Lawrence Cruciana

CISSP, CISM, CCP, GCCC and Founder and President


With over 20 years of Information Technology (IT) experience in regulated enterprise businesses and as a Managed IT Services Provider (“MSP”), Lawrence brings unique insight into the fusion of information risk management, third-party supply chain privilege management, and the operational IT challenges faced by mid-market and small governmental organizations. He is an experienced information security practitioner who has designed and implemented hundreds of cybersecurity and technology risk management programs incorporating key control frameworks including the NIST Cybersecurity Framework (CSF) and the CIS Critical Security Controls (CSC).

Lawrence is actively engaged in ongoing security research and community development that mitigates supply-chain vulnerabilities introduced by smaller businesses into enterprise organizations. His recent emphasis is on improving the overall security of the information ecosystem by incorporating the unique risks introduced into smaller government and mid-market organizations through IT MSPs and trusted third-party vendors.





Examples of Past Presentations/Publications

Lawrence Cruciana has experience in speaking on a number of subjects related to the SMB security sphere. If you are interested in having Lawrence present at an event, below are three examples of recent presentations that may speak to your audience. Feel free to contact us to suggest additional topics or areas of focus!

The White House and You - Are the Walls Closing in on MSPs? (MSP Success)

On May 13th, 2024, MSP Success published an article on the recently released version 2 of the National Cybersecurity Strategy Implementation Plan (NCSIP). In the article, several thought leaders gave their insight on how this new plan will impact MSPs. Lawrence Cruciana, founder and President of CorpInfoTech, touched on the theme of teamwork and how the NCSIP acknowledges that cybersecurity is a team sport and requires everyone working together to build a solid defense. 

Why "DSPM" Was the Acronym to Watch at This Year's RSA Conference (Channelholic)

In this article published on Channelholic's website, the author discusses the importance of DSPM, or data security posture management, and why it was of particular interest during RSA Conference 2024. With generative AI and LLMs becoming increasingly popular, data protection must become a top priority. Lawrence Cruciana warns of the dangers in trusting "private" LLMs with data even when they are often described as safer than public ones.

Will The New Cyber Defense Plan for RMM Keep You Safer? It's a Start. (MSP Success)

Remote monitoring and management (RMM) tools are valuable to MSPs despite having their own vulnerabilities. In 2023, CISA published the JCDC's Cyber Defense Plan for RMM to help protect organizations utilizing RMM tools. In this MSP Success article, Lawrence Cruciana discusses why this plan is important and what it hopes to accomplish.

Manufacturing Matters - Cybersecurity Insights for Secure Manufacturing (Defense and Munitions)

Lawrence Cruciana, founder and president of Corporate Information Technologies, discusses how the vulnerability of government, enterprise, and small business organizations alike to supply chain attacks is a rapidly evolving threat.

"Residual Risk: It's Not Always About the Zero Days"

The state of cybersecurity is often typified in terms of the latest flashy 0-day exploit or the most recent high-profile data breach. While these are characteristic elements of the state of security, they are not representative of the vast majority of successful attacks. Often, smaller organizations focus on implementing increasingly complex, capable, and expensive cybersecurity tools rather than securing the practical and, often, more opportunistic areas of the information ecosystem. This session will review the vulnerability management practices of a typical commercial entity, identify the common pitfalls encountered by IT teams in this pursuit, and present practical, directly implementable methods for establishing meaningful security controls across a modern multi-vendor environment. Using the CIS Controls, we'll address many of the most commonly attacked areas found in most information ecosystems using free and low-cost methods that are easily implemented and understood. Attendees will walk away with actionable information, field-proven tools, and practical methods to improve the cybersecurity posture of their individual environments.

"The SMB Supply Chain Ecosystem"

The vulnerability of government, enterprise, and small business organizations alike to supply chain attacks is a rapidly evolving threat. One commonly overlooked supply chain attack vector, recently identified within initiatives supporting the National Cybersecurity Strategy, is the use of Remote Monitoring and Management (RMM) software by threat actors to effectively bypass many existing security controls. RMM software historically has been employed principally by Managed Service Providers (MSPs). With approximately 85% of commercial organizations that employ fewer than 500 employees utilizing the services of one or more MSPs, the presence of multiple RMMs within the trusted supply chain of most commercial enterprise and government entities is nearly certain. This session will explore in depth the origins, identification, and effective risk mitigations for this highly successful emerging threat. Delivered from the perspectives of a technologist and practitioner, two experts who first raised concerns in 2016 about the potential for attacks using RMMs will explore proven methods to cooperatively improve the security of the supply chain from enterprise to SMB against RMM attacks.

"Measuring Up: Achieving CMMC/800-171 Compliance in Smaller Organizations"

Throughout the industrial supply chain, cyberattacks continue to increase in frequency and severity. Smaller organizations are disproportionately impacted by these attacks and are often not equipped to deal with the long-term ramifications. Unsurprisingly, organizations involved in the supply chain of the U.S. Department of Defense are often more aggressively targeted by sophisticated threat actors. The NIST 800-171 and emerging CMMC standards intend to help safeguard potentially sensitive information from these threat actors. Smaller organizations often have difficulty accurately measuring and reporting their cybersecurity posture under these standards. This session will provide attendees with the knowledge to more readily understand the intentions of these standards and the tools by which to measure and objectively report their cybersecurity posture to internal and external stakeholders. Additionally, we will introduce practical solutions to close the cybersecurity gap between IT and OT to improve overall cybersecurity outcomes. These solutions employ open standard cybersecurity frameworks and low-cost tools to ensure they are accessible to organizations of all sizes and complexities.