doing a very good job.

(04:34):
And I wanted to talk about some of these things. But, you know, kudos to you for for spending that time. It's a lot, right? It's it's a daunting amount of time to navigate what what's happening in this industry. But to hear it from those that understand it, that actually do care about those that are subject to these requirements, you know, getting this stuff done is not overly easy, as you know, somebody with that responsibility as a CSO role. And you've been in a couple different roles. I think that's really, really a tip of the cap to you.

(05:04):
Thank you. I just want to make sure I said that. Yeah. So when it comes to that challenges that you face in that role, you know, specifically, what are some of the things that CMMC versus somebody, obviously, there's more than CMMC that you have to focus on as a as a CSO at a company. So, you know, what are some of the challenges that you face in that role, specific to CMMC that you've seen so far?

(05:29):
I think overall, probably the biggest challenge is the rigidity of the requirements. So we know that the term POA&M is kind of a loose definition within CMMC. But ultimately, to get that certification, you have to have met every single requirement. So having all of your bases covered, all the boxes checked, I think is probably the biggest challenge.

(05:59):
And, you know, not just for us, but for everybody across the industry. And then, you know, more recently, I think what pretty much everybody who's tuned in to the most recent updates would agree is another significant challenge is the inclusion of the requirements with some of the security protection data.

(06:19):
So, you know, previously, you know, if you were storing, processing or transmitting CUI in the cloud, the Fed requirement was in play. But now with, you know, kind of expanding that to security protection data, and some of the tools that might apply there, I think that is very, very challenging.
Yeah, not to mention that, you know, companies make, especially in your guys's industry, but across the supply chain of defense industrial base, you know, there's big decisions that CFOs and CSOs and CIOs that have to make regarding ERP systems or operational technology. And, you know, those, those are, those are big expenses, big expenses that then come with risk based decisions. But for many years, people weren't thinking about, you know, what you just said, you know, the

(07:07):
data that these things are going to interact with and how those impact security requirements today, but also in the future. A lot of those tools are out there selling options and services and licensing for, you know, current day stuff. And now there's some, there's a big shift there. And that's still being solved in some cases and trying to figure it out. So thank you for, for highlighting that for sure. I think this kind of rolls into the next question. This is one that I don't get to necessarily ask everybody that's on because, you know,

(07:37):
it's easy, it's easy in our space to find the negatives to, to navigate to anytime there's a requirement, this isn't a bash on, on CMMC, but anytime there's a requirement from the government or anybody, it's easy to kick sand and say, I don't want to do it. But in this case, you know, you're a CISO. So what are some of the things you actually like about CMMC? And maybe we'll hold off on things that maybe you, that you don't like, but if we have time, but what do you

(08:07):
like about CMMC from your role, from your perspective, thinking about your company versus anything else?
I, I've always been someone who likes figuring problems, likes doing puzzles, likes, you know, taking something difficult and solving it. And so every company is kind of going to navigate this differently. So I've worked at a few different companies now since CMMC has become a thing.

(08:36):
And for each one, the, the, the solutions that we've come up with, the, the things that I've suggested has been different because things have to be tailored specific to a company specific use case. So for me, it's, it's solving that challenge, understanding what the requirements are, how that applies to the company as a whole and figuring out what, what the best thing is for them. I think that's what I enjoy the most.

(09:06):
Yeah, well said. Thank you. Cause that is, that is a one size fits all approach to this industry is not existent. It's not going, and it shouldn't be that way. You know, broken record here, but the fact that these requirements are non-prescribed, you do them how you want to do them as an organization, as long as they meet the requirements is a better alternative to this is exactly how you have to do it. And if you don't, then you don't, you don't get to play in the sandbox. So, so, okay, then let's do this. We have, we have some time left.

(09:36):
What, what don't you like? And this isn't going to become off as a negative or anything, but what, what don't you like about the CMMC as it sits today that really from, again, from your role, sort of doesn't sit right with you. Anything come to mind?
Excuse me. I guess kind of touching on what I had mentioned earlier about some of the rigidity, I, you know, coming from an RMF background where you didn't have to get everything perfect. You, you could, there are things that you could identify during your assessment that needed to be fixed.

(10:12):
And you would have, you know, some runway to possibly fix those issues or potentially the, the risk was just so low that it just didn't really make sense to, you know, put in a million dollar piece of software that could solve something that really wasn't very risky.

(10:32):
So I really wish that with CMMC there, there was more risk-based decisions versus just every single company must do X, Y, Z when for small companies, it just may not make sense.
Yeah. And that's at its core, that's what it's supposed to be. Risk-based decisions, right? I mean, that's, that's how it used to read. Things have changed.

(10:56):
Things have changed. And hopefully there's some evolvement that happens here that, that does allow for that when you're a small company that's handling, I think what anybody in the information security, cybersecurity space will say is not nearly as sensitive as some other information that, you know, there's, they don't want companies to go out of business trying to get this stuff done. Right.

(11:18):
But you're right. There is a cost of doing business, of entering this space. We talk about this all the time that you, you know, you have to, you have to apply it to your business. You have to see if the juice is worth the squeeze. We can't make it so that it's, we're not making it, but it can't be made that, you know, it's not worth it.
That's not a, that's not going to solve any problems specifically as these, this threat environment is getting a little, a little steamier, a little hotter at the moment. We have a big year here in the United States coming up with an election and other, other areas of, of concern.

(11:49):
So, yeah, so that's great. So thank you. Thank you, Landon. This is a, this is a conversation that I think, you know, as things come up and you, you see things, you know, we're going to do this again, because I, we're going to see the, you know, with, with the 48 CFR coming out and we're going to have the, the finalization of the rule.

(12:09):
We're going to see, you know, they're going to do a pressure test, I'm sure, of how many assessments they can do at one time. It's a prioritized, phased rollout. But as that stuff happens, there's going to be news of how things went. And if, you know, there are examples of things that didn't go well or did go well.
I think your perspective as somebody who's, who's six months into a new role carries a lot of responsibility. I think it will be fun to revisit that stuff. So if you don't mind, I think, Kevin, you want again in the future will be, will be great.

(12:38):
Sure. Looking forward to it.
Cool. Awesome. Well, thank you again. If anybody wants to connect with Landon, go on LinkedIn. You're very active there. There is a Discord server that's, that's active for the community. If you're somebody looking to maybe also new to your role or to the
CMMC space and you're trying to figure this out, there's great resources out there. There's really good Reddit threads. There's, like I said, a Discord server called the CUI of Excellence server. You can find that pretty simply on Discord.

(13:09):
But if there's anything else from, from questions that you're having or stuff that you want, just reach out. You can reach out to Landon directly or you can reach out to us here at QuickTrack. We'll make the connection.
And from here, again, subscribe at the bottom if you're on YouTube and you'll see all the alerts. There's a little bell you can hit. There's future episodes coming up on some really great topics. All of our past episodes do reside on our website.

(13:35):
That link will be below pretty much anywhere that you're watching or listening to this right now. And Landon, again, thank you for the time, sir. And we'll make sure that we have you on again soon.
Thanks, Derek. Really appreciate the conversation.
You bet. All right. Take care, everybody, and we'll see you next time.

(14:18):
Thank you.
© 2025 iHeartMedia, Inc.