You've Been Heard

409- Permission to Play w/Nathan Kaufman

Philip Howard

Tech News, Technology, Business, Management, News


🗓️ 24 March 2026

⏱️ 37 minutes


Summary

Nathan Kaufman built CMMC compliance from scratch at a defense contractor with SSH open to the internet and no Active Directory. Then he learned the hard way that technical wins mean nothing if you can't communicate your value.

Nathan Kaufman walked into a $100 million defense contractor with 80 employees, zero IT infrastructure, and two years to become CMMC Level 2 compliant or lose all DoD contracts. No Active Directory. SSH open to the internet. Engineers buying equipment with personal credit cards. A flat network running on unpatched switches.

He built it all from the ground up. Deployed CrowdStrike across 350+ endpoints. Migrated to Azure GCC High. Survived a merger, acquisition, and divestiture simultaneously. Grew the team from one person (him) to five across three locations and 260 employees. Passed the CMMC audit in November 2025. Then he got fired in August.

We get into the technical path for CMMC compliance, why "permission to play" became his rallying cry with executives, and the SBI framework for communicating IT value. Nathan shares his biggest lesson: you can have amazing technical skills, but if you don't advocate for yourself, nobody else will. The brutal truth about building compliance infrastructure while life happens around you.

Key takeaways: "Permission to play" - compliance isn't optional for DoD contractors; SBI framework: Situation, Behavior, Impact for communicating IT value; Technical wins mean nothing without executive communication skills.

Transcript


0:00.0

Welcome back to You've Been Heard, everyone.

0:12.0

Today we've got Nathan Kaufman.

0:15.0

And Nathan, you've been doing a lot of stuff around cybersecurity

0:19.0

and actually getting an organization compliant for business with the

0:24.8

U.S. government.

0:25.9

I believe that's where CMMC really comes into play as being compliant for doing business

0:32.9

and requirements for the DoD to make sure that all contractors, subcontractors and sub-subcontractors

0:39.6

are all being very aware so that nobody accidentally introduces vulnerabilities.

0:47.9

But we'll get into all of that in just a minute.

0:51.5

But for the moment, why don't you tell us a little bit about who you are,

0:54.8

where you came from, and how you found yourself being the head geek and cybersecurity guy

1:00.2

for an infrastructure and stuff. Sure. So I have 25 years experience in IT in my way up from

1:08.2

desktop support all the way through being a director of IT.

1:12.9

Started in 2000 as an MSP consultant before they were called MSPs.

1:18.5

They didn't really have that name back then.

1:21.2

We got A+ certified in 2001.

1:23.3

Yay.

1:23.8

I'm a lifer.

1:25.4

And then I worked across many organizations at in person, ISP.

1:29.3

I worked at AT&T.

1:30.7

I got laid off twice from AT&T and decided I'm done with AT&T.

1:36.9

I've done a lot of why you do that.

...
