Bruno Lecoq spent 20 years at Microsoft before co-founding BEMO. He didn’t leave because he disliked the company. In fact, he says he “owes his life to Microsoft.” But after two decades inside a global corporation, he saw something missing in the small and mid-sized business world: practical, integrated cybersecurity built for real operators. That gap became BEMO.
Over the past few years, the compliance conversation has shifted dramatically. What used to be optional – SOC 2, ISO 27001, CMMC – is now non-negotiable. Startups need it to close enterprise deals, defense contractors need it to bid, and MSPs are now in scope of their clients’ audits.
Long story short, compliance is no longer a “nice to have.” It’s a prerequisite for trust. But as demand has risen, so has the rise of “cheap compliance.”
In the latest episode of Trust Issues, Brandon and Bruno Lecoq sit down to debunk the myths and dangers of quick or cheap compliance, explain why the checkbox compliance approach is dead, and describe the ways in which SMBs can re-commit themselves to a more foolproof, sustainable state of security and compliance.
Here are the key takeaways from the episode.
One of the most important distinctions Bruno makes is that compliance does not equal security, and security does not automatically equal compliance.
Compliance is a framework. It’s a structured way for a third party to verify that you are doing what you claim to be doing. Security, on the other hand, is an operational discipline. It’s what you do every day - from patching systems and reviewing logs to responding to threats and enforcing MFA.
At BEMO, compliance isn’t pursued to “check a box.” It’s used as validation. Bruno welcomes external auditors because they pressure-test assumptions. And, if a third party finds a gap, that’s not a failure - it’s feedback. This mindset is very different from racing to get certified as cheaply and quickly as possible.
One of the most striking realities from BEMO’s internal data is this: roughly half of customers experience attack attempts each year. And most of them never knew until they had monitoring.
As Bruno points out, Azure Sentinel (a SIEM) aggregates millions of log entries per month. For BEMO alone, that equates to tens of thousands of log events per day. Those logs are filtered by automation and reviewed by a 24/7 Security Operations Center (SOC). Without that layer, you simply wouldn’t know. What’s even more concerning? Nearly half of Microsoft tenants historically did not enforce MFA on global admin accounts. That single oversight represents a massive risk, and it’s easy to fix.
The lesson is simple - security basics are still missing across the industry.
Can you technically obtain a compliance certificate quickly? In some cases, yes. But the real question is, what are you building? Bruno’s checklist of a strong security program includes:
That doesn’t happen in two weeks unless you already did the work, which brings us to the next key insight - the timeline isn’t just technical. It’s cultural.
BEMO deliberately chose to be Microsoft-centric. Not because alternatives don’t work, but because integration matters. The more tools you bolt together (Okta, CrowdStrike, separate backup tools, separate logging platforms), the more complexity you create. More vendors mean more audit scope, more integrations, more maintenance, and more failure points.
For SMBs, especially those between 50–300 users, simplicity often beats “best of breed.” For example, Microsoft’s E5 licensing consolidates identity, endpoint protection, email security, and logging into one ecosystem, which reduces cost and accelerates deployment. So, you see - compliance becomes easier when your stack is coherent.
For defense contractors pursuing CMMC, Bruno reveals another critical shift - your MSP is part of your audit scope. And if your provider is not aligned with the framework, your audit becomes harder.
That’s why organizations should verify whether their partners are registered practitioner organizations (RPOs) or have certified personnel. Frameworks like CMMC now operate within structured ecosystems overseen by bodies like the Cyber AB.
So, remember, trust isn’t just about your controls. It’s about your partners.
For anyone thinking there’s no real business case for doing compliance and security the right way - you’re wrong. If a security company gets breached, its business is effectively over. Trust disappears overnight, and reputation damage can outweigh the cost of compliance many times over.
Security is no longer optional infrastructure. It’s essentially part of your go-to-market credibility.
Cheap compliance might win you a deal, but it’s a short-term reward. Like a dopamine hit. But when it wears off? That’s when real trouble starts to brew.
Real security, on the other hand, wins you longevity.
The question isn’t “How fast can we get certified?” It should be “Do we actually care about protecting our business?”
If the answer is yes, shortcuts won’t satisfy you. And if the answer is no, no certificate will save you anyway.
Compliance and cybersecurity are closely related but not the same thing. Compliance is the process of meeting the requirements of a specific framework or regulation, such as CMMC or SOC 2, by demonstrating that certain controls are in place. Cybersecurity, on the other hand, is the ongoing operational effort to actively protect systems, data, and users from threats. A company can be compliant on paper but still vulnerable if security practices are not consistently enforced. True risk reduction comes from aligning compliance requirements with strong, day-to-day security operations.
Achieving SOC 2 or CMMC certification in a very short timeframe is only realistic if the organization already has the required controls fully implemented and operating effectively. In most cases, rapid certifications indicate that the focus is on documentation rather than real security maturity. Compliance frameworks require evidence of consistent execution over time, not just policies written for an audit. Companies should be cautious of timelines that seem too good to be true, as they may lead to gaps that create risk after certification is achieved.
Multi-factor authentication is one of the most important security controls in Microsoft environments because it significantly reduces the risk of account compromise. The majority of cyberattacks target user identities, especially through phishing and credential theft. Enforcing multi-factor authentication adds an additional layer of protection that prevents unauthorized access even if passwords are compromised. Despite its effectiveness, many organizations still fail to enforce it consistently, particularly for administrative accounts, which creates unnecessary risk in otherwise secure environments.
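The global-admin MFA gap called out in the episode takeaways and in this answer is something a tenant owner can measure directly. The script below is an added example, not BEMO's tooling or anything from the episode; it assumes the Microsoft Graph PowerShell SDK is installed and that the signed-in account can consent to the read-only scopes listed. It lists the members of the Global Administrator role and flags any user with no MFA method registered.

```powershell
# Added example (not from the episode or BEMO): find Global Administrators
# with no MFA method registered, using the Microsoft Graph PowerShell SDK.
# Assumption: the SDK is installed and the caller can consent to these scopes.
Connect-MgGraph -Scopes "Directory.Read.All","AuditLog.Read.All","UserAuthenticationMethod.Read.All" -NoWelcome

# Resolve the Global Administrator role. It only appears once activated in the tenant.
$role = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
if (-not $role) { throw "Global Administrator role is not activated in this tenant" }

# Role members can be users, groups or service principals; keep user objects only.
$admins = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' }

# The registration report says whether each user has any MFA method registered.
# Caveat: registration is not enforcement; enforcement comes from Conditional
# Access or security defaults, so a registered user can still sign in without MFA
# if no policy requires it.
$registration = @{}
Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    ForEach-Object { $registration[$_.Id] = $_ }

$findings = foreach ($admin in $admins) {
    $detail = $registration[$admin.Id]
    [pscustomobject]@{
        UserPrincipalName = $admin.AdditionalProperties['userPrincipalName']
        MfaRegistered     = if ($detail) { [bool]$detail.IsMfaRegistered } else { $false }
        Methods           = if ($detail) { ($detail.MethodsRegistered -join ',') } else { 'none/unknown' }
    }
}

$unprotected = @($findings | Where-Object { -not $_.MfaRegistered })
$findings | Sort-Object MfaRegistered | Format-Table -AutoSize
Write-Host ("{0} of {1} Global Administrators have no MFA method registered" -f $unprotected.Count, @($findings).Count)
```

Run it as a recurring check rather than a one-off: a new break-glass or vendor admin account created after the audit is exactly the kind of gap a SOC should catch before an attacker does.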
Compliance timelines can differ significantly from one organization to another due to several key factors. Leadership priority plays a major role, as organizations that treat compliance as a strategic initiative tend to move faster and more effectively. Internal ownership and accountability are also critical, since unclear roles can delay progress. Additionally, the consistency of execution across teams impacts how quickly controls are implemented and validated. Companies with strong alignment, clear processes, and dedicated resources typically achieve compliance more efficiently.
Using Microsoft technologies can help streamline the compliance process by providing an integrated ecosystem that reduces complexity. Solutions within Microsoft 365 and Azure are designed to work together, which simplifies security management, centralizes control visibility, and reduces the number of third-party tools that need to be audited. This can lead to a smaller audit scope and faster evidence collection. However, while the platform can accelerate compliance efforts, success still depends on proper configuration, governance, and ongoing management.
Your managed service provider is included in your CMMC audit scope because they have direct access to and control over your systems, data, and infrastructure. If your provider does not follow strong security practices, it can introduce vulnerabilities that impact your overall compliance posture. Auditors evaluate not only your internal controls but also the security of any third parties that manage or influence your environment. This makes it essential to work with providers who understand compliance requirements and can demonstrate their own security maturity.