Being CMMC-ready isn’t just about having your paperwork in order. It’s about having a security culture that’s ready for change. In this episode of Trust Issues, Brandon and Bruno Lecoq welcome Karen Connor, Founder of ReThinQ Labs and cybersecurity compliance expert, to unpack the kind of culture that sets organizations up for CMMC success.
From why most organizations fail their assessments despite claiming readiness and how to build a CUI boundary that actually protects your business (and your bottom line) to the leadership shifts required to embed security across every department (not just IT), this conversation reveals why your IT team alone can't get you CMMC-ready and what it really takes to future-proof your federal contracting business.
What You’ll Learn:
- How to recognize the three most expensive CMMC gaps before assessment
- Why IT ownership of CMMC is actually your biggest risk
- The executive alignment framework that converts reluctant leaders into champions
- How to avoid the self-certification trap that dooms assessments
- Why testing like an assessor before you're assessed is a readiness strategy that actually works
- How to drive behavioral change without burning out your team
Episode Chapters:
00:00 Introduction
01:20 How Karen Went from Navy Cryptographer to CMMC Readiness Leader
04:25 Karen’s Expertise: CCA, RPO, and Readiness Strategy
04:52 Why Organizations Suffer from the False Confidence Trap
05:48 DFARS to CMMC: Why Ten Years of Compliance Didn't Prepare You
08:52 CMMC Is a Culture Shift, Not an IT Problem
09:33 Policies Without Executive Buy-In Are Worthless
11:33 CMMC Is for Everyone: Best Practices That Protect Your Business
14:03 CUI Boundary Confusion Is Your Most Expensive Gap
15:47 Commit Fully to CMMC or Don't Pursue Federal Contracts
17:37 Self-Certification Is a Dangerous Illusion
20:45 Stop Self-Certifying: Conduct Internal Audits the Way an Assessor Will
23:11 Make CMMC Binary: Quantify the Risk and Commit or Step Back
25:06 How $400-500M Settlements Should Reshape Your Decision
26:51 Why Cyber Under CTO Leadership Creates Compliance Failure
28:14 Why Cyber Must Report Directly to the CEO
29:13 Independent Cyber Functions Report to Finance, Not Technology
29:48 Tickets Aren't Punishment - They’re Time-Savers
31:42 The Art of Rolling Out Change Management
32:46 Closing Thoughts
Connect with the team: