SDM Show: A Deep-Dive on Cybersecurity with SCI’s Caleb Mattingly
Host: Rob Cairns (Stunning Digital Marketing) • Guest: Caleb Mattingly, Founder & CEO, Secure Cloud Innovations (SCI)
From lockpicks to least privilege, Rob and Caleb cover a lot: training humans, balancing convenience with control, why backups fail, how AI helps and hurts, and the soft skills that make security programs actually work. Lightly edited for clarity; the voice stays conversational. If you like this, you might also enjoy our earlier posts: GRC Room: Five Questions with Caleb and Compliance Hell Is Optional.
Highlights
- Security is everyone’s job. Training beats blame. Urgency is a social-engineering tell. See more in our GRC Room conversation.
- Backups are not DR. Test restores, keep off-site copies, and retain months of history. If you’re building toward audits, check our Embedded Compliance approach.
- Least privilege matters. Admin sprawl = breach fuel. Role-based access + audits. Related read: Compliance Hell Is Optional.
- Patch faster. Core, plugins, PHP, OS. For WordPress, weekly isn’t enough anymore. Need a hand? Contact SCI.
- AI is a double-edged sword. Offense scales; so can log analysis and anomaly detection. Pair with ongoing control maintenance.
- Soft skills win. Security is a marathon; relationships and sequencing matter—more in this Q&A.
Getting into security — and staying there
Caleb: I started in IT help desk, fell in love with security, got told I’d never make it, earned certs, did defense contracting, led security at AllTrails, then returned to entrepreneurship to build SCI.
Home life, smart devices, and the “usable security” balance
Caleb: We keep modern conveniences but apply basics—strong Wi-Fi creds, updates, and sensible defaults. Not everything needs to be “no-tech” to be safer.
Rob: The tension is real—lock it down vs. make it usable, especially for seniors who struggle with MFA. Aim for the middle: app-based MFA or keys where possible.
Training beats blame
Rob: Mandatory annual training helps; more frequent is better. Staff need coaching, not shaming.
Caleb: Security is everyone’s job. Awareness changes outcomes. Expect pushback—meet people where they are.
Trust, platforms, and patch culture
Rob: People grumble about Windows, yet trust it to run the enterprise—Patch Tuesday is table stakes.
Caleb: Startups love Apple; at scale, many shift to Microsoft stacks. Either way, patch and monitor. Need a security review? Talk to us.
Backups and disaster recovery (DR)
Rob: Keep multiple backup layers (site, host/server, and independent storage), off-site copies, and at least six months of retention.
Caleb: Images + fast reprovisioning win in cloud. Store replicas in another account or cloud. If you’re prepping for SOC 2/ISO evidence, our Embedded Compliance service bakes DR tests into your cadence.
Least privilege and admin sprawl
Caleb: Frameworks require role-based access and access reviews. Early-stage startups over-permission by necessity—dial it back once you touch production data.
Rob: WordPress audit: 47 admins. Dropped most to Editor; no one noticed. That’s the problem.
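The kind of access review Rob and Caleb describe, worked through in code. This is an added example, not something from the conversation or from SCI: the user records, the job-to-role mapping and the approved-admin list are all constructed, and the `review_access` function name is ours. It demotes every administrator who is not on the approved list to the least role that covers their job, disables accounts that have not logged in inside the dormancy window, and reports admin counts before and after, which is the evidence an auditor asks for.

```python
"""Quarterly access review over a constructed user export.

Every administrator not on the approved list is demoted to the least role
that covers their actual job, accounts with no login inside the dormancy
window are disabled, and the before/after admin counts are reported.
Users, jobs, the role mapping and the approved list are constructed for
this example; a real CMS or IdP export with the same fields drops in.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class User:
    username: str
    role: str          # current role, e.g. "administrator", "editor"
    job: str           # what the person actually does: "content", "dev", "ops"
    last_login: date


# Least role that still covers each job function (assumption for the example).
ROLE_FOR_JOB = {"content": "editor", "dev": "administrator", "ops": "administrator"}


def review_access(users, approved_admins, today, dormant_days=90):
    """Return the actions a reviewer should take plus admin counts before/after."""
    actions = []
    admins_after = 0
    for u in users:
        if (today - u.last_login).days > dormant_days:
            actions.append((u.username, "disable", f"no login in {dormant_days} days"))
            continue                       # a disabled account is no longer a standing admin
        if u.role != "administrator":
            continue                       # non-admins are outside this review's scope
        if u.username in approved_admins:
            admins_after += 1
            continue
        target = ROLE_FOR_JOB.get(u.job, "subscriber")
        if target == "administrator":
            # The job genuinely needs admin, but nobody approved it: get a sign-off.
            actions.append((u.username, "confirm", "admin not on approved list but job needs it"))
            admins_after += 1
        else:
            actions.append((u.username, f"demote:{target}", "admin not on approved list"))
    admins_before = sum(1 for u in users if u.role == "administrator")
    return {"admins_before": admins_before, "admins_after": admins_after, "actions": actions}


# Constructed sample export: five admins for a site that needs two.
SAMPLE_USERS = [
    User("alice", "administrator", "content", date(2024, 6, 28)),
    User("bob", "administrator", "dev", date(2024, 6, 29)),
    User("carol", "administrator", "ops", date(2024, 6, 20)),
    User("dave", "administrator", "content", date(2024, 1, 5)),
    User("erin", "editor", "content", date(2024, 6, 25)),
    User("frank", "administrator", "content", date(2024, 6, 1)),
]
APPROVED_ADMINS = {"bob"}


def run_sample(today=date(2024, 6, 30)):
    """Run the review over the constructed export as of a fixed date."""
    return review_access(SAMPLE_USERS, APPROVED_ADMINS, today)


if __name__ == "__main__":
    result = run_sample()
    print(f"admins before: {result['admins_before']}, after: {result['admins_after']}")
    for username, action, reason in result["actions"]:
        print(f"{username:8} {action:14} {reason}")
```

On the sample data the review takes five standing admins down to two: two content people drop to Editor, one dormant admin is disabled, and one ops admin is flagged for sign-off rather than silently kept. Keeping the "confirm" path separate matters: an unreviewed admin who really needs the role is still a finding until someone owns the approval.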
Password managers—yes, with guardrails
Caleb: Use one (1Password, Bitwarden, etc.). It simplifies off-boarding and rotation.
Rob: Enforce MFA on the vault, memorize a strong vault pass, consider a personal “pepper” you append outside the manager.
Patching cadence (especially for WordPress)
Rob: Weekly is too slow now. We update three times a week and hotfix criticals. Keep PHP at supported versions; replace plugins that pin you to old runtimes.
Caleb: When a site’s compromised, it’s often outdated core/PHP—not just plugins. Build a routine; automate where safe. For ongoing help, see how we maintain controls.
Enterprises: patience, sequencing, and soft skills
Caleb: You can’t secure an enterprise overnight. Sequence the work, keep relationships intact, and push consistently. Security succeeds on communication as much as controls.
Rob: Our hospital made security talk to help desk three times a week—signals improved, incidents dropped. More on human-in-the-loop in this interview.
AI: offense and defense
Caleb: Offense: easier ransomware and better social engineering. Defense: log analysis, anomaly detection, faster signal from noise. Net impact TBD—plan for both.
Cloud first: identity over per-device VPN
Caleb: Lock root, enable SSO with your IdP (Google Workspace, Okta), enforce MFA, and prefer ephemeral, auditable access. VPNs still have a place (untrusted Wi-Fi, specific private services), but identity controls carry more weight.
Rob: For travel: use a phone hotspot or a hardened travel router; avoid hotel/coffee-shop Wi-Fi for anything sensitive.
Top business risks we see
- Insider risk: malicious or careless access misuse.
- Business Email Compromise (BEC): wire fraud, invoice tampering, vendor impersonation.
- Phishing/social engineering: urgency plays, executive impersonation, MFA fatigue.
- Over-privilege & shadow IT: unknown assets and admin accounts.
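MFA fatigue from the list above, and the "faster signal from noise" log analysis Caleb mentions, as an added example that is not from the episode or from SCI's tooling. The log format and every line in it are constructed for the example; real IdP push logs carry the same fields under different names. The detector watches two things: a burst of push prompts to one user inside a short window, and a push that is finally approved after a run of denials, which is exactly the outcome an attacker holding a stolen password is waiting for.

```python
"""Detect MFA push fatigue (push bombing) over constructed auth log lines.

Two rules:
  * push_burst: `burst` or more push prompts to one user inside `window`;
  * approved_after_denials: a push approved while the user has at least
    `denials_before_approve` denied prompts inside `window`.
The log format and sample lines are constructed for this example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2024-06-30T09:00:05Z user=alice event=mfa_push result=denied ip=203.0.113.7
2024-06-30T09:00:40Z user=alice event=mfa_push result=denied ip=203.0.113.7
2024-06-30T09:01:12Z user=bob event=mfa_push result=approved ip=198.51.100.4
2024-06-30T09:01:30Z user=alice event=mfa_push result=denied ip=203.0.113.7
2024-06-30T09:02:15Z user=alice event=mfa_push result=denied ip=203.0.113.7
2024-06-30T09:03:02Z user=alice event=mfa_push result=denied ip=203.0.113.7
2024-06-30T09:03:50Z user=alice event=mfa_push result=approved ip=203.0.113.7
2024-06-30T09:45:00Z user=bob event=mfa_push result=approved ip=198.51.100.4
"""


def parse_line(line):
    """'<iso timestamp> key=value ...' -> dict with a parsed 'ts' field."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return rec


def detect_push_fatigue(lines, window=timedelta(minutes=10), burst=5, denials_before_approve=3):
    """Return a list of alert dicts for the MFA push events in `lines`."""
    alerts = []
    prompts = defaultdict(deque)   # per-user timestamps of all prompts in the window
    denials = defaultdict(deque)   # per-user timestamps of denied prompts in the window
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec.get("event") != "mfa_push":
            continue
        user, ts, result = rec["user"], rec["ts"], rec.get("result")
        for q in (prompts[user], denials[user]):       # slide the window forward
            while q and ts - q[0] > window:
                q.popleft()
        if result == "approved" and len(denials[user]) >= denials_before_approve:
            alerts.append({"user": user, "rule": "approved_after_denials", "severity": "high",
                           "at": ts.isoformat(), "denials": len(denials[user]), "ip": rec.get("ip")})
        prompts[user].append(ts)
        if result == "denied":
            denials[user].append(ts)
        if len(prompts[user]) >= burst:
            alerts.append({"user": user, "rule": "push_burst", "severity": "medium",
                           "at": ts.isoformat(), "prompts": len(prompts[user]), "ip": rec.get("ip")})
            prompts[user].clear()       # one alert per burst; denials keep accumulating
    return alerts


def run_sample():
    """Run the detector over the constructed log."""
    return detect_push_fatigue(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for a in run_sample():
        print(a)
```

On the sample log alice triggers both rules (five prompts in three minutes, then an approval with five denials behind it) and bob, with two approved prompts forty minutes apart, triggers neither. The approval-after-denials rule is the one to page on: the burst alone may be a confused user, the approval is the moment the account is actually lost.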
How to reach Caleb / SCI
Caleb: Find me on LinkedIn (Caleb H. Mattingly) or via our site: securecloudinnovations.net/contact.
Favorite Moments
“Backups aren’t a plan until you’ve tested restores.”
— Rob
“Security is a never-ending marathon—soft skills keep programs moving.”
— Caleb
Practical Checklist (Steal This)
- Centralize identity (SSO), enforce MFA, disable root logins for daily work.
- Quarterly access reviews; remove standing admin; log privileged actions.
- Backups: cross-account/cloud, encrypted, versioned; test restores quarterly.
- Patch cadence: core/OS weekly, apps/plugins 2–3×/week; hotfix criticals.
- Password manager + vault MFA; rotate on off-boarding.
- Security awareness: monthly micro-training + realistic phishing simulations.
- Travel: hotspot or VPN; no hotel/coffee-shop Wi-Fi for sensitive work.
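The backup item on the checklist, turned into the test Rob's quote demands. This is an added example, not SCI's tooling: it backs up a directory into a dated tar.gz with a SHA-256 manifest, proves the backup by restoring it into an empty directory and checking every file against the manifest, and prunes archives older than the retention window. The site files, the off-site destination and the damaged copy are all constructed inside a temp directory; point `make_backup` at a real site root and an off-site mount to use it for real.

```python
"""Backup, test-restore and retention in one script (constructed example).

A backup only counts once it has been restored into a clean directory and
every file's SHA-256 matches the manifest written at backup time. Archives
older than `retain_days` are pruned. Paths and sample files are constructed
in a temp directory; `src`/`dest` are the site root and the off-site copy.
"""
import hashlib
import json
import shutil
import tarfile
import tempfile
from datetime import date, datetime, timedelta
from pathlib import Path


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest_for(archive):
    return Path(str(archive) + ".manifest.json")


def make_backup(src, dest, when):
    """Archive src as dest/backup-YYYYMMDD.tar.gz plus a SHA-256 manifest."""
    src, dest = Path(src), Path(dest)
    dest.mkdir(parents=True, exist_ok=True)
    archive = dest / f"backup-{when:%Y%m%d}.tar.gz"
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(src.rglob("*")):
            if p.is_file():
                rel = p.relative_to(src).as_posix()
                manifest[rel] = sha256_of(p)
                tar.add(p, arcname=rel)
    manifest_for(archive).write_text(json.dumps(manifest, indent=1))
    return archive


def verify_restore(archive):
    """Restore into an empty directory and check every file against the manifest."""
    archive = Path(archive)
    try:
        expected = json.loads(manifest_for(archive).read_text())
        with tempfile.TemporaryDirectory() as restore_dir:
            with tarfile.open(archive, "r:gz") as tar:
                try:
                    tar.extractall(restore_dir, filter="data")   # 3.12+: refuses path traversal
                except TypeError:
                    tar.extractall(restore_dir)
            for rel, digest in expected.items():
                restored = Path(restore_dir) / rel
                if not restored.is_file() or sha256_of(restored) != digest:
                    return False
        return bool(expected)
    except Exception:   # truncated gzip, bad tar, missing manifest: all mean "not restorable"
        return False


def prune(dest, today, retain_days=180):
    """Delete archives (and manifests) older than retain_days; return their names."""
    removed = []
    for archive in Path(dest).glob("backup-*.tar.gz"):
        taken = datetime.strptime(archive.name[7:15], "%Y%m%d").date()
        if (today - taken).days > retain_days:
            archive.unlink()
            manifest_for(archive).unlink(missing_ok=True)
            removed.append(archive.name)
    return removed


def run_demo():
    """Build a constructed site, back it up, test-restore, damage a copy, prune."""
    today = date(2024, 6, 30)
    with tempfile.TemporaryDirectory() as tmp:
        src, dest = Path(tmp, "site"), Path(tmp, "offsite")
        (src / "wp-content").mkdir(parents=True)
        (src / "wp-config.php").write_bytes(b"<?php define('DB_NAME', 'example');\n")
        (src / "wp-content" / "uploads.bin").write_bytes(bytes(range(256)) * 200)
        good = make_backup(src, dest, today)
        make_backup(src, dest, today - timedelta(days=200))   # an out-of-retention copy
        damaged = Path(tmp, "damaged.tar.gz")                  # simulate a truncated transfer
        data = good.read_bytes()
        damaged.write_bytes(data[: len(data) // 2])
        shutil.copy(manifest_for(good), manifest_for(damaged))
        return {
            "good_restores": verify_restore(good),
            "damaged_restores": verify_restore(damaged),
            "pruned": prune(dest, today),
            "kept": sorted(p.name for p in dest.glob("backup-*.tar.gz")),
        }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

The damaged copy is the point: its manifest is intact and the file exists, so a check that only looks for the archive's presence would call it good. Only restoring it and hashing what comes out shows it is not. Run the same `verify_restore` on a schedule against the off-site copy, not the one sitting next to the server, and keep the pass/fail output as your DR test evidence.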
Need a hand? SCI embeds with startups to implement, evidence, and maintain controls—without cutting corners. Explore Embedded Compliance or see how we’ve approached it in Compliance Hell Is Optional and Five Questions on GRC.