Ep.165- The Art of Discovery Calls: Stories from Military Negotiation with Chris Rose
Transcript is auto-generated.
Welcome to the podcast designed to fuel your success selling technology solutions. I’m your host, Josh Lupresto, SVP of Sales Engineering at Telarus and this is Next Level BizTech. Everybody welcome back. We’re on a fun, exciting track today talking about security, talking about military history, intelligence, negotiation, all kinds of fun stuff.
Today it is the art of discovery calls: stories from military intelligence negotiation. On with us today, we have got Chris Rose, Ariento. Chris, welcome on, man.
Thanks Josh, happy to be here.
Newer supplier to the Telarus portfolio, but you’ve got a lot of differentiating things to offer that we have never had before. So we’re excited about that. We’re going to uncover that a little bit today and we’re going to maybe we’ll just we’ll start this off with a little bit about your past. So you’ve got some cool military training. So maybe just walk us through a little bit about your background, how the military’s influenced your approach and kind of, you know, day to day go to maybe some of your deployments. Just fill us in.
Yeah, so I actually started I’m doing the military a little late. So I kind of did a little bit backwards. I when I came out of school, I went and worked for a Fortune 500 company doing insurance, actually auto insurance pricing, I was in a rotational program and got some some some tech experience. But I was one of those, hey, you plug in a computer and it works types.
But I always wanted to kind of do the military had some in my in my family. So I joined the Marine Corps a little bit later after doing that. And when I went into the Marine Corps, I was a little bit older. So I kind of had the I’d worked for a mature professional corporation, and I knew kind of going in, like how valuable something like this cybersecurity skill set and just IT in general would be so I kind of set my sights, you know, for that direction to learn some of the technical skill set that I got in the military, while also being able to lead Marines in the case of me, I joined the Marine Corps. And so I did the Marine Corps, four years to reserve after that, in terms of kind of my experience in the Marine Corps, I, I got pretty lucky in when I came in since 2010 2011. We were we were wrapping up Afghanistan, for the most part, we’re still trained in some foreign countries to go in there. But because we were we were focusing on kind of getting stuff out of Afghanistan, a lot of the stuff in garrison was back here at home was, you know, some of those some of those bigger box, we call it big box comm so that so that the ones that have kind of the capability of, you know, like a cloud service provider really were were forward in Afghanistan. So that enabled some of us smaller units and I just kind of ended up right place, right time to be able to do some pretty cool stuff back here in the rear that we would have never gotten to do because it was it was more of a, you know, battalion, you know, dedicated cybersecurity communications company task. So I got that experience. And then I ended up deploying to the Republic of Georgia.
And again, kind of right place, right time, we were we were training them to go into Afghanistan, because at that point, we weren’t really sending new troops.
But because of kind of the strategic important Republic of Georgia border in Russia, right. And so I got a lot of experience in that. And some of the cyber stuff there.
You know, when I was there, our commander got was tired of driving to the embassy for some of the classified briefings and reports and I’d have to go with him. So he said, Hey, I want to bring this out to kind of where we’re stationed. And so I got to set up all of that with Marine Forces Europe and kind of do some cool stuff. So that was me post Marine Corps, I went and worked for MITRE Corporation, who is kind of the cybersecurity arm, federally funded research development center.
The cybersecurity arm for the United States federal government does not have capabilities themselves, they buy it, right from contractors. In the case of some of the technical things, they actually set up these FFRDC, so federally funded research development centers, who, who are funded by Congress, so they’re not tied to a specific contract in the sense that they don’t they don’t want your well being tied to that contract, right, in terms of if you’re evaluating the security of say a system that somebody selling to the government. So I went and worked for them. And that’s kind of the cybersecurity arm before going back to school and then starting Ariento.
I love it. So I know there’s gonna be a lot of cool stories in there that we’ll have to pull some out. Walk us through maybe before we talk a little bit more about Ariento. Take us back 10 15 plus years hard lesson learned in their lesson from a mentor. What sticks out?
Yeah, I mean, I think, I think it’s, it’s, it’s the military communicates, you know, the Marine Corps specifically communicates some, you learn some good lessons just because in the case of the Marine Corps, for example, we’re kind of the technically under the Navy, right? So we’re always getting everything last. So we need to learn to be very resourceful in terms of, you know, the equipment, the gear, kind of the way that we execute missions, which is really, really important. And then we’re going to have to execute missions, which is part of the, you know, that’s been kind of part of the marine culture from the beginning.
But I would say some of the lessons are also just basic business lessons, right? You come in as a long young second lieutenant.
And the same way that you come into a new company or a new man, a new department or something and kind of the rule to, hey, give it the 30 60 90 days, right? Don’t start making changes, sit there, sit back and observe, right?
Because, you know, no matter how messed up you think things are, usually there’s probably a reason for it and you kind of learn it. So, you know, one of the lessons I would say, you know, you come in as a, as a fresh out of training, really excited to get to the fleet and the Marine Corps.
And you start thinking, you know, I’m going to, we’re going to do this better. We’re going to build a better mousetrap, right? And, and, and you’ll definitely get some pushbacks, especially from the enlisted side.
So again, a lesson you learn in, in, in large mature organizations in general, which is in just leadership in general, to kind of take a step back, you know, observe, and then, you know, put your stamp on it kind of when the time’s right. I think the other thing from a, from a Marine Corps standpoint, at least that we incorporate, and when we started Ariento, the idea was we bring some of this military technology in the military model, at least to the private civilian world. And that’s evolved, but, but still to this day in kind of our training programs for entry-level folks, whether they’re coming in as a IT help desk or a SOC analyst,
the value of that repetition, right? Within some of the term we still use, we run a DOD skill bridge program where we get a lot of military interns, but we still use terms like battle rhythm, right? The value of repetition in training folks on how to do it is very much a military thing that serves us very well, you know, at least in our managed services business. Awesome.
So let’s, for anybody that’s not familiar, let’s talk about Ariento, right? To us, when we initially came across you guys, there were some very clear standouts. But from your perspective now, being in the portfolio for a little while, break us down on who Ariento is, what do you do? And then what are some key areas that you really stand out?
Sure. I think if I were to simplify it, oversimplify it probably, I would say, you know, we do CMMC. So the cybersecurity maturity model certification, which is a new regulation that went into effect December 16th of last year. I know we’ll talk a little bit more about it, but at the end of the day, it’s a contractual obligation that the federal government starting with the DOD is enforcing on their 300 plus thousand for the DOD, you know, millions for the entire federal government on their contractor base to protect intellectual property of the government, right? And we’ll talk about what that means. But, so that, so CMMC is something that we kind of approach to kind of go back. I think it’s important to understand the CMMC if we’re going to describe what we’re doing. So in 2017,
the Department of Defense, again, Department of Defense is kind of leading the way on some of these efforts and particularly CMMC, but it is heading to the rest of the federal government. We’ve seen some of that. But in 2017, the DOD came out and said, “Hey, we’re going to pass a regulation just like they did with CMMC, and it is going to be a contractual obligation for, around cybersecurity, for our contractor base.” But it was a self attestation is what we call it. So you have to do this stuff. You have to be compliant with NIST 800-171. And oh, by the way, just sign here and you have to affirm that you’re doing it when you sign the contract.
Yeah, I promise. I promise I did it real good.
Yes, exactly.
As you can imagine,
they did a couple years later, they did a inspector general kind of report to try and where they sampled some contractors to say, “Hey, how’s this program working?” Right? And the answer was, “Well, not only is our cybersecurity not any better, but we’re being charged on average.” I think it was like $1,600 per end user. The government’s being charged because companies are saying that it costs them that much to comply with this. So it’s being passed on to the government ultimately for the bill. So it’s like ultimate fail.
And that was right around the time when the F-35 had just kind of come out the new fighter jet plane. And basically China had it like next week. And it’s like, how did China have this? We’ve been working on this for a decade.
I’ll be talking fast. This is what I see across the board.
So they said, “Okay, we’re going to take a step back.” And that’s where CMMC was born back in 2019, kind of 2020, where they said, “Hey, we’re actually going to put this third party… We’re going to stand up this entirely new industry of third party auditors, which will actually come in and certify companies that they’re doing this and that they need these 110 security controls and requirements. And you have to have that certification to be able to be on DOD contracts, you know, ultimately federal government contracts.” So that was kind of the big change. And then it’s taken them like anything with the federal government four to five years to get it out. And then December 16th, it officially came out.
So back to Ariento and what we do, we were fortunate enough at that time, a lot of people like me, background in federal government contracting, military. And we had a board member, actually former Marine, who at the time was the CISO, the Chief Information Security Officer of NASA JPL.
Back to that FFRDC thing and MITRE. So NASA JPL is an FFRDC, federally funded research development center, funded by Congress because what they do, you know, is something that is needed to be done and not put out for bid and contract and be kind of muddied by private contracts.
Johns Hopkins, Advanced Physics Institute and Carnegie Mellon Software Engineering Institute are also FFRDCs. They’re the ones that wrote the CMMC standard. So because we have this board member who was a CISO, we sat on the same CISO committees as them who wrote the standard. He said, “Hey, you guys might want to take a look at this.” And at that time, we kind of set a strategy to go after it. And what that strategy was and what we do today is we are, we were one of the first, an authorized, what’s called an authorized C3PAO, CMMC, third party assessor organization. One of those that the DOD has come in, they’ve assessed us, they’ve cleared us to be able to perform these third party assessments and give these certifications so that people can do business with the government.
There’s, I think there’s 66 at last check. So we’re one of those 66.
And that, and, you know, we also help folks get ready because sometimes people want an auditor, they want somebody who knows how to audit to make sure they’re going to pass the test so we help folks get ready on kind of a project basis. That’s one side of our business. The other side of our business is our managed services side, which is what, you know, we, we’ve been doing on the commercial side for quite a while, but we also do it now on the CMMC side and have a lot of growth there.
And what that is, is you look at the government contractor basis of the DOD 80 plus percent of contractors are 30 employees or less. The government, the federal government drives small business set asides, right? They give rewards because they want small businesses. They want a fragmented supply chain, right? It’s not just the big primes that you think of the Lockheed’s, the Booz Allen’s and that kind of thing. So for them, for those, they don’t really have a choice but to outsource this, right? And so we provide some different managed services to help them deal with this burden and basically kind of take, you know, some or all of it off their plate.
I love it. Not, not to, seems like the Star Wars jokes always come out when we say these, not to be confused with C3PO, but you guys are, if we, if we look at you guys as a services company, to be fair, that’s where a big clip of the billing comes from. So there’s, there’s two paths. Let’s, let’s talk about these two paths just to help everybody understand because this is a completely new path for our TAs out there. We’re, I’d say we’re very accustomed to over the last few years, getting into the traditional services side VC. So augmented scope of work preparedness, things like that. So we can talk about that a little bit. And we’re going to have some kind of some talk around that. But the other side of it is we’ve turned down these opportunities over the years because it was, hey, who do we have that can actually attest to say, this entity is certified, we used to always have to say, ah, we don’t have anybody, they got to go figure out themselves. So let’s, let’s talk down these tracks a little bit, going down from an assessment perspective, I guess, what do you see the start with that first part, right? Not the certification side, but the assessing part, what do you see out there day in, day out? And if for the advisors that are listening, that maybe haven’t ventured into this, what would you advise them to start incorporating some of ways they could help their own customers out and their prospects out?
Sure.
I mean, I think that I think the first thing I would say to the advisors is, is that this is, this is a specialized thing, right? And I think, you know, it’s a new industry that the federal government, the DOD has created overnight. And so there’s a lot of attention on it, right?
And a lot of folks that are thinking and saying, you know, Hey, this is another HITRUST. This is another ISO, right? And what I would say to the kind of the advisors is just be careful in terms of positioning yourself that way, because the federal government is, you know, they have the purchasing power, and they also have the DOJ, which is different than some of these others, right? And they have fully wielded it in this case, in terms of, you know, there’s been a ton of pushback over the last four years on this is too big of a burden. This is whatever. They justify it again, back to the F-35. They say that we’re losing more than the defense budget, which is in the trillions, right? We’re losing more than that a year,
because this information is basically our adversaries are picking off all these small suppliers. They’re putting it all together, and then they have the plans of the F-35, right?
And they’re saying, so if we’re not going to do this, well, what’s the point? We’re just we’re just spending this money twice. So that’s their, that’s their their logic. So, and they know that, you know, the government ultimately foots the bill for this extra burden. And that is cheaper than what we’re losing to our adversaries, right? But it’s, it’s specialized in the sense, and then what we’ve seen is, is, is the False Claims Act, right? Which is something that the, that it’s been around for a long time. The Department of Justice goes after contractors for false claims, right? Saying, Hey, I do this, right? In the past, they hadn’t typically used it for cybersecurity. But with all of this, now they’re starting to, and you can kind of Google DOJ cybersecurity claims, and you’re starting to see them going after folks for attesting to cybersecurity for saying this, right?
And I just say that because back to the advisors, this is a specialized thing. And the, the, the stick that is behind it, right? As well as the carrot, it’s a great business opportunity. Is a lot more than, than, than the ISO community, HITRUST for sure, which is like private, right? And some of these other ones, even SOC 2 created by AICPA, right? That’s a CPA driven, partner driven thing. Not saying those aren’t good compliance standards, they are. But,
but there’s just a different level of weight.
And I would say, unfortunately, you know, with the government, they tend to, this whole thing’s based on a National Institute of Standards and Technology framework, right? NIST 800-171.
FedRAMP, for example, is based on NIST 800-53, right?
The government tends to trail, no secret here, right? A little bit in terms of kind of being cutting edge, right? In terms of compliance and technology. So again, for that reason, like you just have to know this stuff. And for the advisors, I would say, hey, go, go get training on this, right? There are certification courses you can do to be a certified practitioner, CMMC certified practitioner, CCP, even an auditor, even if you don’t plan to audit or you’re not working for, for a C3PAO. Because that really helps to understand it. But in this new world, right? Where it’s literally a new industry being created overnight. There’s just a lot of misinformation and snake oil. And I would just say, hey, be careful, you know, to, to giving advice in this space. You know, bring in folks that know what they’re doing while you’re learning. Because, you know, three years from now, this will be a more mature industry and people will know it, right? And it’ll be, it won’t be the first time all these companies are going through assessments. But what we’re seeing in a lot of these, our C3PAO side of the business is they’ll go into, and we’re even talking Fortune 500 companies here, right? That you would think would know that have the money to invest in this. And they’re finding out that they’re not ready, right? And we’ve even instituted a process now where we require a mock assessment before we’ll do the actual assessment. Because we don’t want to set our clients up for failure. And then they’re mad at us, right? We would rather say, yeah, that’s, you’re not ready.
Yeah, that’s huge. I want to talk about this for a second. I want to, I want to pinpoint on cost and at the risk of drawing some attention, current political climate, right? When you mentioned what’s happening with the Booz Allens and these giant contractors, this, there’s this idea of, is there waste? Is there excess? Have we just been checking boxes? And so I think for the TAs that see any of this going on out there and kind of the existing political climate, I think this is opportunistic in that they’re going to take a lot of money. And that they’re going to take a lot of very hard look at who the government is doing business with. And I think you’re going to see some things go out to bid that otherwise you might have been like, Oh, man, Lockheed’s got that contract for 600 more years, right? How dare I can never get into that mix. And so I think this is an exciting time that you guys have both paths to offer and a very clearly the way that you talk about these things, you guys have a very profound, deep expertise. So I think for the TAs, see this as opportunity in that things before that that may have been unreachable are now, I would look at those and I guess the second thing I would love your feedback on this before we go kind of down the assessing side. I feel like we’re seeing a lot more, you know, the stigma of what a government contract customer might look like might be this big, huge RFP bid something something formal like, Oh my gosh, who’s that who’s going to win that versus now it just seems like anybody doing any sort of business with the federal government with any subset of data, a traditional private company is, Oh, yeah, I got to have this too, right? So it seems like there’s a much broader swath of public sector and private sector companies that are being beholden to do this. Are you seeing the same?
Even to the depths of it, one thing that I didn’t quite realize when we got into this is international, even the amount of not just multinational like based in the US, but surely international companies that do business with the Department of Defense, right? So we’re seeing Sweden, Australia, Canada for sure, right? Some of these companies that are, this is even a bigger burden for them because it’s probably a small percentage of what they’re, they’re, they do business with, but they have to kind of put this in. But yeah, I mean, and I think the book, it’s federal government, but if you take them at their word and there are some programs out there, they are trying to that whole thing I mentioned where they’re 10 years trailing. I think they’re trying to do better, right? In the world of AI, you know, there’s a program. There’s a lot of companies we see called it’s called the small business innovator innovation research, SBIR companies, right? Which is kind of like, Hey, if you’re a startup, and you’ve got a cool technology, come pitch us on it. And, you know, we might give you a contract, even if it’s something that we didn’t know we wanted to buy, right? So to your point, it is, it’s touching not only the big primes, but, but even, you know, companies that traditionally weren’t necessarily looking at government contracting because of the buying power of the US federal government.
So earlier, we talked about, you know, the two, I always think of you guys as two forks, either got to go help me, you know, kind of be my virtual CISO and do all of these things for me for this entity, or you got to go, Hey, Ariento is the company you’re going to bring into the assessments, right? We got to kind of wall this off. So let’s go down. We went, we went down kind of that CISO type thing earlier. Let’s walk down again, lessons learned for the TAs. You do so many audits, so many assessments, attestations, getting everybody ready for that. What do you think, what should the advisors glean from that? And how can they incorporate that side of things?
I think, I would say start with scope.
Scope is what’s most important in these assessments, right? And when I say scope, what is being assessed? And it seems like a simple thing.
But it’s, you have to put it into the CMMC kind of scoping guides. And this is all public information, right? But at the end of the day, what CMMC is about is two types of information, right?
That the government considers proprietary and that they’re contractually obligating their contractors to protect. The first is what’s called controlled unclassified information or CUI.
It’s no different than, you know, we have a contract with you, Telarus, right? And we, if we wanted to write in there something saying, hey, as a partner, if we label something confidential or sensitive, we want you to protect it in this way, right? You don’t have to agree to the contract, but if you do, then you got to follow it, right? In the case of the federal government, it’s kind of a take it or leave it. You want to do business with us, you take it.
But so CUI is a replacement for those who have been in the space of the old FOUO program, for official use only. The CUI program replaced that during the Obama White House years.
So that type of information, if the government is giving it to their contractors, they’re obligating them to protect this. The second type is what’s called federal contract information, FCI. It’s kind of a catch-all that says, hey, well, anything else that’s non-public that we might not label it CUI, but that we, you gleaned in this contracting process. We also want you to protect that. It’s kind of a, kind of a catch-all. But the point being is when we get back to scope, the way that you define scope is you figure out what people, what systems, and then where the facilities are that those people and systems are in, right? Including the cloud, including Microsoft, including Amazon, right? And that’s your scope. Wherever this information goes, whatever systems it touches, whatever people’s conversations or heads or they interact with it, it goes in. And wherever those two things are located, that’s the scope of a CMMC assessment.
And the reason that’s so important and the reason that we stress that and see problems is that if you don’t know how to scope, well, how are you going to have a conversation with an assessor to say, here’s what you’re going to assess, right? And what you don’t want is to get into the thing where you say, this is our scope and an assessor looks at it and says, well, no, no, no, this is your scope, right? You just told me that you’re sending CUI in email, but you didn’t list your email system here in scope, right? Because then you’re starting over. So it really does start, and we see plenty of companies that will come in after the fact, right? They’ve already fired a couple vendors. And it’s like, hey, I hate to take you back to the basics and the foundation, but let’s start with scope because then you can make intelligent decisions on maybe scoping things out and narrowing your scope. So I think for the technology advisors, a good asset inventory, people, systems, locations, and whether they touch CUI is a great starting point.
Okay. So if we get back to the theme of the track, this is about layering in ways to help during discovery calls, right? So you’ve got this intelligence background. There’s some psychological things that go into this process that you’re trained with. But if our TAs are coming from, okay, maybe I sold CX to this customer before, or maybe I sold them cloud infrastructure, the listeners on the podcast are all about trying to figure out, all right, I sold that. How do I go into this? Or if I’m doing this, how do I do it differently or more effective? Or can I learn a tip or trick to help me on a new prospect that I’m trying to drum something up and say something unique? So in that, if you think about it, how do we just start this with the right questions? I always love to pick everybody’s brain. What are the right questions to ask? Because this is a really sensitive topic that demands a certain level of expertise and confidence and trust.
So how do we frame that up and what’s the right question set?
I think, and the technology advisors, I think usually have a pretty good idea, but do they do government contracting, right? Even if it’s state, you know, and then you need to understand, okay, well, is it just, is it state government contracting? Is it local, right? But if they’re doing business with the federal government, then this is going to be a thing, right? It either is a thing right now because they already have some of these clauses and the assessments are starting or, you know, it’s going to, the DOD is kind of a spearheading this, but we’ve already seen, you know, Department of Energy,
Department of Homeland Security, right? Some different things that are going to be like a close follower. So that’s likely coming. But I think that’s the starting point.
And then once you have that, I mean, we don’t really see too many problems today. Now that this has been a law, right? What we see is more misinformation, right? People thinking, oh, they’re telling me I got to be compliant tomorrow, right? Well, not quite, right? Like, this is the world we’re in right now. This is the world we’re transitioning to, right? And being able to understand that. And so I think, I think getting the right decision maker that understands their government business, right? And then, and I think the other thing that’s really important is what percentage of a company’s revenue, right? How big of a deal is their government business? Because if, even if it’s a Fortune 500 company, if we’re talking, you know, less than 10% of their revenue comes to the federal government, right?
Likely back to scope, they’re going to be looking at maybe doing, hey, you know what, we’re going to carve out this enclave and we’re going to create, I’ll use Lockheed Martin.us for these 40 users. And we’re going to just make them work out of that for when they’re doing the DOD business, right? And we’re going to get that certified. We don’t want to go through, you know, getting our entire multinational infrastructure certified, right? So, so the percentage of their business that this affects usually, it leads towards, well, what are the options in terms of addressing it, right? Lockheed was a bad example there. Lockheed, Booz, right?
What they do is primarily government contracting. So they’re going to have to do their, they can’t really narrow that scope in that sense.
But, you know, there are larger companies that are maybe especially based abroad, things like that, that we’ve seen that, that 5% of the revenue comes from the DOD, right? And it’s, it’s like, okay, well, there’s some different options available to you. They’re a lot quicker and then are just a lot more confined in terms of scope and don’t open your whole business up to opening the hood.
That’s good. Okay.
So now I’m going to pick your brain for story time. So I know you got a lot of cool stories in there. There’s probably a bunch of them that are at a level of security clearance that I myself am not at nor can we say broadly. But dig deep funniest, wildest, scariest thing that you can share that is declassified that, you know, that you just learned throughout the years.
I will. So in the,
in the. I shouldn’t, I shouldn’t associate this with this, but in the wake of the current Signal stuff that’s going on or the whole using the wrong messaging app.
Can we, can we shift for anybody that’s not familiar?
You know, people use Signal. Signal is led to be this secure communications thing. You get Secretary of Defense, VP, a handful of people communicating and accidentally added a reporter from the Atlantic on a text thread for anybody that’s not familiar with that.
No big deal. And they were talking about some stuff. Nothing, nothing major, just national security. Just, you know, security clearance violation.
So, you know, everybody is human, human beings, right? They’re all people, right? So when,
when, when I was deployed to the Republic of Georgia, right, one of the things that we were doing, obviously, Georgia is an important strategic location in the world, right? They were the first ones to declare independence from the USSR.
But, and looking at Ukraine, right, and everything’s going on, right? Russia had done the same thing that they did to Ukraine in terms of to Georgia back in 2008. They called it the 10 day war. They basically just came over, took a couple of territories, huge cyber outage, and then went back.
So part of it is, is, you know, we’re building these relationships with the Georgians, right? Because they’re a strategic partner. It’s not just, yeah, we’re getting ready to go in Afghanistan. Yeah, there was some cyber stuff that we were doing there that was important to, you know, not just the Georgians, but just because of the proximity and, and you get trained on that stuff before you go in country, right? You get trained on, you know, their culture and to be able to assimilate with them and relate. And so one of the things that we got trained on and warned on was, hey, they have these things called Supras. A Supra is essentially a feast in which you toast what seems like every five minutes and take a shot, right? And they, and basically the warning was decline, decline. It’s not disrespectful if you decline and don’t show up. What is disrespectful is if you show up and then you try and bow out or you’re not taking all the shots, right?
And like anything else in life, right? The, everybody has to be in this training, but maybe the senior folks don’t, maybe they were doing something else or they weren’t, you know, taking it seriously. And I was, I was one of the younger ones on our staff at the time. So we’re walking around downtown Tbilisi. I’m with another peer of mine and get a text to say, hey, show up here, right? By a senior Marine, right? Saying that ultimately I worked for, hey, show up here, right? Okay, show up there, right? Walk in the door and clearly a Supra is kicking off, right? And they were absolutely right in the training. I will say that this ended with multiple senior and junior level folks. Like somebody at some point had the wherewithal to call one of the senior enlisted back at base and say, hey, you better come get us out of here because this is, this is getting out of hand. And to the point where, you know, everybody is puking everywhere. You know, I don’t know, you know, blackout drunk and, and we, again, because you couldn’t stop once you, once you started, it would have been disrespectful to stop.
And we get, you know, we get piled into a, into a van and, and it was a less than ideal car ride home and they’re trying to sneak us in the back. So the junior Marines don’t see us. So I think that would be one of the crazier ones where we should have followed the training. But that’s that the Georgians loved us after that. Oh, yeah.
Yeah. Your buddies after that one. Nobody forgets that story.
All right. Final couple of thoughts here as we wrap this up. So, you know, this is, we talk about government is slow moving legislation is slow moving, but there’s a lot of sensitive things in security that may cause it to move quick or may make news and people have to figure out do they do something with that. So you just think about like you talked earlier about playing the long game, coming into the room, not making changes right away. So how do we, how do we wrap this up of if something changes in legislation, how do we stay ready for that? Does it change? Do we trust the process? Like what’s your, how do you think about things like that?
I think this is something that it’s had its ups and downs, right? I mentioned it’s been four plus years since they kind of started this journey. They actually rolled it out once under the under the regulation of an interim rule, and then they kind of immediately pulled it back because you had lobbyists, the only answer. So, so this has definitely had the roller coasters of it’s coming, it’s not coming or it’s changing. Right.
And, and but it has gone through multiple administrations has actually started in the first Trump administration. And so I think, you know, what I would say is cybersecurity is pretty nonpartisan.
It’s one of those things that both sides of the aisle tend to get behind with all that’s going on in the doze in the world today. This has not been something that’s even kind of remotely hit the radar. And like I said, the law passed, which is the good news, right? But I think, I think that the buying power of the federal government, I mean, every year you guys have got plenty of vendors, right? Every year there’s a new cyber compliance standard to comply with, right? Whether it’s a state issuing it, whether it’s a private organization, whether it’s international community, this is not going away. They’re only just adding that. And I think the thing that I would say related to CMMC and FedRAMP kind of by it being adjacent is, is the buying power of the US federal government. I mean, when this thing came out, everybody, Canada, Australia, right? All these countries wanted to, Canada’s got their own version now. They wanted to hop on and do, you know, reciprocity with the DOD and, and, and figure out how they can, you know, same thing to ISO standards.
I trust everybody wants to say, well, Hey, can you give reciprocity for our standard to CMMC certification? Right? And the answer to the DOD because of the federal government is no. However, you know, in reverse, there are some indications they’re going to give, give reciprocity, right? These standards, because they want to stay relevant. But I, I think the bigger thing is, is that because this is the federal government, how much buying power they have, at some point, this stuff has got to start to consolidate. Because it’s too burdensome, right? At least, at least at the United States government level, right? So, so the States, maybe that, you know, there becomes a federal standard, we would hope.
But this is the first time that we’ve seen an actual regulation related to auditing, right? And third party independent and standing up a whole industry. And I think, you know, you look at the financial world, right? And the pre-SOCs and all that stuff.
This doesn’t, to me, seem that much different than this is the start of third party inspections of people’s cybersecurity, right? Because it’s just that important. You take it back to, you know, it’s the fourth generation, next generation warfare type stuff. Like this is where the fight is. And just like the financial stuff is, is important. I think the cyber stuff is coming that way. So this idea that there’s going to be this third party auditing arm for this stuff, I think that’s, that’s only growing and not going away.
Does, final question, does the quick evolution of AI or compute or GPUs or anything, does that change it as you look forward to the future? Do we still double down on everything that you said or anything else to kind of keep our eye on?
Will, but I think this goes back to that 10 year thing, right?
They’re not ready to take AI in that way, right? From a compliance standard, it’s a slow moving thing. And so this is what it is right now, which is the start, right? It’s the start to then build on. And yes, they will adjust the security controls by tying it to the National Institute of Standards and Technology. It’s not just a DOD thing. It’s not just a one branch thing. Everybody can tie into it.
I think there’s a lot more to learn about AI, but I do think that that will become a part of this. I think that’s just probably compliance tends to trail behind actual security. And so you’re probably talking, you know, 10 years from now before you start to see the security controls related to AI in a compliance standard like NIST 800-171.
Awesome. Good stuff, man. Chris, you dropped a lot of knowledge, a lot of expertise. Clearly, this ain’t your first rodeo. You guys know what you’re talking about. You got a lot of in-depth expertise here. And so I appreciate you coming on and sharing some knowledge with us, man. I just appreciate it. All right, everybody, that wraps us up for today. As always, don’t forget, episodes drop every Wednesday so you can catch them. Whether you’re coming to us from Apple or Spotify, be sure to get those as they drop every Wednesday morning. For today, that’s been the art of Discovery Call stories from military intelligence negotiation. Chris Rose, Ariento, I’m your host, Josh Lupresto, SVP of Sales Engineering at Telarus. Until next time.
Next Level BizTech has been a production of Telarus Studio 19. Please visit Telarus.com for more information.