Doug Barbin on Leadership, Trust, and Building Defensible Cybersecurity Programs
Mission: Cyber — Episode 1
PODCAST
Mission: Cyber Ep. 1 | Doug Barbin on Leadership, Trust, and Building Defensible Cybersecurity Programs
Cybersecurity isn't just a technology challenge—it's a leadership challenge.
In the inaugural episode of Mission: Cyber, CyberSheath CEO Emil Sayegh sits down with Doug Barbin, President and National Managing Principal at Schellman, for a candid conversation about the leadership decisions that shape resilient cybersecurity programs.
Together, they explore why trust is essential to building strong security cultures, how AI is creating new governance challenges, and why organizations should focus on building defensible cybersecurity programs—not simply passing compliance assessments.
Whether you're preparing for CMMC, leading cybersecurity initiatives, or navigating the rapid evolution of AI, this episode offers practical insights for executives, security leaders, and defense contractors alike.
In this episode, you'll learn:
- Why cybersecurity is fundamentally a business challenge—not just an IT issue
- The leadership traits that create resilient security organizations
- How AI is accelerating governance and compliance risks
- Common misconceptions about CMMC readiness
- The difference between being compliant and being truly secure
Listen to the full episode and subscribe for future conversations with the leaders shaping cybersecurity.
Mentioned Resources
Transcript
Emil: Welcome to Mission Cyber — the podcast where we explore the leadership journeys behind cybersecurity, compliance, and resilience in the Defense Industrial Base. I’m your host, Emil Sayeg, CEO of Cybersheath.
Cybersecurity is often framed as technology, threats, and compliance. But behind every successful program is a leader who made difficult decisions, built trust, and navigated uncertainty. This podcast is about those leaders.
Today’s guest is one of them: Doug Barbin, President and National Managing Principal of Schellman. Since joining in 2009, Doug has helped transform Schellman from a respected IT audit organization into one of the most influential cybersecurity and compliance firms in the industry. His background spans technology, leadership, product management, fraud investigation, operations, and auditing — giving him a rare and broad perspective.
Doug, welcome to Mission Cyber.
Doug: Thank you for having me.
Emil: How was your weekend?
Doug: It was good. No complaints. The kids are out of school, summer is moving fast.
Emil: You’re based in Sacramento now, right?
Doug: Yes — just outside Sacramento. I’ve been on the West Coast for over 24 years. Before that, I lived in the D.C. area, and I grew up in Atlanta.
Doug’s Journey Into Cybersecurity
Emil: Let’s start with your journey. Maybe go back to college and bring us forward from there.
Doug: I did my undergrad at Penn State — second‑generation Nittany Lion. I double‑majored in accounting and criminal justice because I wanted to work for the FBI on white‑collar crime. In the early to mid‑90s, agencies were looking for people with business acumen who could understand transactions and criminal activity.
My first job out of college was at Price Waterhouse in their forensic accounting group — not the traditional financial audit track. I got my CPA, and early in my career, I worked on financial fraud and corruption cases, including investigations for the World Bank and the Swiss bank dormant accounts tied to Holocaust survivors and victims.
I also helped start the computer forensics practice there, because everything was becoming digital. We did early DOS‑based imaging, e‑discovery, and forensics, which led me deeper into security. I worked closely with penetration testers and security teams.
In 2000, I had the chance to join the FBI — I’d made it through the interview rounds — but I also had an opportunity with a cybersecurity startup, Guardent. I chose the startup, which was later acquired by Verisign. I spent several years there before joining Schellman in 2009.
Critical Moments That Prepared Doug for Schellman
Emil: What experiences prepared you most for your tenure at Schellman?
Doug: When I joined Schellman in 2009, the firm primarily did SAS 70 audits. At Verisign, one of my last roles was in product management for managed security services. They needed someone who understood compliance because Verisign had to undergo SAS 70 audits. Even though my CPA was dormant, I understood both sides — the auditor and the auditee.
I always joke that I was a SAS 70 client before I was a SAS 70 auditor. It gave me perspective: what independent auditors do, why it matters, and how clients experience it.
After Verisign sold the business, I didn’t expect to return to public accounting — yet here I am, sixteen years later. What kept me was the mix of technology, learning, and being on the leading edge with clients. It’s been a great seat for growth.
Leaders and Mentors Who Shaped Him
Emil: Tell me about the leaders and mentors who have shaped you.
Doug: There have been many. Early at Price Waterhouse, I worked with Bob Lindquist, considered the grandfather of forensic accounting. He taught investigations and the investigator’s mindset — that there aren’t just two sides to a story; the truth may be somewhere else entirely.
At Guardent and Verisign, I had amazing leaders, including strong women in cybersecurity. Maria Cirino, CEO at Guardent and multiple startups — deeply growth‑minded. Lisa O’Connor, my manager twice, formerly NSA, later leading global cybersecurity at Accenture.
At Schellman, working with Chris Schellman and later with Avani Desai — both exceptional leaders who pushed me to grow. I’ve learned just as much from leaders I didn’t want to emulate. Negative examples are as important as positive ones.
A Leadership Lesson Learned the Hard Way
Emil: What’s a leadership lesson you learned the hard way?
Doug: Tough conversations. I’m naturally agreeable and collaborative. But avoiding difficult conversations, especially with people you like, is harmful — to them and to the business.
I had to learn the difference between nice and kind. Nice is easy. Kind is compassionate but direct.
When leading hundreds of people, you can’t ignore performance issues. You owe it to them and to everyone else in the company. And often, having those tough conversations leads to growth.
How He Approaches Hard Feedback
Emil: When do you have those tough conversations — during reviews, in one‑on‑ones?
Doug: Mostly in one‑on‑ones. But at a certain point, it does need to be reflected in performance management. Sometimes verbal feedback doesn’t land with the necessary weight — writing helps reinforce the seriousness.
But waiting until an annual review is too late. Feedback should happen close to when issues occur. People shouldn’t be blindsided.
About Schellman
Emil: For those unfamiliar with Schellman, tell us about the firm.
Doug: Schellman was the first CPA firm to focus on SAS 70 audits — early IT audits. Our mission is to help companies convey trust to their customers through independent assessments.
We expanded from one service to over 30, including SOC, ISO 27001, FedRAMP, CMMC, PCI, HITRUST, and more. We stay very focused:
No financial audits. No management consulting. Just high‑quality professional services for assurance and certification.
We want to grow with our clients — from SOC 2 when they’re small, to ISO and FedRAMP as they scale internationally or sell to government.
What Doug Is Most Proud Of
Emil: What are you most proud of during your time at Schellman?
Doug: Not just building practices — though I’ve helped launch PCI, FedRAMP, and others. What I’m most proud of is watching leaders grow within those practices. Seeing people step up and take something far beyond where I started it — that’s incredibly rewarding.
Cybersecurity’s Evolution Into a Business Issue
Emil: You’ve watched cybersecurity evolve from an IT issue to a business issue. When did that shift happen?
Doug: Coming from investigations, it was always a business issue to me. Fraud is a business problem; security failures are business problems.
Cloud computing forced the business conversation — scalability, cost, and operational changes. AI is accelerating that even more. The faster technology changes, the more security must be understood as a business imperative.
Emerging Tech and the Threat Landscape
Emil: How is AI changing the landscape?
Doug: AI is moving much faster than cloud ever did. Companies implementing ISO 42001, the first AI governance standard, are putting real structure around trustworthy AI — not just security.
Then there’s agentic AI, which is evolving rapidly. Schemas like AI‑UC1 are gaining traction, driven by industry experts rather than regulators — which I love.
We’ve had shadow IT for decades; now we have shadow AI. Organizations need to get ahead of that.
Beliefs Others Might Disagree With
Emil: Do you have a belief about cyber, AI, or compliance others might disagree with?
Doug: People polarize themselves. You hear “security doesn’t equal compliance,” which is true, but misses the point. Both matter. Trust is nuanced. Resiliency matters as much as protection.
I’ve long believed that “bad things will happen,” and strong programs are those that respond well. That used to be a contrarian view in security.
How Doug Entered the CMMC Ecosystem
Emil: How did you first get involved in NIST 800‑171 and CMMC?
Doug: Like many things at Schellman, it began with clients asking about it. Our deep FedRAMP experience positioned us well, since many of those requirements carry over. We paid attention early, participated in discovery sessions, and compared CMMC with frameworks like PCI to help clients prepare.
We conducted one of the first voluntary CMMC assessments with DCMA/DIBCAC — a great learning experience.
Once you enter CMMC, you must go all‑in. It’s serious work with significant accountability.
Common Mistakes Contractors Make
Emil: What mistakes do contractors and subcontractors make?
Doug: Rushing. Thinking CMMC is a checkbox. Buying a high‑security license (like GCC High) and assuming that’s enough. Or assembling documentation that doesn’t reflect reality.
We try to catch this early. We’re auditors, not consultants — we don’t want to fail a long line of companies. We often tell clients, “You’re not ready for us yet.”
What Makes a Partnership Successful
Emil: Cybersheath and Schellman have worked together many times. What makes a partnership successful?
Doug: Shared values around security and compliance. Independence is crucial — no conflicts of interest. Cybersheath represents the client; we are the independent auditor.
Good partners focus on helping clients build defensible security programs. Not just compliant — defensible.
When our teams work together, it’s clear we care about the same things.
If Doug Were CEO of a Defense Contractor
Emil: If you were the CEO of a defense contractor today, what’s the first thing you’d focus on?
Doug: I’d gather IT, operations, sales, and marketing, and ask: “What do we do? What data do we receive? How do we handle it?"
Business first, operations second, technology third. From there, align CMMC to business needs — not the other way around. Otherwise, you risk building narrow enclaves that hinder long‑term growth.
The November 10 CMMC Deadline
Emil: What changes after November 10, and what happens to unprepared organizations?
Doug: It’s not a cliff. New contracts will require certification. Some primes may accept a path to certification for a period of time.
But competition will intensify. Companies that get certified earlier will win the opportunities. That’s the real consequence.
Lightning Round
Emil: Lightning round! What’s your favorite leadership book?
Doug: Trust Matters by David Horsager — trust is multidimensional and must be measured. I also enjoyed The Octopus Organization recently.
Emil: Do you have a cybersecurity or compliance joke?
Doug: I’ve joked that I spend years defending compliance as more than a checkbox — only to follow that up by sending clients 400 requests through an audit portal.
And for CMMC Level 2: you pay someone like me to tell you what you already know, write a document no one will read, and upload it to a system no one can find the first time.
Emil: Coffee, tea, or soda?
Doug: Coffee. Usually cold brew.
Legacy and Leadership
Emil: When your career is complete, what do you hope people remember?
Doug: That I helped leaders become better. The multiplier effect is real — leaders coach leaders who coach others, impacting families and careers. That’s the mark I hope to leave.
Closing
Emil: Doug, thank you for joining us. This conversation could have continued for hours. Before we end, a reminder: the Phase 2 CMMC deadline is November 10, 2026, and many organizations underestimate the time required to prepare.
Cybersheath has reopened its free CMMC Ninja Training Program for the fifth consecutive year, where participants can earn white, blue, and black belts and be recognized at CMMC CON 2026 on September 23–24. It’s virtual, free, and open to all. Visit Cybersheath.com to register.
Thank you, Doug, for sharing your insights. And thank you to our listeners. Cybersecurity is no longer just a technology challenge — it’s a leadership responsibility.
This has been Mission Cyber with Emil Sayeg. Until next time.