Greg Schaffer: Hi, I’m Greg Schaffer, and welcome to The Virtual CISO Moment. I’m so happy—this is my 250th interview for The Virtual CISO Moment.

Today I have Bruno Lecoq. He is the Co-Founder, CEO, and Chief Information Security Officer at BEMO, a company focused on helping small and mid-sized businesses protect their data, strengthen their cybersecurity posture, and navigate increasingly complex compliance requirements.

Bruno brings more than three decades of technology leadership experience, including 19 years at Microsoft before launching BEMO in 2010. Under his leadership, BEMO has grown into an award-winning Microsoft partner serving hundreds of organizations across the United States while achieving certifications and compliance frameworks that include SOC 2, ISO 27001, HIPAA, and CMMC Level 2.

With a unique perspective that spans cloud transformation, cybersecurity compliance, and the realities facing small and mid-sized organizations, Bruno has helped bridge the gap between enterprise-grade security practices and the practical needs of growing businesses.

Bruno, thank you so much for joining us today.

Bruno Lecoq: Thank you for having me. And thank you, ChatGPT, for a wonderful intro.

Greg: Good. Now, Bruno, I’d like to hear, in your words, your background, how and why you got started in technology, and bring us all the way through your Microsoft days, the founding of BEMO, and where you’re at today.

Bruno: I’m from France, and when I was 15 years old, I was crazy about computers. I saw a television show about two young millionaires in the United States. One was Steve Jobs and the second one was Bill Gates. I heard the story of the beginning of Microsoft, and afterward I went and woke up my mom and said, “Mom, I want to go work for a company like Microsoft.”

That became my goal. I eventually came to the United States. I’ve now been in Seattle for 36 years, and I achieved that dream by getting a job at Microsoft.

At Microsoft, I held multiple roles. My first job was as a developer working on MS-DOS, which definitely dates me. Later I worked on Windows NT, moved into hardware, worked on Xbox, and held a variety of different positions.

In 2010, I started BEMO. Originally, BEMO developed a process to deploy Microsoft Project Server and SharePoint Server in about 15 minutes. This was before Office 365 and before Azure existed. Then, in 2018, we shifted our focus into cybersecurity, and that’s where we’ve been ever since.

Greg: Awesome. You were talking about the Windows and MS-DOS days, and this is going to be a weird question because you may not have had any involvement with it whatsoever. Earlier in my career, I remember that TCP/IP wasn’t native in Windows. I think it was during the Windows for Workgroups era. We had to load a third-party stack—we used something called Chameleon.

Why wasn’t TCP/IP native at that time? Was Microsoft still pushing NetBEUI?

Bruno: Yes, exactly. You have to remember that in those days Microsoft was going through a major transformation.

My first products involved working on OS/2. One of my projects involved taking OS/2 components and converting them to DOS and Windows packages. I worked on that for about six months. Then, on the day of the shipping party, Bill Gates came in and announced that the product was being canceled because Microsoft was ending its partnership with IBM on OS/2 and moving forward with Windows NT.

Because of all those transitions and negotiations, there were many moving pieces determining what technologies would be included and in what order. When you’re a developer, you understand some of the technical reasons, but there are also business and partnership decisions happening behind the scenes.

It was a very interesting time.

Greg: I kind of wish OS/2 hadn’t lost out in that battle because, back in the day, it was an amazing operating system—well ahead of its time. But when Windows NT arrived, it was really a game changer.

So, after Microsoft, you decided to do something completely different and start a company helping small and mid-sized businesses.

Bruno: In some ways, it wasn’t completely different. I worked at Microsoft for almost 20 years, and even today BEMO is still 100 percent focused on Microsoft technologies. We don’t do AWS. We don’t do Google.

We’re a Microsoft Partner of the Year, and Microsoft has always been our ecosystem.

Before, I was inside Microsoft helping build products. Now I’m outside Microsoft, but still very connected. I’m based in Seattle, I’m on the Microsoft campus every other week, and I still feel very connected to that world.

Today, we’re heavily involved in Microsoft’s beta programs. Microsoft considers us one of the top cybersecurity firms in its ecosystem. Every January, Microsoft invites us to campus under NDA and shares its roadmap for the next 12 months across security and other product areas. We provide feedback, meet with development teams, and help shape features before they become generally available.

When those features are released, we’re already prepared to deploy them.

Greg: I won’t ask you to tell us what the next 12 months will bring, because I’m sure that’s all under NDA. But I imagine much of that revolves around AI, Copilot protection, and AI governance.

AI seems to be becoming the proverbial Wild West. Would it be fair to say that Microsoft’s general direction is to help organizations manage AI and AI governance?

Bruno: Totally.

Microsoft recently released capabilities around managing AI agents. The idea is that you can manage your agents whether they run on Microsoft, AWS, or Google. Microsoft wants to provide the management plane where organizations can govern all of their AI agents from a single location, regardless of where those agents reside.

I’ve always felt that Microsoft is often two or three years behind in some areas. They’ll release version 1.0, and I typically tell customers to wait for version 2 or 3. But once they reach version 3, things really come together and fit seamlessly into the ecosystem around governance and security.

Greg: So this is probably an extension of Purview then?

Bruno: It includes much more than Purview. It involves Azure, Microsoft 365, and the entire ecosystem working together.

Greg: I’m not going to pretend that I’m a Microsoft 365 administrator. I know just enough to proverbially be dangerous.

I’ve worked with Purview, Entra, and some of the Azure security components. One thing I noticed over the years was that Microsoft seemed to change things frequently, and it could be difficult to find administrative settings that used to be somewhere else.

Today, it feels like the rate of change has slowed down a bit. Am I imagining that?

Bruno: No, you’re actually pretty correct.

Take Entra, for example. Entra isn’t evolving at the same speed it was previously because it’s become fairly mature.

However, when you look at AI-related services, things are changing constantly. Right now, as we’re working on ISO 42001 for AI governance and using Microsoft 365 Copilot, features are changing every other day.

Everything around AI is moving incredibly fast.

Greg: In my world, we work with SMBs through virtual CISO engagements. Managing Microsoft 365 doesn’t usually fall directly to us, but rather to someone within the company or an external IT provider.

Are there strategies from Microsoft designed to help smaller organizations successfully manage Microsoft 365 without getting overwhelmed by all the complexity?

Bruno: Microsoft has always, in my opinion, been built around partners.

Ninety-five percent of Microsoft’s revenue comes through partners. Microsoft trains and enables its partners, and those partners then serve small businesses.

There’s no way that one IT person can realistically know Entra, Purview, data governance, SharePoint, Copilot, and everything else in depth.

Even within BEMO, where Microsoft is all we do, we have specialists because it’s impossible for one person to know everything.

Greg: Many organizations realize they need outside help to successfully manage Microsoft environments, but there are a lot of people out there claiming to be Microsoft experts. Some are excellent, while others are not.

What should a small or mid-sized business look for when trying to find a provider like BEMO?

Bruno: First, ask for referrals. Ask other organizations about their experiences.

Second, look at credentials.

We’re a Microsoft Partner of the Year. That’s important because it demonstrates that Microsoft itself recognizes the depth of our expertise.

We support SMBs across the entire country and work across many industries—from defense contractors to CPA firms and everything in between.

Greg: Since you mentioned defense contractors, let’s talk about CMMC.

I know CMMC requires organizations to properly protect Controlled Unclassified Information. Sometimes I get confused about how all of that translates into the Microsoft ecosystem.

Can you help simplify that?

Bruno: BEMO is one of approximately 50 Managed Security Service Providers in the United States that are currently CMMC Level 2 compliant.

We’re 100 percent Microsoft-based, and I can tell you that you do not need additional platforms or non-Microsoft tools to achieve compliance.

We’ve built our own enclaves, we’ve gone through the C3PAO assessment process ourselves, and we’ve successfully completed the audit.

So yes, it is absolutely possible to become CMMC compliant using a Microsoft-centric approach.

Greg: It sounds complicated to me. It must also be challenging when you’re working with an SMB and trying to explain that they need a specific architecture because they’re handling CUI. How do you sell that concept?

Bruno: Historically, organizations doing business with the Department of Defense completed self-assessments against NIST SP 800-171 and simply attested that they were compliant.

Many organizations checked the box and said, “Yes, we’re compliant.”

Personally, I believe many of them would not actually have passed an independent assessment.

I think the Department of Defense realized that, which is why CMMC was created. Now organizations must go through an independent third-party assessment process.

Fortunately, we don’t have to sell organizations on CMMC. Their prime contractors are doing that for us. Companies like Lockheed Martin are telling suppliers, “If you want to continue doing business with us, you need to achieve CMMC Level 2 compliance.”

Greg: One thing I’ve always found confusing concerns Managed Service Providers and CMMC. How does that work?

Bruno: A company can become CMMC compliant while using an MSP that is not CMMC Level 2 compliant. However, the MSP becomes part of the overall risk picture.

The MSP often has privileged access to systems, infrastructure, and potentially Controlled Unclassified Information. During an assessment, the MSP’s practices can absolutely affect the customer.

So while certification for the MSP isn’t always mandatory, there is definitely additional risk.

Greg: From my perspective, if I were a defense contractor handling CUI, I would certainly prefer to work with an MSP that had already demonstrated CMMC compliance.

Bruno: I would make the same choice.

The challenge is that many organizations don’t fully understand that relationship. They don’t realize that the MSP’s security posture can affect their own assessment.

Greg: This is why I often tell organizations that they must thoroughly vet not only their virtual CISO providers, but also their MSPs and security partners.

Ultimately, responsibility for protecting CUI always remains with the organization itself.

Bruno: Exactly.

One situation we see frequently involves organizations that believe they have been compliant for many years, only to discover they were never truly compliant.

For example, we’ll receive calls from defense contractors who say, “We’ve been handling ITAR-regulated data for 15 years, and now we need help with CMMC.”

Then we discover they’re running in Microsoft Commercial environments when they should have been operating in environments that support ITAR requirements.

Many organizations experience sticker shock because they suddenly realize the level of investment required.

In reality, they were simply receiving a free pass for many years because nobody was independently verifying their compliance.

Greg: Organizations should be suspicious whenever two providers present dramatically different pricing for what is supposedly the same service.

If one proposal costs two or three times as much as another, there is probably a reason.

Bruno: Exactly.

I recently worked with a company in San Diego with about 150 employees. They told us, “You’re three times more expensive than another provider.”

The competing provider was proposing a commercial Microsoft environment that simply would not satisfy their ITAR requirements.

Once we explained the differences and compared apples to apples, the pricing made sense.

Customers are free to choose whichever provider they prefer, but they need to understand the implications of that decision.

Greg: That really comes down to trust.

Although we may sell products or services, what we’re truly selling is trust.

If you begin a relationship by misleading a customer, you’ve damaged that trust from the start.

Bruno: At BEMO, every prospective customer receives a complete total cost of ownership analysis.

We show not only BEMO’s costs, but also all of the other costs associated with achieving compliance—auditors, third-party services, additional tools, and ongoing operational expenses.

We want customers to understand the full picture.

Relationships in cybersecurity are built on trust. If I mislead a customer at the beginning, we won’t have a successful long-term relationship.

Greg: Do you ever discuss potential penalties if organizations choose a non-compliant approach?

Bruno: Not really.

The first thing we determine is whether the prospective customer is genuinely interested in security and compliance, or whether they simply want a certificate.

If someone only wants a piece of paper, we generally don’t take them as a customer.

Greg: Amen. That’s exactly our philosophy as well.

Bruno: I often compare CMMC compliance to having a child.

The day you become compliant is like the day your child is born. It’s only the beginning.

From that point forward, there are activities that must occur weekly, monthly, quarterly, and annually. CMMC is an ongoing process.

Many organizations believe that once they receive the certification, they’re done. In reality, they’ve barely started.

Greg: Achieving certification is just the beginning. You still have to manage the program, maintain the controls, and continuously monitor everything.

Bruno: Exactly.

Many organizations view compliance as simply another expense.

Personally, I view audits and compliance frameworks differently. I see them as an opportunity to have independent experts identify weaknesses in our environment.

I’d much rather have an auditor discover a problem than a threat actor.

Greg: Segment three is always my favorite part of the show because I always hear different stories.

Cybersecurity and entrepreneurship can be stressful. What’s one of the things that you do to decompress?

Bruno: I’m a huge soccer fan.

Perfect timing, actually. My father is flying in from France, and he’s going to spend six weeks with me. We’re going to watch a lot of soccer together and enjoy every minute of it.

Greg: Now wait a second—you called it soccer. Shouldn’t you have called it football?

Bruno: I’ve learned how to speak American.

Greg: If you had said football, my American brain immediately would have gone to the Seahawks.

I have to admit that I’m not the biggest soccer fan. I think part of it is because of how we’re raised. I grew up with American football.

But the more I think about it, the more I wonder if soccer is actually the purer form of the game. In American football, you have a one-hour game that somehow lasts four hours.

Bruno: Growing up in France, soccer was simply part of life.

As kids, we’d go outside with friends, bring a ball, put down two shoes to mark the goals, and start playing.

It’s a sport that costs almost nothing to play.

Greg: Looking ahead, what plans do you have for BEMO and for yourself?

Bruno: For BEMO, we’re continuing to expand our AI security offerings.

We’re deploying security solutions for AI environments, including Microsoft Copilot security, agentic AI security, and AI governance initiatives.

One major focus area for us is ISO 42001 and helping customers establish governance frameworks around AI.

Within BEMO itself, we currently have 46 AI agents running internally.

Everything is accelerating. The speed of change around AI is extraordinary.

Greg: The pace really is incredible.

I’ve occasionally thought about retirement and what that might look like for me. But honestly, I enjoy this field so much that it’s hard to imagine stepping away.

Being able to witness and participate in all of these technological shifts has been a lot of fun.

Bruno: I completely agree.

I feel fortunate because I’ve experienced several major technology revolutions during my career.

There was the personal computer revolution, then the internet revolution, then cloud computing, and now AI.

The AI revolution is moving faster than anything I’ve ever seen.

It’s exciting to still be part of it.

Greg: Well, Bruno, I hope you and your father have a wonderful time together watching football over the next several weeks.

I really appreciate this conversation. One of the things I love about The Virtual CISO Moment is that I never know exactly where an episode is going to go, and I really enjoyed the organic direction this conversation took.

I learned a lot today, and I appreciate you taking the time to join me.

Bruno: Thank you for having me.

Greg: And everybody, stay secure.