David Malicoat shares about the journey from UNIX systems to leading his MSSP, BAMCIS Cybersecurity (https://bamciscyber.com). He covers a bit of his military background in Marine Corps Security Forces and his transition into technology. Great discussion about some of the challenges in starting a business and growing it through the pandemic.
Shout out to Veteran Executives Network (https://veteranexecutivesnetwork.com)
Aaron Spatz, Host, The Veterans Business Podcast
David Malicoat, CISO, Direct Marketing Solutions
Thank you so much for tuning in. This is The Veterans Business Podcast. I’m Aaron Spatz. I’m so delighted that you’ve chosen to tune in today. Thank you for joining me. If you are watching this in video form, please note that if you are driving around in your car, you’re working out the gym, going for a walk, whatever the heck you do beyond sitting in front of the computer, know that you can take the show with you in audio form. It’s available in Apple Podcasts, Spotify, the list goes on and on and on and on. So if you can find the show on in audio form, it will be there waiting for you. And then likewise, if you’re an audio aficionados and you love just streaming these, know that you can actually watch a lot of these shows starting back at the beginning of Season 2. We started in video form. So if you’d like to see the conversations take place, that is option as well.
So we’re going to dive right into it today. I’m incredibly excited to have David Malicoat with us here on the show today. He comes to us from Marine Corps background, but he has spent a large portion of his life and his career in information technology and cybersecurity. We are going to dive a whole bunch more into that. I’ll let him tell the story. And so, David, I just want to welcome you to the show, man. Thank you so much for being here.
Thanks, Aaron. I appreciate it for having me, man. Great to be talking with you.
For sure, for sure. So you know what, I would love to just kind of peel the onion back on you in terms of what motivated you to join the military. So give us a little bit of an insight into who you were growing up, what compelled you to join the military and what did that journey look like for you?
Certainly. Well, grew up in Indiana, found my way to Texas, of course, but that’ll probably be part of the later part of the story. But I grew up in Indiana and I was in high school in Northern Indiana, getting ready to graduate. I mean, just to be quite honest, didn’t necessarily had the means to necessarily go to college. I had seen a couple of my siblings go and have a rough time of it. Maybe that’s the advantage of being the youngest of four kids to have those siblings to help provide that guidance even if it’s a front row seat. And so honestly, one day I hadn’t ever really thought about it until the Marine recruiter was in the cafeteria one day and saw him, talked to him and kind of planted the seed and started considering it, thinking about the path, thinking about what the options were.
I was a wrestler in high school, I played football. So you know, kind of the activity side of things, the physical training side of things always appealed to me. And being biased of course now that come through everything, I think Marine Corps as a whole brings a lot to the table when it comes to those things as well as others and it flows in the family. My older son is a Marine veteran as well. He’s 27. And then my youngest son was just in the beginning. He graduated high school. He’s looking to become a Marine officer. So kind of rubs off on the boys in the family, I think, a little bit there.
But anyway, so I made the decision early. I actually joined the enlistment program the summer before my senior year and had to get my mom to sign the paper. She reluctantly did that. My mom still talks about it to this day. But now when she talks about it, it was a good decision. But my recruiter – of course, everybody has a recruiter story. My recruiter was in Security Forces and so he really kind of sold me on that path, which is for him was a kind of a double whammy or a double goal for his because he got people on the Security Forces as well as got his infantry quota in it pretty easily. For those of you who don’t know, if you went Security Forces, you actually chose your B school and then went into your A – not school, but you did your B path before your A path. So when I became a Marine Security Forces Guard, I guess, is what they call it. In Norfolk, Virginia, we guarded actually special weapons as well as the command and control center for all the US Navy Atlantic Fleet as well as Marine Corps.
So it was pretty interesting. We carried Condition 1 weapons every day. Actually every time before we went on post, we had to confirm that we were ready and willing to use deadly force if necessary. Pretty interesting thing for a 19-year old to kind of think about and do on a daily basis. I think a lot of folks who’ve been out there either if it’s retraining or other, you know, you didn’t use blanks and if you’re on a live fire, or if you have a loaded weapon, you’re on a range or something like that, we were walking around doing our posts in that manner.
But actually closed that early. The Marine Corps Security Forces Company in Norfolk closed down. They were pulling things and they moved to the special weapons we had. And so we closed down early and I went down to Camp Lejeune and immediately joined 2nd Battalion Light Armored Reconnaissance as a scout. And so really didn’t get the traditional line unit when I was in 0311 infantry. Didn’t get the traditional in that way, but as a scout, it’s pretty interesting. We learned a lot about reconnaissance, a lot about going out and really kind of be in the front of the force, kind of the screening part of things when it comes to large movements, particularly mechanized.
But went on a float, went on a deployment in 1995 overseas through the med, the Med float and we were on the USS Kearsarge. A claim to fame on that one. And I’ll be right up front with everybody. ‘92 to ’99, nothing happened. I can tell you that pretty quick. So no war stories from this side. But we did have – and actually a guy that lives here local, I think he still lives in McKinney, Texas. He was an Air Force pilot that got shot down in Bosnia by name of Scott O’Grady. Guys from our ship went and got him. So we were on the Kearsarge. They had two CH-53s, loaded up with the 81mm Mortar Platoon for the Weapons Company of Battalion Landing Team 3/8, which is fascinating. And you have a Marine Expeditionary Unit. They call it Special Operations Capable. So they call them USOC, as they say, and they’re cross training in a lot of different things. And so it was 81mm Mortar Platoon that was trained up to do the what they call the TRAP missions (Tactical Recovery of Aircraft and Personnel). And so those guys, actually funny enough, I was friends with many of them, bumped right next to them.
And so they hopped on those helicopters, flew in a couple of hundred miles and picked him up. I actually got to watch him walk off the helicopter and he addressed the crew before he left. He was in pretty rough shape. I think it had been a couple of weeks that he was out there eating bugs and drinking water off of plants and such. So that was our claim to fame. The unit got a Meritorious Unit Citation out of that, which was pretty cool. But yeah, the float was fun. It was a great time. I always tell people you need to be out there on the water and particularly to cross the Atlantic when there’s just nothing. You don’t see anything in sight. And so I’m sure a lot of either Navy or Marines listening to this or seeing this kind of shaking their head. They kind of get it, the open sea.
I mean, it’s sunsets that you’ve never seen before.
That you just did not realize was even possible like 360 degrees. I mean, man, this is insane.
It is. It’s in some ways some of the most beautiful that you’ve ever seen. And I mean, you can look off and see on one side you could have a storm that you could see from 50, 100 miles off potentially, you know, the curvature of the earth. On the other side, you’re getting the sun. I mean, it’s an amazing thing.
Yeah, that’s so cool. And real quick. So Marine Corps Security Forces hold a special place in my heart because I think I have to give the forces like a little bit of credit for recruiting me into the Marine Corps because I interact with them, Marine Corps Security Forces detachment in Rota, Spain when I lived there. And so I was quickly indoctrinated, I think I was like 13, 14 years old and got my first taste of what Marine Corps life could be like and that kind of stuck with me and followed me. So it’s funny. It’s kind of interesting to kind of see all that come around.
So was that a case of you’d seen them at the gate all dressed up looking sharp?
No. Okay. Yeah. No. So I grew up in a Navy family. So I grew up in the Norfolk area. So I was born in Norfolk, lived in Chesapeake. We lived in Virginia Beach. I mean, we hopped around. And I was fortunate my father got stationed between sea duty and shore duty. We were able to bounce around to quite a few different commands there. And so whether it was on a ship or if he was with Spec War or doing instructor duty or whatever the case happened to be, had a fairly stable home life there because there’s so much going on there in the Norfolk area. But took orders of Spain, right? We moved there. Absolutely freaking beautiful. So if anyone ever went to Rota or considered orders there, man, gotta go. It’s San Diego, but Europe. It’s like just perfect.
So there’s a Marine week there or – I was about to say fleet week because that’s definitely not what happened. It was like a teen Marine boot camp, I think, is what they may have called it. And so all the base kids, however many of us there were, you could sign up. And there was probably about, I don’t know, like a platoon size worth of kids that signed up. We were like 30, 40 deep or so. And so it was intense, man. As a kid, it was intense. You were learning basic drill. We’re up in the morning PT. We’re going on runs. We got woken up by trash cans. We had a few minutes to go to the restroom, shower and shave. I’m trying to try to censor myself as I talk here.
But so having all that. We did a little bit of combat water survival training with getting your trousers and blouse inflated and all that good stuff. So we had a lot of fun and it was something I had never experienced before in my life. And I came back from that and went back to where we were on base. And you know, I’m like squaring off every corner in the house. And you know, “ma’am, yes, ma’am” to everything, “sir, yes, sir”. No, it was cool, but that kind of made a lasting impression on me and just kind of followed me along and then eventually made my own decision.
So anyway, I just say I’ll have to say a Marine Corp Security Forces, I mean, a shout out to those guys. Because as you know, being there, I mean, it’s a tough job. And the fact that you’re Condition 1 even back in the peace time section of our history, that will tell you something about the sensitivity and the importance of what you’re responsible for handling. And if something was to go down, you in that detachment are responsible for making sure things stay safe. And so it’s really, really fascinating. So would love to love to keep pushing on here. So what drove you in your career to then decide to eventually get out? So you were with your 2nd LAR at Camp Lejeune but you eventually decided to get out. What was that decision-making process like for you? And then what was that journey in terms of finding your first stop post-military?
So, interestingly enough, that path goes through the Marine Corps. So actually, I did a lat move and I changed jobs and originally wanted to become an 0231. I wanted to be an intelligent and intelligence analyst. They were full. So they were like “But we have this other one called imagery interpretation. You should take a look at it. It’s an 0241.” So they sent me up to II MEF. Went and talked to, at the time his name was GySgt (indiscernible). And if anybody that’s listening to us that knows him, he’s an old school retired now master sergeant. But talked to him. He told me him all about it, told me what we’d be doing, all that good stuff. And I was like, yeah, actually sounds pretty fun. And it was pretty cool. Actually kind of more cool than the intelligence, actually doing the analyst side.
So signed up for that, went through the school and then got stationed in Okinawa, Japan. In Okinawa, I will say I actually had an unrecoverable injury. And they had surgery, bones in, bones out, screws in all that good stuff. And it just wasn’t viable at that point to be able to continue service. So I had to make a tough decision. Really, it wasn’t my decision per se. I want to stay in. I actually was pursuing to become an officer, me and a buddy of mine. And actually, he made it. We did it one year together. Either of us made it. Next year. I got out. He made it. Brian Lawson.
So he’s retired now and he’s out there now in 29 Palms, having some fun. But had good times out there in Okinawa, but it came to an end. And funny enough, during the time that we were doing imagery interpretation, they were moving from a hard copy as they call it. So actually looking at slides or looking at actual images through periscopes and such into digital. This was ‘97, ‘98, ‘99. And that transition was fully happening. You had to have some big iron to be able to do it. So that’s what got me into the IT side of things. They sent me to school to become a systems administrator on the UNIX side, on UNIX systems. So I was helping them take care of the systems there in Oki and then got out and pretty much had a job before I got out.
There was a small company called Sprint Paranet. Actually, it was associated with Sprint, but it was a small consulting company that services basically IT services. And that was here local when Alcatel was really big. So they had a contract with Alcatel where I would go in and help do kind of level 1, level 2 UNIX systems administration work for their large development environment. Because they actually developed all their telecom code and things like that on UNIX systems.
No, complete sidebar here. But every time you say UNIX system, I don’t know, there’s another podcast out there called CYBER. And so every time you say UNIX system, I think about the part of their pre-show role. It talks about the UNIX system and it’s like Jurassic Park, right? And so the taking control of all the assets of the park’s security systems and all that. So every time you say UNIX or UNIX system, that’s exactly what triggers because that is like the prominent back at that time, right? So in the 90s, UNIX was a completely different world. I mean, not a lot of people knew about it. So the fact that you got training in that, it’s very specialized. And so what was that like being able to go into something so specialized and then you’re starting to go then branch out? How did that set you up for the rest of your career?
I will say amazingly well, quite honestly. It is my foundation. Very similar, I always tell folks, the way that I am as far as either leadership or the way I approach a job or the way I approach an engagement, I can relate that back to the Marine Corps itself where the training that I have. When it comes to the technical side, that training that I got in UNIX was that as well for it on the technical side, where I could come in. We’ll have some folks that might be a Microsoft fan, but everything has its place. Most of the time, Microsoft, you’re dealing with graphical user interfaces or you’re clicking buttons and you’re making changes. In UNIX, we were command line and that’s how we did things.
And so you had these kind of archaic commands that you had to go and memorize basically. Or memorize most of the items, especially if you want to be effective. Because if you’re looking everything up all the time then you’re not going to be as effective because you’re busy trying to learn on the job. But ultimately, that taught me a lot about just basic technology, how everything interacted. I think I had an advantage when it came to networking because you had to actually learn exactly how these things work, a lot of kind of the inner workings of things. So it definitely was – it’s still my foundation. I tend to see cybersecurity problems through kind of that UNIX lens. I always refer back to the foundations of that as I try to solve problems even in the cybersecurity space.
Wow. No, that shows that it’s such a valuable foundation. But going forward, if there’s people that are listening to this, or they’re interested in cybersecurity, where do they start? Is it even possible to go back to where you were in terms of starting point? What’s the most appropriate start point for people now?
I would say the start point, there is a ton. And particularly on the veterans side, I know there’s a lot of veteran programs that gets you started in cybersecurity. A lot of times what they’ll talk about is A+ and some of those courses. I can say ISC-squared has a good start. I think it’s the CCSP, if I recall correctly, and it gets you that foundation. It gives you kind of that bottom level, where you start at what are the concepts you need to know, what is the jargon that everybody’s talking about? And again, not on the attack side, not on the threat side, all that kind of stuff, but basic items like what is identity and access management? Or what do you need to know when you’re talking about risk? What is risk and what are the different facets of it? It’s that type of stuff or those types of items.
And so what I would suggest folks do in the veterans home, I wish I could remember off the top of my head. Maybe I can get with you after this and give you a link. But like with my son that is a veteran, I got him pulled into this as well. And basically, you can sign up and get free courses if you’re a veteran to get started in cybersecurity. So I see you making yourself a note. I would do the same. I might get you this. You can put it in the show notes.
I’m going to try and find it. There’s free IT certificates. So Hire Our Heroes.
I think Hire Our Heroes but there’s another one as well.
The Federal Virtual Training Environment (FedVTE). If you look online, there’s a lot of opportunities though. There’s a lot of places out there that you can go grab some baseline level of knowledge. But how do people crack into the industry? So, I mean, certifications is one thing, but job descriptions always requires one plus years of experience or three to five years of experience doing X, Y, and Z. What’s the most appropriate way for someone to actually get going?
So I would say an IT start is not bad, right? So if you can get yourself on some sort of help desk/service desk, that’s a good entry point because you’re going to handle kind of the day-to-day problems. Don’t get me wrong. It is the lowest level. I have worked on a help desk myself back in my early career, answering the phone, who knows what you’re going to get, right? But what do they say? Plan your work, work your plan. And if you’re studying during that time and you’re making yourself more valuable, it won’t take long for you to not be on that desk anymore.
And then obviously, I would say another piece of that is that during that process, find a mentor, right? To find somebody that is immediate, you know, levels above you. Whether it be like my level or medium type level that can help guide you that’s been there and kind of executed on that same plan. Because I have not run into anyone, including myself or others, that are not willing to get that advice or willing to get that guidance.
Another thing that has become popular, and our company has actually joining that effort as well. Because we see that need. I don’t know what the latest are, but there’s figures around the lack of cybersecurity qualified individuals in the marketplace. And then you have the great chicken and the egg. Okay, great. There’s 750,000 open spots, but I’m not qualified, or I can’t get my foot in the door because I don’t – right? So what we’re seeing and what we actually are doing at BAMCIS Cybersecurity is creating apprenticeship programs where you don’t have to have a set of skills. You have to have some hunger, right? You gotta have some discipline and have some go-get-you to you.
But ultimately, our program, basically help you with the baseline education, points you to obviously some bright spots where you’re going to have to do some independent work. But ultimately, you come under the mentorship and care of our team, to include myself, and our cybersecurity analysts and consultants. And basically, you get access to the tools which is one of the big hurdles, right? When you say about the year of experience, you know, without having access to these types of tools to learn them and to learn what they’re doing and how they’re doing it and why, it’s hard to make that leap, right? And that’s one of the big, big issues.
So at an apprenticeship program, you actually go get your hands-on those tools and in a guided way to learn how to do that and help develop that knowledge up. We’re looking at a timeline of around six to nine months to have our apprenticeship program and have folks through that, where they would be similar to what you’d see in the Marine Corps when they say basically trained Marine or basically trained sailor or airman or soldier, same idea here. You get through the apprenticeship program, you’re a basically trained cybersecurity analyst. It means you have a good foundation that you can now move in any different direction that you may want to. Because obviously, there’s a ton of different areas in cybersecurity that you can get into. It’s not a monolith.
And I would encourage folks to look at other places as well. It’s not just us. But for us, we do have a veterans hiring or veteran preference when it comes to that. Why? Because the skills are translatable. There’s no two ways about it. What you’ve learned through your veteran experience, through decision-making, planning, and quite honestly, problem-solving, and certainly in cybersecurity, you come up with a problem and sometimes you have to think outside the box. And I think the biggest thing I talked with folks about is we’re here and we need to get here, whether it be with a problem or a project or anything like that. Military members know how to do that. That’s what we’re taught. And totally translatable. So bring me somebody like that. I can definitely craft them into an amazing cybersecurity operator in no time. And obviously, with the willingness and the drive that goes with it.
Well, I mean, that’s fantastic. And one, thank you for doing that. That’s a great service and it’s a great way for people to get their foot in the door, right? Because it can be a rather intimidating way or an intimidating industry to go into. Because like you said, there’s a million different things that you can do. And so I love to kind of shift gears here and learn more about the startup, the process by which you went and you just wanted to go ahead and form your own company. So what’s the story? What’s the story of BAMCIS, right?
Sure. So kind of flashed through. I was a UNIX system administrator. I had gone to a company called Perot Systems, which was very military-friendly. Obviously, Mr. Ross Perot, huge supporter of the military. I cherished my time that I spent there. It’s almost like you kind of – I don’t want to call it the mafia because that has a negative connotation, but you have a network that’s amazing. Because I could call up any other Perot person that I know today and ask for a meeting tomorrow, and 99 times out of 100, they take it. Just because you both were there and worked at the same place. It’s an amazing alumni to have. They were purchased by Dell in ‘04. So all that changed, left there, actually went into consulting. And so it was going in and doing different IT and that morphed into cybersecurity consulting. The drive was there. The need was there. A lot of businesses need it. It was a good match for me from my history as well. And I already kind of done it during the service delivery. Obviously, we’re not doing a deep dive on that.
So move that forward. And I really saw an opportunity when it came to this. One is current service providers around cybersecurity, this may be a little bit stronger statement but I don’t think they do it right. But then again, most people start a business because that’s how things go. And in this case, I saw a lot of the big players. Won’t call them out by name. A lot of the big players in what they call the MSSP space or Managed Security Service Provider space. A lot of it was, they were providing services, but what they would do is they kind of monitor your stuff for you and they really didn’t have a service orientation about them. So they would monitor your stuff, create a ticket and they just kind of toss it over the wall at you, right? So if I’m a customer, I’m like, where’s the value in that? Yeah, you’re monitoring my stuff, but you’re not providing me really great value.
So I saw that through my consulting years and kinda got into my head. And another aspect of this was you have to kind of the secure what they call the security assessment, right? So usually you have some sort of framework that you go off of the NIST’s CSF, a lot of all the NIST ones to the new one that just came out from the DOD is CMMC is one of those as well, ISO 27000. Pick your poison. They’re all in a dirty little secret in the cybersecurity realm. They’re all relatively the same. They do have some nuances, right? But you’re not going to have one that really stands head and shoulders above another. They’re all after the same thing, which is to make sure that you’re doing the basics and maybe coming to the medium stuff and some advanced, doing it well enough that you’re protected, you’re protecting your data.
So ultimately, relatively interchangeable. Some people have more experience than others. Some people have preferences. I will say the CMMC that just came out from the DOD does stand a little above because they bring a maturity aspect to it. So if you’ve ever been exposed to CMMI, which is a process maturity framework. They basically drive cybersecurity and process together into that framework as a whole. So we can get into that.
But moving that forward. And when I would do assessments, there were always kind of these core set of services that would always fall out that I would be recommending to folks. And it was this kind of bundle of services. Like you need to do better monitoring. You need to have stuff on your endpoint to protect yourself. The old antivirus isn’t doing it any longer and you need somebody to monitor it. And then another one is vulnerability management. We’ll get into that in a minute. And then usually firewall management, right? They may have a firewall, but it sits there and nobody’s keeping it up to date or nobody’s making sure that it’s monitored as well. And those are kind of the core, there’s others.
So as I was noticing that, and it just kept happening and it’s like one of those you wake up and you go, oh, wait a minute, that could be a business opportunity. And with my services background, and then seeing how kind of what I call the big guys or the usual suspects in this realm or in this space conducted business, I’m like, we can do it better. We can it different. We can actually… so I have a background in ITIL, which was the IT Infrastructure Library from the old British time. But basically, it’s a framework around how to deliver IT services. Perfectly applicable, if not even more so, to cybersecurity and how you deliver cybersecurity services.
So I’m like what if we had a company that used ITIL in how to deliver all services as well as a bent toward customer service? So where you’re actually engaged with a customer. You’re not tossing these things over the wall. You’re actually getting in and kind of get your hands dirty to some degree. And our target audience or our target customer base, it’s pretty broad, but at the same time, it’s unique, I think. So it’s what I call smaller large companies. We’re not after the enterprises. The enterprises are not necessarily where we sit. Most of those guys will be able to afford to have their own security teams and their own tools and all that good stuff. So probably smaller large, definitely medium size, and maybe some of the larger small, to where they’ve really, you know, today, for sure, technology is just lightspeed, right? And they’ve harnessed technology to build their business but maybe hadn’t necessarily thought about the security implications of that, or maybe that’s kind of catching up with them. And they probably think that they can’t go build it themselves because it’s pretty expensive to go out and buy those tools to go out and it would set them back.
And so our value prop is we can come in and provide you fractional services, licensing when it comes to the tools that we use. But we can provide you fractional people, let’s say, or fractional time of services because you don’t need a whole – you don’t need an eight-hour a day person sitting there in a chair doing this because they’re gonna be bored because you’re not that big of a business. But to be able to come in and do that on a fractional basis, it’s been a boon. I mean, their response to that is huge to where we feel like we really kind of hit that artery that just happened to folks’ consciousness around what do they need to do because cybersecurity people, business leaders are waking up – I say waking up, that might be a bad term – or realizing their understanding of the risks around cybersecurity, but also what’s shying them away from it is the cost. And we’re helping kind of solve that problem in a nutshell.
Wow. Well, I mean, because there’s always been threats. There has never been a time – I feel like there’s such a proliferation of threats. It’s in the news. And technology is becoming more – like we are becoming more and more dependent on technology for everything from public services to just the way that we conduct business to our own private lives. It goes everywhere and there’s the risk associated with that just continues to climb and continues to increase. And so there’s a tremendous value to having a team of people that are just dedicated to the security posture of a network and being able to be proactive. So I think it’s a great, great business opportunity for sure. And so when we come back from break, what I’d like to do is one talk about how did you get your first client or two or three? How were you able to get from the scraping by level to the, okay, we’re going to be here for a little bit, we’ve finally getting a little bit of stability underneath us. I kinda like to shift gears and talk a little bit more about that as soon as we get back.
So we’re incredibly grateful for some amazing sponsors. And so just incredibly grateful for the people that we’re able to partner with and work with. But one organization I want to promote and just thank today the Veteran Executives Network. So the Veteran Executives Network is a network of networks for veteran business leaders to be able to partner and do business with each other. So whether it’s resources, being able to resource you with additional information, the network itself does not pretend to the holders of all knowledge. It’s simply a way, a conduit, in order to get you to the right knowledge, right? So if there’s another resource out there, let’s get you to that resource.
So I personally work with Veteran Executives Network doing a lot of the work for them in terms of some of the marketing communications work that we do there. And so it’s been a tremendously rewarding experience as we are continuing to work with each other. Veterans, we can work together. We don’t have to be in competition with each other. We can actually do a lot of great things when we work together. And so tremendous, tremendous strength in that. It’s a free network to join. There’s going to be more information that comes out and is available to you soon. So stay tuned there. But you can go to veteranexecutivesnetwork.com to learn more information. So incredibly grateful to be affiliated with that organization.
So getting right back to it, David. So let’s jump into day zero, day one, day two, month one, year one. What does that look like for you? How are you able to get from idea to revenue to profitability? What does that look like?
So the good news was I had already established myself as a consultant with another company. Went independent, had BAMCIS already. And we just say we call it BAMCIS or BAMCIS Cyber. Obviously, I don’t have to take up so much time to say the whole thing. And so I was doing consulting work outside and as I kind of made the decision to move the company in this direction, it was really not necessarily a case of saying we’re starting a whole new company and we have a whole new LLC or anything like that. So we took the existing and we expanded the portfolio, basically. So at current company, we’re doing consulting and this was ‘18, ‘19, 2019, and taking all those learnings.
And then really, originally, the idea was to slowly kind of get the teeter-totter going, right? So mostly consulting now a little bit, start planning and start building the backend of that infrastructure that you need for the tools and the people and the training. And then hopefully, as you do sales, now things are gonna go the other direction. And still do the consulting. Don’t get me wrong, but I would be more of running the company, running the services, maybe have a stable of consultants that I would send out and do assessments because one begets the other, right? So if you do a good assessment and do quality work, there’s those recommendations come out and then you have a viable option for folks to take advantage of your services that you provide to plug some of those holes.
To make sure that I understand this right. So you’re hired, you’re working as a consultant for another company, but then while you’re doing that, you’re building up the side business at the time. And I mean, I know we’re getting detailed here. Was that company like on board with that? Was that something that they were okay with?
So the company, and that was interesting. So the company, I had pushed for them to do cybersecurity for a few years. The company that I was at. And they had basically said, “No, we’re not going to do it.” But the interesting part was, at least in the last couple of years, I always had cybersecurity work to do for them, which is kind of an interesting way to be. The other side of it is I had given myself a five-year plan with this company. And I had spent about five years with them and I felt that I was in a good place. I have learned a lot. I’ve worked with some of the most smartest people, helped polish me up. I mean, to be able to sit in a room with the CIO, CTO, CEO, CFO, and brief them. It upped my game 100%.
So definitely, it was a mutual thing. But I had moved in that direction with cybersecurity pretty heavily, and they thought it was a little, maybe too low margin to something like that. So that’s where it kind of, I was like, I know I want to go in this direction. And it wasn’t like I was biding my time; it was just kind of like the stars kind of aligned. Speaking about it, we’ll see that in a second. And so then I found out I got an opportunity where I could go independent. It was time. I felt it was time to move on from that other company. And they had just gotten acquired, and interestingly enough, acquired by an organization that had a robust cybersecurity practice. And so instead of me joining that practice, I feel like I need to be independent. I need to go on my own and I need to kind of test my model to some degree on the business chops. I think I had done it in my life previously, and it’s all about challenges, right?
So moving that forward, I’m actually independent for about six months or so which was late ‘19 into ‘20. And actually had a colleague, he had a MSSP business. And we had kind of worked together in a couple of different places. And he due to no reasons of the market itself was exiting his company, and I was ramping this up and he was like, “Do you want my customers?” I’m like, “Well, I don’t think it’s that simple, but if we wanted to approach them and see if they wanted to come over to us, I would be more, you know, yeah, we can have that conversation.”
So we did. He had five customers and I got two of them out of it, two good solid customers. And that conversation happened in January. We did it in February of 2020. And then the shutdown happened early March. And I’d already signed contracts back in with my provider for my tool set, multiple sets of tools. I was on the hook for that. And then because at that point, there was talks. I think everybody knows how quickly that shutdown came on. And then the business climate was the Sahara Desert, for the most part. Nobody was spending money. And while it makes sense, I’m not complaining. That’s the nature of how it was.
So still had some funds left over from the consulting work that I was doing that lasted us a little while. And then we actually, a little bit of a risk that we took on an EIDL loan from the SBA to make our way through. Had some strategic partnerships that we’ve worked with on the consulting side and that kind of helped as well, which got us into our next set of customers. And so then the momentum started picking up and we started seeing some good – not just looks, but actually a sign of real customers and make this work. Okay, now we’re here with this phase. Now let’s get the next one and let’s get the next – you know. And in that meantime, what we did learn is kind of the approach. Because I think earlier I talked about kind of some of these points solutions. And when you talk about the mid-market, what the mid-market looks at is they’re not necessarily interested because they don’t necessarily have as high of a cybersecurity maturity. And not a judgment. There’s just not a lot of thought leadership there because they don’t have it. That’s the point.
So we actually pivoted and changed how we approached, how we’re coming into businesses. So instead of saying we have these point solutions, because as we’ve gone into businesses, those point solutions tend to actually cause more confusion than they solved. So to be able to go in, because honestly, there’s nobody on their side to kind of connect with. So what we did is instead of saying we have these points solutions, we say we do cybersecurity as a service, like straight up. We come in, we’re going to meet you where you’re at or what your goals are, right? So we’re going to go with them in and there’s really kind of four levels to it.
There’s a leadership level, where if you don’t have a leader, we can come in and we can help with that, right? Doesn’t have to be full-time. And if anything, we don’t want it to be full-time. We want to do this on fractional basis, provide that strategic guidance, helps you get your strategic plan together. What are the large rocks that you need to worry about? That’s what the leadership level does. The next level down is the governance level, what I call the governance level, which is kind of governing your cybersecurity program. This is where your risk management sits. This is where your programmatic items sit like your vulnerability management program. You’re going to have some compliance items in there. But I’m sure most of the time, folks are reaching out, “Hey, fill out this questionnaire. What’s your cybersecurity posture? What are you doing for this? That sits in that level.
And then the bottom two, and I don’t want to call them bottom two because they’re kind of almost the most critical, but the next two on the rung. You have your operations and then the tools go with it. And maybe it’s three levels, but operations and tools. Because some people might not decide to say they want our tools. Ultimately, we want to bring our own tools to the table because we’re experts at it and we can provide the most value there. But ultimately, operations and tools. That’s your day-to-day SOC-as-a-service. You’re running the SIEM, you’re collecting data, analyzing it and making sure any alerts happen that we’re responding there for you.
So hold on. Just to translate what you just said. So for those that are trying to keep up here. So running security operation center as a service. So you’re able to monitor networks from a security posture, not the network operations themselves, but the security apparatus. And he’d mentioned something called SIEM. And so SIEM is where it aggregates all the logs and all the different data points of collection across your network, whether it’s firewalls, other endpoint, basically all the intel in terms of inspecting and without getting – like I’m going to go way geek here, but like inspecting packets and gathering all that data and looking for any types of anomalies and other weird things that an analyst that would need to manually review, take a look at and see, “Hey, does this represent an actual threat? Or is this a false positive, false, negative? What are we looking at here?” And so I just want to frame that up. That way, people are aligned, not scratching their heads there.
Nail on the head. Nail on the head, Aaron.
Cool. All right.
So from that approach, and there’s other things as well, kind of, again, think operations, think security operations, you have endpoint protection that you have to do and managed endpoint as well as that goes, managing firewalls for folks, making sure they’re updated and maybe change any rules that need to be made, all that good stuff. And then vulnerability management of the actual day-to-day of it. So actually running the scans, making sure that the reports come in and then ship them over to the programmatic side of things. But having that approach, to be able to come in and say, “We’re not just going to do these point solutions that make your life actually harder. We’re going to come in…” Right? I mean, because truly, it does.
I know what you’re talking about, man. It’s painful. It’s painful.
And so to come in and just say we can actually come to this as a package and actually an affordable package. So if you were to price these things out, not even individually, but even as a group potentially, we can come in and be pretty much hyperaggressive on price. Again, we go through, it’s a fractional basis, allowing you – because you’re not a huge company and you don’t need to buy that gigantic tool. That’s going to cost you $20,000. You don’t need to hire that person that sits there eight hours a day and you’re kind of wondering what they’re doing. Because the other thing that happens is you can only afford to hire one person, but they’re not a cybersecurity expert on every front. We can provide you those folks on a fractional basis. So your access to expertise is now much, much wider and covers all the things versus only maybe one or two of the things that whatever that person had been exposed to that you may be able to hire.
And then also we account for a churn, right? So you may hire that person and they’re going to work for you for six months. You’re going to send them to a couple of classes, get them trained up, and then they’re going to leave for a higher-paying job because you can’t pay him 20% more. We manage that internally. Again, back to the apprenticeship program, but our folks, we set them on a path of ownership with the company. So we want them bought in. We want them to stay and we want them to become experts and we provide them a path to go up.
We range in teams. So basically, at one team of three, four people, around there, maybe five, will work on a group of three, four, five customers, depending on the size of the customer, right? And they become intimately aware, intimately involved with that customer and knows the ebb and the flow of their business, knows their business. Number one, right. What business are you in? Like we have a construction company that is one of our customers. It’s pretty different because they have remote locations. They set up servers and trailers and things like that. So we see that traffic. We understand different events because of what they do on an occasional basis. Versus another company that is they hold a lot of data PII. Basically, your personally identifiable data. That’s a little bit different, right? And it’s more centralized. They don’t have any satellite offices or anything like that. So we learn about our customers and how they do things and then we adjust our approach to make sure that we reflect that and protect them at a maximum possible.
No, no, that’s awesome. I know we’ll go down a rabbit trail because they’re so fun. They’re so fun though. But for the veteran business leader that’s looking to continue to grow their business, that maybe they’re in their first year in operation or they’re considering to getting their own venture off the ground, what advice do you have to those folks? Because you kind of had a little bit of a plan in terms of how you’re able to kind of step out of one thing into the other while you’re kind of building it up and then you kind of acquired some other business through friends and through some networking opportunities that you had and you kind of were able to kind of put it all together. But what words of advice, what words of wisdom would you have for people like maybe if you were to go back and do it all over again, is there anything you’d do differently? If not, what was your method? What was some of the things that you did that you feel was able to help get you just off the ground?
I will say one adage that always sticks in my mind: You can’t steal a second keeping your foot on first. That’s using a baseball analogy. There’s going to be risks. I guess that’s the thing I try to communicate with that, right? You’re not jumping off the cliff. I mean, obviously, you want to have a measured amount of risk of how you do it. I tried to do it maximum risk of what I thought because I knew that I could keep up my consulting business while I try to launch this other thing. It just happened to me that this other opportunity to gain a couple of clients right out of the gate pretty quick came upon me. And that’s the other is you see an opportunity and maybe you don’t have everything that you may feel totally baked yet, you have to get an entrepreneur at that point and you’ve got to figure it out.
Obviously, when you’re talking cybersecurity, maybe some people don’t want to hear that, that we’re going to figure it out. We will figure it out. Why? Because we have great technology and tools. Ultimately, your issue runs with potentially more on the human side, being able to take that, translate in your people decisions. And I guess that would be one of the bigger pieces of advice. Relationships and the people that you bring in. And I don’t want to say it’s been a factor, but there are people that I’ve kind of danced with, I guess, would be the way to put it, to kind of, do you want to get involved? Do you not? And there’s some people that I just felt were not a good fit. And they were good friends or I say friends, but a good colleague, good people that I know. And I just didn’t feel like they were a good fit for the culture that I’m trying to put out there and trying to do. It’s not a matter of being a veteran or not.
Actually, I have a guy working right now that’s not a veteran actually, too. But ultimately, they are good fits. They’re good, good people. And when you know you know. I mean, that’s the best way I can put it. Because it kind of hits. Ultimately, what you’ll find out is if you’re cautious, they’re being cautious too. If they’re running at you with arms open and “Hey, everything’s great”, that maybe where you want to kind of go, “Hey, wait a minute. let’s take a pause. Let’s pack the brakes a little bit.” But if they’re being just as cautious as you are, if maybe even a little bit more, that’s a good sign from my perspective when it comes to people, and particularly people that are going to be what I would say very key and instrumental in your organization. The one right now that I’m looking at that I’m working with, he’s gonna wind up probably running all the operations for BAMCIS. But it’s a slow process. He’s not just rushing in and not just going to take over. It’s a slow, steady, making sure that we build upon one another strengths also.
So I think that would be the best advice. Because truly, if your business is about people, and the people, there’s two sides to it. The people that you have on your team that are servicing your customers or making your product or doing those things, they have to be solid and they have to be the right people. The other side of it is your customers. You have to have the right customers and you have to put yourself in a position to succeed with those customers. I always tell folks I think, you know, they call it consultative selling or relationship selling. Just go have a conversation. Just go talk to people. Just go make yourself available. I think I always put out there: If somebody wants to talk to me for 30 minutes about cybersecurity, no matter what. If they just ask, I’m in, I’m good. No expectations. I’m not gonna sell you anything. I want you to be smarter about cybersecurity.
Now when the time comes and you decide that you’re looking in the market itself. Obviously, the only ask I would maybe have is come back to me and what do I think? But that’s not even an ask. Because we usually what happens is, when somebody demonstrates that value to you, it comes back in kind of a hundred times over. So just have the conversations. Go out there, just like this conversation. Aaron asked me to be on this. And I can honestly say this is only my second podcast. The other one also happened to be with Aaron, but you know, take the chance. I don’t necessarily feel all that comfortable on film or on camera. But ultimately, you kind of go past that, have the conversation and hopefully, I think it will, obviously with Aaron’s talent, it’ll make an impact out there and get to a lot of people.
No. Well, I mean, you really articulated something incredibly, incredibly important and really, really strong. And I love the way that you framed it up. Because there’s this notion that I’ve got this widget and I’m going to make the widget fit for you and jamming your product or service down someone’s throat, and the approach that you’re taking, and it is the approach that works and it’s uncovering and understanding customer’s pain points, right? Like listening, asking questions, it’s all these things that it sounds so obvious after you’ve said them, but in the moment, sometimes we get so focused on the short-term goal or what’s right in front of our nose that we can, if we’re not careful, kind of forget, hey, we’re here to serve our customers.
And so back to what you’re doing here. You’re taking this consultative approach where people have some questions, they have some concerns. You’re more than happy to educate them. You’re more than happy to kind of bring them up to speed in terms of knowledge level because it is a very knowledge monopolistic thing in cybersecurity. You’ve got all of the expertise, right? If you have a client that comes to you, they’re not going to understand exactly what you’re telling them. It’s like an auto mechanic or an HVAC technician, right? They know this stuff a hundred times better than you do, even if you think you know it, right?
And so there’s a tremendous value in the way that you’re positioning that because then you’re adding value to them. You show them a little bit of your chops. You kind of give them a sense of what you’re capable of doing. You’re building a bridge or building that relationship with somebody. You’re making them feel comfortable with you. And so guess what’s going to happen? Then the next time that they have an actual problem, or they’re thinking about, you know what, that conversation I had with David three months ago, that was really impactful to me. I need to give that dude a call. I think he would be perfect to help us solve problem X.
I’ll give you an example. I had a conversation in February of 2020, touch based once or twice between that and December. In December, that same person came to me and said, “Can you give me a statement of work for these list of services?” And it was pretty significant. And so hadn’t talked a whole bunch, just kind of kept in touch and no expectations, no hard sell, but the next thing you know, “Can I have an SOW?” Yes, you can.
Yes, you can. Thank you very much. People do business with people that they like, know and trust. And so they got to know you over time, they liked you and they’ve gotten an opportunity to trust you. And so you’re building that bridge, kind of having a couple of touch points, sometimes that’s all it takes, right? And it’s not always going to fit. It’s not always going to match. I think that’s one thing I’ve shared with people is quit wasting your time trying to sell something to somebody when the answer is no. If it’s no, it’s no, move on. You’ve got way too many other things to worry about besides trying to make a no a yes. Don’t worry about it. Keep going. And you’ll eventually find – like in your case, you’re doing business with people that you would genuinely want to do business with, which it was just pretty cool.
It’s fun. Definitely fun. What I always try to do is become the trusted advisor and you have to approach it from a position of not power. It’s not a power position. Being a trusted advisor just means you actually add value to that person, that decision maker, and you can help guide them. And ultimately, it comes with a tent. The intent is to be true. I want these folks to be more secure in their business. I don’t want that breach to happen that takes their business down. And if I can help protect them at a price that they feel comfortable with, at the same time we feel comfortable with that we can meet our goals as well, it’s a great partnership.
And what you just said, you demonstrated that you care. That’s what you’re saying. That’s the number one ultimate best marketing strategy is care. Care about your customers, care about what you’re doing. So, I mean, that’s a great way to put a bow on this one, man. So thank you so much for spending the time with me, David. This has been terrific. Obviously, if you’re watching, listening, you can learn more about BAMCIS Cyber. I’ll have that linked up in the show notes so you can learn more about David and learn more about BAMCIS Cyber. But David, I just wanna thank you, man. This has been a blast.
Hey, just like the last one, I had a blast as well. I love coming on, just kind of talking, and obviously, shared past with the veterans out there. Sometimes the days can be dark. And I can tell you in many timeframe for me, you just got to show up. You’ve got to keep showing up. It’s just like you did when you were in. If you have that dream and you have that vision, sometimes I call it the bucket theory. Sometimes you make pour just to drop. Sometimes you can pour a whole cup. Sometimes you can pour a whole gallon. It depends. But just at least make sure you get the drop in every day. After that, everything’s great. And you’ll make it.
That’s solid. And one last thing to just completely embarrass David also would be if you want to learn more about David and see a little bit more in the episode that he’s mentioning, I had him on my other show, the Dallas-Fort Worth Business Podcast. So if you’d like to hear more about David, we actually covered quite a bit of different material between this episode and the last one. So there’s not going to be a whole lot of overlap. So you get two hours with David Malicoat
Oh, my gosh.
All your dreams are coming true.
Not many people can take it.
Oh, man. It was awesome. It was awesome. Thank you so much, David. Appreciate it.
Thanks, man. Appreciate your time.