Security conversations often start with tools, frameworks, or the next technology wave. In practice, security breaks down for far more fundamental reasons. In this episode of #shifthappens, Summit 7 CEO Scott Edwards offers a grounded, experience‑driven perspective on why security maturity continues to lag across defense and government supply chains, even as expectations rise. Drawing from years of working directly with contractors, subcontractors, and multinational organizations, Edwards makes a clear case: real security challenges are rarely technical. They are organizational, cultural, and leadership‑driven.
From compliance pressure to AI hype, the discussion reframes security as an operational discipline—one that succeeds or fails based on how well organizations understand their data, scope their environments, and assign responsibility. What emerges is not a call for more tools, but for clearer thinking.
CMMC as a Pressure Test, Not the Problem
One of Scott's most consistent themes is that compliance frameworks do not create problems; they make existing ones unavoidable. As enforcement becomes real, longstanding gaps surface quickly. Organizations that once relied on self-attestation or informal practices suddenly feel exposed, not because anything changed in their environment, but because reality caught up with what they had been claiming.
The Cybersecurity Maturity Model Certification (CMMC) is a verification program, with third-party assessment for most Level 2 contracts, confirming that organizations have actually implemented the NIST SP 800-171 controls they were already contractually required to follow under DFARS 252.204-7012. The urgency surrounding CMMC has forced many organizations to confront truths they previously sidestepped: unclear data handling, inconsistent labeling, and an overreliance on IT teams to solve what are ultimately business decisions.
This is why compliance pressure hits some organizations harder than others. Those who already understood their environments experience friction; those who didn't experience disruption. The framework becomes a mirror that reflects readiness rather than a source of new requirements.
Where Security Readiness Breaks Down and How to Fix It
Security breaks down when data, ownership, and scope are not clearly defined. What this episode makes clear is that many gaps stem from unanswered questions about ownership, boundaries, and assumptions. Before organizations look at frameworks or technologies, they need to define how responsibility and trust operate across their environment.
Decide Who Owns Trust
Security challenges often persist because responsibility is diffuse. Scott makes it clear that protecting sensitive data, especially in environments handling controlled unclassified information (CUI) and federal contract information (FCI), cannot be treated as a task owned solely by IT. Instead, accountability must sit at the organizational level, with leadership responsible for ensuring that data is properly handled, secured, and aligned with contractual obligations.
When ownership is unclear, organizations fall into patterns of assumption: Teams assume data is protected, contracts are understood, or controls are in place. In reality, these gaps only surface when external pressure, like CMMC requirements, forces validation. Establishing clear ownership is what turns security from an abstract responsibility into an operational, enforceable function across the business.
Clarify the Guardrails First
A recurring issue Scott highlights is the lack of clarity around what data actually requires protection and how it should be handled. In many cases, organizations struggle with inconsistent classification and marking of sensitive information, particularly CUI. This leads to confusion across the supply chain, where data moves between government, primes, and subcontractors without clear labeling or shared understanding.
Without defined guardrails, organizations tend to overcompensate, treating everything as sensitive, or under-protecting what actually matters. Both outcomes increase risk and cost. Clear guardrails, grounded in accurate data classification and well-understood data flows, allow organizations to focus their efforts where they are needed most. This enables effective scoping and prevents security programs from becoming unnecessarily complex or unsustainable.
Question What You’re Trusting by Default
Scott points out that many organizations operate on untested assumptions about their data and systems. Data may be passed between parties without proper marking, created within contracts without being recognized as sensitive, or handled in ways that were never formally defined. Over time, these assumptions become embedded in operations, creating blind spots that are difficult to detect.
When organizations don’t actively question these defaults, they either underestimate risk or respond by overcorrecting — expanding controls across entire environments because they lack confidence in what truly needs protection. Challenging these assumptions requires a deliberate effort to map data flows, validate classifications, and understand how information is actually being used. This is where many of the gaps exposed by compliance pressures originate.
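The two sections above describe the same mechanism from opposite ends: scope follows data flows, and an unvalidated flow is an assumption that either inflates scope (everything is treated as sensitive) or hides risk (a system quietly receives CUI nobody marked). The following script is an added illustration, not code from the episode or from Summit 7. The asset inventory, the flow records and the "validated" flags are constructed for the example, and the scoping rule is deliberately simplified: an asset is in scope if an inbound flow carries CUI, and assets that provide security functions for in-scope assets are pulled in with them. It is not the official CMMC scoping guidance, which defines more asset categories.

```python
"""Derive scope from a data-flow inventory and surface untested assumptions.

Added illustration (not from the episode or from Summit 7). Asset names,
flows and validation flags are constructed; the scoping rule is a
simplification of CMMC scoping, used only to show how one unvalidated flow
changes the boundary.
"""
from collections import deque

# Constructed asset inventory. Assets with role "security" (IdP, SIEM) are
# pulled into scope whenever an asset they protect is in scope.
ASSETS = {
    "engineering-share": {"role": "file-server", "protected_by": ["idp", "siem"]},
    "erp":               {"role": "business-app", "protected_by": ["idp"]},
    "hr-portal":         {"role": "business-app", "protected_by": ["idp"]},
    "marketing-site":    {"role": "web",          "protected_by": ["siem"]},
    "idp":               {"role": "security",     "protected_by": []},
    "siem":              {"role": "security",     "protected_by": []},
}

# Constructed data flows. "carries_cui" is what the flow is *marked* as;
# "validated" records whether anyone actually checked that marking.
FLOWS = [
    {"src": "prime-contractor", "dst": "engineering-share", "carries_cui": True,  "validated": True},
    {"src": "engineering-share", "dst": "erp",              "carries_cui": False, "validated": False},
    {"src": "erp",               "dst": "hr-portal",        "carries_cui": False, "validated": True},
    {"src": "marketing-site",    "dst": "erp",              "carries_cui": False, "validated": True},
]


def cui_scope(flows, assets, distrust_unvalidated=False):
    """Return the set of in-scope assets.

    A destination enters scope if a flow into it is marked as carrying CUI.
    With distrust_unvalidated=True, any unvalidated flow leaving an in-scope
    asset is also assumed to carry CUI (the "treat everything as sensitive"
    posture). Security assets protecting in-scope assets follow them in.
    """
    in_scope = set()
    frontier = deque()
    for f in flows:
        if f["carries_cui"] and f["dst"] in assets and f["dst"] not in in_scope:
            in_scope.add(f["dst"])
            frontier.append(f["dst"])
    while frontier:
        asset = frontier.popleft()
        new = set(assets[asset]["protected_by"])
        if distrust_unvalidated:
            new |= {f["dst"] for f in flows
                    if f["src"] == asset and not f["validated"] and f["dst"] in assets}
        for n in new - in_scope:
            in_scope.add(n)
            frontier.append(n)
    return in_scope


def flows_needing_validation(flows, assets):
    """Unvalidated flows leaving an in-scope asset: the assumptions to test."""
    scope = cui_scope(flows, assets)
    return [f for f in flows if f["src"] in scope and not f["validated"]]


if __name__ == "__main__":
    trusting = cui_scope(FLOWS, ASSETS)
    distrusting = cui_scope(FLOWS, ASSETS, distrust_unvalidated=True)
    print("scope if markings are trusted:   ", sorted(trusting))
    print("scope if unvalidated is assumed CUI:", sorted(distrusting))
    print("difference:", sorted(distrusting - trusting))
    for f in flows_needing_validation(FLOWS, ASSETS):
        print(f"validate: {f['src']} -> {f['dst']} (marked carries_cui={f['carries_cui']})")
```

On this inventory the two postures differ by exactly one system, the ERP, and the difference is attributable to one flow nobody has checked. Validating that flow either keeps the ERP out of scope with evidence, or brings it in with the correct marking; both are better than the default of assuming.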
Revisit Trust as AI Acts on Your Behalf
Scott is particularly direct about the risks of advancing automation and AI too quickly without addressing foundational issues. He notes that many organizations are eager to adopt advanced capabilities but still struggle with basic practices, such as enforcing controls and understanding their data environments. In this context, introducing AI doesn’t solve underlying problems; rather, it accelerates them.
When systems begin to act on behalf of users – classifying data, making access decisions, or automating workflows – the quality of those actions depends entirely on the strength of the underlying data and controls. If those foundations are weak, automation simply scales inconsistency and risk. This is why Scott emphasizes that organizations must first establish strong fundamentals before delegating decisions to technology. Only then can automation contribute to security rather than undermine it.
Readiness Is Revealed Under Pressure
The episode ultimately reframes security not as a checklist, but as a capability. Pressure – whether from compliance requirements like CMMC, contractual obligations, or growing system complexity – reveals readiness.
As organizations face increasing expectations around data protection and operational resilience, the lesson from this conversation is clear: Progress doesn’t start with tools. It starts with clarity, accountability, and leadership willing to engage with the fundamentals.
Episode Resources
#shifthappens Research: The State of AI Report
