The Cyber5 Podcast

EP83: How Data Governance and Threat Intelligence Converge

Episode 83 | Sept. 28, 2022

In episode 83 of The Cyber5, we are joined by our guest, Egnyte’s Chief Governance Officer, Jeff Sizemore.

We discuss the Cybersecurity Maturity Model Certification (CMMC) and its impact on Department of Defense (DOD) contractors, who must mature their cybersecurity hygiene in order to compete for US government contracts. CMMC is based on NIST SP 800-171.

Here are the 4 Topics We Cover in This Episode:


1) Why Does CMMC Matter?

In the near future, contracts are going to be rated Level 1 through Level 3, and if a contractor is not certified to the level the contract requires, it cannot bid on that contract. The impact falls mostly on the smaller defense contractors who, up to now, have generally disregarded compliance measures yet are major targets for nation-state cyber attacks.


2) Failure to Comply with CMMC Could Mean Perjury

Compliance for DOD contractors is not new, and companies were previously allowed to self-attest. When DOD regulatory bodies reviewed those self-attestations, 75% of the companies were found not to be in compliance. For enforcement, the Department of Justice is now involved, and a contractor that attests falsely is treated as having committed perjury.


3) Compliance Cybersecurity Controls Contractors Can Implement

  1. Store CUI in a FedRAMP-compliant environment from the start; it makes the NIST SP 800-171 audit far simpler to defend
  2. Automate evidence collection for the assessment (a "GRC light" approach) rather than defending a spreadsheet in front of an auditor
  3. Discover, label and automatically move CUI so it cannot bleed into email, shadow IT or other repositories
  4. Treat a secure enclave as one piece of the solution, not the whole of it; you still have to prove the data is not leaking onto laptops or into other systems
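As an added example, not code from Egnyte or from the podcast, the following script implements the discover, label and move step the transcript describes: it walks a repository, labels each text file by the CUI banner markings it carries, and moves confirmed hits into an enclave directory. It assumes the repository and the enclave are plain directories, that markings follow the 32 CFR 2002 banner form (`CUI`, `CUI//SP-CTI//NOFORN`), and that only text-like files are scanned; the sample files in `demo()` are constructed for the demonstration. Legacy `FOUO` markings are reported as candidates for human review rather than moved, because a false positive would pull an unrelated file into the enclave.

```python
import re
import shutil
import tempfile
from pathlib import Path

# Banner-marking forms from the CUI marking scheme (32 CFR 2002): "CUI", optionally
# followed by category and dissemination markers such as "CUI//SP-CTI//NOFORN".
CUI_BANNER = re.compile(r"\bCUI(?://[A-Z0-9/\-]+)*\b")
# Legacy marking that usually indicates content that would be CUI today; treated as
# a candidate for human review, not as a confirmed hit, to keep false positives
# out of the enclave.
LEGACY_HINT = re.compile(r"\bFOUO\b|\bFOR OFFICIAL USE ONLY\b", re.IGNORECASE)
# Assumption: only text-like files are scanned; Office and PDF files would need parsers.
TEXT_SUFFIXES = {".txt", ".md", ".csv", ".json", ".xml", ".html", ".log"}


def classify(text):
    """Label a document body: ("CUI", markings), ("CUI-CANDIDATE", hints) or ("UNMARKED", [])."""
    markings = sorted({m.group(0) for m in CUI_BANNER.finditer(text)})
    if markings:
        return "CUI", markings
    hints = sorted({m.group(0).upper() for m in LEGACY_HINT.finditer(text)})
    if hints:
        return "CUI-CANDIDATE", hints
    return "UNMARKED", []


def discover(repo):
    """Walk a repository and return {relative_path: (label, markings)} for scanned files."""
    repo = Path(repo)
    findings = {}
    for path in sorted(repo.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in TEXT_SUFFIXES:
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        findings[path.relative_to(repo).as_posix()] = classify(text)
    return findings


def quarantine(repo, enclave, findings):
    """Move confirmed CUI files into the enclave, preserving relative paths.

    Candidates are deliberately left in place for review. Returns the moved paths.
    """
    repo, enclave = Path(repo), Path(enclave)
    moved = []
    for rel, (label, _markings) in sorted(findings.items()):
        if label != "CUI":
            continue
        dest = enclave / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.move(str(repo / rel), str(dest))
        moved.append(rel)
    return moved


def demo():
    """Run discovery and quarantine over a constructed sample repository."""
    base = Path(tempfile.mkdtemp())
    repo, enclave = base / "repo", base / "enclave"
    # Constructed sample files; none of this is real contract data.
    samples = {
        "contracts/sow.txt": "CUI//SP-CTI\nStatement of work for task order 17.\n",
        "old/memo.txt": "For Official Use Only\nMeeting notes, 2019.\n",
        "hr/acuity.txt": "Visual acuity test results for site badge renewal.\n",
        "marketing/brochure.md": "# Public capabilities brochure\n",
    }
    for rel, body in samples.items():
        target = repo / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body, encoding="utf-8")
    (repo / "build").mkdir()
    (repo / "build" / "app.bin").write_bytes(b"\x7fELF\x00\x01")  # not a text suffix: skipped

    findings = discover(repo)
    moved = quarantine(repo, enclave, findings)
    remaining = sorted(p.relative_to(repo).as_posix() for p in repo.rglob("*") if p.is_file())
    shutil.rmtree(base)
    return {"labels": {k: v[0] for k, v in findings.items()},
            "markings": {k: v[1] for k, v in findings.items()},
            "moved": moved, "remaining": remaining}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Marking-based discovery only finds content someone has already marked; unmarked CUI still needs content inspection, and the word-boundary anchors in the pattern are what keep words like "acuity" from being flagged. The candidate label exists so that legacy FOUO material gets a human decision instead of silently expanding the enclave's scope.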


4) Incident Response and Threat Intelligence Controls Needed

Threat intelligence is still at an early stage for larger contractors that want to monitor their subcontractors for vulnerabilities or signs of a breach. Third-party risk scorecards are generally not actionable for defense contractors because the findings are not put in the context of a business risk. The key is to assemble a threat intelligence picture that can alert on actionable data leaks.


Transcript

JEFF: How do we tell our customers that they can’t trust this person they’re working with? How do we tell them that their devices are compromised? Because in that SMB market, in that mid-market, they don’t understand that yet.

LANDON: Welcome to the award-winning Cyber5 podcast. Here, we discuss the most relevant cyber and physical security challenges facing enterprise businesses today. I’m your host, Landon Winkelvoss, co-founder of Nisos, the managed intelligence company.

LANDON: Welcome to the Cyber5. This is episode 83 with the great Jeff Sizemore, who is chief of corporate governance from Egnyte. Jeff, welcome to the show. Share a little bit about your background with our listeners, please.

JEFF: Yeah, thanks. And super excited to do it. Yeah, I’m chief governance officer of Egnyte. And my background, came out of the military and did a startup called PGP. And then from there, continued to build and work on security companies around data loss prevention throughout the market and continued to kind of evolve the market in the space. So just trying to help out where I can in privacy and security.

LANDON: I appreciate it, Jeff. And today, we’re talking about data governance and where threat intelligence converges. A lot of this is gonna be based around CMMC and the framework. We saw a lot of guidance come down from the administration a couple months back, probably about a year now, talking about how, you know, the DoD contractors have to have a certain set of compliance to be able to compete with government contracts. 

Jeff, provide a little overview. Give us a little bit of what CMMC means and how that affects DoD contractors.

JEFF: Yeah, it’s actually, you know, I’m really excited about it. It is really something the DoD came out with to protect really the third-party risk that’s associated with these contracts, and to make sure that if you’re working with the DoD, that you’re working in a protected manner because they’re gonna be sharing confidential and sensitive information with you. Obviously, not classified data, but unclassified. So it’s a way that they’re trying to protect things. And quite frankly, I’m really excited about what I’m seeing. 

The way they’re enforcing it, they’re doing this in a very measured way. They’ve been working on it for several years. And basically, the Cybersecurity Maturity Model Certification is based on the NIST SP 800-171. And, you know, there’s other things that you go through there, but there’s three levels of this. 

And the first one is really the federal contract information. So the contracting data itself is what they would consider level one. Level two is considered CUI data, controlled unclassified information. And then level three, which is, it’s CUI with much more maturity processes and things of that nature that are associated with that. And 80% of the companies, you know, we’re seeing are really focused on that CUI level two data stream right now. But what’s interesting about it is the governments, and they’re really starting assessments now, so self-assessment started this month. By the end of December, you’ll start to see these things push forward more. 

In March, we’re expecting the interim release to come and, you know, mandated in May. So people are starting to work up to this. And, you know, you think about that supply chain, and a lot of these guys are less mature than what we’re used to, right? We’re not talking about Boeings. We’re talking about the mom and pops who are, you know, doing construction work for the government that have access to this kind of information. Imagine if you’re an energy provider, you know, doing something for a, you know, a CIA black site, right? It does happen in some of these regards, that you’re building something for a military base. So a lot of these folks are going through this. It’s a really great initiative. And the government actually is helping people really, you know, sponsoring and compensating them out of the gate to do it by September. 

So it’s happening. And what you’re gonna see, Landon, is when people go to bid on a contract in the future, the contract is gonna be rated a level one, level two, or level three. And if you wanna bid on that contract, you had already had to attest and be certified on that level before you bid in that process. So if you’re not level two, don’t bid. There’s no point.

LANDON: This brings me back to early days of Nisos. We had a couple DoD contractors that got calls from the FBI or NCIS. There was a breach. And they’ve lost government contracts. And I think that that was happening on a pretty massive scale. You know, of course, they can’t compete with government contracts. 

What’s the enforcement mechanism that you’re seeing? How actually, compliance actually can become security and actually, you know, help contractors, you know, shore up sensitive data.

JEFF: Yeah, it’s a really good question. And, you know, I will say they are enforcing it pretty intensely. So as an example, the DoJ did a review of people who had already said that they were already compliant. You know, they should have already been doing it. So this new regulation coming out, everybody’s reacting, but they should have been doing it if they were already working at the government ’cause there already were these standards in place. 

So the DoJ is now going back and looking at people. They look at already who self-attests, and they said like 75% of the people that self-attest weren’t in compliance. And so they’re literally saying at this point, if you do this, this could be a criminal act in terms of, you know, intentionally deceiving the US government in terms of what you can do. So you’re not gonna win any more deals for sure, but it could go much further if there is an incident or something that should occur, and you did attest that you were. It’s perjury, right? I mean, the DoJ is involved in this, so people are taking it seriously now. They should have already been doing it, but clearly, they’re realizing this is coming pretty intensely. 

And the other part of it too and I think that’s pretty interesting is we’re already hearing that, you know, DHS is looking at this. We’re hearing other entities. So I don’t know if it’s just me being an optimist, but I think that what they’re doing with NIST SP 800-171, I do think it’s gonna have a much broader reach into the organizations that we’re seeing. 

And I think we’re already seeing companies saying, “Hey, I just wanna be 800-171 compliant.” “Do you work at DoD?” “No, I don’t. I just wanna do it ’cause it seems like that’s the government standard.” So I don’t know if it’s just me, but I think about it as like, if they push a standard and they come down through supply chain, through the government, it becomes a standard in the United States. You know, it’s interesting to see if cyber insurance hits on the same standard ’cause they’re kind of out there all over the place right now. And we’ll start to see other agencies doing it. I don’t think it’ll ever be as pervasive. You know, where I think about things like AES 256, when they came out and they’re like, “You now will use AES 256.” I think that this is gonna be a pretty big standard for us.

LANDON: You mentioned the mom and pops, right? There are a lot of defense contractors. You know, there’s the CACIs, there’s the Booz Allens of the world that have the infrastructure and the manpower to build in a lot of security. There are thousands of mom-and-pop contractors who want to, you know, serve the mission. You know, probably just do nothing more than sign up for a Dropbox or a, you know, Google Cloud or, you know, Google environment instance to ultimately start procuring contracts because they just sell services or they sell bodies. And of course, that gets a little more complicated if you’re developing proprietary software and you have to segment your development environments. 

But long story short, anybody that’s, you know, under 100 people are not gonna be dedicating, you know, a considerable amount of security. I’m kind of curious, what are some privacy solutions, you know, around that automation that can really bring, you know, companies into CMMC compliance?

JEFF: I definitely think there’s kind of the, you know, some of the privacy aspects of all of this as well, but I think privacy as it relates to security here. You know, it’s like anything else. You have to store this in a, you know, a secure container, fundamentally. And I think some people look at that and they think BDI. They think, “Hey, I’m just gonna use a Microsoft stack or, you know, the vendor of the day.” But the main thing is at the beginning, if you’re gonna put your data somewhere and you gotta be, you know, NIST SP 800-171, make sure it’s in the FedRAMP-compliant environment. Like, first and foremost, when you’re going through the audit, it’s gonna be like super easy. 

The other areas I see people lacking and they struggle with is, you know, if you’re being audited, you know, last thing you wanna do is go through some spreadsheet process, right? Like, how do you drive automation into this assessment and make this defendable, right? Make sure that they can see that you’re doing the right things. And I don’t wanna say GRC, but more of a GRC light type of thing. Like, how do you track these things and make sure you’re doing it right? 

And then the bigger one that I see people missing all the time right now, which is how do I ensure that that CUI data isn’t bleeding into some other part of my environment, right? And so they like, “Oh, I’ll just buy the cheapest enclave.” And you’re like, “Well, how do you know if someone’s not receiving this in email? How do you know that they’re not using it?” You know, we always know we have this like shadow IT, and a lot of these small companies still do. Well, if you have a shadow IT, or you have all these repositories, how can you verify that this kind of data isn’t leaking? So you gotta make sure you can label it, you can discover it, you can automatically move it. 

So that’s where I see one of the bigger gaps just today, is people just don’t even know if they have CUI data. They don’t even know where it is. They don’t have access to their repositories. And they’re like, “Oh, I’m just gonna stick it into some enclave.” And you’re like, “That’s not a solution. That’s the piece of the solution, right?” Because there’s no way you’re gonna tell me that that data’s not leaking into that laptop or, you know, you’re not putting some CUI in email.

LANDON: So that’s kind of the left of boom scenario. Then, of course, you have attackers that are regularly looking for contractors that have sensitive information because contractors, at the end of the day, you know, a lot of times are the weakest link. Our third parties are always the weakest link.

JEFF: Yep.

LANDON: If somebody’s gonna go after one of the three-letter agencies of the intelligence community, yeah, of course, they’re gonna try, but they’re probably gonna go after the contractors and really do digging on the contractors in every kind of way that you can imagine. 

Walk through, you know, how, let’s call that, outside-the-firewall, incident-response threat intelligence, how does that play in the CMMC with respect to third parties? ‘Cause let’s be honest, I mean, 95% of defense contractors are not gonna, you know, I mean, you’ll be lucky if you can get them to have an incident response playbook, right?

JEFF: Yeah.

LANDON: Where do you start seeing the convergence of that from GRC to, you know, threat intelligence to really bring value there to these contractors?

JEFF: It’s a really good question, and it’s happening, it’s rolling out so fast. They’re coming from such an immature state right now. If you look at these contracts, like, do I have just a secure enclave that I can put this stuff in? And then they start asking the questions: Well, how do I share data with my subs? How do I think about that? Well, how do you trust the subs? You know, why would you share data with them? How do you keep this process involved? And how do you trust those devices that you’re working with this type of content? 

So I think that especially in these SMBs, I mean, they’re coming into requirements. You know, they’ve already got all their data out there. There’s dark data about them. They’ve got laptops that have already been compromised that they’re like, “Oh, we’re gonna put it in CMMC. We’re gonna do this.” So I think the, you know, you’ve gotta have the data there, you gotta be able to prove it’s there, and you gotta be able to prove you’re doing the right things. And that’s the automation and that part of it, but I think the other part is you have to make sure if you’re sharing content or, you know, look, it’s always, it’s devices, it’s, you know, it’s your users, your external users, and your data, fundamentally. You gotta have that linkage in this process because you can’t, you know, how do you know you’re sharing CUI data on to a third-party device in any regard? Well, okay, how do you trust that? How do you trust this? Or how do you trust that partner? And, you know, that intelligence is so important right now for them, and they haven’t even begun to think about it. 

And that’s one of the reasons why, you know, I’m having a lot of conversations on this right now, on this topic, which is how do we tell our customers that they can’t trust this person they’re working with? How do we tell them that their devices are compromised? Because in that SMB market, in that mid-market, they don’t understand that yet. But it’s really that I think it’s gonna be that evolutionary stage. I think it’s like once I get the enclave and I can see the content, then it’s gonna be, well, what type of data can I share, and who should I share it with? And how do I trust this contractor? And all that’s gonna come from threat intels coming in at them, in my opinion.

So I think the threat intel part, not just for there, but for anybody, right? I mean, not just those guys, but like, we have like 20,000 companies using our products at Egnyte today, and they’re all sharing content outside of the company. Right? Well, if you’re sharing content, who are you sharing it with, and why should you trust them? And there’s tools out there, right, like SecurityScorecards or whatever that are like do some reputational-type things, but that’s not the data that I would consider fully actionable, right? I want actionable intelligence that says, that I can drive to a policy that says, “If the threat intel that I have equals a risk above four, we don’t share content with them.” 

And that’s where I think that we’re gonna start taking this and creating these patterns of, who are you sharing data with? Which domains are you working with? You know, to your point about privacy even, right? Who’s got my privacy data, right? You go and sign up on some website, somebody’s got your stuff. You do a right to be forgotten. They’ve been compromised. How do you remove your users’ data from that site? It’s all kind of connected. And I think that’s probably one of the bigger areas we have to move forward to. But I think that’s like stage three of this kind of maturity for these kind of folks.

LANDON: Do you think that this takes any kind of action on behalf of the larger defense contractors to implement? And here’s what I mean by that. I remember we’ve had to compete with government contracts with larger primes. I remember going and doing a proposal process where you’d go into their system and there were, I mean, I bet you there were at least three levels of access control. I mean, they even had their own IT specialists that would, you know, be able to get when you’re doing a red team or pink team, or any of these different types of team, which are just the different levels of contract review, and that they had complete visibility on anybody and anybody that touched that proposal, right? This was also a $100 billion company that’s able to do this. 

I mean, do you think that it’s gonna get the, there’s a responsibility on behalf of larger defense contractors to ultimately say… To put it in the world of finance, right, it’s the big banks that, of course, have the ability and the resources to look at all of the different threat intel and everything that’s going on with threat actors and say, “Okay, there’s a problem with you, this company here. They’re on a sub. We have to limit their access. They’re having a problem.” I mean, is there gonna be a responsibility, you think, from the bigs to really have any kind of implementation to the smaller primes like this?

JEFF: I do. And we’re already seeing it, right? Because they’re already going out and pushing assessments down to those folks today to comply and to work with those things. Now, what they do with those responses of those assessments and how they function them will be interesting, but I do. And I see a lot of those folks, if you’re a sub, as an example, like, some are saying, “Listen, if you’re, you know, a large prime, you’re gonna be sub, we don’t even want you using your system.” 

You know, similar to when we would go work inside of a government facility, right? Hey, here’s our laptop, here’s our asset. We’re doing this. I see that happening in those primes where they’re gonna honestly take that whole aspect and say, “You’re gonna work in our system. You’re gonna go through our processes to work in our contracts.” And, you know, they’ve been doing that already, but I think they’re gonna shore that up even more.

LANDON: When I think of ultimately, you know, where cybersecurity is going in the platform aspect of integration and ease of use rather than everything being so compartmentalized just to one little facet. I mean that’s where everything is going in the market. I’m kind of curious where you see, how you see the GRC space play overall. What’s the future of it?

JEFF: I think it’s gonna be very similar. I think if you look at all things that surround, you know, that three vectors of data, people, and devices, that governance that’s required for those three areas specifically, we have to build with different mechanisms, right, that help these mid-size companies do what we feel is the right things that they need to be doing. And we had to reeducate them, right? Because those guys are going through this process right now, and, you know, every vendor’s calling on them, they’re doing this, and it’s like, “Oh, here’s this great product over here, this great product over here.” And they’re like, “Well, my budget is like 500 grand a year.” I’m not Citibank. I’m not some huge company that has this, and I don’t have 50,000 security people. Like, how do I do this in a reasonable way? Do I gotta go out, you know, be one part of this vendor and use their 18 products to do it? Or how do I do it? 

We really have to rethink that to their educational level, right? We can’t bring them and say, “Yeah, we’re gonna give you a tool and expect you guys to be, you know, a security analyst in your environment and have these things open and willingly floating around your company.” 

So I think like, issues like simplifying classification are things that we do. I think we can do a lot better job of showing how information is being shared. I think we can show them more things about how they can manage permissions in a better way and a more useful way, and how we can democratize this down in a way that people can start to understand this in a more intuitive way. I mean, you hear people today, I mean, you know, Landon, still adopting things like DLP. Like, DLP was a great product like 14 years ago. We’ve evolved, and it should be shown that we’ve evolved. These problems should go away. We can do data science and figure anything out right now about data, but yet we can’t figure out if it’s sensitive or not. Right? That stuff has to go away and simplify and automate. 

And I think there’s this new orchestration layer that is really governed by GRC. And that orchestration layer is kind of the key tools that we’ve seen in the past, like data access governance and DLP and data, you know, privacy, all these things. And then, fundamentally, there has to be something that aligns to a standard, and something that is reporting how these things work in a simplistic way. 

Again, there you have another problem, right? If you’ve ever worked in like the GRC tools in the past, they’re impossible. They’re overwhelming. They’re insane for people. Like, how do we connect the dots in a more seamless way for this buyer? And that, honestly, I feel horrible because I’ve, you know, worked in these big shops, and you go in and you’re like, “Well, how does my accountant do this? How does my lawyer work on this?” Like, they’re just sharing information unsecure. They have no tools. So I absolutely think we have to build a new orchestration layer that is built for the resources they have today.

LANDON: When you see so much of large companies, and really we’re talking about big finance, I mean, I would argue that DLP is still alive today because of finance, right? When you say things like DLP is, you know, going to, you know, be yesterday’s news, that’s a strong statement. I’m not disagreeing with it, but there’s such a, you know, a push for compliance from that side. I mean, there are large companies even larger than Egnyte and Nisos-

JEFF: Oh yeah.

LANDON: ultimately banking their future on DLP, right? You talk to any security practitioner across, you know, behind closed doors, they’re gonna tell you that, you know, DLP is mostly, you know, meaningless in terms of actual security.

JEFF: Yeah. I think we have to look at how it’s, you know, it’s evolved, right? And I agree with the, and it’s such a nebulous term people use, right? It’s like, oh, I have DLP. Well, what does that mean to you? Oh, I block all my emails. Well, okay. That’s good. Or I have DLP. And like, well, what does that mean? Oh, I’m doing something on the endpoint. Okay, that’s good. What are you doing? So, you know, is it, you know, do we call basically security controls DLP at that point, or are we saying, “Okay, security controls with classification equal DLP?” And if that’s the case, then I would probably argue that DLP, if I looked at it more than a security tool, is an education tool. 

And it’s really a way to hold people accountable for what they’re doing with their products. I mean, 99% of folks that use DLP today are still putting it on a network tap, they’re not blocking, they’re not doing these things because why? Well, if you’re a banker and you have 90%, you know, accuracy rate, well, a 10% false positive rate is significant when you’re dealing with a petabyte of data. So, you know, then it becomes, if you block a CEO, then all of a sudden the whole program changes and you have a DLP program with 4,000 exceptions in there. 

And yeah, you can say on a compliance box you’re doing it, but you have to step back and say, “Well, what is this really doing for me?” Like, I could have buttoned up this machine. I could have blocked down these ports, called the day, and routed all this traffic through an SSL VPN and treat it like an iPad and been just as happy, right? So I don’t disagree with the concepts of DLP.

I just think that there’s, the way that it’s going, it’s evolving now, is more about that orchestration layer to the tools you might have versus I’m this all-in-one tool that is just gonna, that’s really more of education, right? If you look at like what we do, like, you’re sharing a file, we see it’s sensitive, we’re gonna restrict the way it can be shared in real time. We’re not coming back to you and saying, “You should have done this differently.” We’re saying, “We protected you in flight.” That’s the way this stuff has to happen. It doesn’t help me to come back and say, “Ah, man, you’re gonna be in so much trouble. You shouldn’t have shared this.” And by the way, here’s my classification policy: my restricted, public, and sensitive, and just read it. Didn’t you know that meant that? Like, people read that and they’re like, “I don’t know what this means.”

LANDON: We’ve been friends with Egnyte for a long time. I remember talking to some of your leaders, and they always said, and this always rang true, you know, in my head, that a lot of the file sharing mechanisms out there are not meant to use for enterprise. I know Egnyte has come a long way to rebrand that they’re more than just, you know, a sensitive file share. They’re making strides. They are actually a, you know, full-service, you know, GRC platform. 

What’s the next for Egnyte? And, you know, how are you guys gonna disrupt the DLP space?

JEFF: I think the first thing we’re thinking about is, you know, right now, what’s been kind of top of mind for me the last couple of years has really been two areas. 

One has been privacy. You know, I’m a privacy advocate by heart. And I see privacy today, and a lot of people are doing a lot with, I hate to even call it real privacy. I’ll just call it consumer compliance, right? When I think about privacy, I think about PGP, I think about encryption, I think about privacy by design algorithms. And so I think right now we have a lot of people taking privacy much more seriously, but they’re all lawyers and they’re based on these policies. And I think it’s creating a new opportunity for us to really start pushing the boundaries of privacy in these companies. So things like scrambling PII data, doing things to take it out of scope. I think there’s a lot of opportunity to clean up privacy for people in a very simplistic way today. 

So I think the privacy really is something that we have it, right? We see the data, we have all our repositories, we can see it. How do we work with that system? I don’t see a lot of people doing what I would say a great job in privacy today. I’m not trying to mock people. Somebody would say I’m wrong ’cause there’s multi-billion-dollar companies out there doing privacy. But privacy, to me, isn’t just consumer compliance, it’s enterprise privacy and it’s personal privacy, right? What are we doing? 

You know, we talked about it before doing like, have you ever seen these like, or played these, there’s these things called data agents. And these data agents are so interesting. Like, say, mine, where they go into your mailbox, and they go off and they delete. They’ll go through your mailbox, they’ll come up, and they’ll say, “Okay, we’re gonna delete, you know, we’re gonna do 4,000 subject, or 400 subject access requests for you. Delete all your data from all these systems.” Okay, well, that’s really cool for a consumer, but imagine if you’re an enterprise company, and you’re doing these tools as an enterprise, and you have a dashboard from intelligence to say, “Look, this company has been breached. This is how many of your employees have their records and credentials with them.” Oh, that’s interesting now, right? 

That’s the plug into threat, would you like us to automatically delete it? Because the threat intel tells us that this company shouldn’t have your employees’ data. That becomes interesting, right? That’s security, that’s privacy. And I think that’s the kind of stuff we’re looking forward to in plugging into privacy with threat intel and the way we’re thinking about who has your data. If they have your data and they have your credentials, are they compromising our enterprise systems through that process? I mean, 90% of the breaches I see through these processes are somebody scraping someone’s password, some username out there, and it’s your corporate assets. And it’s password they reuse and these kind of things, right? It is what it is. 

So it creates this awesome opportunity, I think, to really have an impact on privacy that we’re not really thinking about today, right? We gotta think beyond the legal limits of privacy. The other one I think is really interesting for Egnyte, and it’s a natural play, is the idea of secure enclaves, right? Like, I started spending a lot of time working with customers, an average company, even though they’re small company and they have less than 100 people, they have 10 different repositories of data. 10. Like, why would you need that, right? What are you doing with this? 

So you start to really question like, why would you have this? And then you start to realize it’s one of three reasons, right? One is control. Hey, I’m so-and-so in this corporation. I want my own repository for the company, and I wanna control it, I wanna know who has access to it. I don’t like our IT people and our security people. They slow me down. So I want my own. So I’m just gonna go do it. Somebody says, “Okay, you’re an executive, you’re in this position, we’re gonna do it.” Or they’re like, “Okay, we have this customer like Apple or whatever. It’s a huge company in marketing. We need a clean room for them specifically.” Or we have a purpose, right? Some other purpose for it. Like a GxP. I’m certifying a drug or a life sciences. Or I have CMMC data, I have, you know, all this. So how do I want to think about this? Do I wanna try to secure everything the same, or am I trying to create these silos of security, right? 

Like, different safes for different reasons and different purposes. And no matter what we say about data sprawl, what’s really happening is everyone’s creating these repositories. So what we’re doing is building automation and we’re pushing out to say, “Look, we’re gonna give you a CMMC-certified setup ready to go out of the gate. You’re gonna be good to go.” You turn this on, you’re there, we already answered all the audit questions for you. We’ve preconfigured everything. You’re gonna do it. Oh, you want for PCI 4.0? No problem, put a PCI over here. So we’re gonna give you one for these repositories. And by the way, we’re gonna let you centrally manage these and deploy these in a certified way that we can actually hand you the controls, hand you the evidence, and say, “Hey, small mom-and-pop shop,” or, “Hey, company, here’s how you have 15 repositories, here’s why you have 15, and here’s how you centrally manage them all, and here is how they meet the compliance too.” I mean, vendors always say this, right? They’re like, “Oh, we can help you with HIPAA, HITECH.” Okay, how? Oh yeah, we do this. Okay, show me. Prove it, prove it. Like, show it to me. Right? And they can’t because they’ve never done the due diligence of spending the months that it takes to run through that process in the deep way that you need to, right? 

So I think that there’s privacy sides really. And I think that really builds well into Egnyte and, you know, taking their file server and all of our security and all the things, wrapping that into a package that is compliant, that leverages the GRC framework, and it brings together and says, “Look, we’re gonna simplify this for you.” I think that is really what the mid-market and the small companies need right now because it’s what the big shops are doing at a much, much larger scale.

LANDON: Answer this question: In three years, Egnyte will be blank kind of company.

JEFF: Man, it’s a tough one. I think I’d probably say data governance. I think when you look at file servers, like, I tell people this all the time, like, when they look at us. And, you know, we have people that come into us and they’re like, “Oh, you’re expensive versus Dropbox.” I’m like, “Listen, if you just want Dropbox and you don’t care, then go to Dropbox.” Or like, you wanna use what came with your computer. If it’s Dropbox or anything, or you like what came with your computer, then use that. 

If you actually understand the value and the assets of these things, you’re gonna wanna protect. And when you realize that, you’re gonna understand it’s not easy and there’s a lot more going on here in this infrastructure. I mean, I hire so many engineers in our company right now for this process that there’s just no way. I mean, 80% of our roadmap right now as a company is security and governance and risk. 

And we have a Gartner best-of-breed solution for our file servers today. We know how to do a file server, right? But that’s not the problem here. The problem is the data in the file server.

LANDON: Jeff, I can’t thank you enough for joining in today. I love what you guys are doing at Egnyte, and appreciate you joining the show.