Takeaway: Cybersecurity is like exercise: regular and frequent workouts get you better and faster results for your efforts!
The April 2026 blog theme is “Time for Spring Cleaning – Using your Compliance Scheme to Keep You Current – Why ‘dated’ compliance can be worse than no compliance!”
(Too) many decades ago, I was a fanatical reader of science fiction. In Robert Heinlein’s Tunnel in the Sky, the young hero is about to go off on an ‘Outward Bound-type’ solo survival exam on another planet. He can take any firearm he wants. His older and wiser warrior sister tells him not to take any firearm at all: if he knows he is helpless, he will not carry a false sense of security. You get the analogy.
If you are a senior leader, and you have paid for a compliance framework or certification in the past (CMMC/NIST SP 800-171, PCI DSS, the ISO 27000 series and its derivatives, SOC 2 under SSAE 18, HIPAA, etc.), feel free to disregard this month’s blog until your annual maturity assessment if and only if:
You have neither onboarded nor offboarded anyone since your last formal compliance review. Count agentic AI systems among the ‘anyone’ you onboard: they can be insider threats.
You have not brought on new products or third-party suppliers, nor modified operations in the least (including new hardware or software) to meet client needs or market changes. There is nothing new, good or bad, without risk; you need to understand the risk you are accepting with any change.
You know for certain, in defiance of all human psychology, that every member of your team puts cybersecurity compliance first regardless of operational opportunities or pressures.
There have been no regulatory changes whatsoever in your market area.
You know your data encryption (at rest and in transit) uses current algorithms and key lengths, and nobody on your team thinks multi-factor authentication requirements are met by SMS. Just like the old joke about running from a bear, you do not have to have perfect encryption or authentication, just much better than all your industry competitors (though the frameworks above still set a floor you must clear regardless of what competitors do).
For business text messaging, your team uses only an end-to-end encrypted messaging system (Signal is just one example).
The “Cybersecurity Bad Guys” have forgotten your industry exists. Try telling that to Microsoft, Amazon, or Google, or any other hyperscaler!
You feel no need (careful here!) to modify the scope of your compliance framework. Would your compliance partner agree?
Now I would never, ever suggest you not have a solid cybersecurity compliance scheme. But the absolute worst thing you can do is buy into one and consider it ‘completed,’ because you will naturally become complacent. Cybersecurity is all about the journey, minimizing risks with every new opportunity. You can only stop watching out for business risks when you reach a destination like retirement. My Marine son got me in physical shape by saying, “Dad, you treat physical fitness workouts as a time luxury – make it a necessity!” So I say to you: “Make cybersecurity, through a compliance scheme, a daily necessity in your organization!”
It’s Spring! Stay cutting edge! Do you want tangible benefit from this effort? How about asking “Are we ready to absorb our competitor’s clients when our ‘complacent, once-a-year-for-cybersecurity’ competitor craters their reputation in a highly publicized data breach?”
News: CMMC Update: CMMC/AB 31 Mar 2026 Town Hall: the ISACA website for the CMMC Assessor & Instructor Certification Organization (CAICO) went live at 1000 ET, 1 Apr 2026. The CAICO credentials are the Certified CMMC Professional (CCP), Certified CMMC Instructor (CCI), Certified CMMC Assessor (CCA), Lead Certified CMMC Assessor (LCCA), and Provisional Instructor (PI).
Excellent book recently read: Saydjari, O. Sami. Engineering Trustworthy Systems: Get Cybersecurity Design Right the First Time. New York: McGraw Hill, 2018.
Also newsworthy if you are thinking forward: you cannot attend a cyber conference anymore without getting an AI deluge, and the latest buzzwords are ‘agentic misalignment.’ If you want to be listened to at your firm’s virtual watercooler, you should have read Anthropic’s 30 Jun 2025 report, “Agentic Misalignment: How LLMs could be insider threats.”