As my team and I prepared to start the process of Cybersecurity Maturity Model Certification (CMMC), we were under the basic assumption that we would be able to hire an internal IT person to take care of this for us. Save yourself some time because this is not the solution.
At the time, we made the best decisions with the information that we had. I admit I did not spend the time educating myself on the requirements of CMMC. Based on the very basic analysis of what CMMC means, we thought we would be hiring our very first IT employee. That assumption changed after attending a seminar hosted by our local manufacturing alliance. I immediately felt sympathy for all of the overwhelmed IT people who were in the room, under the same assumptions that I had made prior.
Executives, just like myself, put those people in that room to learn what they needed to do.
In all reality, an internal IT person would be extremely helpful, but they are not the complete answer. CMMC is a holistic company process change. It touches every part of the business, from human resources to the production floor. Cybersecurity direction and buy-in need to come from the top, not from IT.
The general understanding I took away from this seminar was that I needed to build a third-party team for cybersecurity at STRYKER.
My research began by searching for Managed Service Providers (MSPs), but at that time, I did not realize that the MSP needed to be CMMC themselves. Now I look back and roll my eyes at myself. Do your research on MSPs that will be certified themselves. This will narrow your search immensely and it is probably the most important detail.
The overarching touch to each part of your business means that an executive/owner/leader needs to lead this charge and work with an MSP to delegate to the existing team members in each department. Without change management, I cannot see this process being sustainable or successful in a timely manner.
Instead of hiring an internal IT position, I am currently interviewing multiple MSPs to build my third-party team. I am also focused on getting all the right people in the right seats on my bus. Build your internal team and build your external team. Building an internal team is an undertaking in itself, but I count my blessings every day for the work we have already done building an amazing team. At least that fact gives me reprieve from the unknowns of CMMC. I can count on our STRYKER bus. Always.