A ‘Military-Grade’ Cybersecurity Leader – Mike Crandall: Making You as Cyber-Resilient as Ever

Cybersecurity is as dynamic and ever-evolving as the times themselves. With the arrival of artificial intelligence, it has become one of the most crucial concerns for organizations worldwide, which must remain as digitally active as ever yet cannot afford cost escalations in either IT security or digital investment strategy. In that sense, Mike Crandall, Chief Executive Officer (CEO) of Digital Beachhead, comes as a saviour for organizations that want the most resilient cybersecurity at an affordable investment.

Mike brings a unique perspective to the digital battlefield, one shaped by a distinguished twenty-year military career. This background in defense provided him with a deep understanding of how to protect assets under pressure and how to anticipate threats before they strike. After transitioning to the civilian world, he spent another fifteen years in the corporate sector, learning the specific challenges that businesses face when trying to grow while staying safe. This rare combination of military discipline and corporate savvy allows him to see cybersecurity not just as a technical hurdle, but as a fundamental part of an organization’s survival and success. 

As the leader of Digital Beachhead, Mike manages a dedicated team of certified experts who provide virtual Chief Information Security Officer support to organizations all over the globe. He realized early on that many small to midsize businesses were being left behind by the high costs of traditional security leadership. By offering a virtual model, he provides these companies with high-level guidance and award-winning expertise without the massive price tag of a full-time executive. His approach is all about making the very best security accessible to those who need it most, ensuring that no organization is left vulnerable simply because of its size. 

Beyond his work at the firm, Mike is a recognized voice in the industry, sharing his knowledge through international public speaking and as a subject matter expert for leading magazines. He understands that in a world where technology changes every day, education is just as important as implementation. He focuses on creating customizable and compliant solutions that fit the specific needs of each client. Whether he is helping a team navigate complex regulations or building a strategy to fend off AI-driven attacks, Mike stays focused on providing practical and effective defense. The mission to secure the digital landscape continues as he finds new ways to bring elite protection to the global business community. 

The ‘Computer Warrior’ Legacy 

Asked about his Air Force career during the early days of network technology, when he famously demonstrated security gaps in DOS overlays, and whether the sharp ‘investigative’ mindset he developed then still influences his leadership today, Mike smiles, “Now this question brings me back. I find myself extremely fortunate to have ‘grown up’ in the technical industry, having been at the right places at the right time.” Technology was new in the Department of Defense (DoD), Mike says, “So those of us with any inkling of curiosity into computers were offered a greater depth of access into exploration and testing. We were children in the proverbial technology ‘candy store,’ and we ate a lot!”

“To your question, I think this investigative mindset into how things worked, how they could be broken or exploited, still does influence my outlook today.” When examining or auditing a client’s network today, it has been of great value to understand how systems communicate at all levels, from the physical to the application. This understanding allows a deeper dive into developing the cybersecurity strategy for our clients. Often, the tools a cybersecurity company has for sale drive its audits and gap analysis. Mike and his team work to be tool-agnostic and focus on the client’s data, communications, and corporate objectives. There is no way to eliminate risk; however, if you have a better understanding of the risks, you can then evaluate mitigation strategies, he explains.

In his solid career, Mike was responsible for the operations of the $50 billion Air Force Satellite Control Network. He recalls that this was one of the largest networks he had the privilege to be responsible for. This network allowed connected system networks, such as GPS, Weather, and Missile Defense, to operate smoothly by controlling the space assets each utilized. “Over the years, I have found the only real difference in networks, be they large or small, is the complexity of connections both internally and externally.” The biggest lesson he learned from managing such a large environment, one that translates directly into the defense of small to mid-sized businesses, is never to overlook the small or seemingly ‘obvious’ things.

Today’s networks, even the smaller ones, can have complexities built in with cloud computing, supply chain connections, and users working from both home and office. Mike explains, “When things get complex, we can often look at those complexities and get hyper-focused on protections and security implementations while losing focus on the smaller, less complex issues, which may offer a ripe opportunity for a cyber-attack. Maintaining a wide and in-depth view of our systems is critical, no matter the size or complexity.” 

Turning back to Digital Beachhead, Mike accepts that the transition from a military career to a civilian one was difficult in general, and adding to the mix starting a company and diving into the civilian cybersecurity world meant a steep learning curve. One of the main reasons they started Digital Beachhead, he says, was finding that most cybersecurity firms were going after large corporate businesses and governmental agencies, as these appeared to be most at risk and more likely to have the budgets to afford cybersecurity implementations. “While most people would assume the DoD has an unlimited budget, this was often not the case, and we were asked to ‘do more with less’ more times than not.” This mindset translates directly to small and midsize organizations that understand they are at risk but feel there is little they can do to protect themselves due to budget constraints. Mike insists, “I understood that there is no budget amount that guarantees security, and it should be about risk management and doing the best you can with the resources you have.” Taking this military mindset into those previously neglected organizations allows them not only to shore up security but also to create a mindset of security strategy, with the goal of growing into more security as resources allow.

Strategic ‘Beachhead’ Thinking

Explaining the reasons behind the philosophy and choosing a name like Digital Beachhead, rooted in the ‘beachhead strategy,’ Mike says that the critical key to securing a network is understanding where the ‘Beachhead’ is. In a typical military scenario, it is a perimeter much like the beaches during World War II. However, your digital beachhead is anywhere you have an IP address. So, you have to change how you look at security. Simply installing a firewall and securing the perimeter is no longer effective. An organization must think deeper with a full-bodied approach, which includes the users of the system. Many traditional cybersecurity vendors have a product that focuses on a single myopic area within cybersecurity. “We have found that some companies have purchased multiple cybersecurity products that overlap in many areas with one or two unique offerings that they used to show they stand apart from their competition.”   

Mike adds that their efforts begin with understanding the client’s current environment, business requirements, budget, and the sensitivity of the data to be protected. Gaining an understanding of the ‘battlespace’ allows Digital Beachhead to create an individualized approach to the cyber risk management of an organization. “Most smaller organizations have a limited budget, and we must determine the best way and where we utilize the spending for maximum effectiveness.” No solution provides 100 percent assurance that an attack will never take place, but understanding risks, prioritizing them, and developing mitigation, transferal, or acceptance strategies makes an organization a much more difficult target than those who just fire and forget.

Mike further advocates for another unique philosophy. The ‘Crawl, Walk, Run’ philosophy was one learned during his time in the military. The military loves to ‘hurry up and wait,’ and he found this to be frustrating at the best of times. He shares, “If we run to our endpoint with a clear understanding of how we got there, things will be missed. Building slowly over time and gradually increasing our ‘pace’ allows us to visualize, comprehend, and adapt as we move, versus looking for an end state too quickly. It is very true that we find it difficult to keep up with technology, but having the ‘new toy’ just to have it serves little purpose unless we understand what risks it may be solving, what technology or manual effort it could be replacing, and most importantly, what new risks it may be introducing.” Cybersecurity is a marathon with ever-changing attack vectors, threats, and vulnerabilities. Mike adds that if they run it like a sprint, it is likely they will miss some of the smaller, more ‘obvious’ mitigatable threats along the way. “To our clients, we like to express everything as risk management, and if you are running full out, it would be hard to notice all the threats as you sprint by.” Take each identified risk, crawl into the discovery of it, walk into methods of mitigation, then run when implemented, and a true pace can be set to keep on running throughout the marathon.

Now, at Digital Beachhead, Mike says they are very proud to be a CMMC Third-Party Assessment Organization (C3PAO) for the Defense Industrial Base (DIB) ecosystem. “I like to say as an authorized C3PAO, ‘we are the droids you are looking for,’” which is a Star Wars reference that shows just how much of a ‘geek’ Mike really is. Digital Beachhead can operate either as a support organization helping DIB companies in their CMMC preparation or as the assessor towards formal CMMC certification. CMMC is a very thorough compliance framework with 14 families (domains), 110 practices (controls), and 320 objectives, and achieving it isn’t an inexpensive undertaking. Mike firmly believes that compliance does not always equal security: “So we work with our clients to find the most cost-effective and secure method to meet CMMC requirements.” Often this can be done using current tools with a finer tuning of configurations versus purchasing a tool specific to a CMMC practice. In other words, Mike and his team look to find methods of compliance by thinking ‘outside the box’ for solutions that provide some relief to the operational budgets.

On the assessment front, they work diligently to maintain the best possible pricing, with costs really being based on the complexity of the environment being assessed. Their individualized company pricing is based on an initial questionnaire where they determine the true level of effort to create a specific cost for each company. 

Innovation and the Human Element 

Mike has said in the past that you cannot simply ‘spend’ your way out of being a target. Reminded of this and asked how he coaches CEOs to utilize their existing resources more effectively to mitigate risk, he replies, “I feel fortunate to have my many years of DoD experience to help CEOs understand this dilemma.” Simply put, Mike states, the DoD has billions of dollars it puts towards cybersecurity, and yet it is breached. Likewise, we see in the news all the large organizations being breached, and they, too, have large cybersecurity budgets. These examples show that you cannot ‘spend your way out of’ the risk of attack; you need to do what you can with what you have, and no level of effort provides a zero-risk environment. It should be noted that while you can’t spend your way out of risk, an organization shouldn’t underspend either. The key, he insists, is balance and developing a true risk management approach. Start with what you have, determine any gaps and overlaps, and work towards a future state with a change management cycle in place for continued growth and risk mitigation.

Cybersecurity is often seen as a cold, technical field. Yet Mike is known for his empathy toward end-users. To that end, he shares that technology alone is never the answer. The technology should be used as a support tool/function for the organization and ultimately the end user. If you read most cybersecurity studies, they almost always discuss the end user as being the ‘greatest threat’ to a network. While this may be true, it could also be stated that the end user is the first line of defense, or a cybersecurity sensor, often being the first to notice activity. While other organizations meet compliance with annual ‘death by PowerPoint’ training, Mike and his team recommend frequent interactive training with short monthly online sessions, looking to develop a cyber-secure atmosphere within the company. If the end users understand their criticality and are provided with sufficient training and incentives, then they can become an asset rather than just a risk.

As an adjunct instructor, Mike bridges the gap between academia and industry. Asked how Digital Beachhead is helping to solve the ‘talent crisis’ by mentoring the next generation of cybersecurity professionals, Mike reiterates, “As I stated earlier, I was fortunate to be in the right place at the right time and had the opportunity to ‘grow’ alongside technology.” People entering the workforce today face the pressure of technology being the driving factor in operations, so downtime is not acceptable. Mistakes are often unacceptable and have dire consequences. Yet Mike believes that mistakes and/or failure are the stepping stones to success. “At Digital Beachhead, we often have two or three interns sitting in on client meetings, doing research, and helping develop documentation. They are, in fact, the ones who publish our daily ‘Cyber Bytes’ of cyber intelligence we post on social media and send to our clients. If our community does not properly train those who want to enter our career, we will always have the talent gap that currently exists.”

A Leader’s Outlook for a Cyber-Secure Future 

Integrity and ‘leading from the trenches’ are Mike’s core values. Maintaining this culture of accountability as Digital Beachhead scales its operations globally is imperative, Mike accepts. He shares, “This is very much a trait learned and embedded from my military service. A notable example was the requirement for our staff to earn the CMMC Certified Assessor designation.” The path to this certification is not an easy one, with hours of mandatory training followed by a three-hour-long exam. Leading from the front meant to Mike that he was going to achieve the same certification as the team. Demonstrating what it means personally builds the culture across the entire team. As Digital Beachhead scales, Mike shows and expects that level of leadership across the organization. “Building a team of ‘we’ versus a group of ‘I’ is our overall goal and can only be accomplished if everyone puts the team first, and that starts with leadership.”

With AI now powering both sides of the cyber battle, Mike anticipates some of the most significant shifts in ‘Cyber Risk Management’ over the next twelve months. AI is the latest in a long line of technology innovations and is, of course, driving much of the conversation lately. His hope is that AI is used to speed the review and analysis of data, spotting trends, attacks, and other events in near real time, which is impossible for humans to do. “I’m afraid of how it is being used by our adversaries with deep fake audio/video leading to more difficult to recognize attack vectors.” The shift in cyber risk management lies in coming to terms with the positive and negative aspects of AI: understanding these new risks and working to find sufficient mitigation strategies. “AI is not going away, so as with any new technology innovation, we must try to keep pace in a way that keeps us secure.”

Asked finally about the one ‘military-grade’ principle that a leader struggling with the ambiguity of modern digital threats can adopt today to protect their company’s future, Mike says, “This is a great question that actually made me laugh. Why? Well, as a retired military member, we tend to view ‘military-grade’ differently than how others may.” The DoD most often purchases from the ‘lowest bidder,’ which means that ‘military-grade’ is not always the best solution, but the most cost-effective one. “I will fall back to a previous statement as though of having to ‘do more with less,’ which really speaks to the military mindset.” It is about learning how to adapt and overcome any situation. Mike’s advice would be to step back and evaluate your risk compared to your current environment. What keeps you up at night, versus which systems or data would pose less of a threat if compromised? Understand the risks, prioritize them, and THEN work towards mitigation, using first what you have before looking for the next great tool. The key is knowing and understanding the risks first!