In this episode of ‘Inside the Win,’ Telarus solution architects Trevor Burnside and Jason Kaufman discuss a recent client engagement that demonstrates the power of strategic questioning and comprehensive solutions. The case study involves a manufacturing company with 50 employees who initially requested FedRAMP-compliant VDI infrastructure in Azure GovCloud but actually needed CMMC level 2 certification to retain a $23 million government contract renewal. Through strategic questioning, the team discovered that only 10 employees actually needed access to sensitive government data, allowing them to recommend a more targeted enclave solution rather than enterprise-wide compliance. The discussion highlights how asking ‘why’ can uncover broader business objectives and lead to better outcomes, transforming a point solution request into a comprehensive service that provides a faster path to certification within 90 days instead of the typical 12-18 month timeline.
Video Transcript
Transcript is auto-generated.
Welcome to Inside the Win. We’ll break down real world wins, showing you exactly how strategic partnership with our experts empowers you to tackle your most ambitious opportunities with confidence. Let’s jump in.
Hey, everybody. Welcome to another episode of Inside the Win. I’m Trevor Burnside, solution architect in cybersecurity, and I’m here today with Jason Kaufman.
Hey, everybody. Jason Kaufman, principal solutions architect. Previously, he was in the cybersecurity solution architect role, but now we’ve upgraded to Trevor. So happy to be here. Thanks, Trevor.
Well, I’m excited to be here today. We’re gonna talk a little bit about AI security, how they kinda meet together. We’ve been doing a lot of this lately, as you can imagine. Today, we wanna give just one specific example of how we’re working with clients, how we’re working with customers, and some of the takeaways that we’re learning from these types of engagements, and what are some of the things that you can take away with your customers in conversation. So, Jason, what’s the today that we’re gonna talk about, who is the client? What were they doing? And what kinda set the stage a little bit of, who we’re working with.
Yeah. So the partner came over asking, like, hey. I’m looking for, VDI infrastructure in Azure GovCloud. Who who’s a good supplier for that? And they just want a list of three.
And starting, you know, asking questions on, like, hey. This you know, it sounds like there’s another methodology here. There’s, like, overall goal, not just wanting licensing and build out and stuff for a FedRAMP compliant VDI solution. So I asked, you know, hey.
Can we can we hop on a call with the customer to kinda see what the objective is? Because I’m sure there’s more things that we can help out with here. You know, because there’s a lot of point solutions that go with many objectives, but you don’t really get the overall scope unless you start asking questions. So, naturally, the partner was like, yeah.
Let’s do that. It sounds like a great idea. I think there’s some stuff we can help out with. They mentioned a few other things, like these FedRAMP, you know, build vulnerability management solutions, that type of stuff.
So got on with the customer, and the first thing they said, you know, I asked them kind of, like, what their, you know, what their business is around, stuff, did some due diligence beforehand, and figured out, you know, they’re in the manufacturing space. They have a lot of government clients. And the one thing that they do have is a lot of, like, FCI and a little bit of CUI data. So that stuff that’s a little bit, you know, compliant.
You know, it’s it’s sensitive.
And, you know, there’s a lot of now, you know, restrictions and stuff that come in on what they need to do on how they manage their processes, how they protect the government data, and all that stuff. So I was like, you know, we were brought here to talk about FedRAMP compliant VDI. You know, we could do that day in and day out. We have many suppliers that could do that.
You could build it on multiple different infrastructures. You know, Azure is probably the one of the more popular ones, but I was like, what’s the overall goal? You know, because, like, you have fifty employees. You know, it’s a it’s a lot of infrastructure to do here, but what’s you know, what are you looking to achieve here with the the Azure FedGov?
And they’re like, you know, we we really wanna get CMMC level two certified because we have these x x x, you know, contracts we’re about to lose. And one of them was like, we have we have one coming up in eight months for renewal, and it’s twenty three million dollars. Like, that’s a lot of revenue that we’re about to lose if we don’t have this attestation. So I’m like, okay.
You know, that’s something we could definitely help out with. You know, Azure FedGov VDI is just a piece of it. But if you wanna get that attestation so you can keep that contract that you’ve already learned or earned, you know, we have other avenues that we can get quicker attestation to where we could build an enclave with the provider that uses Azure FedGov VDI as a part of it, but they also bring in all the other solutions.
So we started getting into the the conversation on out of that fifty employees that you’re looking at building out an entire Azure FedGov VDI infrastructure, how many of them actually see CUI or FCI data have access to it? And how many are more enterprise to where, like, they don’t need to be included with that. So we started building out kind of a strategy plan. Okay.
We’re gonna take the ten people that actually only, you know, really need this type of solution, build an enclave with them, and then everybody else gets an enterprise VDI infrastructure and, you know, a path to get to certification within eight months. Because as you know, Trev, you know, the first question we get is how long does it take to get the CMMC level two attestation going through the entire process, the readiness, the actual certification, the waiting time for a C3PAO to come in. And, it’s, you know, about twelve to eighteen months. So we’re already behind the eight ball, so we need a quicker path to do that.
Absolutely. Yeah. I there’s a lot of things from that scenario that I see patterns, right, with other clients that we’ve talked to, specifically around CMMC. One, some that don’t understand, they can actually segment the network.
They don’t have to have everybody FedRAMP compliant or or CMMC compliant. Right? That that’s one area that we see common. A second one is that we have vendors that can address all a hundred and ten security controls required for these you know, for the certifications where there’s some that can do some things and not others.
Like, you mentioned Enclave. Right? Like, a GovCloud Enclave. We have several suppliers within the portfolio that can do these Enclaves that are prebuilt, ready to go, that customers can move into, and they don’t have to do the DIY scenario with the GovCloud and and do it all themselves.
And and if especially if they don’t have internal expertise to do that, it’s just gonna extend their cycle on being able to get compliant. And then do they have the configuration in place that that’s gonna be acceptable anyway? So a lot of patterns here that what you’re saying that I think we’re seeing across the board. And especially when you’re looking at the impetus of why people are going are looking for these solutions, I think it goes across the board.
The more we ask why, we can start breaking down that iceberg. And sometimes what customers ask for, it’s just the tip of the iceberg when there’s really a lot more there that if we just ask a couple more questions, we can discover a little bit more and, address what they’re looking for rather than just a point solution.
Yeah. Because, like, everybody comes in with a preconceived notion on what they expect the solution to look like. They have their list of requirements. They know what their objective is, but they’re only communicating a piece of that because they’re asking for that one component that they need help out with.
And, you know, for this customer already in contact with Tenable directly for vulnerability management for the FedGov side. And they already had all these other point solutions. And the first question was, like, why do you wanna bring all those together, you know, differently? Let’s bring a holistic solution where everything’s included and it’s an easy package.
And it was really an easy easy step in to bring in some you know, we had Oriental and c three integrated into this one because those are easy buttons. You know, Oriental has that pre, you know, pre Enclave that already has the C3PAO that they partner with that can get you certification within, like, ninety days. You know, obviously, there’s a little bit of caveats there, but, you know, it’s a quick path to certification. And once they learn, like, there’s more out there besides, let’s pull in all these point solutions.
We have to manage it. We have to learn it. You know, and having something that’s an easy button, ready to go for something that’s highly complex. Like, they they left the conversation like, we want this conversation now.
We wanna get started on this because this is the answer we were looking for. And all it was is asking about the goals and finding what that crux was that the problem they were looking to solve rather than what they knew what they immediately asked for. So, I mean, it just getting on that conversation was a home run.
Yeah. Absolutely. I think another scenario or something to think about here is, oftentimes, a lot of these manufacturing companies or construction companies or smaller organizations that make, you know, a small thing that ends up going on an F-16 jet. Right? All of those companies that are even small, you know, very small manufacturing companies do have these requirements that they still wanna work with the federal government or the DOD or DOW. So I think that’s something as well that we’ve been educating partners on that. Ask the question about CMMC, especially if you’ve got small manufacturing companies in areas where there’s, you know, potential military bases or otherwise or where they could be working with contractors because you’d be surprised how many of those are working with the government and now are gonna fall under the CMMC kind of requirement.
Yeah. Definitely definitely agree.
What would you say, from this kind of, engagement were the key wins that to take away of of how we were able to expand this?
Yeah. I mean, literally, it came in as one point solution. That’s piece of a strategy. Now we brought in a service to where it’s a service that has a predefined avenue for certification path.
The certification path was the overall goal. So we got them on a road map and a very accelerated road map to get that done. Rather than just bringing the piecemeal solutions that they thought were gonna solve the problem, we actually brought in the service that’s gonna solve it a lot quicker than their current expectation. And in the end, they’re not gonna lose out on a twenty three million dollar deal that they already have a contract for. They just need to renew it.
So, yeah, it it was an expansion of a point solution to a full service and bringing everything all under one umbrella to where we can control the environment, and that’s the that’s true value.
Yeah. Absolutely.
Thinking as well kinda when it comes to CMMC, sometimes when we get into security, we can have a difficult time talking about ROI, right, when we’re putting in scenario or putting in solutions or things like that rather than just sometimes people look at it as an insurance policy rather than the actual growth enabler or enabler for the business. Now we try to change that narrative and show that cyber is an enabler for the business. I think CMMC is an example, though, especially when they have contracts or they’ve got things from a monetary value that customers are going after that we can easily show this is your ROI.
This certainly, it’s gonna spend you know, take money to get compliant to NIST 800-171, which is what CMMC is built off of. But when you look at the upside of what that enables for the business and the contracts that you can get, it’s an easier conversation because there’s an immediate monetary value assigned to those type of engagements.
Yeah. For this one specifically, it’s either you get the twenty three million dollar contract or you don’t. So from an ROI perspective, twenty three million dollars for a yes or no equation, that’s that seems like an easy decision, especially with the price point. I mean, if you’re looking at what what what is it, like thirty k a year or something like that for the full Enclave for five users, just kinda math it out for a little bit for the ten. Like, you know, ROI is exponential. Yeah. Easy.
Yep. Yeah. But in by, orders of magnitude. Right? And a lot of times when I get involved with this too, I I take a look and say, how much did you make with this government customer that you’ve had, you know, for maybe a couple of years?
And is it worth removing that revenue, sir you know, stream from your your business? Because a lot of that is, like, oh, you know, looking at these enclaves or looking at, you know, some of these kind of more turnkey solutions, people can say, well, they’re they’re expensive. Right? I’m gonna go DIY.
I’m gonna do it myself because maybe I can save a couple dollars, but you’re ending up, you know, in introducing gaps, introducing, you know, potential things you’re gonna have to remediate when you do an assessment and figure out, oh, we didn’t address this all the way. It’s not configured correctly.
When you look at, okay. This is what this customer is worth to my business. I would say, you know, what’s the speed to when you look at, like, a c three or oriental kind of like you mentioned, the speed to being compliant and being able to keep those contracts might be more valuable than just doing it yourself, right, and putting it all together, saving a couple bucks. But then you’re looking at a time line that you can’t really determine or define. And when those contracts come up, you don’t get to choose when they’re ready. Right? You gotta be compliant or not in those timelines.
Well, appreciate your time, Jason.
Thanks for, being on here explaining the deal. Always appreciate your insights. Anything else you wanna say with the to the crowd?
No. I was supposed to say thanks for having me. And, yeah, any requirements that come in that smells like there’s more to it, you know, just rather than just a point solution, somebody asking for licensing for Azure Fed or looking for a VDI solution that’s highly compliant, you know, always ask why. And if you don’t feel comfortable doing that, Trevor’s your guy, or I can help. But, you know, cybersecurity professional coming in, talking to them that knows the ins and outs, he’s obviously proved that.
You know, let us help you land and expand that opportunity because it’s you know, once it once it does, you get in that service part to where CMMC compliance is an easy button, now you’ve, you know, you’re you’re in with that customer, and you’ve you’ve shown them immediate value add. So, yep, here to serve.
Absolutely. Appreciate it. Thanks for your time. Thanks for the insight, and thanks everybody for joining us.