IT Matters | Tech Solutions and Strategies for Every Industry

On this episode of the IT Matters Podcast, our host is joined by Nathanael Dick, Vice President of Cybersecurity at SteelFab, for a deep dive into the evolving world of cybersecurity compliance. Together, they explore why frameworks like the Cybersecurity Maturity Model Certification (CMMC) are becoming essential for modern organizations and how compliance can strengthen overall security. Nathanael also shares why companies should shift their mindset and view compliance not as a burden, but as an opportunity for business improvement.

Conversation Highlights:
[0:00] Introducing Nathanael Dick, VP of Cybersecurity at SteelFab
[2:23] Two Truths and a Lie - Cybersecurity Edition
[4:50] Nathanael's Background & Experience
[8:54] Compliance as a Growth Opportunity
[26:38] A Message to the Industry

Notable Quotes:
"What is always so critical to stop the bad guys is to be aware." - Nathanael Dick [28:17]
"Stay cyber safe. Stop and think." - Keith Hawkey [29:19]

Connect with Nathanael Dick on LinkedIn.

Read the transcript: Episode 39

The IT Matters Podcast is about IT matters and matters pertaining to IT. It is produced by Opkalla, a technology advisory firm that helps their clients navigate the confusion in the technology marketplace and choose the solution that is right for their business.

Creators and Guests

Aaron Bock (Host)
Keith Hawkey (Host)

What is IT Matters | Tech Solutions and Strategies for Every Industry?

Welcome to the Opkalla IT Matters Podcast, where we discuss the important matters within IT as well as the importance of IT across different industries and responsibilities.

About Opkalla:
Opkalla helps their clients navigate the confusion in the technology marketplace and choose the technology solutions that are right for their business. They work alongside IT teams to design, procure, implement and support the most complex IT solutions without an agenda or technology bias. Opkalla was founded around the belief that IT professionals deserve better, and is guided by their core values: trust, transparency and speed. For more information, visit https://opkalla.com/ or follow them on LinkedIn.

Aaron Bock: Welcome to the IT Matters podcast, hosted by Opkalla. We're an IT advisory firm that makes technology easy for your business. Our vendor-neutral technology advisors work directly with your team to assess technology needs and procure the best IT solutions for your organization. On this podcast, expect high-level expertise from our hosts, plus experience-driven perspective from the leading experts on topics like AI, cybersecurity, industry-focused IT solutions strategy, and more. Now let's get into today's discussion on what matters in IT.

Keith Hawkey: Welcome to the IT Matters podcast, hosted by Opkalla. At Opkalla, we help IT teams understand the busy marketplace of technology strategy and services with a data-driven approach. On this podcast, we invite technology leaders to discuss the challenges facing the modern IT department. My name is Keith Hawkey, Technology Advisor at Opkalla, and I am pleased to announce we are joined by Nathanael Dick, who currently serves as the director of cybersecurity and governance at SteelFab. Nathanael brings a really practical perspective to security, someone who's not just thinking about frameworks and compliance and theory, but actually using them to drive stronger, more resilient organizations. He's got a background that spans cybersecurity leadership and compliance strategy, especially in the areas of CMMC, which we'll dive into today. He's also deeply involved in the broader security community, even co-hosting for a stint his own cybersecurity podcast, and regularly is a speaker on many subjects in cybersecurity. In this conversation, we're going to get into how security leaders can rethink compliance, not just as a checkbox exercise, but as a lever for maturity, how AI is both in the threat landscape and in defense strategies, and what it actually takes to build a security culture that sticks inside an organization.

Nathanael, welcome to the IT Matters podcast.

Nathanael Dick: It's great to be on, Keith. Looking forward to it.

Keith Hawkey: But as per usual, we are going to start with a little game, if you don't mind, Two Truths and a Lie, and this is cybersecurity focused. Do you know how to play Two Truths and a Lie?

Nathanael Dick: Actually, I don't.

Keith Hawkey: All right, so I'm going to read off three. They're sort of news events, and two of them are true, and one of them is completely made up. And I want to see if you can guess the falsehood. That's the idea. All right, so two truths and a lie. Are we ready?

Nathanael Dick: Ready.

Keith Hawkey: Okay, so number one, a Fortune 500 company experienced a breach that was definitively tracked to a compromised smart refrigerator on its corporate network. Number two, security researchers demonstrated it's possible to run a functional Linux environment inside a PDF file by abusing the PDF format's scripting and rendering capabilities, highlighting just how flexible and risky widely trusted file formats can be.

Nathanael Dick: Very good.

Keith Hawkey: And number three, a ransomware strain known as Volk Locker was discovered with a critical flaw. The attackers accidentally included the decryption key within the malware itself, allowing victims and researchers to recover files without paying a ransom.

Nathanael Dick: I'm going to go with number one as the lie.

Keith Hawkey: You are correct. There are no, at least reported, instances of Fortune 500 or any Fortune 100 companies having their network breached by a smart refrigerator on the corporate network, because that would be entirely embarrassing, but I actually think it's coming. Good idea, Nathanael.

Nathanael Dick: Yeah.

Keith Hawkey: It just hasn't... It's going to be one of our truths in the next year, is what I'm guessing.

Nathanael Dick: Well, we had the Target breach, which was an HVAC, so it's kind of waiting for that one, but refrigerator. I was like, okay, yeah, hopefully they put it on the guest Wi-Fi.

Keith Hawkey: Yeah, exactly. So let's talk about that, Nathanael. You have a breadth of cybersecurity experience. I'd love to learn a little bit about how you got into the industry. What inspired you to go down this path? Some of your background, can you kind of introduce us to Nathanael's path to where he is today?

Nathanael Dick: Yeah, so it started back in, I guess this could start as a teenager building a business with my brother, and through that process learned a lot about business and how to sell things online, and a little bit about scammers too. And then went to college and earned my Bachelor of Science in Computer Science, and then started in IT for a defense company, and during that time there really got a lot of experience, had some really great mentors there that helped me learn a lot, and so I just was taking in a lot of information and really grew to love a lot of areas of it. And then I started to lead that IT department and got into a lot more with, and we'll probably talk about this later on, the importance of how defense companies need to meet federal compliance, and that kind of led me into the compliance space and along that path also the cybersecurity space. So I just started to really develop a passion for securing environments and the importance of using frameworks and third-party frameworks and best practices to apply those principles, and as somebody that didn't know a lot of that, doing a lot of learning, what really helped along the way was those frameworks to understand here are the best practices to apply to a company's security posture.

Keith Hawkey: I know that there's one point, kind of on your journey, that you were handed a regulation to handle.

Nathanael Dick: Yeah.

Keith Hawkey: So tell us a little bit more about that experience.

Nathanael Dick: Yeah, so we were a defense company in Grand Rapids, Michigan, and I remember my boss one time, we were kind of working through the NIST 800-171 compliance. NIST stands for National Institutes of Standards, and it's a publication arm of the government that publishes best practices for the government, and NIST 800-171 is a compliance requirement that they started to enforce for companies that do business with the Department of Defense. So back sometime in 2017 we were working through that process, and I remember one day my boss at the time at this company, he was a great guy, great mentor, and we looked up to him, and he handed me this regulation, or said, "Go ahead and read this, and you'll probably fall asleep," and I took that, as you know, kind of an opportunity, and ended up just really actually not falling asleep, but just kind of engaging with the document, and really having fun with it. And I started to see a lot of commonalities as we worked through understanding the different specific guidelines and legal language in the framework, and so that really was a game changer in how not only the company looked at compliance, but I was able to develop a lot of informational learning myself, so that was a great opportunity, and also it just kind of developed my passion for frameworks and cybersecurity too.

Keith Hawkey: A lot of new cybersecurity leaders view compliance as a burden and as a big pain, and I just find it interesting, compelling, how you took this piece of regulation, you took this assignment, and you were engrossed in the material, and didn't think of it as a checkbox, but how are you going to improve security maturity at your organization, that it is something to embrace and live by as a security professional. And where do you see organizations get this wrong and treat CMMC like a checkbox instead of a real transformation?

Nathanael Dick: I think it is partly a mindset shift, because we start to look at compliance as kind of the bad boy in the room, and something to blame your problems on, because we don't want to engage with the compliance framework and find a business solution. So I'm a big believer that cybersecurity compliance needs to help the business; it can't pull back the business. So, going back to my experience in business, and I also have my MBA, I think that's vital to understand: we need to encourage the innovation and success of the business, and that's the first goal. So compliance and security have to support that, and so I think it's that mindset shift. Once you kind of get over that mindset shift, stop blaming security and start to enable the business. Some practical ways that can just kind of do that is instead of saying, hey, this password policy needs to be this way, maybe there's some creative ways that can be just as secure, even more secure. You get your users to engage with why you have it this way, and then they can kind of have, not input, but they can kind of help guide that process of innovation, so you're not just being the police and saying it must be this way; you're kind of working with the business, different stakeholders in the business, making sure they can still do their work and being compliant. So there's a lot of ways to solve compliance, and a lot of people think it's just one way, but if you're careful and you engage your stakeholders, you can really have success, not only in being compliant, but making it so that people come back to you and ask you these questions and keep your business safe.

Keith Hawkey: There is a significant compliance benchmark that's coming up in October of this year with CMMC, and lots of organizations are behind the eight ball, as I've discovered in my day job, and are scrambling to make ends meet to reach this compliance. You know, there's different levels of compliance requirements, so they can bid on those juicy government contracts and agency contracts. Maybe you could just, you've been on this journey, could you kind of delineate what are the differences between the different levels of CMMC? I know there's a level one to what... if you're just starting down this journey, and if you are starting now, you are way behind. Let's hope that you've made some progress. How should someone that's been assigned this journey kind of think of the different levels and what's good for them?

Nathanael Dick: So, there's three levels, and I'll take a step back. So, first of all, in context, the problem the government faced back in 2000 and even in the 90s was we were losing our secrets. So the F-35 fighter jet was stolen by the Chinese, there was a lot of other pretty major secrets stolen, and so they had to get their handle on all this data being lost, so they developed what is the NIST 800-171 standard, and in 2010 there's also an executive order by President Obama to kind of consolidate the different data types that the government had. And it was fine storing, for the most part, classified data, which, think of like movies where you see these big rooms and all this very secret stuff, but the problem was all this data that was not classified. When taken together, these spies and these organizations could actually develop some pretty major informational data points that could lead to these secrets being stolen. So the government realized that, and then tried to consolidate that into what was called controlled unclassified information, and then over the years regulation was enforced on businesses that handle this controlled unclassified information, and they had to comply with 110 cybersecurity requirements for the NIST 800-171 standard. But nobody really was doing that, so they were saying they did in general, obviously there was some exceptions, but nobody was really taking it seriously, because there was really no skin in the game. The government was saying just do it, and we may check you, but not a lot of people really checked. So then they realized how we need to start to validate this and have a way to make sure if you say you're compliant, you have all these 110 requirements, you actually are compliant, and that was what caused the Cybersecurity Maturity Model Certification to go into effect. Basically the whole thing, the whole process is you have an auditor come out and verify you are meeting these 110 requirements. That's it. That's really in a nutshell what CMMC is.

Now, then you kind of get a little bit more in depth. You do have CMMC level one, so that's base controls, so it's going to have a lot smaller subset of controls, and actually a third party verification is not required, so that's CMMC level one, and this is for data that's not even CUI, so this is what's called federal contract information, so very non-technical data, and it doesn't even meet the controlled unclassified information. So if you do any kind of what we call controlled technical information, so code drawings, things like that, you're likely dealing with controlled technical information, and then you're dealing with CMMC level two. CMMC level two is those 110 cybersecurity requirements that align with the NIST 800-171 framework, and so that's where organizations largely need to get audited by what's called a C3PAO, or third party certified assessor, and that's the main bucket that organizations are going to fall into. We're not going to see a lot of organizations fall into the next level, which is CMMC level three. Those are more critical programs that maybe space satellites, things like that, I don't even know, but critical sensitive programs that would need that CMMC level three.

Keith Hawkey: Why has this been delayed over and over and over? Do you like... I remember five years ago this was,

Nathanael Dick: Yeah.

Keith Hawkey: This was coming, and it was delayed multiple times. Do you know, do you have any insight, like why they delayed these ramifications and the seriousness of this? I mean, it seemed like it would have been urgent,

Nathanael Dick: Yeah.

Keith Hawkey: many years ago, but

Nathanael Dick: You would think, right? But it's something I've been frustrated with, kind of in general, just in industry, is kind of, at least there's us fans of CMMC, which I consider myself a fan.

Keith Hawkey: There you go.

Nathanael Dick: I'm getting a little bit frustrated because it has gone through a lot of what I call industry criticism, and it's understandable. I think a lot of it has to do with maybe some of the ways it was rolled out originally, so there was a CMMC phase or version one, and that was a little bit more, maybe rigorous, you could call it, or confusing. There was actually five levels in that, but only three counted, so it's kind of confusing, and I kind of wonder if a lot of that failed first version of CMMC was largely due to just the confusion around the communication, because I remember people explaining it, and it was like, why do we have level two, and you don't really need to do level two, but you have level three, and you need a level, so it was very kind of in this confusing space. So they made a lot of good changes, and they did listen to industry, so they did get that right, and when they came out with what we call now version two of CMMC, it had a lot of good industry insight and feedback, and so I think they came out with a good product, but it did take the speed of a turtle to get here, for sure.

Keith Hawkey: Yeah, really, is CMMC level one just kind of the training realm? I mean, it sounds like the one that really matters for 95% of organizations that are engaging with CUI and classified information are going to need level two. Are there organizations that it's just a good training exercise for level one? I mean, it doesn't seem like that would be a requirement. Yeah, more of like getting you started.

Nathanael Dick: Well, you know, there's CMMC level one, there's some tough controls, um, some physical access controls, and some others too. So, there's some things there that do take some investment and time to at least document and show what you're doing, I think, but it's a very baseline level, and hopefully you've been kind of doing that already, so if you're not at CMMC level one, even, you have a lot of work to do. But for the most part, you are going to see most companies that handle CUI, for sure, if they handle CUI, going to be at level two, so yeah, there's definitely going to be quite a few that are level one. In fact, you can do a search on sam.gov, which has a list of all the contracts, and kind of look at that. What is even now a requirement for level one? So there's even some CMMC level one and two out on sam.gov, so we're actually in the first phase that started November of 2025 all the way to the next phase, which starts this year. So people were saying, "Oh, this is going to be the harder phase." Well, it probably will be, but we're already starting to see some of these requirements pushed out already, so it's really important to be aware of that and be ready as soon as you can.

Keith Hawkey: Was there a point when you were approaching your level two certification where you thought we are not as ready as we thought we were? Were there any gotchas, any trip-ups that some cybersecurity leader that is going down this journey should be cognizant of, should be thinking of, anything like that in your story?

Nathanael Dick: Well, thankfully we had a great team, so it took a full IT security effort. My boss, Sandra Clay, was awesome, and the whole IT team, we really kind of worked together really well, and we had a really successful process down, and so that was good. From what I've seen in industry, and just kind of talking to a lot of colleagues, probably the biggest challenge is figuring out who's going to kind of own the CMMC space, and then after that is like making sure you are scoping kind of your environment correctly, and that's probably the biggest gotcha, where you may not really understand what you said you were doing, and that could be a cause for an audit going awry. Or you see a lot of where a consulting company will kind of generate a lot of the documentation and policies, and then you may be reading it, and you're like, okay, well, you know, are we really doing this? So I think that's the kind of gotchas in industry: make sure if you have enough policy, make sure you're actually doing it, and make sure you have a lot of review kind of built into all your documentation. Probably 80 to 90% of CMMC is documentation, whether that's policy, configuration or just the continual maintenance and review process of CMMC; the last 10% is just good cybersecurity controls, and so that's kind of the main uplift. Yeah, there's definitely significant investment in some of these controls, like multi-factor authentication, but not really. I mean, a lot of that is just already pre-built into, like, Microsoft, for example. So the real work is the documentation and making sure it ties back to your configuration, your controls, so

Keith Hawkey: With those third parties, because I work with them, I work with companies that do this, they can provide a lot of the documentation and offload that burden from an IT team, but it sounds like the way you made this appear is that sometimes you can get into trouble to some extent when a third party's supplying a lot of your, quote unquote, policy that your company abides by, and their interpretation of how your organization is abiding by this policy may be very different than someone internally that knows how that organization is abiding by certain policies, and then when the audit comes around, you might be in a sticky situation if you lean too much on a third party that's going to do a lot of this work. Is that kind of what you're getting at?

Nathanael Dick: Yeah, we have some great MSPs we work with too, and I think the main piece is if you use an MSP, that's great. Just make sure you know what they're telling you, and they're advising you, and make sure that you understand it yourself, or somebody at your company. I always recommend companies choose a CMMC main person. They don't have to be the expert in everything, but they should kind of know a little bit about the regulation, and then they should definitely know your policies backwards and forwards, and then that can be your really main point person. So, even if the consultant creates a lot of the documentation, that's great. I love some of the consultants out there that do that, and they have some great products, and I actually recommend you kind of use some of their products, but make sure you know what they say and what they recommend, as it applies to your environment. When the auditor comes, you can be the one to answer that, and that's going to help when you make upgrades to your system. Say you need to make an upgrade: if you aren't aware of what your policy says, and you just make the upgrade, that could be a violation of the policy, or it could impact you long term and make you get out of compliance. So really, it's really critical. We obviously went through it at SteelFab. SteelFab was one of the first fabricators to go through a level two audit, and we're now in the maintaining phase, and that's just as important as getting the certification: maintaining it, and making sure you're aligning with it. I hear a lot of people say, okay, once we have it, you know, we just can kind of turn off the, or we can kind of let go of the consultant now and figure it out, but you got it. There's a lot of maintenance to be done. There's a lot of things that have to be done on a weekly, daily basis just to maintain that certification.

Keith Hawkey: That's so valuable to hear, Nathanael. We're running... I feel like we're just scratching the surface, but we're running up on time on the podcast, so we'll have to have you back to follow up, maybe even after these deadlines actually take place in October for CMMC level two. One thing that we like to do at the end of the IT Matters podcast is, well, actually make this close to home. We both live in Charlotte, so let's say you've got, you know, everyone uses I-77 to go up and down Charlotte. If you could rent out a billboard on I-77 that all these IT leaders in Charlotte could see about something that you think is missed in either IT or cybersecurity, or a message or something that you think is kind of the unsung virtue in the industry, what would you want to, kind of, in short form, what would you put on a billboard that, if every IT leader could see, that you think is missing?

Nathanael Dick: I think it's a great question, and I think what

Keith Hawkey: I know, I sprung that on you.

Nathanael Dick: What I would say is keeping aware is so critical, like I just think about some of the people that come up to me, my friends, or even coworkers, and what always is so critical to stop the bad guys is to be aware, and maybe I would put, you know, stop and think. I think those would be the two things, and that would probably solve most of, and stop most cyber incidents, if people stopped and thought before doing whatever, whether it's clicking something or maybe responding to somebody, or any type of action. And it really comes down to, we stress this a lot at our company, is it's a team effort, and it's not just me in my office, and I've got all the cool cyber gadgets. It's really having a team, and it's not just the IT team, it's the entire company, and that's what keeps us safe and cyber safe.

Keith Hawkey: Stay cyber safe. Stop and think, from none other than the great Nathanael Dick. Thank you for taking a little time to join the IT Matters podcast. Nathanael, where can our listeners find you, if they have any questions, if they're beginning this journey down CMMC? What's a good place for them to talk to Nathanael?

Nathanael Dick: Yeah, so I love just engaging on LinkedIn a lot, so you can find me on LinkedIn. Feel free to message. Always interested in hearing other people's CMMC stories and cybersecurity stories, so love to continue to just collaborate. And I always enjoy hearing other people's stories.

Keith Hawkey: Perfect, we'll put Nathanael's LinkedIn information in the show notes, and with that we are done today, and we'll catch you on the next IT Matters podcast. Thanks for listening, and we'll talk to you soon.

Aaron Bock: Thank you for listening, and we appreciate you tuning into the IT Matters podcast. For support assessing your technology needs, book a call with one of our technology advisors at O-P-K-A-L-L-A dot com, that's opkalla.com. If you found this episode helpful, please share the podcast with someone who would get value from it, and leave us a review on Apple Podcasts or on Spotify. Thank you for listening, and have a great day.