ISACA’s Chris Dimitriadis talks about the Cybersecurity Maturity Model Certification, the cyber complexity of transatlantic operations and his predictions for the threat landscape in 2026.
Last month, the Information Systems Audit and Control Association (ISACA) announced that it had been appointed to lead the global credentialing programme for the US Department of War’s (DoW) Cybersecurity Maturity Model Certification (CMMC).
The CMMC, according to ISACA’s chief global strategy officer Chris Dimitriadis, is “designed to protect sensitive information across the defence industrial base and its supply chain”.
“What makes it different is that it sets out very specific cybersecurity requirements and a maturity-based assessment model, demonstrating both self-awareness and a continuous improvement journey.”
According to December’s announcement, the appointment has positioned ISACA – an IT governance organisation that provides education, training, guidance and credentials to companies worldwide – as the exclusive CMMC Assessor and Instructor Certification Organization, which makes it responsible for training, examining and certifying professionals, assessors and instructors across the CMMC ecosystem.
But while the CMMC appears to be of primary importance to the US, Dimitriadis tells SiliconRepublic.com that the certification is also quite relevant to European companies, including many that operate out of Ireland.
“If you are part of the DoW supply chain supporting US defence-related programmes, CMMC will become mandatory, regardless of where you are located,” he says. “That’s why it matters. It’s not only a best practice conversation; it becomes a market access issue.”
Dimitriadis also explains that the CMMC highlights something that he says ISACA has been focused on for decades: “cybersecurity at scale depends on people”.
“Building the workforce that understands the controls, the assessment model and how to implement maturity is essential for companies on both sides of the Atlantic.”
Transatlantic trickiness
Dimitriadis says that the nature of transatlantic operations heightens cyber risk for the organisations involved.
“Transatlantic operations almost always increase complexity, and complexity is where cyber risk tends to grow,” he says. “The first major issue is supply chain exposure. Attackers rarely go after the strongest link; they look for the most vulnerable one.
“In global ecosystems, that can be a smaller supplier, a service provider or a subcontractor.”
The second issue, he says, is the “nature” of the data and the systems that are involved.
“When defence-related information, controlled technical data, or sensitive operational systems are in play, the impact of compromise is simply much higher. That requires stronger access controls, better identity governance, and more disciplined incident response.”
The third and final issue that Dimitriadis highlights is “multi-jurisdiction reality”.
He explains that companies need to navigate different requirements, obligations and reporting expectations across regions, adding that if governance and security operations aren’t aligned, “you create gaps, and those gaps are exactly what threat actors exploit”.
Cyber in 2026
With the fear of advanced cyberattacks rising across the threat landscape, preparedness and cyber maturity have become increasingly important for organisations – a belief shared by Dimitriadis.
“Cyber maturity matters because cybersecurity is not a ‘one-time’ achievement,” he says. “It’s a capability that has to improve continuously.
“Too often, organisations see security as a binary state: secure or insecure, compliant or non-compliant. But in practice, security is about progress, discipline and repeatability.”
Looking to the year ahead, he emphasises that cyber maturity will be “critical” because the threat landscape is expanding, the attack surface is growing and organisations are under increasing pressure to “prove resilience, not just claim it”.
Dimitriadis also believes that 2026 will be a year where “cyber compliance becomes more evidence-driven and more workforce-dependent”, as evidenced by regulations such as NIS2 and DORA.
“What organisations need to recognise is that compliance isn’t something you can handle in silos,” he says. “Most requirements overlap – incident response, access control, governance, monitoring – and companies need a holistic approach to bring those obligations together efficiently.”
But the most important factor, according to Dimitriadis, is “capability”.
“The biggest risk for organisations won’t only be budget or tooling; it will be whether they have enough trained professionals to implement controls properly, assess maturity and sustain improvement over time,” he says.
“Without the people, compliance becomes unrealistic, and cybersecurity, and consequently trust, become harder to deliver.”