Matt Howard: My name is Matt Howard. I'm the chief marketing officer here at Virtru. I'm here today with my colleague Andrew Lynch. Andrew, please go ahead and introduce yourself.
Andrew Lynch: Yeah, thanks, Matt. My name is Andrew Lynch. I'm the VP of Sales here at Virtru. I manage a couple of our sales teams here, and I'm excited to speak with you today.
Matt Howard: We want to have a quick conversation about CMMC. It's a topic that anyone in the federal government contracting community, also known as the DIB or the defense industrial base, has been wrestling with, honestly for a couple of years now, and probably today is faced with the reality that CMMC is on our doorsteps and about to be in play for everyone in the federal government contracting arena. Andrew, welcome. Great to see you. I know you've been spending a lot of time over the last, honestly, couple of years talking to lots of small contractors, medium contractors. You know, curious to get your take when you talk to those customers and you've been sort of hearing them inquire about CMMC compliance and security process and security maturation. What have you learned?
Andrew Lynch: Yeah, thanks, Matt. Good to be here. Great question. I think to your point, it has definitely changed over the past couple of years. I mean, thinking back to when CMMC 1.0 or the first version came out, I think we talked to a lot of organizations that were trying to be proactive with getting in front of it, but still just doing a lot of research. I think a lot of them were trying to uncover, you know, for example, where encryption fit in or what aspects of encryption they needed. I think that a lot of them were somewhat confident that maybe things would change with the requirements, which which they later did. I have not worked for an organization within the defense industrial base, but I think, again, a lot of those who had kind of saw some of the challenges with meeting CMMC, maybe some were unrealistic. So that then, I think, led to 2.0. So most recently, you know, we've been having a lot of conversations with organizations now that are seeing it's serious, it's coming. We need to get ready for it. And to that point, I still think a lot of them are trying to prioritize which aspects to try and meet first. It seems like while the requirements are somewhat straightforward, with the NIST 800-171 requirements, there are still some uncertainties. So I think that's... we're regularly I think, which I enjoy these conversations learning from people kind of what they're going through and they're still looking to learn. It's one of these things where we just recently, for example, had a somewhat basic webinar around CMMC, kind of how we're talking now, but still hear positive feedback from people that are just still doing the research.
Matt Howard: Yeah Yeah. So, so I think it's great context and you use the word "learn," which is I think critical because that's what sessions like this are all about. I mean, for the benefit of anybody watching this, Virtru is definitely not a CMMC expert, neither myself nor Andrew. We are a data protection business that provides governance controls for information that needs to be shared in a variety of different workflows, primarily email and file centric workflows. And in light of CMMC, we do one thing pretty well, which is governing CUI data in a way where organizations can progress their maturity as it relates to cybersecurity, best practice, and align themselves for CMMC and position themselves to compete more effectively and win contracts in the government business where CMMC is relevant. And so, with that said, Andrew, you know, I'm not an expert, you're not an expert. We both know that CMMC itself is a big, broad puzzle and Virtru itself is really just one small piece of the puzzle as it relates to encrypting CUI data and governing and controlling that. More practically speaking, I'm curious about this idea of complexity and cost. I know most of the organizations that you speak to have a lot of questions about that. Can you comment?
Andrew Lynch: Yes so that is definitely something that, as you can imagine, comes up on most calls. That said, I mean, a lot of them, which is great, they're able to see some of the packages right on our website that they can...
Matt Howard: Give me an example, paint a picture for me. Like what is a typical small to medium government contractor look like? How many employees, how big is the IT shop? Paint that picture for us.
Andrew Lynch: I would say, I mean, a larger one that I just spoke to today. The organization has about 22 employees. I would say that's on the larger end of these smaller government contracting agencies. Of course, we've worked with large enterprises that are going to need to meet this. But I'm talking the average...
Matt Howard: Dozens of employees.
Andrew Lynch: Majority of the makeup of them as well. There's more 20-employee contractors than there are, you know, 10,000 employee big five. So yeah, these are organizations that some of them have an IT person. I would say the organizations that are fortunate enough to have one have people that have the knowledge to, to research what's needed to meet CMMC on the other end, I've talked to people that, you know, they are maybe a CMMC manufacturing organization where the person who is making the gear that may go into a military vehicle is also the one who's tasked with looking into meeting CMMC because he or she is the owner of the organization. So it's really a wide range. That said, to the question about complexity cost. What I've learned is these are busy people that are stretched thin, you know, having been in sales for some time, selling to small businesses, also selling to corporate organizations, you know, there's a difference. Most of the people we're talking to, again, they are a lot of times the payroll, the HR person, the IT person, the legal person. So I commend them for all the duties they have, but they are tasked with now researching what's needed to meet this. They may be less familiar in some cases with it, but they have been in business for a long time. They want to stay in business. They want to be compliant to be able to continue to win business. Then I would say where they're usually excited to speak with us is they have gone through uncovering that there are often few options from what they've seen.
Matt Howard: Affordable options?
Andrew Lynch: Affordable—Well, I would say even few to start! Whether they're affordable or not, I would say, compared to and to Matt's point, for those listening, we are not a CMMC company. We do not just help organizations meet CMMC or ITAR, for example. You know, I somewhat joke with people that we speak to that, you know, out of our 7,000 customers, probably by sheer volume, the most common would be a psychiatrist, a solo practitioner, or a dentist. You know, it just so happens that they're using encryption that can, that can meet these CMMC requirements.
Matt Howard: Yeah and, and to put a fine point on that, I mean we're talking about with 7,000 customers at Virtru, we have, you know, obviously a set of them are sort of large enterprises, a subset of them are medium enterprises. And then the vast majority are small businesses that are IT constrained and honestly, you know, have finite resources to try and do what they need to do to A. secure their business and then B. comply with whatever regulations or standards that they need to be compliant with. And in the defense industrial base now front and center is CMMC. So, with that idea, you know, where do they turn first? Is it Google, is it Microsoft? I mean, so many of these small organizations who don't exactly have IT departments aren't really running and managing Exchange servers themselves. Instead, they're probably, I'm guessing, I don't know. You tell me. Either with Microsoft Office 365 in the cloud or Google Workspace in the cloud. And how much of that does do they benefit from that in terms of having security controls in place that would allow them to claim CMMC capabilities?
Andrew Lynch: Yeah so I mean it is all, I would say, they're all of them. I would say from my experience, probably less than some of the other compliance regulations that we're working with, less of these have moved to the cloud. I think historically, because there was always more of a concern to be able to control their data and protect it. And so they may have been on Exchange previously to also meet some of these compliance requirements. I mean, even, for example, with ITAR, I mean, that was only in the past few years that we, Virtru, could even help an organization meet that requirement when it comes to emailing or storing technical data or export data. So it's, again, across the board, but a lot are still on Exchange. Those who have gone to Microsoft are typically aware of the Microsoft GCC SKUs.
Matt Howard: And can just for the benefit of the audience, what is GCC?
Andrew Lynch: That is Microsoft's government cloud SKU where, and full transparency, I have never used it. I'm always curious with people I'm speaking to who have to understand how it works. But it is, it's the government SKU that is somewhat, from what I've learned and been told, turnkey. Covers lots of different applications within Microsoft, allows an organization to be in the cloud and be able to configure it to meet the CMMC or ITAR requirements. That said, I've continued to learn that it is — while there are lots of integrations again with the Microsoft suite, not turnkey as in purchase it, you know, turn it on and you're good to go. So it does require an app and an administrative time that some of these people just may not have or be able to do.
Matt Howard: Sure I mean, it's my understanding it's a very sophisticated set of controls inside of a cloud collaboration product, a Microsoft Cloud collaboration product, which, you know, is a terrific solution for certain folks that have the competency and patience and the budget, honestly, to pay for it because it's not cheap, right?
Andrew Lynch: That is what I have learned. Correct I, I have learned that normally we are a small fraction. Virtru added onto a Microsoft SKU, a small fraction. I mean, I was talking to someone today where again 20-employee organization on the low end was I think quoted in the high, high twenties, $20,000 plus per year. I again, it's somewhat ambiguous and hard to find information around how it is priced. And I think there's some customization component, setup component.
Matt Howard: In any case, it's not inexpensive. Again, back to the picture you painted. These are small organizations, small ish, you know, one person wearing multiple hats. Chief legal chief IT. Chief this, chief that, trying to get their arms around. How is it that they mature their business to get CMMC compliance and if they are Microsoft customer, it is possible for them to invest in, you know, GCC High as a way of getting there. But it also is a sizable investment. So I'd like you to just do me a quick favor, maybe compare that with another organization, for example, who might be in a similar boat, but looking at Google Workspace as an alternative.
Andrew Lynch: Yes, I would say so. So even before Workspace, I mean, to the piece, from what I've been, you know, from what I've learned from people to your point, Yes. Those who have the means, the resources financially from a time and investment perspective, can consider GCC. If you're on Microsoft, it seems to be a somewhat common thing you'll consider. A lot of those, though, that again, haven't gone to GCC. They may not even be aware that they can go to Google because historically that was more challenging. They didn't really have a turnkey solution the way that GCC does. So some people we talked to are pleasantly surprised that they could maybe consider even Google Workspace. Again, they just are maybe from that heavy Microsoft environment really having been told from multiple consultants and other peers that GCC is the way to do it. Because it is — you can meet it with GCC.
Matt Howard: Yeah, absolutely you can. But I think it's funny to reflect on a conversation I had recently. I'm not sure if you were part of it or not, but it was a relatively small government integrator, you know, surprisingly sophisticated from an IT and security governance perspective that had digitally transformed their business with Google, Google Cloud and Google Workspace. And they were surprised, pleasantly, that the governance controls and security capabilities of Google Workspace and Google Cloud were mature and advanced enough to give them comfort for CMMC compliance. And they described it as Google's like, the last friend to come to the party, but when they do come, they always bring the keg because they come prepared with all of their resources, all of their technology, all of their competencies, which obviously are not insignificant. And so one thought I'd love to get your quick thoughts on. I know we're relatively short on time here. Regardless of whether you're on Microsoft technology or GCC High and that's your path to CMMC compliance, or whether you're on Google Workspace and in the Google Cloud and that's your path from an IT perspective to get governance controls and aligned with CMMC: In either case, Virtru is in a position to add a small piece of value, which is important, but admittedly one piece of the puzzle around governing and protecting CUI data that needs to be shared as a critical part of your work in support of the federal government. What does that look in terms of implementation costs, complexity, usability for the typical small DIB small business?
Andrew Lynch: With Virtru, you mean?
Matt Howard: Yes
Andrew: So I think again, to your point, what people are pleasantly surprised with around Virtru is how you can essentially consider really any of those platforms: Exchange, O365 the non GCC SKUs, and then Workspace with Virtru and be able to check off some of those important critical boxes around data governance, encryption, control over your data. For some of our customers on the smaller end, you can see right on our website, the business package, which is around $3,000 per year for 25 users is sufficient and something that people regularly, I would say appreciate that we're able to offer what we do and how easy we are to do it, to again, add on to their existing platforms. For larger organizations, of course, we would allow them to select which products of Virtru they want to add. Still, though, being a fraction of the cost compared to against some alternatives, specifically GCC. You know, the other thing I would mention is it's, it's common that when I had said earlier, there are few options that would be specifically referring to encryption offerings that integrate with your existing mail clients. What's also common that we've heard is maybe a lack of communicating data because, again, there are concerns with where it is, where it's being stored. And so there may just be more antiquated processes that just really aren't conducive of doing business and collaborating, which I think people understand are not free because there's that tradeoff of collaboration. But also now with CMMC may not even be allowed.
So as far as the investment too, we have a, we have several our products are pure SaaS where you can get Virtru set up and running in minutes. People appreciate that some other specific aspects that people really enjoy about Virtru is how you don't have to pre-configure people that you're going to email. You don't need to exchange certificates or keys. You don't need to tell someone on the other end that you're about to communicate with, "hey, we're using Virtru, you need to download it." Anyone can receive a Virtru-encrypted message or data and decrypt it with our Secure Reader using existing mail credentials. So no usernames, no passwords. Admins can get set up in minutes. There are some additional security recommendations that we would recommend normally, such as our Customer Key Server, where a customer, they could locally encrypt the keys that we are hosting for them. Just to add an additional layer of separation for some of these more strict compliance requirements. That's really the only thing that they're going to need to do any sort of deployment around. Or they will.
Matt Howard: Yeah, Yeah. Listen, I mean, it's super interesting hearing you talk because I know you spent a lot of time in your day job sort of speaking with, you know, companies and individuals who are part of these companies, oftentimes small businesses, sort of just wrestling with the reality of, "what do they do on this journey to really position themselves for improving cybersecurity practices so they themselves can be more competitive as a government contractor?" And ultimately do the right thing, which is protect sensitive data, which is in everybody's national interest. I just want to maybe summarize as we get ready to conclude here. I heard you say a couple of things and I just want to repeat, you know, it's easy to use, easy to deploy, easy to afford, and ultimately kind of easy to progress your CMMC journey. We don't claim to be THE answer for CMMC. Not at all. We are merely one step on that journey towards improving your cybersecurity hygiene and aligning with CMMC, but nonetheless an important step because oftentimes email and simple file sharing workflows are so fundamentally critical to how smaller organizations in the DIB actually do business. And getting good governance and control around that information is fundamental to CMMC requirements. And so one last thing I really would love to get your comments on and then we'll wrap it up is, Is use, ease of use for the individual worker — Like when I say individual worker, I'm talking about the person sitting in front of their browser or their mail client who needs to send in information right now, send a file, an email right now to somebody else — How easy is it for them to send and how easy is it for the other person to receive? Because I know, having been in this business for a long time myself, sometimes email encryption can be difficult for the person who's trying to send. And I know it can sometimes oftentimes be very difficult for the person who's receiving it. So how do you talk about that as it relates to Virtru when you're speaking to these companies in the DIB?
Andrew Lynch: As far as sending, if you can send an email already, you should be fine with Virtru. We're an extension that plugs into your existing email client with your existing email account. Click the Virtru toggle to turn it on. At that point, that message is encrypted. Compose and send a message as you normally would, add attachments, you name it, go to town. That's as easy as sending it. Recipients that do not have Virtru installed, which they do not have to have Virtru installed. They don't even need to know what Virtru is. They're going to get an email from the sender, not from a variation of the sender's email address — the exact same person they normally email. They're going to click two buttons, one to unlock the message, one to authenticate. That's where we're leveraging our zero trust architecture to prove their identity, and then they can sign in using their existing email credentials.
Matt Howard: And that's it.
Andrew Lynch: That's it.
Matt Howard: Again, not just easy for the business. I can't stress enough how I think it's important for us collectively to be honest about the fact that cybersecurity hygiene and improving one's CMMC posture ultimately is about making it easy for employees, everyday employees doing their jobs just to do the right thing as it relates to protecting sensitive information and what you describe today certainly seems like it does that from a Virtru perspective. So listen, super interesting conversation. Definitely appreciate the time. Andrew, I know you're out there every day talking to a bunch of businesses who are at the front edge, at the leading edge of this CMMC game and keep up the good work and we will look forward to chatting with you again soon.
