Musings from the Cyber Trench
CMMC Compliance Explained: Risk, Cost, Tech Stack & Culture Shift in the DoD | Khanh Tran | EP 107
CMMC is not new. It is enforcement.
In this full episode of Musings from the Cyber Trench, we break down the real operational impact of CMMC inside the Defense Industrial Base.
Our guest brings over 25 years of experience across enterprise GRC, defense programs, and federal cybersecurity.
We discuss:
- Why CMMC was long overdue
- Level 1 vs Level 2 and what “basic hygiene” really means
- Reactive vs predictive risk culture
- The true cost drivers behind CMMC assessments
- CCA scarcity and pricing pressure
- Tech stack decisions: AWS vs Microsoft vs Google
- Why veterans thrive in cybersecurity missions
If you operate inside the DoD ecosystem, this conversation gives you clarity on what matters and what does not.
Responsible for ICAM, Zero Trust, or identity security in a federal agency, prime, or large regulated enterprise?
If you’re trying to move from strategy to execution, start with Zephon’s Zero Trust Readiness Assessment: zephon.tech/zt
Questions or guest ideas? Email defend@zephon.tech
Hello everybody. Welcome to another episode of Musings from the Cyber Trench. Today's episode is going to be slightly different. We don't have a fixed topic per se, because we'll be talking about a lot of different things. All important, all equally interesting. My guest today is a leader in the uh in the uh the Department of Defense, CMMC compliance. With over 25 years of experience across commercial government and nonprofit sectors. He has built a reputation for trust, integrity, and helping organizations navigate the complex world of cybersecurity. His organization supports the defense industrial base with lean compliant tech stacks, bar-driving process optimization, and continuous improvement through automation and agile practices. Beyond frameworks and controls, he has a real passion for people. Whether that's educating executives on governance, risk and compliance, or empowering veterans to build careers in cybersecurity. And here is a fun fact. He once considered trading it all in for a for a career-free life, working at a sea shop in Australia. I would want to hear more on that later. With that, everybody meet my guest Khanh Tran. Welcome to Musings from the Cyber Trench, Khanh. I am excited to have a deep dive into GRC, CMMC and whatever this conversation is.
SPEAKER_02: Sounds great. Thank you so much for uh inviting me, Visual, and thanks for being here to uh uh in this um uh podcast of yours and and really talk about you know uh things that really matter to me and things that really matter into the defense of uh uh Department of War. So really excited. And and it's really exciting to say the DOW because uh, you know, everybody some people like it, some people hate it. To me, it's just kind of it's kind of funny, so it's all good.
SPEAKER_01: Uh I think uh it has to be passed by the Congress to make the name uh official, like I'm wrong.
SPEAKER_02: Yeah, yeah, yeah. It has to, it's just that uh some people are are enacting it now, other people are enacting it later. Uh so uh it's just uh I I don't know. Uh it's it's one of those things that uh you know it it's it's a good conversation starter.
SPEAKER_01: So uh let's talk about the big thing going on right from the start and the uh in in our uh defense right now. So just CMMC compliance. Do you think we are moving in moving in the right direction with respect to uh uh having CMMC compliance uh forced?
SPEAKER_02: Absolutely. Uh as as an individual that came from enterprise, uh uh you know, GRC, the idea here is something that uh to me, and this is just my opinion, is has been very very much overdue, right? So as uh our um uh you know our uh our country is growing, uh and as we're doing uh a lot of uh projects with the DOD and uh or uh the DOW and the data that we have, yeah, as you see so far, is it's not really being protected, right? Um and it's it's been eased for so long, right? For a very long time, we we were very eased about protecting this data. Um I think that you know when we're talking about uh different countries and you know just stealing this data or or taking this information, it's we're at the beginning stages of understanding cybersecurity and protecting data, right? Uh we're looking at China, we're looking at different other countries out there, their technologies are way, way more advanced today, right? Uh than what we have. But all we could do is start somewhere. And this is a really good start. Um, and we go back uh to the uh industrial age and everything, and we talk about how you know in industry moved from where we were in a creep, crawl to walk to run. Um, I really think that you know CMMC uh at the crawl space right now will start running a lot faster than uh you know just uh different uh uh parts of our history because it is that important. Data today is like I I think I read somewhere uh two, three years ago, it's almost like that instead of renewable energy, it's almost like infinite energy, right? Whoever uh understands data, runs data, and and you know, protects or you know it embraces this data will be leader in the um you know the new world. And we don't want to be left behind.
SPEAKER_01: So uh you think the the compliance requirements should also be uh be extended to the first side?
SPEAKER_02: So the the compliance itself, I think is uh as uh I was talking to a client yesterday, and we were talking about uh level one versus level two, right? So level one is is no more than basic hygiene, right? Uh if we can't do basic hygiene today, who's to say we can do more that's coming in revision three, right? So I think I think there are a lot of frameworks out there. I think there's a lot of great frameworks, and each framework has a rhyme and a reason for it, right? Uh if you're talking about CIS, you're talking about hardening servers. If you're talking about uh CMMC, it's about following that data, you know, and protecting that data. If you're talking about uh CIS, I mean uh um CMMI, you're talking about uh, you know, just uh uh integration and really uh uh scrumming of an organization, how they operate. So each each uh framework has a time and a place. Just when we're talking about uh uh uh the the uh the DIB, uh we're talking about you know just CMMC and the data being just that important.
SPEAKER_01: But like see, like uh for the DIB, uh CMMC will be a required. We don't have corresponding requirement on the FedSIP side. So do you think we should uh extend CMMC there too?
SPEAKER_02: We we should see we should see that CMMC over the next couple years be adopted by a lot of organizations and moving out, right? I think one of the things that um just everybody's waiting for is to see how it goes. Uh see see how it protects the data, see what type of disruption it's gonna cause, and how to build around it and grow from it, right? It's just like buying a new car, right? When I I bought my first uh truck in 2007, it was a brand new version of that truck. Of course, there's gonna be a lot of problems, there's gonna be a lot of engine changes, there's gonna be a lot of uh you know recalls uh on different things that's happening. It's the same thing here. Everybody's waiting for those kinks to to get taken care of, and then wondering what that's gonna look like when revision three comes out. And then they're worried about what if I do, let's say if I'm looking at protecting and storage FIPS 140-2, uh revision three is uh asking for a dash three, right? So what tool and technology should I be looking at, right? And it's one of the things that when we go out and talk to our clients, we talk about let's let's predict, be very predictive. I hate for people to think in a reactive manner, right? Uh I think uh mostly when you're a leader of an organization, you should look at, you know, just proactive and predictive. So proactively, yes, you need to get CMMC because it protects the data, and plus, it serves as a pro for your organization to get contracts or renew your contracts. Uh predictively, we have to be smart about our technology that we get, that it serves not only for um what what we need today for compliance, but it could actually like live and merge with us to what the future you know just uh revision is gonna look like. If not, we're just wasting money as an organization.
SPEAKER_01: So like the way what I'm getting from what you just shared was we are currently waiting to see how things settle in. And in the in the future, uh once there is more uh maturity in uh the GovCon space, we may see CMMC uh extract to uh Fed six articles.
SPEAKER_02: Yeah, there's been talks about it. You know, as as we're we're listening, there there are uh CFRs uh being looked at to create for the federal space. But then again, it's not I I don't feel and this it's just and again predictably I see it, but uh if I say today there's there's something out there, I'll be lying, right? There's always talks about it. We talked about it. We're talking about the difference between 800,000 organizations uh versus you know uh 1.2 or or or uh in the millions in the federal space. So it's just let's see how it works here before it moves on. But that's my opinion, and that's what I'm seeing. But uh we don't really know until um uh something comes out. And that seems like every week there's something new that's coming out with CMMC that gets the whole ecosystem excited and LinkedIn just going crazy.
SPEAKER_01: Uh let's talk about GRC, governance, risk and compliance. Why is that a big passion for you?
SPEAKER_02: Uh so I think everything falls into GRC, right? So compliance is a big piece of everything we do, right? We have to know what the policy procedures are. We have to know what what we're doing is uh correct and and if not, right? When we're talking about the governance side of it, there's gotta I I fall into uh enterprise thought through this when I did a lot of uh um uh Six Sigma, right? Once you put something in place, you have to continuously improve and you also have to monitor to make sure that it it it it it is where it is. And if it's not, then you break it down and you improve again, right? You have to understand the defect. So governance uh is a very uh very important piece of it. And um, you know, just risk. Every company deals with risk. We don't just deal with risk when it comes uh into the cybersecurity space. We deal with risks in IT space, and we deal with risks as a whole organization when it comes to business, right? Is these are these risks a risk that we we uh you know that our organization is going to inherit, you know, or these residual risks from whatever happened before, every organization has to make that you know that decision. And it's a business decision just as much as it is a uh IT decision, engineering decision, or any part of the business. Um, so put it all together, it's encompassing of an organization, not just cybersecurity in general. So um when I look in the past with risk and I look at regulations in organiz uh in different countries, um, I notice that uh every region, every country have their own basic uh you know regulations. And those are risks, right? So it's just something that that we can handle. Is it something that we have to think ahead of and be predictive about it? Mostly when you you're dealing with a bigger organization, either that or your organization is growing.
You want to make sure you be more predictive and more intentional in this, and then just oh my god, it's coming up and it's hitting me sideways, right? Yeah, you don't want to get caught after uh, you know, uh not on your A game, and then all of a sudden, oh you know, now you're you're penalized, uh now you're you're uh not compliant, uh your governance is off, your policy procedure is off, everything's off, and then it leads to a whole regime change and of course uh a cultural change. And uh if your organization, all this is costly, and we don't want that.
SPEAKER_01: So when it comes to risk, you know, risk can have uh can have its own uh own uh qualitative side of things and also the risk uh quantitative side of things. Have you seen risk being taken differently in terms of quality and quantity between the commercial side and the GovCon side?
SPEAKER_02: Yeah, I I I notice uh and and here it's the CMMC part, right? Every every commercial piece we see when it comes to risk and compliance, we talk about you know self-attestation, right? Are you doing it? Yes, we're doing it, right? Are you doing it? Yes, we're doing it. I see a lot of primes are taken really seriously, but a lot of subs are are pinching their pennies and making sure that they wait until the last minute, right? So it's more reactive than proactive and being more predictive about it. Uh and so if you if you've seen, and I've seen over the last couple of years, a lot of organizations, let's say communication organizations, uh, you know, just uh uh hospitality, uh, you know, and and um in general, uh insurance and hospitals in itself has has been, you know, uh has been infiltrated, right? And it's because yes, do we do it? Yeah, we do it. But do you do it? So as uh as we're looking through it, we I I think um the the significance here with CMMC is removing that self-attestation part of it and putting it more into a a third-party organization, an unbiased party coming in to make sure that something is being done. Because uh, truth of the matter, what are we fighting about now when it comes to CMMC? We're fighting about, oh, it's so costly. Oh, you know, I have to buy this and that. I don't have money for it. It was not in my budget, this and that. It's it's been talked about since 2010. This is 15 years later. I was like, if if you were predictive about it, like some of these other companies, you will be where you're at and you'd be slowly moving. You would plan it every year, little bit by little bit, to get where you need to go. And start with, you know, basic hygiene and continue us on with, you know, uh, you know, just uh the extra layer protection and then advanced uh advanced security. But instead, you're starting at ground zero. And so it's just I understand the um the significance of it today, uh, mostly for small to medium um uh SMBs.
Uh, but I also understand that it's been years, and you know, just you just can't go to the next person and say, hey, uh, what do you hear? Right? There's technical experts out there, like our organization, B1 Group Cyber, and there's also technical individuals out there that are more than willing to answer your questions uh and you know, just uh remove the falsehood of what's being driven out there, right? Because if if we don't understand cybersecurity, we don't understand the protection of data and what it means to our country, then at the end of the day, the chance of us staying where we are uh as a power, uh, you know, it's it's hard to say. I I just I mean, whoever has data and technology wins, right? And right now, we've seen everything way past what it is today.
SPEAKER_01: I agree with you. So uh uh you mentioned uh uh SMEs. Okay. So I'm uh one thing I I have seen a lot lately is like many uh uh many uh SMEs are smaller size, their teams all work remote, they have uh like bring your own device policy and so on. So CMMC controls seem a bit vague in that area. What do you think?
SPEAKER_02: So CMMC is not something new, right? It's 800-171, right? It's something that we should have done for a very long time. Uh, I see a lot of organizations come in, uh come in and say they've been working ISO 27001 for a very long time. Is it the same thing as CMMC? No, it's not, right? But then at the same time, there are controls that falls into place, you know. So if you're looking at where it is, you could actually look at uh Google NIST 800-171 appendix D, and it'll show the mapping between ISO uh 800 uh-53 and CMMC, and then uh which is the 171, uh 800-171, and see where it fits. So now you have a um a roadmap, right? You you know, as much as I don't want to tell the world this, but if if you have time and you have a team of IT individuals or cybersecurity individuals write policy procedures before, they understand how to do this. It's time consuming, right? But the roadmap's there, right? Nobody's telling these organizations you can't go to 800-171 alpha and under and look at the examples and say, oh, what is it asking for with you know objective A, objective B, C or D, right? Um, and then from there say, hey, we've done the the ISO uh 27001. How does it map? So they're they're asking it a certain way. Okay, let's bring that over and let's make sure that we have that and let's build that that roadmap for where we have. The thing that everybody's scared about is the nuance. Uh, the nuance of it is uh when we talk about adequacy and sufficiency, right? Is is there adequate evidence? Is there sufficient evidence, right? What is the right evidence? What is the wrong evidence, right? Uh so that's where a um an organization or a firm like us would come in.
That uh if you have all this in place, uh we come in and we do a scope and gap, uh, where we look at your uh your scope so far, understand your boundaries, understand your uh network diagrams, your data flow diagrams, your RBAC or role-based access control, uh asset inventories, what are the tech stacks you have inside, who's touching the CUI, and the facilities, either cloud or not, that's uh that's uh that's touching the CUI. And then we validate. If everything is validated, it's good. If not, we build for you and really help you understand what those boundaries are and where that data is moving around. And the the gap and the POA&Ms uh or uh the plan of action milestones really gives you an understanding, like, hey, am I on the right track or do I need help? Right? Uh we see organizations come in with uh they said, been doing it for three years, but they took a left somewhere, took a total left. Everything's messed up. There are 500, 600 POA&Ms in. They're like, what do you mean? Working with this for years. I was like, well, you're still in version one of CMMC, the five levels. We don't have five levels no more, we have three levels. Uh and uh so and we also have other organizations that come in and just rocking it out of the park. But it's it's the hey, do we have the adequate sufficient evidence? And I always recommend, let's say if your organization is gonna go do something and and create what the SSP is gonna look like, create your network diagrams, your um uh your data flow diagrams, your RBAC, your asset inventories, and start answering and setting evidence and policies uh for each control. Once you get done with that and you feel really good, come back and have an organization like ours where our team is basically comprised of CCAs and CCPs.
So the certified uh CMMC uh practitioners or professionals have seen a lot of this, and we've they've been working through it so it their eyes are trained to see what kind of evidence artifacts and policy procedures are either uh you know adequate, sufficient, or not. And then they'll help you understand, hey, I would like some more of this. Um and on the other side, you know, have that conversation with our CCAs, right? Our certified CMMC assessors who will be forward-facing you where you sit there and you have the discussion. Why is it this way and why is it not, right? I instead of just saying, hey, I paid you money, you figure it out. It's like, hey, let we we're a partner, let's figure this out together. Because at the end of the day, these are your own policies and procedures. We can't decide what you know what the daily or or quarterly or yearly cycle you're gonna look at logs or or you know, uh do incident response or things like that, right? That's your organization, and um that really will save money and really educate mostly the SMBs because and again, money is a is is a big driver here. A lot of SMBs are like, where am I gonna find the money to do this, but let's take the first rope uh the first steps to it. Either you start and they come and get an organization like us to say you're on the right track, but hey, you missed some of this, or start off with us. So we build uh and helped you build the um the boundaries, uh, all the all the diagrams, collect everything and show you where the gaps are. And then now you have a roadmap to go, right? But if you have good money and you have a lot of money, then yeah, you could take us throughout the whole process, it makes life easier. But small, medium SBs is really hard. And I say use your money wisely and really go out there and really ask about who you're working with. If you're working with RPO, great.
If you're working with some organizations that say that they can get you somewhere, the full package uh in like 10,000 or 20,000, I'm gonna be honest. If you hear that, you walk the other way because assessments alone, I see at a minimal uh somewhere out there there's a unicorn that's charging 20,000, right? And that's great, right? I don't know who it is, but we're seeing from 30 32 to uh 64 or 75,000, right? That's that's the range. So if somebody's promising you to get you ready uh uh uh and get you certified, certified, included for like 20,000 or less, I would love to know who it is because it's uh it's one of those things like oh that unicorn out there.
SPEAKER_01: I had a question there. So uh you think like because of like we we do have a shortage of people to be able to do CMMC assessments, yeah. It's a fact. You think that is driving the high cost right now, or the cost won't come down?
SPEAKER_02: Exactly, exactly. Because we're talking about like scarcity, right? So if you if if you have so many uh only so many CCAs and CCPs out there, they dictate their cost, right? A lot of CCAs today, um that they they don't want to W-2, right? They don't want to work for organizations, they know their value. If we have six or seven or eight hundred and we uh CCAs out there, and we know that it takes three CCAs to do a project, then they dictate their price, right? So uh C3PAOs are sitting there, um, they're like um limited in CCAs, but they have to have to like uh uh 1099 these individuals, and they are costly, very costly. So that's what drives uh the price up, mostly when it comes to assessments. But uh I feel um, and and the federal space and everybody else will also feel in the future, as it you know, just levels out, right? Everything levels out, the price will come down, there's more efficiency in place. And that's what we're seeing later lately is teams are coming together to create that efficiency, that cost efficiency. Because um there's a there's a group out there that's there for the money, and then there's a group out there that's there for the DIB, right? You're gonna have that anytime there's a there's a high need in things. But once we get to capacity, which uh um I'm very excited, uh, and you probably saw on LinkedIn about uh the um the training uh portion is going to ISACA, where it's gonna be more efficient, it's gonna be more streamlined, and and the the certifications are you know and testing will will move a lot more efficient and and you know smoother than what it is doing today. Because um we're everybody's trying to figure things out, even even the RPOs, we're working with different uh partners that brings different packages, right? Uh for organizations. We we're we've done so many uh readiness that we've seen that the price of our basic CMMC level one has gone down.
Where in the past it costs us 15 to 25,000 to get that level one because not only that we're you're doing it, we're doing it, we're trying to find the efficiency of it. Now we are we're cutting that cost to so uh for the basic level one to around 7,900. That is a big cost savings, right? To say that you have it, you have the tools, the partners in place that simplifies this for a small and medium SB, you know, it's just it's it's a cost savings that that they could they can live with. Because everybody's asking for level one today, right? Who do you trust? Who do you trust? Where do you go trust? And that's a that's a different conversation, is there's so many RPOs that's just popping out of blue, so many C3PAOs popping out of blue, the big ores in the game with everybody else too, uh of counting. And then you also see you know consultant companies now adding CMMC to the piece, right? Who do you trust and how much money should you pay? Right. Uh for us, uh I think uh the narrative is how do we keep on driving that price down? Because we it's it's about trust, right? We talked about this before. We're just talking about uh integrity and morals. Because as we drive down, we're not just we're not just there to you know collect money, but we build a trust and ecosystem where organizations feel safe to make a good decision instead of going out there going like, oh, nobody's putting a price on on their packages. Uh we're gonna try to remove that. We're gonna put a price on our packages, right? We want to make sure you know what you're getting. Clear, concise deliverables. If if you hear today, you hear, hey, we do scope and gap, we get you ready, what does that entail? They're not gonna tell you. They need to tell you that clear, concise deliverables, brevity is very important.
SPEAKER_01: So uh when you conduct uh conduct uh assessments, where do you see the most pushback? Is it in terms of the scope or something else?
SPEAKER_02: I think it uh the most pushback I see is um the tech stack, right? There's been a lot of fight between, hey, do I go the AWS, do I go um Google, do I go Microsoft? Everybody tells me it had to be Microsoft GCC High. I have to say there's many ways to skin the cat, right? It just depends on your organization. Um, one of the things that we like to do is we we like to have that conversation, right? I think Visual, we had a conversation with one of your partners yesterday, and one of the things is hey, we we don't need this, we have this, this, this, this perfect, right? We need to have that conversation. It's not just a one package fits all, right? It's like we have to understand your current scope, we have to understand what you're trying to protect, which is your CUI, but where's your CUI going, right? If your CUI is something that you could just stay on a platform, we have platforms out there that is, you know, government uh uh instead of commercial, government safe, right? But it's not something that you can print out, right? It stays in the platform. Uh if if your organization is uh only um cloud-based, right? You're seeing emails and everything, you have a minimal organization uh uh organizational, you know, just uh privilege, then we look at different enclaves. We we we're partnering with a enclave to not uh today with QuickTrack. Um, you know, that's we're one of probably I'd say two or three sell uh resellers, but they operate in the small uh small piece where it's uh uh one to 15, right? So organizations like that, it's it's really simple. You don't own anything, the other organization owns that, right? Or we see organizations like bigger mids and primes are looking at configuration. Let's let's lift and shift the organization to a Microsoft or Microsoft Microsoft GCC or Microsoft GCC High, either that are AWS or Google FedRAMP, and then we'll manage it inside.
The configurations will be done with uh with organizations like ours and our partners, but then once it's done with, and we send it in, we grab the evidence artifacts, and then now it's just continual maintenance of maintaining what you say you're gonna maintain, that you visually check, that you collect the logs. So CMMC is not only about today, it's about today, uh, every year for self-attestation to show that you're maturing, and then reassessment, and then continues on, continues on, continues on. Because we have to change culture of what we're doing today. We've been doing it wrong for a very long time. Change the culture and build that culture of uh you know uh security being an integral part in what we do, right? So um as we look, we've seen it throughout the years that um, you know, just DevOps become DevSecOps, right? When we're looking at, you know, uh compliance, we're we're looking at security, uh, you know, just risk management, we're looking at, you know, just uh um just everything starting to move to the right where cybersecurity is becoming more important because when we talk about where we are in the computer age, 1995 was what was that? IoT was 1995, and then all of a sudden, you know, 20 years later, we're here, right? 20 years later, we we have advanced so much that we're a you know a species of looking at your phone, right? So everything is techno technology, and um, you know, everybody has to understand with technologies, there's pros and cons, and there's a lot of risk. And then now organizations like primes, they don't want to handle that risk. And most mostly one of the uh one of the biggest risks is always suppliers, because suppliers are unknowledgeable about the security. You do not get you can get into a prime system, right? There's no such thing as 100% security, uh, but you'll get caught before you get to uh past the second level or third level, or they follow you. 
But the the weakest area is a uh an unknowing uh supplier or sub not knowing how to protect their uh their passwords, not locking doors, uh not not uh not protecting you know their computers from people just walking in and taking them, right? Over-the-shoulder surfings, uh, you know, just uh social uh uh uh you know just uh social risks, different things like that that we see every day. That's something that we can need to build into our culture uh as a country because if you if you're in any other country, you know, let uh let's say uh China or something, they're very protective of it because they know, you know, it's just like that data is important.
SPEAKER_01: Let's switch gears a bit. Okay. So let's talk about your second passion. I have and I've seen that myself. Your passion on bringing veterans into the field of cybersecurity.
SPEAKER_02: Yes. Uh so um a lot of people don't know. I I spent a lot of uh 2000, 2000, uh, 2004, 2005, did a lot of work uh in the Middle East, right? Uh started working on uh military projects back in uh 2000 2002, 2002 to 2005. Um either I'm working with uh Helos, uh I'm working with you know just uh uh the drones and different projects uh in um defense companies and also in the Middle East. Um that time there they built the camaraderie, right? Uh and uh when when you're when you're being isolated into a base, it's almost like a prison. Uh I just want to be honest about it. Um the only people that you you are considered battle buddies is the person next to you. It might be a corporal, it might be a private, it might be a sergeant. It doesn't matter. You only have the person next to you to protect you, right? As we moved through um uh my career back in 2008, 2009, I did it again. I went back over because I I missed that camaraderie. I I missed that, you know, that that battle buddy sense where you you need everybody, everybody's protecting, you know, everybody's in line with each other. And um uh really left that space uh in 2011 when I went to Boeing, airplane manufacturer, and I was I was not feeling I I guess you could say uh PTSD a little bit from from leaving uh the Middle East and going back to the States, but it wasn't um individuals that's around me that that could see it. It was only veterans, right? And there was many times where they just stopped me and was like, hey, I can see it in your eyes, you can see it in my eyes. We're all here uh and let's talk about it. Let's let's uh you know you can talk about it. And I was able to find a help group, right, of veterans that has been in the military that that was there for me when I needed it. So by giving back, um I did a lot of stuff with the diversity, mostly uh when we talk about Asian Americans and Hispanic Americans and black uh black Americans.
And then after that, I thought about it as like, you know, uh veterans are a big part of of who I am, right? So for me to give back is natural, right? Because veterans, what are we looking for? Right? We're we're looking for that that family, we're looking for that mission. So when we talk, it's not like hey, we gotta go do this. Like, hey, this is the mission. We we we have to complete this mission. And they're like, boom, everybody's on the same page, we're moving, right? And I love that because everybody's just you know acclimating to regular life is really hard. You want a mission, you want to fight for something that matters, right? What better mission than is to protect that data? Because we have a lot of veterans on our team. Whenever these veterans hear that, oh my god, excitement, because you don't feel lonely no more. You don't feel like you're just there just to just to live out life anymore. The action's gone. We just take that energy from the field and we bring it into protecting data now. And it's just a lot of these conferences when we go to, it's a lot of veterans. It's a lot of active militaries, a lot of veterans. So they see their friends and they see like like uh majors and generals that they they work for, and and they see that their um there are other corporals, uh, you know, uh other, you know, just uh sergeants that they work with, they're all there and they reminisce and they feel like they're part of the family again. And that to me is, I mean, it's it's moving, it's great, and that's what we want to build. I know it's cliche to say a family, but let's just say a team. Every time we talk to uh clients and every time we work within the DIB, it's a team because it doesn't matter if you're on that team or on this team, you know, we're on one team and one fight, and that's to protect your data.
SPEAKER_01I was speaking with uh with uh veteran uh who uh who is uh a former Marine. And I really appreciate the fact that you know they bring the same mission-focused mindset to their civilian life cost. You know, I haven't grown in the field, I'm not a veteran, so I don't I don't really know about that till I spoke with them, you know, how important it is for them to be able to still bring that mission-focused mindset and bring it to cyber security or whatever field you are currently working in.
SPEAKER_02I mean, I I I wouldn't say that the Middle East and everything was a bad time. I had a great time. It was a crazy time. I mean, there was times when, you know, uh funny story, you know, that this one time we uh we built a an island, you know, we're in the desert, so we built an island. Um, and it's it's a sand island. So we built the island, you know, and then we put the the the uh the camel spiders in, we put the the deadly uh ants in there and everything. It's like a war zone. We made a little bridge, we did a little moat around it with water and everything, and it was just like Death Island. And we spent, I mean, literally like three days, day and night, everybody's like, you know, into that island, right? And the the idea is like trying to get your mind away from where you're at, and then find something that that is like oh amusing, it's fun. Um, so I think I think back there's been crazy memories, there's been fun memories, there's been sad memories with the individuals that you know that we work with that were lost along the way. But and again, the memories, the tributes of of what we've done in life, and it really matters to not only myself, but it matters to all the veterans to be able to find a place where they could talk about it, release it, and and then cope with it and you know just share, share these great tributes, share these great memories with uh their co-workers, and of course the in the ecosystem that is the defense space that they could go to and meet everybody and say, remember when, right? Remember when it's uh and then they laugh about it.
SPEAKER_01I really uh appreciate you uh you sharing that. You know, many people don't really share about the ask like that, you know, like there are good things and bad things because they used to be uh like who we are right now. So uh uh now let's get to know you better. Okay. Tell us about the fact that you thought you would get it all for uh to work at a a ski shop in Austria. Tell us about that.
SPEAKER_02Uh huh, yeah. Uh so I spent some time in Germany, and uh, as I was there and I was working with uh organization, everybody probably knows DynCorp International, and um um I was there with uh uh with my fiance at the time and we broke up, right? And um I was devastated. So uh as much as I love snowboarding, as much as I love to go to uh you know Paris and I love to go to Austria, it was between uh just giving up everything and going to Paris and just be uh in the area and just doing the whole uh you know just uh French bread, cheese, and and you know, just romance, or giving everything up and party all day and night at the at the at the clubs, work the ski shops, drink shops, and snowboard every day. So I went there uh uh one weekend, and of course I've been there for so many and so many times. I had a whole family of individuals that work in snow shops, and we will party every night and we'll snowboard every day, right? So it was just the life. And uh I I thought about it myself and I was like, man, not a care in the world. All I have to do is sit there, clean boards all day, right? Have a couple schnapps, uh, you know, go and uh and snowboard at night and go and party every night, right? But um life life is weird, right? That's as I was about to do that, right? And I found a lot of friends that actually did something like that. And and and they lived life, and I was like, wow, that's amazing. Uh but uh I I met my wife. Uh at the point I met my wife, and I just everything just came to. And so instead of having that dream, which was probably like a month away from actually happening, uh, I was like, oh sorry, sorry, dream, I'll I'll let you go. It was like, my goodness, I like this one. I'm gonna get married. So um, you know, my wife brought me back to reality. We got married, um, and we had a first kid, uh, Jacob, uh, in uh uh in Germany. And then we moved back to the United States, where, you know, uh we're raising him and his brother and sister. 
We we had three children and uh lovely, lovely, uh, lovely children. Uh I mean they're they're tornadoes, they're chaos, they're hurricane, whatever you like to call it. But my little um he reminds me most of me, right? It's just his personality and his thought about, oh, I'm just gonna go do this. I was like, my young, my young butt, maybe one day you could do it, right? I'm not gonna stop you. If you if you wanna, if you want to dine coyote through China, if you want to uh uh snowboard and and and and work at a ski shop in Austria, if you want to go to Paris and and eat cheese and uh and drink wine every day, that's fine, right? Um, but it's my job today is to build that foundation for them to be able to do stuff like that, to live the life that you know I I'm gonna vicariously live through them somewhere along the way.
SPEAKER_01How old are your middle and your elder child?
SPEAKER_02So uh how old are my kids?
SPEAKER_01Yeah, yeah.
SPEAKER_02Yeah, so so my oldest is 14. So it's been 14 years since I I've been in Europe. Um, well, it's been 13 years since I've been in Europe, but I it seems like it's just today, right? Uh I have a six year old and then I have a four year old, and um, it's just uh the four year old is the craziest one. Very bossy young man that uh that bosses everybody, you know. Uh and I'm like, wow, yeah, you got your dad's personality. Uh hilarious.
SPEAKER_01And uh let's talk about your childhood. Did you grow up in the US or you grew up in New Yorktown?
SPEAKER_02So I grew up in US, right? I would say if we're discussing my parents to be first generation, I'll be second generation. Was born in uh San Jose, California, right? And then we moved down to uh Bayou La Batre, Alabama. So if you listen to different podcasts, you know that I grew up in the South, in the seafood capital of Alabama, uh, and um lived uh in the country, right? So it was uh it was a whole different type of living uh versus when I finally, when I grew up, I think it was 1920, and went back to California and realized how different the two lives would have been if I was staying in California or you know, just grew up in Alabama. So uh there's good, there's pros and cons, but then you know, really living in the South and really living in Alabama has given me the traits that I have today, right? Really strong traits that uh um that I treasure.
SPEAKER_01How old were you when you moved from California to Alabama?
SPEAKER_02I think uh it was three um when my parents moved to uh uh Alabama. You know, California had us had a lot of great stuff about it, right? But my my parents came from a small island in Vietnam called Fuwa, right? It's it's a it's a fisherman island, right? So what they knew was the fish and and and and the shrimp. So when they went to visit my aunt and uncle in in Alabama, they realized, hey, there's a lot of seafood here. So they they just moved over here, right? It's quieter, you know. California is so hustle bustle. Alabama, why? Right? Uh so we we were uh uh we were shrimpers, uh, we were oyster shuckers, we were crab pickers, we did all that, and you know, it just the life was uh uh it's very interesting. Very interesting.
SPEAKER_01So did you actually go in the boats? LSD? Yeah. Oh nice. Okay, I know that no.
SPEAKER_02I used to I used to be a daredevil, you know. It's like uh um uh I think middle name was like I was no fear was my middle name. I was the one that they send in the water whenever uh whenever we we're stuck somewhere and they give me a knife, say go in there and cut the nets. And I'll just dive in into, you know, just rough uh Gulf of America waters, right? And then just dive in there and cut the nets and all the fish and sand dollars are coming out. I'm the one when there's a storm. I I you know I uh um go out into Outriggers and I jump down with these boards that are slamming against each other and grabbing chains and you know, just removing uh stuff. So I mean, I was uh I was crazy at that point in time, but nowadays, you know, it just I think life is like this, right? Um there's nothing in life that is more complicated or uh than than what I've lived through, right? So if I find somewhere that's really hot, I was like, was it hotter than Louisiana, right? Was it more humid than Louisiana? Or was it hotter than uh Iraq or Afghanistan? Or was that? No, it's not hot enough. Or somewhere that's really cold, and I was like, is it colder than that one time that I went down the slopes in Austria, negative 21 degrees, my o's, my my ears froze? Is it that cold? No, it's not that cold. I'm fine, right? So every every moment in my life, uh, every obstacle, uh, you know, every uh everything that's in front of me, I always relate it to something that has happened in my past. And if it's not that bad, there's nothing that that will stop me from moving forward, completing the test.
SPEAKER_01So uh, you know, I tried uh snowboarding once. It didn't go well. I fell very bad uh hard and I was like I was done. Maybe I might try it again, but I can't really ski that one either. So what tip would you give uh give a 47-year-old who wants to learn snowboarding?
SPEAKER_02You're gonna fall a lot on your tailbone. You gotta commit, and that that commitment is scary. And I tell you, I I want to be honest with you, I I feel a lot of my tailbone. Uh it's just like, hey, watch me do this, knowing that I've never did it before, knowing that I've never jumped anything before, knowing that I've never been down a black diamond before, and spent hours trying to save me, me trying to save myself from drowning in snow, either that or going down a slope like this, walks everywhere, or you know, just flying in the air and realizing that that's not how you jump. And then your legs are in front of you, and just slide down um after you hit your temple, right? So uh there's there's a lot of pictures out there when I was in Germany where all you can see is like somebody took a picture and I'm sliding like 30 miles an hour down a bound, hair, everything's uh, you know, snows flying everywhere, and I'm just like, whoo. And it's just it, I was so in so much pain. I think I passed out. I just kept on sliding all the way to the bottom. I'm like, it's crazy. Okay. But you know, Visual, as as we're young, we do crazy stuff because we're like, oh yeah, this is awesome. But as we get older, I'm like, uh, my back does not feel like it wants to do that anymore.
SPEAKER_01Yeah. Yeah, I I got it once, I fell on my tailbone really hard, and I was like, I was done.
SPEAKER_02You know what they did? They said, they said, oh, you your back hurts, you fell on your tailbone 50 times yesterday. I'm gonna tell you, I fell on my tailbone a lot, right? And they're like, uh, here's here's a schnapps, and and and and and here's a painkill. Put it on, let's go. And then we go again. And then it's just like every day. Yeah. But that's when you're younger.
SPEAKER_01I will keep turning fire.
SPEAKER_02Don't do it. I wouldn't do it. I wouldn't do it. Not not not today. Not today.
SPEAKER_01Okay. So uh currently, uh do you still ski or snowboard?
SPEAKER_02Uh we used to s uh do it every weekend, you know, uh when when we're when we were in Europe, right? Um, so we're either in uh somewhere in Germany, uh, we're in Austria, uh, either that or we're Sweden or anywhere around there where we just if there's if there's snow, even if there's ice, the uh the the slopes in Germany was ice. They call it the ice wall. And I would say once you fall, you can't get back up because it's full of ice. Uh but uh if there's something that we can go down on, we we went down on. And I know that a lot of my friends uh in the summer, they would do uh biking, and they would go down those slopes on the bike. That is something I have no desire to do. Moving 30, 40, 50, 60 miles an hour down the mountain uh and looking at the clouds, uh, and yeah, there's rocks everywhere. Now you see it because there's no snow. No, no, that's something I wouldn't do.
SPEAKER_01But uh, do you do you still ski or snowboard?
SPEAKER_02You know, reminiscing about my youth and everything, I I I want to, and I think uh there's uh some AFCEA events next year in Stuttgart. And uh I know that there's one in Belgium and uh uh probably I I thought I saw uh Frankfurt, but if if I make it over there again, uh definitely we'll bring two things. One is my snowboard and two is my golf clubs because uh I want to play golf and I want to you know uh ski down the mountain, uh snowboard down the mountain.
SPEAKER_01Awesome. Okay. This has been a great uh conversation, and I think we would uh I would definitely like to continue uh some other day, you know, in another episode. But for now, tell us how people can can reach you.
SPEAKER_02So there's there's a couple ways you can reach us. A lot of times when you see us at a conference, please come, please ask questions. We're always welcome to questions. Uh, we also have people that come come to us uh uh through email. We have uh info in f o at beyond group cyber b-i-o-r-n uh g-o-up c y br dot com. You can email us there and say, hey, we we would love to have um some time to talk about our scope and and really see what you guys have to offer. Uh either that or of course we have a website at www.beorngroup.com or bjorngroupcyper.com. And uh if if you're heavy on LinkedIn, you'll always see me on there, and there's always a button that says uh that you want to set up a meeting, and definitely I'm more than willing to set up a meeting with your organization. I just want to say, because we are who we are and we create our organization based on you know betting on ourselves, uh, we're not private equity owned, we're we're not part of any conglomerate. So for us, when it comes to small, medium S and B, it's really easy for us to say, hey, would this work for you? Would that work for you? And we could be more um accommodating, accommodating versus a lot of organizations where it's just you're stifled with with a price and you're stifled what what you get, and you can't change it. Um our idea is as we grow, we want the ecosystem to grow with us. And um, if you look at our Bjorn logo, uh there's a small I in the middle uh of the big B. And for me, everything has a meaning. And to me, it's the industry base, right? Industrial base being the that that innocent small I that today that we're at. And our job as Bjorn is to secure and really, you know, mature the industry base uh to where it should be uh in the next uh coming up years.
SPEAKER_01And I second that, you know, like uh small companies, startups, they usually have a more uh personal service, which you won't get when you work with a bigger uh company. And I'm not saying that because we are small, just in fact because you are smaller you you care about people more because you you go through things as as a group, as a team. Some of the some of the that gets lost as you as grow.
SPEAKER_02Yeah, and I think visually we we we see a lot of uh plans, we see a lot of big organizations when everything's OKRs and metrics, right? Data analytics, OKR metrics, uh, you know, just understanding how they can grow and everything. I think before, and I want to be honest about it, and this is my passion talking, right? This is Khanh passion talking, is relationships are built, you know, uh through connection, communication, collaboration. Um, where we are in the you know ecosystem that is CMMC and you know, Cyber AB and all the C3PAOs, ESPs, and everybody in here, it's it's still as the infancy where communication and collaboration still matters. Relationship still matters. It's not just about OKRs, it's not about data analytics, it's about trust, integrity, and morals, right? And that's how I mean way back when the forefathers of Boeing, the forefathers of Lockheed, and all these other organizations, they build relationships. Relationships. So I really, I really believe in building relationships because somewhere along the way, I'm gonna need you, and somewhere along the way, you're gonna need me. And that when that time comes, I want you to know that over the last five, six, I think we've known each other close to four years. It's like uh, yeah, um, it's about relationship. We wouldn't be here today, or you wouldn't send people over to have a conversation with me if it wasn't for relationships and understanding what my values are. And I always want to keep that as forefront value over money, right? Money's great, let me tell you. But if I cannot do what I promised you I could do, then I'm not gonna take that job because all I'm doing is hurting you as an organization. We started off small, you know. Uh our investment was our team. Uh, you know, I uh a lot of uh C3PAOs today, RPOs and stuff, as we're building, we we mortgage our houses. 
We mortgage our you know uh our our assets because this this is our dream to build something that can last, that that is not only for today, but is for generational wealth, right? Not only are we protecting today, but we're gonna continuously see how the industry moves and how we're gonna protect it tomorrow. So it's not just being reactive, it's going proactive and being more predictive of where CMMC is going tomorrow and how do we protect it. Also, how do we change the lives of our our kids and our grandkids? And just maybe 10, 15 years from now, if I'm still here, we could sit back, have a drink, and talk about how the industry has grown over the last 20 years.
SPEAKER_01That'd be awesome. I would look forward to it.
SPEAKER_02Me too, me too.
SPEAKER_01And uh I love it, Khanh. I like uh value over money, connection, collaboration, and uh and communication. Thank you again, Khanh. Thank you so much for being on the show.
SPEAKER_02I want to thank you too. I I think uh uh when we talked about this uh uh three to four years ago, it was at the Eastern Defense Summit and one of my first partnerships uh was is with your organization for Zero Trust. And I want to make sure that everyone everybody knows it's like if there's any question that comes our way uh about you know the the partnership or the product that we we work on uh on that side of it, it's always with your organization. Thank you so much for the invite.
SPEAKER_01Thank you so much, uh this brings us to us to an end of another episode. I'll see you on the next one.