Secure Talk reviews the latest threats, tips, and trends on security, innovation, and compliance.
Host Justin Beals interviews leading privacy, security and technology executives to discuss best practices related to IT security, data protection and compliance. Based in Seattle, he previously served as the CTO of NextStep and Koru, which won the 2018 Most Impactful Startup award from Wharton People Analytics. He is the creator of the patented Training, Tracking & Placement System and the author of “Aligning curriculum and evidencing learning effectiveness using semantic mapping of learning assets,” published in the International Journal of Emerging Technologies in Learning (iJet). Justin earned a BA from Fort Lewis College.
Hello everyone and welcome to SecureTalk. I'm your host, Justin Beals.
In May of 2025, Raytheon and RTX Corporation paid $8.4 million to settle False Claims Act allegations that they violated cybersecurity requirements in Department of Defense contracts. The failures weren't sophisticated. Raytheon hadn't developed a system security plan. They hadn't installed antivirus on systems handling defense information. Penn State settled for $1.25 million. Georgia Tech settled for $875,000. These are well-resourced organizations with enormous budgets and sophisticated IT teams. They still failed.
After spending time with third-party assessors and registered practitioners across the country, I keep hearing the same explanation for these failures. People are failing CMMC because it's an HR problem. The wrong people are in charge, or nobody is in charge, or the system was stood up by someone who didn't understand what was being asked of them.
I've been thinking about this a lot lately. When we built Strike Graph, we recognized early that compliance frameworks don't harmonize. They compete. NIS2, ISO 27001, NIST CSF, CMMC, they all overlap, but never quite match. Most organizations treat each framework as a separate project, end up with redundant controls, and watch their operational burden grow exponentially. The only way through is natural language processing that can map semantic relationships across frameworks and connect them to what people actually do day to day.
But there's another layer to the problem that I hadn't fully appreciated until I met our guest today. The compliance industry is built on three separate communities that rarely talk to each other. There are the regulators writing the "thou shalts" — the laws and frameworks. There are the technical implementation people writing the STIGs and the CIS benchmarks — the "how do I." And there are the auditors and assessors deciding "did I." Each of these groups operates in its own authority domain, with its own language, and almost no shared lexicon between them.
Our guest argues that the missing piece in this puzzle is people. Specifically, which jobs in your organization should be assigned which tasks, and what cognitive load those tasks actually require. He brings up Bloom's Taxonomy, which I remember well from my work in standardized education. There's a real difference between asking someone to remember a procedure and asking them to evaluate, prioritize, and modify a control. If you assign the wrong person to the wrong cognitive task, the work doesn't get done. And no amount of technology will save you.
This connects to something I see constantly with companies pursuing CMMC. Earlier this week, I was on a call with a manufacturer who had been pitched an expensive technology platform that would supposedly make them CMMC compliant. I asked them a simple question. Have you identified which of your existing systems don't meet the requirements? They hadn't. They were about to spend a lot of money on tools they may not need, while ignoring the actual scoping work — and the actual people work — required to pass an assessment. When I told them this is largely how the industry operates, with substantial vendor kickbacks built into MSP recommendations, they were stunned. Most organizations are doing 90 percent of what's required already. They just don't have it represented in the right way, assigned to the right people, with the right evidence.
Today's conversation explores how to actually solve this. We discuss why dictionaries and shared lexicons matter for compliance, how O*NET and the Department of Labor's job taxonomy can map specific compliance tasks to the people who should perform them, and what AI can and cannot do in the repetitive parts of compliance work. We also talk about the open source release of native STIGs in JSON format with API gateways, which Strike Graph is partnering on as a named integration partner.
Dorian Cougias has spent over two decades at the intersection of security compliance and applied technology, and he's got the scars to prove it. As the former CEO of Unified Compliance Framework, he built what became the world's largest GRC database, accumulating 20+ patents in compliance automation along the way. Today he runs MoxyWolf LLC, a venture studio focused on AI-driven compliance infrastructure, and is the force behind STIGViewer, a widely adopted tool that helps defense contractors and federal agencies navigate the dense terrain of STIG and CMMC requirements.
Before any of that, he was Special Forces. That background shows up less in the résumé and more in how he operates: systematic, direct, and allergic to theater.
Dorian's current work sits at a moment of real inflection in the compliance industry, where AI is beginning to reshape what automation can actually do, and where the old checkbox compliance model is running out of road. He's building for what comes next.
He's based in Las Vegas and is active in the compliance, cybersecurity, and federal contracting communities.
Please join me in welcoming Dorian to SecureTalk.
---
Justin Beals: Dorian, thanks so much for joining us on SecureTalk today.
Dorian James Cougias: Thank you, thank you for inviting me. Appreciate being here.
Justin Beals: It's a treat. I have been really excited about doing this episode because you and I have been chatting for a little bit now and I feel a deep-seated friendship with you. And I certainly have tapped into your mentorship on a couple of occasions, being new to, you know, my work in the compliance space. And I thought, if you'd permit me, I'd tell a little story about how we met.
Dorian James Cougias: Sure. Lord.
Justin Beals: Yeah, so I was at the Gartner GRC, risk and compliance conference almost a year ago, about nine months ago. And of course I like to go to the booth and stand there and meet people as they come by, even though I'm the CEO. I think that's slightly unusual, but we're a small team, whatever. And this tall, long-haired gentleman started peering at our booth and what we were saying about AI, and you just were like, why do you think your AI is the best? Like right off the bat. And of course I get some challenges from time to time, like people, you know, that want to challenge us and what we're saying we do. And I started explaining it and you were like, yeah, okay, I get it. And that really kicked us off. You must've looked at our booth sitting across from AuditBoard and got like, who are these guys and what do they think they're talking about?
Dorian James Cougias: Well, I kind of do that to everybody. You know, I walk around the trade shows, having for a while been owned by an ad agency, which was weird in and of itself. And you go to the booths and a lot of them have the dumbest phrases and dumbest names I've ever seen. And you can't figure out what it is they do. And then you ask them and they'll either give you the most hyperbolic bull crap about what their capabilities are, or they will read it as if they're reading off a card. Yeah. So very, very few and far between do I find people like yourself who really know what they're talking about. And, you know, I have 20-plus patents, books of patents, you know, with a couple of hundred claims. And so I've been around the block once or twice. And I can tell, you know, I have a BS meter that's pretty low. And I can tell when somebody knows what they're talking about because I'll throw some words in and see if they know them or if they're making up their answer to them.
There's a, you know, what's that test in the Old Testament where it's the religious test. You say the word one way and, you know, you can tell which side of the river they were from and how they say the name. I can't think of what that's called. It even appeared in West Wing. But I will throw one of those tests out on a regular basis.
Justin Beals: Yeah, and you and I both had a deep background in natural language processing from different spaces. You had been working in the compliance space, built a really amazing company, UCF, United Compliance Framework...

Dorian James Cougias: Unified Compliance Framework.

Justin Beals: Thank you, Dorian, appreciate that. That is my worst. I give all my names to my computer and let it process it. Yeah.

Dorian James Cougias: That's okay. My wife for the longest time called it the UFC and I said, well, we wrestle with compliance, but not really in a ring.
Justin Beals: That's good. And then I had dealt with this kind of standard style management and education, which is why I got interested in the space. And it was really fun sharing our perspective on this like data ontology work from different perspectives. Yeah. It's very powerful.
Dorian James Cougias: Yeah, well, I come at it from the semiotics angle because I'm dyslexic. You know, if anybody wrote the book on dyslexia, my name is in there somewhere. You know, if you want to see somebody really dyslexic, just talk to Dorian. And...
And so when I come at a sentence, I still have to build the sentence mentally in my mind. So my mind is probably programming RDF triples every time I read something. So semiotics and the nature of language and that nature of definitions and things like that, I would love to say come naturally to me. They don't. They come by beating it into me. So that's how I see compliance.
I see all of the things that these people write, which is why the patterns to me are so bloody obvious.
Justin Beals: Yeah, I think I just, I got very interested in it because it was a difficult computer science problem, right? It was in education with no child left behind. They were like, how do I know if this quiz question is testing the right thing or this textbook chapter is teaching the right thing? And these standardized tests were a big shift for everybody. And I was like, you know, the story is in the patterns in the language that connect all of this information.
And if we can bend mathematics and computer science, you know, in the right direction, then we can start to reveal the interconnectedness of these concepts. And it was absolutely intriguing to me. I loved it. Yeah. Well, let's start back at the beginning for you a little bit. A distinguished military career, Dorian. I've certainly been around a couple of your colleagues, and well respected. Yeah.
Dorian James Cougias: I don't know how distinguished it was, but it was a military career. But distinguished would be like, you know, and distinguished would be, you know, the rest of the guys who've got, you know, medals that go to the top and they say continued on t-shirt, you know, every class I went to, I think I graduated some come later.
Justin Beals: You describe it as...
Dorian James Cougias: So. Let's say that I was in and let's say that I did good things with the limited capacity that I have. They, you know, the Peter principle, they just kept promoting me up because nobody else wanted to deal with me. And the neat part is I got to be in Signal. And, you know, Signal turned into signals intelligence and listening. And so, you know, once you connect, then it's in, and you connect to your own people. All of a sudden you learn to connect to those people, the other guys. All of a sudden you can start figuring out, they're saying something, the patterns come out. You know, what people say, how they say it means something. Shannon, there's a guy named Shannon, Claude Shannon. Shannon's entropy theory, I love why they named it Claude. Shannon's entropy theory became really, really big for what I did in the space that I was in. I can't really...
If anybody really wants to know, go look this one up. I was sheep-dipped into the ISA and I worked for the... anybody who works for somebody with an N and an A in it, they had it. So if you know what sheep-dipped is and what the ISA is, you'll now know what I did. And that's as far as I'm going to go. But we did use Shannon entropy theory, because for you guys going downrange, he needs to know what other people are saying.

He needs to know what the load is. And the same thing then becomes in compliance. It's one thing to tell somebody to turn off the spigot. Well, the spigot's either going to be on or going to be off. They're going to be able to make that determination. But then if you say to them with a SCADA control, go look at the data panel and make a determination of the water flow and reduce it by 7 and 1 percent.
Okay, that's a different kind of, that's a different level. And funny enough, I just happen to have these sitting here. I think I gave you one at the trade show. My favorite thing. If you're listening to this, go get them. They're like two dollars and ninety-five cents. I just got a whole stack of them, they just came in, so they're sitting here.
Justin Beals: You did. Yes. This is something we chatted about at dinner. I'm so excited. Yeah.
Dorian James Cougias: Bloom's revised taxonomy. Okay. So when you're telling somebody to do something, it's really simple. You go on in and you say, look, you know, if I want you to remember something: choose, recall, select. That's very, very simple. We can do that. If I want you to understand something, some basic things: classify, relate, rephrase.
And then you get all the way down here to the bottom where you're evaluating and you're saying determine and prioritize and then create something, you know, develop this, modify this, direct this, elaborate on that. So that's all Shannon entropy theory. That's a cognitive load that we have to tackle. Well, that becomes really important in compliance.
It becomes important at the high end of understanding what they're asking us to do with the regulations and the standards and the guidelines. And then on the bottom end in the Security Technical Implementation Guides from the government or the CIS security standards, you know, where they're saying, now here's how you implement it. Both of them, you know, follow Bloom's taxonomies of cognitive load. How hard is it to do that? You got to marry it together at the top and the bottom.
And then you've got to marry it to the right people and the right jobs with the right training. Because if you give, you know, we used to say in the end, we called everybody in the military Private Snuffy. If you give Private Snuffy the job of, you know, fine-tuning the nuclear reactor, maybe it ain't going to work so good.
Justin Beals: Right, yeah. Could be catastrophic. Well, Bloom's taxonomy is something that you've been playing a lot with lately and certainly was a big part of my computer science work because we were looking at what level of learning did this particular activity represent or what could we assess? Like what level of knowledge, according to Bloom's taxonomy, could we find in a certain style of assessment? I like where you're going on the compliance side, because even when we started working in the data science, the natural language processing, one of the things that floored me right off the bat is we take like a framework and a part of a framework, like a NIST control, and then an activity or an operational characteristic. And our first NLP models where we tried to connect them had a really low accuracy rate. It was really hard, because the language was very different about what you do versus how we're going to test you on what you do. And that was a big aha moment for us that there was a lot of work to connect these two pieces of information together.
Dorian James Cougias: And Bloom's is perfect for that. And so you have to tie it together. And you're talking about the language barriers between it. First of all, I think every regulation, I think regulatory drafters go to obfuscation school.
Justin Beals: I call it folklore land. Like the folklore on this part of NIST 800-171 is this.
Dorian James Cougias: Exactly. Seriously, guys, can you make it, you know, butter the bread, God, you know, don't say, you know, take the Lord, just don't get me started on them. But one of the things that I learned early on, one of the things that I had to do, and I fell into it accidentally, is when I first started this, I realized that we had to have a dictionary to tie everything together.

And then I realized that actually it has to be a thesaurus, because in the world of lexicon, lexicon being all of the language of something, the earliest, easiest is the glossary. And you'll see NIST will have a glossary, PCI will have a glossary, whatever. This means this in this context. Then there's the dictionary. Then there's the, this is the generally accepted version of this and this and this. And then you have the thesaurus: hey, this can mean this in this context with this synonym, and here's the antonym of it, and here's the other of it. And when I first put Unified Compliance Framework together, the first thing I said was we have to have a dictionary underlying that. We're doing the same thing with what I'm releasing now on the 23rd.
But I'm doing it better. And it's funny. The first thing I did is I wanted to turn to real dictionaries to tie this language together. And then I thought, great, I will go to the world's largest dictionary, Oxford English Dictionary, 18 volumes, right? Each volume being about that thick. And I hadn't seen the movie yet with what's-his-name, the actor. They actually had a movie about how the Oxford English Dictionary was made. Pretty wild. I hadn't seen the movie yet.

Justin Beals: I haven't watched it. I'm going to have to look it up. Yeah. Yeah.
Dorian James Cougias: And so I went to the Oxford English Dictionary, and the very first thing I wanted to find out: personal data. That's kind of an important term. There's a lot of companies that can't find what you would estimate, at least way past millions, hundreds of millions of fines of personal data loss so far. Not in the Oxford Dictionary. So, typical Dorian fashion,
I look up, is there a dictionary society? Well, it turns out where I went to school, University of Chicago. Yay! Anybody who ever had to go to the school where fun goes to die, I feel bad for you, especially in winter. Yes, I was the editor of the Maroon, co-editor of the Maroon. But so we had a library school.
And it turns out a person that I went to school with is running Wordnik right now. I said, hey, you know, talk to me about dictionaries and dictionary structures and what's out there. And she said, well, you know, why doesn't Oxford have personal data in there? You have personal data. Why doesn't Oxford? She said, well, you know, there's this thing called the Dictionary Society, the meeting is coming up at Indiana University. Why don't you go present? You're a smart guy. You're putting all this stuff together.
And so I said, OK, great. And I presented the lexicon of compliance, why the print dictionary is dead. And I figured there would be maybe two people in the audience. And everybody else shut down their presentation to come to mine because they wanted to hear why the print dictionary was dead. And then in the very first row in the center was the lady who was running the Oxford English Dictionary at the time. Scared the bejesus out of me. And I said to her, "Personal data, that is incredibly important. You know, personally identifiable information." That's what they're calling it over here. They're calling it that over there, you know, personal information over there. This thesaurus needs to exist for regulators and other people testing them. Why isn't Oxford putting that together? And her answer was astounding.

She said, "We have 18 volumes right now that nobody buys. If I put multi-word expressions," I didn't know they were called multi-word expressions yet, "if I put multi-word expressions in the dictionary, we'll have 150 volumes, so we don't do it."
And then that's what she said to everybody, and they all looked at me, and I said to her, well, then your print dictionaries will die. And the room was silent. I'm now a distinguished fellow in the dictionary society. Not because of that one, I can guarantee you. But print dictionaries are dying. Where all of this is going is exactly what you were talking about. You have to be able to look at when somebody says something, what does it mean in that context?
What does it mean generally for the industry? And then if you put the predicate and subject together, how do we, if someone is saying, go do this, how do we then look at the same, go do this and say, how do we test for it? Is that it, both the action and the thing being acted on the same in both of those contexts.
And that's why I wanted to have that relationship with Strike Graph, because everybody at that Gartner conference, you and one other, and this is your show, so I won't name the other one. You and Reg, okay, if I can, Reg Steele. You and Reg Steele were the only two that had their act together to be able to bridge.
Justin Beals: Please, no, they're good friends. Yeah, they're good guys, yeah.
Dorian James Cougias: That and look at it the right way. There was another gentleman, can't remember the name of his company, Indian guy, really, really cool, super smart, PhD, tried to work with him and didn't work out. Because at the end of the day, I don't know if they didn't have budget or couldn't see things the right way, but in security, we have three different major players. We have the regulatory providers, thou shalt's.
We have the Center for Internet Security and the guys who write the STIGs. And by the way, the vendors who provide those STIGs, too. They write the "how do I." Then we have, in the government space, the C3PAOs, in the audit space, the PCI auditors. They have the "how do I test this." All within their authority domain.
Well, God forbid the three of them talk to each other.
Justin Beals: Ha ha ha!
Dorian James Cougias: Just, you know, seriously, can't, I want...
We own part of a winery. I would open up the winery and say, let's all go and sit for two days and talk about what you were bringing up. How do we write the test of "did I" to match the "that's what they should do," and did I follow the "thou shalt"? And then we go to the "thou shalt" person and say, do you know how frigging hard it is, you're writing that "thou shalt" stuff, to get over to there and then down to there? And then the guys down there, you know, what do you need from them? What do you need from them to ensure that you're telling people, you're building the "how do I," to match those things?
That conversation hasn't happened, but has to.
Justin Beals: I'll tell you one of the stumbling blocks I see too is the cudgel of independence. You know, I can't tell you how many auditors I've talked to or governing bodies that are like, we can't do that because we need to be independent. And I'm like, hey, you as an auditor, you're not technologically independent because you expect everybody to use Excel spreadsheets. Will you take it in a paper format? And the people writing the actual requirements, they're like, well, I don't want to tell the auditor what to do, you know, but I do need to set some form of rubric. And it's like, well, what if you didn't use something like the STIG to say, make sure these steps are taken, and then the assessment is much more accurate.

Yeah. Talk to me, what are you open to sharing about the work at MoxyWolf and the things that you're doing presently, Dorian?
Dorian James Cougias: I'm willing to share all of it. First, I do need to lay it out because of my former compatriots at Unified Compliance Framework.
Everything that I'm doing at MoxyWolf has been a reinvention. You know, yeah, I have 20 patent books in this stuff, but even though I'm not using what we've built, the patterns, the knowledge continues. Everything we're building is built on either open source or shared methodologies where we are publishing all of our work for peer review. As a matter of fact, I published a paper on LinkedIn, and it had 1,300 comments, some of which telling me I was full of crap, some of which saying that I was the next coming of the greatest donut in the world, which is kind of cool.

And so what we're doing is we're releasing, and in fact, Strike Graph is our first named integration partner. We are releasing native STIGs in JSON format with an API gateway so that as they get updated, they'll come across and see KLB.
We're also then releasing with that. I know that O*NET has an API gateway, but it's not the world's greatest call. So we updated the O*NET API calls. We're releasing that because you need to have the jobs. And we're also releasing as a part of it, and it might or might not apply as much, all of the cybersecurity regulations for the United States that we have mapped in partnership with Reg Genome. And when I say I, I mean the open controls team.

So MoxyWolf is a contributor to this. This is being released by Open Controls with a lot of assistance by us. StigViewer.com is where it's all coming out. And phase one is, let's get this out there in standardized JSON format so people get used to using it actively on a regular basis. The reason they don't use it right now is
You know, great, STIGs come out once a quarter from DISA, then you have to go pull it down, and then you can go to stigviewer.com and you can pull down an individual JSON file. Okay, great, wonderful. You know, I need to give tools like Strike Graph the API capabilities for their end users to say, this is what our Terraform has, these are the products our Terraform has. We know that on a regular basis, every organization needs at least 50 or so STIGs.

To apply, you know, to hit CMMC. So great, I'm gonna give Strike Graph the ability to query their thing and then come back to me and say, these are the STIGs I need. We're not gonna put a limit on how many STIGs an organization can consume. We're just gonna say, here's the STIG library, 550, as they update, we'll let you know. Phase two of this, we'll have all of it mapped together, like we've been talking about.

Which jobs do the STIGs tell us they should be assigned to? And I want to get into that. That's kind of important because O*NET is really, really important. What we're also doing in there is, and I'm working with Jim Pusser and a bunch of others at Anthropic, we're looking at which tasks can be handed to AI.
So there are a lot of tasks in there that are repetitive. And if you look at the Blooms or the other levels of analyzing it, there are skills libraries that are out there.
We have, you know, we tie into skills.sh, the website, and a bunch of others. And we mine the skills, we're mapping the skills and saying, hey, that's repetitive. You can set that up in Claude or, you know, the new Perplexity computer. Don't ever set it up in OpenClaw. There's more security holes in that than there is in Swiss cheese. But you can set it up in a secure environment and you have automations that you can tie into. Here are skills that map to that.
And then we're doing the same thing with the regulatory guidelines, not just the frameworks like NIST and everything else like that. But our first release with Reg Genome Cybersecurity is there are over 8,000 regulatory guidelines that government and banking people have to follow for cybersecurity. OK, we're going to make it easy that says, OK, based on who our clientele is,
Tell us all the regulations and standards that we have to follow. We're not going to guess. You know, this is who we service. So we'll be able to go through and do a reverse through Strike Graph to say, OK, great. Well, this is the library of cybersecurity, 8,000 documents, that by the way, updates weekly, because some of this stuff comes out from anywhere.
We have a feed coming in of over 80 different federal partners that have partnered with us, given us license to bring this in, map it, and redistribute it. So when a bulletin comes out from the FCC, when a this comes out, when a guidance comes out, when an OCC comes out, we know within a week. And we'll be able to then go and say, hey, look, here's what this says you need to do, not just for the CMMC overall to get your points and certification, but to keep up with all the other bulletins that are out there that you have to follow.
Here's the how-tos of the lower-level STIGs, and after RSA, we'll probably have Center for Internet Security in there as well.

And then with O*NET, the Department of Labor giving us a direct feed, and us, I'm on the committee to map that to NIST and everything else like that for NIST NICE. Here's then who in your organization this needs to be assigned to. So that Strike Graph can go on out and say, let's get all those people on the team and let's get communicating to them what they need to know. That's what we're building.
Justin Beals: I think I love the vision of what you guys are doing. And you and I have had a ton of fun collaborating in these different areas, and what it means, because we both see the interconnectedness in this work. I got turned onto it as being a CTO. I was like, hey, I'm going for this compliance outcome, and 60% of the stuff should be going to HR and not to me. But because one of it was technical, you're giving me the responsibility for a policy that needs to happen way over here. And so let's talk a little bit about O*NET and the job applicability to the activity. Yeah.

Dorian James Cougias: Yeah, absolutely. Not just the job applicability, but the knowledge and skills applicability to what a person has to do for that job. O*NET is very, very rich in that way. O*NET, with our translators and with that dictionary in back of it, because some of the guidelines will say, encrypt this. The others will say, secure the data at rest throughout your station. Well, that is encryption. Or, or mask this information. That's also encryption. You know, because you're not going to go around with white-out on the screen, right? And so, you know, we had to build all of that in and say, now, who does that? Who does that in the organization?
Justin Beals: Yeah, that's right.
Dorian James Cougias: And then you get these STIGs where a single finding will say, "You have to do this and that." That's actually two different jobs that have to talk to each other. That nobody is saying, now I don't know how you pronounce it. Is it "rakey" or "racey" chart? I've heard both.
Justin Beals: I've heard both. Racy has been the one I've heard most recently. Okay. Yeah. Good.
Dorian James Cougias: All right, we're going to go with RACI then. So then what's the RACI chart for who's in charge and then who's communicating? Because there's always got to be one person in charge. You can't put two people in charge because then it just really gets screwed up. So, you know, who's going to take charge of this one? Who's going to communicate with that one? Who has the authority to give them that? And then what's the work breakdown structure for it? You know, what does that look like?

These are all the things that Unified Compliance never let me build, because the PE guys, it's really weird, PE guys come on in and give you a big sack of money because you're brilliant, and then they stop listening to you. And then they put, you'll probably cut this part out, but then the guy that they picked to replace me is basically an anencephalic twat model.
You know, he's got the vision of a blind man and, you know, not little real vision, they didn't get the holistic part of where O-net fits. And one of the reasons I'm still involved is when I retired, they were supposed to pick all this stuff up and run with it. Matter of fact, they even asked me, can we have StigViewer.com to keep going? And then they never made any of the meetings. They didn't go to the DOD meeting, they didn't go to the NIST meeting, they didn't go to the O-net meeting. And so I got called and said, hey, can you come out of retirement? Can you not retire?
And can Moxie Wolf come on in and assist the open controls guys getting all this stuff out the door? So that's my relationship. That's the Moxie Wolf relationship to all this. Onet is essential because it does it. It then is the US version of all the jobs and tasks that you have to perform gives us a solid found footing for all of that.
And then O*NET maps to the Japanese version, O*NET maps to the French version, O*NET maps to the NIST NICE version. So that's that core. And having it run by the Department of Labor, who's gonna argue with that? They're doing a fantastic job.
Justin Beals: Yeah. I don't think we give our civil servants enough credit. It is a big challenge, what they tackle for us. Yeah. You served in the military, and I have family that have worked a lot in the DOD, and my family members have inspired me to appreciate more the hard work and effort, watching them care so deeply about the missions that they serve in. Yeah.
Dorian James Cougias: Absolutely. And they do, they really, really seriously care for all of this. And the great part is it extends. When I was in Denver, I got to meet the loveliest woman who runs the Organization for Economic Development in the Americas. I forget what the acronym is. First thing she said to me was, we've got to get this applied to Latin America and everything that we're doing as well. And the great part is, O*NET for those jobs translates on over, because she has a version that maps to O*NET. And STIGs go anywhere, you know. And when I pulled in the Reg Genome data for the regulatory guidelines for cybersecurity, I said just North America. Because if I said Latin America as well, I would have, you know, had another third of regulatory content. And I think the beachhead market, first and foremost, really needs to be the people who are coming up with CMMC certification.
Because what? And you heard the same thing, I think, when we were both in Orlando.
What I heard from almost every 3PAO and every RPO was people are failing CMMC because it's an HR issue. The wrong people are in charge, or nobody's in charge, or they're looking at a system that wasn't stood up correctly because the person who was assigned to stand it up was a corporate wonk who didn't get X and Y and Z. And so they're getting these low self-assessment scores, even low self-assessment scores, because it's an HR problem. It's a jobs, tasks, and work activities problem. And then an education problem. Matter of fact, I've got, these are all the people from the show who wanted me to tell them about where we're going when it launches. There was a really, really wonderful woman. I want to remember her name and give her a shout out because she was so cool. Oh, look, here's Andy's card. Here we go. This was her, really. Right. Rose Ketchum. Rose is running a product that does education. And she was saying the same thing that a lot of the other 3PAOs were saying.
It's a problem based on work activities and the knowledge that you have to have to perform the work activities, and assigning the right role to that part of CMMC in the organization. And then when we get into the banking side after CMMC, it's that MSP who's doing the job, because there is no internal staff in the organization to do the job.
So not only are they not your own people, now you're one removed, at an MSP that doesn't give a rat's patootie, really, if you pass or fail your audit. They've got other clients. They're going to do their job. But how do you know that this person is doing the right thing? Have you got the right person assigned out there?
Justin Beals: So this week I had a call with a customer, a Strike Graph customer, and they're working through CMMC compliance, and they have an MSP and IT services provider that has kind of come in to sell them a technology solution to be CMMC compliant. And I sat there on the call with them, and I was like, have you identified what in your existing IT infrastructure doesn't meet the CMMC requirements that would force you to go and adopt this other platform?
And these guys were manufacturers, so they hadn't been around the software space as much as you and I have. And they were like, well, no, not really. And I was like, well, that's what we need to do. We need to look through the requirements. We need to look at what you do today. And we need to identify where you're not meeting the requirements. And then we can say, yes, I need a technology solution. And on the call, they said to me, man, it's so funny, it's almost like these guys get a kickback. And I was like, "Oh, you don't know. That's the way this whole industry works." Like it's all a 15% kickback.
Yes, that's right. What is going on? And I felt so bad for them, because they were just doing their best to support their business and the mission of the government that they work with, you know, the US government, and here they were getting sidelined into adopting this piece of software: pay me quite a bit of money and I'll make you CMMC compliant. I'm like, yeah, that's not how it works, actually. It's not all about the tech.
Dorian James Cougias: Right. Right. Absolutely. And funny enough, I'm going to be bringing you in. I signed a recent agreement, or I sent off a recent agreement last night, to a guy who will represent you and I, your Strike Graph side, to a hundred-million-dollar organization that was bought by a small billion-dollar organization that was bought by a multi-billion-dollar organization that is wholly failing CMMC because they don't have the right job assignment package to even find out what is failing, where it is failing, and why it is failing.
And so, you know, I said, well, do you have the job map to even ask the right question? And the guy said, "What's the job map?" And I said, and we're talking Terraform, we were talking this and that, and I said, same thing. Someone wanted to come in and sell them a solution. And the call came to me from my tie-ins to the DC folk. Hey, you know.
Well, I think they thought I still had a clearance, which I gave up when I retired. But they described what was going on. We did the NDAs. And I said, yeah, it's not a tech solution. You've got to figure out what you've got and where; it's a scoping problem. Both tech and people. And it's got to be buried.
And you've got those three things: the regulatory, the how-to, and how they're going to look at it, all focusing in on how to figure out where you're at and why you're failing.
Justin Beals: Because certainly some of the requirements say things like encrypt data. Like, we can look at something like CMMC, and there's a FIPS 140, a very technical-style encryption requirement in there. And you need the right job to do that. But there's another one that's all about, you know, what's the process for reporting a breach. And that's a very different type of job, you know?
Dorian James Cougias: And how do you even know that you had a breach? So, for the process to report a breach, now that you've encrypted it, who's looking at the system, how can you tell that it's not there, and et cetera, et cetera, et cetera? Where are those people? What does that RACI chart look like? What does that work breakdown structure look like? What does that communications plan look like?
Justin Beals: Yeah, I feel like I bang a drum a lot of times where I'm like, this is a completely horizontal practice across the organization. When you go for one of these compliance outcomes, every part of the group will be touched on what they need to change. That being said, you're probably doing 90% of what is required already. We just don't have it represented in the right way.
Dorian James Cougias: And we don't have it connected the right way. The parts are there, for the most part. But it's interesting. I fired a group of people I was working with. They had us on this platform called Directus, doing CMS. And on March 2nd, one of my other projects died. Directus was just turned off. And we get this email giving us our money back for the rest of the year for Directus. I went through the roof.
You know, the content management system gets turned off without somebody calling me? That's a no-go. You know, heads will roll. Somebody is definitely getting fired. What's going on? I finally get a hold of the Directus guys. They had been emailing the administrator three months ago, two months ago, a month ago: the platform you're on is being sunset, you've got to move off. That person never communicated.
That's not good. We could have moved off three months ago to another platform within their environment to keep going, and we would have had no loss, because they had a whole migration plan, but nothing was done because this person didn't do their job to pass it on. Yeah, guess who was fired? Right then and there. Yeah, yeah. Like, don't even come in, you're fired for cause.
You dropped a content site just because you didn't say anything to somebody.
Justin Beals: Yeah, and that's the worst. We work in teams. There are people here to support you. You know, it was really easy to say, I need help.
Dorian James Cougias: I do, all the time, on a regular basis. I say to my guys, hey, look, I'm a moron. You know, I don't understand this thing. You're doing action Y and Z. How does that really work?
Justin Beals: I love that. I think we're a little bit into being founders and leading teams and that work, which is something I take great pride and care in. Because to me, the reason to build these companies was to pull together a group of people I really enjoyed working with. Don't get me wrong, we want a great financial outcome. I want my investors to be really happy. I want my team to feel wealth in their life. But at the same time, every day, day in and day out, I just want to feel like I have a great team to do the work with. And colleagues like yourself have been a part of that, like growing, learning, joy in a really hard thing to do. Yeah.
Dorian James Cougias: It is. You've got to weed out who you work with and who you don't. You know, I could have stayed on with UC as the founder, and I was the single largest shareholder. At the end of the day, it was not fun because of the PE guys that came in. And it was not fun because of the way they wanted to build a culture of less caring than we had built.
And that's why I decided to completely retire, remove myself from the board. I sold them all of my shares back for a dollar. Just to be completely unencumbered so that I can go work with people like you that I want to work with. Yeah, I'm doing the CMMC thing. I'm doing the StigViewer thing because all of the people, and you met the same people in Florida, all of the people who are trying to do this are building things to work with our federal government to make us more secure, to make it a better thing. The people that were there. You know the gentleman Rainer, what was his first name? Shoot, you know, I have to keep these cards because I'm not the world's smartest guy; my memory kind of stinks these days. Richard Rainer.
Justin Beals: I have a very bad memory. Yeah.
Dorian James Cougias: Richard Rager from DCSA. What a great guy, right? Gave a presentation, and there's a guy, so if you want to call him a civil servant, I know, here's one who has it together and could probably be sitting on any board whatsoever. Smart as a whip, smart as a whip, giving it his all. To ensure that we're secure, giving it his all. Hey, you know what? I'm in it for guys like that. They need the support. They need what we're building.
This is the first time that anybody could be building anything that ties it all together, puts it into a tool like Strike Graph to say, not only here's what you need to do, here's how to do it, and you're going to put it together in a way that passes the audit, but here's who. Here's the cognitive load. That's going to be so cool.
Justin Beals: It's really powerful, yeah. And whether it's for a CMMC outcome or some other type of compliance outcome, at the end of the day, I haven't had a customer that went through the process, got on the other side, and didn't say it made us a better organization. Yeah.
Dorian James Cougias: Right. Absolutely. It takes, you know, and especially tying in all the stuff with AI. Let the computers, let the cogs do what the cogs need to do. Let the people think, you know, it frees them on up. We priced StigViewer basically saying, yeah, we know you can go download a JSON STIG for free.
Great, then you have to go load it into a tool individually, and you have to update it individually, and you have to, and you have to, and you have to. We're gonna give this to you for one-tenth of what it would cost with all the "you have to"s. As an API call that will tie into your tool, that will tie into everything else, so you can go do what you really need to do. And that's gonna make your life better.
Justin Beals: Dorian, I really appreciate you joining us today on SecureTalk. I am very grateful for our partnership with Moxie Woof. It is a blast to work with your team. And I'm deeply grateful for your friendship and sharing your knowledge with me as an individual. It has been so much fun to get on the phone with you every couple of weeks and then meet up together at a conference. So really, thank you so much.
Dorian James Cougias: Well, thank you so much for the time today. You've built a great organization. Your staff adore you. I got the pleasure of taking some of your staff to dinner, and just the wonderful Justin stories that they tell are, I should be so lucky someday. So thank you.
Justin Beals: Likewise, yeah. Maybe some form of merger in the not-too-distant future.
Dorian James Cougias: So thank you. Thank you very much for having me on. I truly appreciate it.
Justin Beals: Our pleasure and thanks to our listeners today on SecureTalk, and have a great week.