September 5th, 2025
Welp, I never saw it coming.
I mean, I saw the signs. Several clients had been DOGED. We were bleeding money. And I was the highest-paid employee. But there's a difference between knowing the math and actually getting the call.
I was the VCIO and TAM at Envision IT, a 25-year-old MSP. Twenty-five years. They'd survived Y2K, the 2008 crash, every tech bubble burst. If they could make it through all that, surely they could make it through whatever 2025 was throwing at us.
Except 2025 hit different.
One client lost $60K a month in federal funding and couldn't pay us. Just... stopped. Another had their five-year contract terminated mid-cycle. Not because they were unhappy with our work. Because someone in Washington decided their program shouldn't exist anymore. We watched nearly $150K in monthly recurring revenue vanish. Not because we screwed up. Because the federal government decided to redraw the playing field while we were still playing on it.
My CEO was direct about it: "I have to make financial and business decisions." No corporate speak. No "this is harder for me than it is for you" nonsense. Just the truth. I actually appreciated that.
What Now?
Here's the thing about getting laid off from a client-facing role: you suddenly have time to think about all the fires you were too busy putting out to actually prevent.
So I'm diving into CMMC and SOC2 compliance. Not because they're buzzwords, but because I just watched a client fail their CMMC Level 2 certification and I finally understand why.
Our assessor warned us early on: "80% of first-time applicants don't pass." The client was confident he'd be in that special 20%. He wasn't.
And watching that failure, I realized the problem wasn't technical. The problem was that everyone treated CMMC like buying cyber insurance. Write the check, get the stamp, move on with your life. But CMMC Level 2 isn't insurance. It's 110 security practices across 14 domains, and every single one needs evidence that you're actually doing it, not just claiming you are.
The things that actually trip people up:
Companies don't define their CUI boundary properly, so they end up trying to secure their entire infrastructure when they only needed to protect a small slice. That's expensive and unnecessary.
Having the technology isn't enough. You need timestamped evidence of implementation, maintenance, and incident response. Documentation isn't busy work; it's the entire point.
Assessors vary wildly. Ours got stuck on details that other assessors apparently wave through. Finding the right C3PAO is as important as the prep work itself, and nobody tells you that upfront.
SOC2 Is Even Weirder
SOC2 is technically voluntary. But try getting an enterprise client without it. It's "voluntary" the way wearing pants to a job interview is voluntary.
The weird part is that SOC2 is principles-based. You define your own controls, then prove you follow them. Which sounds great until you realize companies implement impressive security controls and then fail the audit because they can't prove consistent adherence.
Like, you have the firewall. You have the policies. You have the training program. But you don't have 90 days of logs showing you actually reviewed the firewall rules. Or evidence that anyone actually completed the training. Or documentation of your monthly security reviews.
The audit trail is the audit. If you can't measure it, you can't audit it. And if your "audit readiness" phase starts 60 days before the audit, you've already failed. You need 90 days minimum for a Type II. Nobody tells you that either.
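As an added illustration (not code from the original post), a small Python check over a constructed evidence log: it splits a 90-day Type II window into monthly periods, reports which periods lack timestamped evidence for a recurring control such as the firewall rule review, and lists staff with no training completion in the window. All records, names and dates are constructed; the 30-day review period is an assumption.

```python
from datetime import date, timedelta

# Constructed evidence log for a hypothetical 90-day SOC 2 Type II window
# (sample data, not from the original post). Each entry is one piece of
# timestamped evidence: the control it supports, when, and who produced it.
EVIDENCE = [
    ("firewall_rule_review", date(2025, 6, 5), "ops-admin"),
    ("firewall_rule_review", date(2025, 7, 3), "ops-admin"),
    # no firewall review in August: this is the gap the post describes
    ("monthly_security_review", date(2025, 6, 12), "vcio"),
    ("monthly_security_review", date(2025, 7, 10), "vcio"),
    ("monthly_security_review", date(2025, 8, 14), "vcio"),
    ("training_completed", date(2025, 6, 20), "alice"),
    ("training_completed", date(2025, 7, 22), "bob"),
]
STAFF = {"alice", "bob", "carol"}   # constructed roster; carol never trained

WINDOW_END = date(2025, 8, 31)      # last day of the observation window
WINDOW_DAYS = 90                    # Type II minimum the post mentions


def periods(window_end=WINDOW_END, window_days=WINDOW_DAYS, period_days=30):
    """Split the audit window into consecutive review periods, oldest first."""
    start = window_end - timedelta(days=window_days - 1)
    out = []
    while start <= window_end:
        end = min(start + timedelta(days=period_days - 1), window_end)
        out.append((start, end))
        start = end + timedelta(days=1)
    return out


def coverage_gaps(evidence, control, window_end=WINDOW_END,
                  window_days=WINDOW_DAYS, period_days=30):
    """Return the review periods with no evidence record for a recurring control."""
    gaps = []
    for p_start, p_end in periods(window_end, window_days, period_days):
        if not any(c == control and p_start <= ts <= p_end for c, ts, _ in evidence):
            gaps.append((p_start, p_end))
    return gaps


def staff_without_training(evidence, staff, window_end=WINDOW_END,
                           window_days=WINDOW_DAYS):
    """Staff members with no training-completion record inside the window."""
    w_start = window_end - timedelta(days=window_days - 1)
    done = {who for c, ts, who in evidence
            if c == "training_completed" and w_start <= ts <= window_end}
    return sorted(staff - done)


if __name__ == "__main__":
    for ctl in ("firewall_rule_review", "monthly_security_review"):
        print(ctl, "gaps:", coverage_gaps(EVIDENCE, ctl))
    print("no training evidence:", staff_without_training(EVIDENCE, STAFF))
```

Run against a real evidence export, every gap it prints is a period an auditor will ask about; an empty result only means the evidence exists, not that the control was effective.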
What Remote Work Actually Taught Me
Remote work wasn't my problem. It was actually my advantage.
Most MSPs just collect checks and wait for renewals. They talk to whoever signs the contract and call it a day. That's not strategic IT management, that's vendor relationship maintenance.
I held tech town halls. I scheduled one-on-ones with random staff members where they could tell me what was actually broken without their boss listening. And the gap between what leadership thought was happening and what was actually happening was stunning.
Leadership would say "everyone loves the new system" while individual contributors would privately tell me they'd built workarounds because the official solution was too slow. IT directors would insist everything was running smoothly while end users were using shadow IT because our stuff was too cumbersome.
That's the intelligence you need to make recommendations that actually work. Not what looks good in a presentation. What actually matches how people use technology.
Remote work made this easier, not harder. Video calls meant I could schedule quick 15-minute conversations with people across multiple locations. Nobody had to block off time to meet me in a conference room. We could just... talk.
And that's the lesson I'm carrying into compliance work. CMMC and SOC2 aren't IT projects. They're relationship-building exercises. You're not implementing controls. You're becoming a trusted partner who helps people understand why these frameworks actually protect their business.
The Uncomfortable Part
Getting laid off sucks. I'm not going to pretend it doesn't.
I believed in Envision. I turned down higher-paying offers because 25 years of history meant something to me. Stability over salary bumps. I brought energy to every client interaction because I genuinely cared about their success.
But the economy doesn't care about passion. Federal budget decisions don't care about your client relationships. Sometimes you do everything right and still lose.
I've always had this "Superman cape" mentality. Every client need is urgent and solvable. That doesn't change. CMMC and SOC2 are promises to clients that their data, their contracts, their futures are protected. That's the work. Same work, different company name on the paycheck.
What I'm Looking For
I'm looking for opportunities where I can help organizations actually navigate compliance instead of just checking boxes.
Whether that's driving CMMC certification success, building SOC2 readiness programs, or helping MSPs develop compliance practices that deliver real value instead of performative security theater.
What I bring to this:
Real-world experience with CMMC Level 2 prep, including watching it fail and understanding why. Most consultants just read about this stuff. I lived it.
Understanding of SOC2 from an MSP perspective, where you're not just securing your own environment but helping clients secure theirs.
A track record of building client relationships based on transparency and urgency, not just showing up to quarterly business reviews.
The technical ability to actually implement solutions, not just recommend them and walk away.
If you're navigating CMMC requirements, preparing for SOC2 audits, or trying to build a compliance practice that clients actually trust, let's talk.
Because compliance isn't about checking boxes. It's about protecting what matters. And I'm very good at protecting what matters.
Re'el Hawkins
VCIO & Security Compliance Specialist
Open to CMMC implementation, SOC2 consulting, and strategic MSP advisory roles