In this episode, Cheri Hotman sits down with long-time colleague and GRC leader Peter Spier for a candid, no-nonsense conversation about what actually keeps organizations secure and what quietly puts them at risk.

Peter brings more than two decades of experience across PCI, audits, and enterprise risk to unpack a topic most teams avoid. Integrity in GRC. Together, they challenge the obsession with green checkmarks, clean audit reports, and “passing” frameworks while ignoring what really matters. Reducing real risk.

This conversation cuts straight through common myths:

• Why a report with zero findings should make you nervous, not confident

• How audits differ fundamentally from running a security program

• The danger of scoping games and checkbox compliance

• Why continuous improvement requires uncomfortable conversations

• How ego, incentives, and fear quietly undermine security decisions

Cheri and Peter also explore the human side of cybersecurity. Coachability, transparency, and the willingness to surface problems early before attackers do. This episode is for leaders, practitioners, and auditors who care less about appearances and more about building programs that actually protect the business.

If you have ever felt uneasy about a “perfect” audit, struggled to push bad news up the chain, or wondered whether your compliance program is giving you a false sense of security, this conversation will resonate.

In this episode, Cheri Hotman sits down with Joe Kodali, a fellow CPA turned cybersecurity and GRC leader, to have a blunt, practitioner-level conversation about what is actually broken in modern cybersecurity programs and why compliance theater is making organizations less secure, not more.

They unpack the unique value CPAs bring to cybersecurity, not because of accounting, but because of how auditors are trained to understand entire businesses, ask uncomfortable questions, and tie controls back to real risk and return on investment. From there, the discussion goes deep into the widening gap between executives and cyber teams, the failure of checkbox audits, and how GRC tools and low-quality SOC 2 practices have created a dangerous false sense of security.

Cheri and Joe challenge the industry’s obsession with compliance over governance and risk, calling out poor scoping, copy-paste controls, and the misuse of frameworks that were never meant to be treated as templates. They also address the hard truth that tools do not fix broken programs, people and discipline do.

The conversation closes with a candid discussion on why governance is the most overlooked and undervalued part of GRC, how boards should be asking better questions, and what it actually takes to build a cyber program that protects the business rather than just passing audits.

This episode is required listening for CISOs, security leaders, GRC practitioners, auditors, and executives who want real security outcomes instead of green checkmarks.

In this episode, Cheri Hotman sits down with CMMC expert and strategist Linda Rust for a direct, unscripted conversation about what CMMC really means for defense contractors, why so many organizations get it wrong, and how leaders can approach compliance with clarity instead of chaos.

Linda brings more than 25 years of engineering and mission-critical technology leadership to the table. She breaks down why CMMC is fundamentally a business issue rather than an IT project, why third-party accountability is often the only thing that finally moves organizations to action, and why “cheap” approaches end up being the most expensive mistakes companies make.

Cheri and Linda dig into:
• What CMMC is (and isn’t)
• Why scoping and understanding your data matters more than any technical control
• Why leadership, not IT, must own the strategy
• The real cost drivers behind CMMC and why labor—not tools—is the biggest factor
• How small companies get themselves into false-claims trouble without realizing it
• What’s coming next with FAR CUI and NIST 800-171 Revision 3
• How organizations can right-size their efforts instead of chasing shortcuts

If you want a frank, practical explanation of CMMC from two people who have lived it for years, this episode will help you understand the landscape, avoid costly pitfalls, and build a program that leaders can actually sustain.

In this episode, Cheri Hotman unpacks the real story behind CMMC—and why it’s far more than a compliance checklist. Drawing on highlights from her recent Dallas talk, Cheri emphasizes that passing an audit is never the end goal. Instead, CMMC is about protecting sensitive government data, earning customer trust, and building integrity into every layer of your security program.

Cheri breaks down the biggest pitfalls she sees—like over- or under-scoping, documentation theater, and trying to “DIY” without the right expertise. She shares why companies must approach CMMC as an ongoing cycle of protection, monitoring, and improvement—not a one-time project.

If you’re navigating CMMC, you’ll walk away with:

• Clear insight into what the DoD really expects (hint: it’s not just a perfect score).

• Strategies to scope effectively and avoid wasted effort.

• How to balance third-party support with true internal ownership.

• The importance of building trust and integrity over “just passing.”

CMMC is a chance to strengthen your security posture and stand out in the market—don’t miss it.

In this episode, Cheri Hotman and Paula Biggs break down the realities of CMMC compliance, with a special focus on scoping and avoiding common missteps. They explain how CMMC builds on existing NIST 800-171 requirements and why scoping—deciding which systems, people, and vendors fall under compliance—is the first and most critical step. Paula emphasizes that smaller companies can often save significant cost and risk by narrowing their scope strategically, while Cheri highlights how poor scoping leads to inflated audits, unnecessary licensing fees, and added risk exposure. Together, they stress the importance of understanding vendor responsibilities, building accurate and detailed System Security Plans (SSPs), and treating audits as confidence-building exercises rather than checkbox events. The conversation reinforces that CMMC isn’t just about passing an audit—it’s about sustaining secure, risk-aware practices that protect sensitive data and long-term business trust.

Cheri Hotman and Tanya Wade cut through the checkbox mentality of audits to show why real compliance is about building programs that protect your people, data, and reputation year-round. From SOC 2 readiness to the pitfalls of over-relying on GRC tools, they share practical steps for prioritizing controls, assigning ownership, and reducing audit stress. If you’ve ever thought “we passed the audit—now what?”, this episode gives you the roadmap to continuous compliance with less chaos and more confidence.

In this kickoff episode of The Art of Cybersecurity, host Cheri Hotman shares why this podcast exists and what listeners can expect. Cyber isn’t just science or technology — it’s art. It’s messy, constrained, people-driven, and ultimately about mitigating risk to protect people and data.

Cheri cuts through the noise of “easy button” tools, audit-passing mentalities, and checkbox compliance to talk about what security really is: designing programs that work, tackling people and process challenges, and aligning solutions to business goals.

Expect honest, unfiltered conversations, real-world stories, and practical insights that go beyond buzzwords. If you’re ready to say what needs to be said and push for cybersecurity that truly matters, subscribe now and join the fight.

Take these 5 tactics given by Cheri Hotman to help better protect the cloud.