Lawrence Cruciana, CISSP, CISM, CISA, GCCC, CCP, CCA and Lead CCA

Founder & President of CorpInfoTech

Lawrence Cruciana, CISSP, CISM, CISA, GCCC, CCP, CCA, Lead CCA, is the founder and President of Corporate Information Technologies (CorpInfoTech), a cybersecurity-centric Managed Service Provider that he has led for more than two decades. CorpInfoTech was the first organization to achieve CREST accreditation under the CIS Controls Accreditation program, was one of the first CMMC Level 2 certified MSPs, was among the earliest recognized CMMC Registered Provider Organizations (RPO), and is a long-standing contributor to national cyber defense through its membership in the Cybersecurity and Infrastructure Security Agency (CISA) Joint Cyber Defense Collaborative. CorpInfoTech delivers secure IT services to highly regulated industries, including organizations within the Defense Industrial Base (DIB), financial services, and other information-centric regulated sectors.

With extensive experience designing, implementing, and leading cyber-risk programs in regulated and high-consequence environments, Lawrence brings deep operational insight and strategic vision to the challenges of supply chain security, critical infrastructure protection, and practical framework adoption. His expertise spans NIST SP 800-171, the NIST Cybersecurity Framework (CSF), the CIS Critical Security Controls, NERC CIP, and deep CMMC program compliance; he has implemented these frameworks in environments ranging from small professional services firms to enterprise-scale defense contractors. 

A multi-time RSA Conference “Highly Rated” speaker, Lawrence has presented on cybersecurity, compliance, and operational resilience at major industry conferences, professional associations, and executive briefings. His ability to translate complex, regulated framework-based cybersecurity system design and operationalization into actionable, business-aligned strategies resonates with both technical practitioners and business leaders. 

Lawrence’s current work centers on helping organizations integrate multiple security frameworks, with a focus on CMMC compliance and the CIS Critical Controls, into operational disciplines that strengthen IT service delivery, incident response, and continuous improvement. By coupling hands-on technical depth with a broad understanding of governance and risk management, he equips leaders and practitioners to make informed, defensible security decisions in an era of escalating threats.


Examples of Past Presentations/Publications

Lawrence Cruciana has experience in speaking on a number of subjects related to the SMB security sphere. If you are interested in having Lawrence present at an event, below are three examples of recent presentations that may speak to your audience. Feel free to contact us to suggest additional topics or areas of focus!

2026 ChannelPro LIVE: Charlotte (April 7-8, 2026)

Lawrence presented multiple sessions at ChannelPro LIVE, contributing to both the main program and the DEFEND Cybersecurity Workshop. His talks covered selecting the right security tools, embracing co-managed security models, and strengthening incident response planning.

BSides San Francisco: Cringe Corrected: Hot Takes Fixed by the CIS Controls

Lawrence Cruciana presented a lighthearted but deeply practical session at BSides San Francisco, using real social‑media posts to highlight common cybersecurity misunderstandings. He mapped each example to the CIS Controls, showing how they clarify intent, improve implementation, and strengthen real‑world security outcomes. The format delivered memorable, repeatable guidance for practitioners at every level. 

Misconfiguration Madness 2026

In March–April 2026, Lawrence played a key role in Misconfiguration Madness, a five-week tournament developed by CorpInfoTech and Senteon. The event challenged experts to assess how common misconfigurations behave under real production pressures: environment drift, broken visibility, and active incident conditions. Matchups were scored on real-world security impact, exploit visibility, and adherence to CMMC expectations. All episodes are available on Senteon's YouTube channel, including Episode 1 with Matt Lee from Pax8 and Episode 5 with Koren Wise from Wise Technical Innovations.

PMPA Speaking of Precision Podcast: Everything CMMC Part 1, 2 and 3

Lawrence Cruciana and Laura Rogers, Director of NC State’s NC-PaCE program, walk through what 32 CFR and 48 CFR mean, the difference between Level 1 (17 practices) and Level 2 (110 practices), and when companies will need a self-attestation versus a third-party certification. Listeners get a realistic, phase-by-phase timeline of when certification will be required, starting with self-assessments immediately after publication and culminating in full mandatory certification within three years. Both speakers stress the importance of vetting MSP partners carefully and starting now, since implementation and certification take time.

CMMC Unscripted: Navigating the Shared Responsibility Matrix

On a recent webinar with CEO of SMPC-C Srikant Rachakonda, Lawrence Cruciana discussed the importance of having a shared responsibility matrix (SRM) and why it is crucial to your compliance posture.

Pax8 Beyond - (Your Journey Beyond Limits)

Lawrence Cruciana spoke on a panel with other CMMC experts at the most recent Pax8 Beyond event in Denver, CO. He was able to discuss the challenges of CMMC compliance and what contractors can expect when pursuing their own certification.

Pax8 - Podcast "The Game" (Pax8)

Lawrence Cruciana was a guest on the Pax8 "The Game" podcast, live streamed from RSA.

Somebody's Responsibility is Nobody's Responsibility - Lawrence Cruciana & Matt Lee (RSAC 2025)

This session explores managing security within third-party IT relationships using Shared Responsibility Models (SRMs). With most organizations relying on third parties, clear responsibility definitions are crucial. Using the state of third-party Managed Service Provider (MSP) security as a lens, learn how SRMs reduce ambiguity, prevent exploitation, and drive accountability for everyone involved.

ConnectWise Acquires Axcient and SkyKick (MSP Success)

Lawrence Cruciana from CorpInfoTech commented on the recent acquisition of Axcient and SkyKick by ConnectWise. 

Don't Fear, CIRCIA's Here... There, and Nearly Everywhere! (CompTIA ChannelCon)

Lawrence Cruciana spoke at the 2024 CompTIA ChannelCon in July of 2024. His presentation, "Don't Fear, CIRCIA's Here!", summarized the importance of the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). 

The White House and You - Are the Walls Closing in on MSPs? (MSP Success)

On May 13th, 2024, MSP Success published an article on the recently released version 2 of the National Cybersecurity Strategy Implementation Plan (NCSIP). In the article, several thought leaders gave their insight on how this new plan will impact MSPs. Lawrence Cruciana, founder and President of CorpInfoTech, touched on the theme of teamwork and how the NCSIP acknowledges that cybersecurity is a team sport and requires everyone working together to build a solid defense. 

Why "DSPM" Was the Acronym to Watch at This Year's RSA Conference (Channelholic)

In this article published on Channelholic's website, the author discusses the importance of DSPM, or data security posture management, and why it was of particular interest during this year's RSA Conference 2024. With generative AI and LLMs becoming increasingly popular, data protection must become a top priority. Lawrence Cruciana warns of the dangers in trusting "private" LLMs with data even when they are often described as safer than public ones.

Will The New Cyber Defense Plan for RMM Keep You Safer? It's a Start. (MSP Success)

Remote monitoring and management (RMM) tools are valuable to MSPs despite having their own vulnerabilities. In 2023, CISA published the JCDC's Cyber Defense Plan for RMM to help protect organizations utilizing RMM tools. In this MSP Success article, Lawrence Cruciana discusses why this plan is important and what it hopes to accomplish.

Manufacturing Matters - Cybersecurity Insights for Secure Manufacturing (Defense and Munitions)

Lawrence Cruciana, founder and president of Corporate Information Technologies, discusses how the vulnerability of government, enterprise, and small business organizations alike to supply chain attacks is a rapidly evolving threat.

"Residual Risk: It's Not Always About the Zero Days"

The state of cybersecurity often is typified in terms of the latest flashy 0-day exploit or the most recent high-profile data breach. While these are characteristic elements of the state of security, they are not representative of the vast majority of successful attacks. Often, smaller organizations focus on implementing increasingly complex, capable, and expensive cybersecurity tools rather than securing the practical and, often, more opportunistic areas of the information ecosystem. This session will review the vulnerability management practices of a typical commercial entity, identify the common pitfalls encountered by IT teams in this pursuit, and present practical and directly implementable methods to implement meaningful security controls across a modern multi-vendor environment. Using the CIS Controls, we'll address many of the most commonly attacked areas found in most information ecosystems using free and low-cost methods that are easily implemented and understood. Attendees will walk away with actionable information, field-proven tools, and practical methods to improve the cybersecurity posture of their individual environments.

"The SMB Supply Chain Ecosystem"

The vulnerability of government, enterprise, and small business organizations alike to supply chain attacks is a rapidly evolving threat. One commonly overlooked supply chain attack vector, recently identified within initiatives supporting the National Cybersecurity Strategy, is the use of Remote Monitoring and Management (RMM) software by threat actors to effectively bypass many existing security controls. RMM software historically has been employed principally by Managed Service Providers (MSPs). With approximately 85% of commercial organizations that employ fewer than 500 employees utilizing the services of one or more MSPs, the presence of multiple RMMs within the trusted supply chain of most commercial enterprise and government entities is nearly certain. This session will explore in depth the origins, identification, and effective risk mitigations for this highly successful emerging threat. Delivered from the perspectives of a technologist and practitioner, two experts who first raised concerns in 2016 about the potential for attacks using RMMs will explore proven methods to cooperatively improve the security of the supply chain from enterprise to SMB against RMM attacks.

"Measuring Up: Achieving CMMC/800-171 Compliance in Smaller Organizations"

Throughout the industrial supply chain, cyberattacks continue to increase in frequency and severity. Smaller organizations are disproportionately impacted by these attacks and are often not equipped to deal with the long-term ramifications. Unsurprisingly, organizations involved in the supply chain of the U.S. Department of Defense are often more aggressively targeted by sophisticated threat actors. The NIST 800-171 and emerging CMMC standards intend to help safeguard potentially sensitive information from these threat actors. Smaller organizations often have difficulty accurately measuring and reporting their cybersecurity posture under these standards. This session will provide attendees with the knowledge to more readily understand the intentions of these standards and the tools by which to measure and objectively report their cybersecurity posture to internal and external stakeholders. Additionally, we will introduce practical solutions to close the cybersecurity gap between IT and OT to improve overall cybersecurity outcomes. These solutions employ open standard cybersecurity frameworks and low-cost tools to ensure they are accessible to organizations of all sizes and complexities.