GRC Room: Five Questions with SCI’s Caleb Mattingly

Hosts: Mike Andrews & Karina Clever (Clever Compliance)  •  Guest: Caleb Mattingly, Founder of Secure Cloud Innovations (SCI)

Policies vs. controls, healthcare breaches, and why hands-on cloud engineering beats shortcuts. This is a lightly edited transcript to preserve the voices of Mike, Karina, and Caleb.

Quick Hits

  • Policies vs. controls is the common stumbling block—what’s required vs. what’s best practice, plus cadence for each activity.
  • Compliance ≠ security. Treat frameworks as a floor, not the finish line.
  • Cloud engineering + automation (Terraform, CI) can slash timelines without cutting controls.
  • A neutral gap assessment often delivers the biggest near-term lift in posture and sales velocity.

Q1) What part of cyber GRC do businesses struggle with most?

Caleb: Policies—and specifically how those policies map to controls and cadence. Teams ask what’s truly required for SOC 2 / ISO 27001 / GDPR / HIPAA, and how often to do access reviews, log reviews, and tabletops.

Karina: Don’t decouple documentation from controls. Your docs should contain the controls you’ll attest to.

Takeaway: Bake controls and owners into your policies, with clear review frequencies.

Q2) A data breach that stands out?

Caleb: Healthcare. We saw a neurology practice using personal email accounts for patient info—classic hygiene gap that leads to breaches.

Karina (pro tip): Before sharing sensitive info, check the HHS OCR breach portal to see if a provider is under investigation.

Mike: If a provider insists on fax, you’ve basically done a quick risk assessment—and it didn’t go great.

Takeaway: Don’t assume HIPAA maturity. Verify managed email, MFA, logging, backups, and secure data flows.

Q3) Most impactful GRC advice you’ve received?

Caleb: An auditor told me: “Never tell customers they’re secure once they’re compliant.” Compliance is a great step, not a shield. Plenty of SOC 2/ISO-certified companies still get popped.

Karina: Minimum-viable, checkbox compliance leaves visible holes attackers know to target.

Mike: There’s also a legal angle—avoid absolute “we are secure” claims.

Takeaway: Market honestly. Aim for resilient operations, not just a logo.

Q4) What does SCI do differently?

Caleb: We come from cloud security engineering, not just governance. We embed and make hands-on cloud changes. We’ve built Terraform modules and tooling that implement many control requirements in minutes—without removing controls.

Mike: That startup-friendly, practical approach lets teams focus on product and growth.

Takeaway: Speed should come from automation + expertise, not from cutting scope.

Q5) One thing a business can do today to strengthen GRC?

Caleb: Get a third-party gap assessment (Clever Compliance, SCI, or a trusted partner). Outside the audit window, you’ll get frank feedback on missing controls and higher-leverage security improvements. We’ve seen enterprise sales cycles drop from 12–18 months to 4–6 months after SOC 2/ISO readiness plus credible security practices.

Karina: It’s never an arrival—GRC is an operating rhythm, like product.

Takeaway: Targeted assessment + practical fixes = better posture and faster deals.

Favorite Quotes

“Compliance doesn’t equal security. Treat it as the floor, not the ceiling.”

— Caleb Mattingly

“Don’t decouple documentation from controls. Bake the controls into your docs.”

— Karina Clever

“Shortcuts come back to bite. Startups talk—trust compounds when you do it right.”

— Mike Andrews

What to Do Next

  • Get a gap check: Identify missing controls, fix cadence, and harden cloud basics.
  • Tie docs to controls: Ensure every policy carries testable, owned controls.
  • Automate the boring stuff: Use Terraform/CI for secure defaults—then verify.