Partner Perspectives: Q&A with Carl Carpenter, CEO of Arrakis Consulting

April 11, 2024

As the CEO of Arrakis Consulting, Carl Carpenter is a leader of leaders. Each member of his team has years of leadership experience and certifications in their respective areas, which they apply to helping customers achieve their security and compliance goals. Carpenter is no different, serving as a consultant in addition to his CEO responsibilities, giving him both a leadership and front-line view of the industry.

We recently sat down with Carpenter to find out how Arrakis delivers compliance services, his outlook for the provider space, and how his company stays ahead of an evolving threat and regulatory landscape.

1. What does Arrakis Consulting do?

Arrakis Consulting is a full-service security company that primarily performs consultative services in relation to privacy, cybersecurity, and information security for both regulated and unregulated environments. We also offer managed services that help clients get compliant faster with less stress and effort on their part.

2. What solutions/services does Arrakis offer?

We offer general consultative services to help clients become compliant with whatever regulatory or contractual environment they're in.  

We also offer virtual positions to clients that don’t have a role but need one. So, we'll do virtual CISO, CIO, data protection officer, chief compliance officer, chief privacy officer, and a bunch of other virtual roles. We do on-call network engineering, security architecting, and so on. For example, GDPR specifically allows you to outsource the data protection officer role and there are numerous other regulations that expect outsourcing.  

On the technology side of things, there are about 23 different managed services that we offer. And again, all of them are designed to help customers become compliant faster and with less effort. We try to take on the responsibility of the managed service, whatever they need to make it happen.

If a client needs a custom service or technology, we’ll evaluate if it’s something we can offer and do so if it helps the client. And once they're ready, we'll run them through practice audits, so they know what to expect from the actual certifying audit. Then we'll stand shoulder-to-shoulder with them during the audit itself to make sure they know what to expect and can provide the right answers and evidence. If there's some confusion, we're right there.  

We are also bringing on a Tier 1-3 helpdesk service for customers that want more help or have more experienced people for general IT support without the financial overhead burden.

We also act as a referee in some cases because we've run across audit firms where the auditors were less experienced. If they're going down a rabbit hole that they really shouldn't be exploring, we'll help prevent it.

3. Do you specialize in any specific areas (industries, services, frameworks, etc.)?

In short, no. Our smallest client is four people. Our largest is several thousand. We don't care what industry they're in, what products they make, what services they offer, their regulatory environment. We don't care. We handle all of it. And when I say all of it, I mean all of it. So, PCI, HIPAA, GDPR, CCPA, CMMC. I could go on and on about what we do.

4. What differentiates Arrakis from others in the space? How do you stand out?

Our experience. All our people, except for one person who is just plain scary smart, have between 10 and 15 years of experience; some have in excess of 30. All our people are certified in their respective areas. They've all held leadership positions, so they've turned wrenches and dug their ditches, but they've also told people to turn the wrenches, how to turn the wrench, and why they are turning the wrench. They understand all aspects of the field they're in.

And the reason we do that is because we follow a Special Operations mindset of “centralized planning, decentralized execution”. Think of it like a football huddle. We all come together, we have a plan, and then we all separate to execute the plan with the least amount of management. All our people are self-managing.  

But here's what really makes us different from other companies. I've run across numerous companies that have certified people, but not experienced people. Or they have experienced people, but they're not certified. And it really hurts those organizations because they're looking at capabilities, either a resume or just a certification, but not really understanding that there's more to being certified and experienced. There's interacting with customers. There's understanding why the CIO is saying no to something from a financial budgeting standpoint. Things like that. There's a tremendous difference.

Our principles are honor, integrity, and excellence. Our word is our bond. And if we follow those principles, we excel. In fact, we have a 100% pass rate for our clients in whatever regulatory environment in which they wanted to become certified. There is no guarantee of a 100% every time, but there is a much higher probability of becoming certified or passing some sort of regulatory requirement when you work with Arrakis.  

5. How do you stay ahead of a rapidly evolving threat landscape?

We are constantly reading the news. We're all members of various security organizations, and we're always interacting with our peers, sharing opinions and ideas. We also have connections within the government space that help us align faster around threats that may or may not be public knowledge at the time we're made aware of them.

6. How do you scale your services to accommodate a growing list of customers and regulatory requirements?

Arrakis has a huge list of consultants that are experienced and certified. They know what they're doing. I can trust them to do the job with the least amount of management, so we can scale up or down how fast we need to. It's not an issue to us.  

Regulatory environments don't change overnight. It’s several years. So, we try to stay ahead of the game and understand what's going on before it's a requirement. For example, ISO 42001 was just released around artificial intelligence. I went through the first course on that a few weeks ago, and I'll be one of the first four hundred people certified in ISO 42001.

ISO 42001 is still in the fledgling state for us, but we need to stay on top of those things from a regulatory standpoint.

7. How do you bundle your security and compliance services (pricing, packaging, positioning, etc.)?

For technology-related services, we provide discounts based on the number of years that customers subscribe. That's the first layer of discounts. The second level of discounts that sits on top of the first is the number of technology services they subscribe to. The third layer is the number of devices, emails, or users. Customers can pick a la carte what they want, creating their own packages.

For human-based services, such as consultative services, we follow a similar construct. If we have a project that we know is going to last two years, then we'll give a duration discount to reflect that long-term commitment.

8. Do you have a favorite compliance framework? Why?

Internationally, I like ISO 27001 because it's accepted across the planet. It evaluates customers in a way that's accepted globally. Unlike SOC 2, which is really only used in the U.S., a company in France isn’t going to care if a company is SOC 2 but will consider 27001 or even consider requiring it.  

Outside of that, I really like NIST 800-53. It's the foundational framework for practically everything else that the U.S. government has: NIST 800-171, CMMC, FFIEC, IRS Pub 1075. But if I had to pick just one framework above them all, it'd be 27001 for its global reach.

9. What are the most common gaps or pitfalls you see when it comes to compliance management?

The biggest thing I see is company culture. Thinking they’ve done it this way for so long, why do they need to change now? That's the first thing, essentially not taking it seriously. Next is executive leadership that did not care about compliance until they were faced with a loss of funding, loss of contracts, or possible criminal charges. That's when they started to care. They should have cared the whole time.  

I view compliance like changing the oil in your car. If you had a $250,000 car such as a Lamborghini but you don’t want to spend whatever it costs to change the oil, then you really don't have a right to complain when the engine burns up. I've seen that more than once. So yeah, that's probably the biggest one — company culture.

10. What are your thoughts on compliance as a potential growth area for Arrakis (and for other providers)?

We’re growing quickly. You can't have compliance without security, but you can have security without compliance. That's why Arrakis offers both. One leads to the other, and doing both leads a company down the path of compliance faster with reduced risk. It's just a crazy amount of growth.  

Compliance isn’t going anywhere. And the more politicians enact rules, laws, regulations, things like that, the more it's going to stay and have an impact. It's never going away.

11. What's your outlook for the provider space over the next several years? What does it mean for Arrakis?

I see the provider space growing with time, much like the introduction of cloud technology. Everybody had on-prem stuff and then they started outsourcing to Microsoft, AWS, Google, and others for cloud-based environments. It's the same thing with compliance, cybersecurity, and privacy.

Companies that make widgets or are doing whatever else to manage on their own don't have the skillset to be fully compliant. They don't have people who understand how to do that — or want to understand that. And they don't understand that compliance people are not necessarily cheap to employ.

So, I see the provider space growing because it's cheaper for companies to outsource compliance than it is to try to do it themselves. For example, we offer security operations center as a managed service. But if a company tried to build out a SOC on their own, they would be spending several million per year as opposed to just several thousand. This is a shopping on the right side of the menu kind of decision. What's cheaper that gets you the same benefit — the same level of compliance?

12. Are you seeing increased financial pressure within the industry? If so, what does it mean for providers, specifically regarding the need to meet revenue goals?

I'm not seeing increased financial pressure from the standpoint of a client coming to Arrakis. What I am seeing, however, is increased financial pressure in two ways.

One is when a downstream customer has a contract requirement for one of our customers to be compliant with something, but the downstream customer engagement doesn't include the level of effort required to become compliant. This usually involves a salesperson just agreeing to whatever they can to get the sale, not understanding what extra work it will take to be compliant. That’s the first thing.

The second is a similar situation that applies to the CMMC space or Department of Defense. To become CMMC compliant is expensive. And a lot of vendors, like Lockheed Martin or McDonnell Douglas, are in the same boat. They offer a service or piece of equipment, but they outsource some of the work to a smaller company that must be that same level of CMMC compliant. But that smaller company doesn't understand what it takes even though the larger companies, the primes, are requiring it per CMMC.  

Eventually, there must be some sort of chargeback model to the government, in particular with CMMC, because of what it takes to truly become compliant with the costs and so on that the smaller companies can't always afford. Essentially, pushing the smaller business out of the ability to even compete.

13. How are you using Apptega today?

We are Apptega partners. We white label Apptega to basically act as a compliance platform for our clients. We use the platform as a single source of truth for evidence capture, getting ready for an audit or certification of some sort. But we also customize the tool to our customers, making it easier for them to accomplish their goals.

But pretty much it's like the SharePoint of GRC.

14. How important is compliance automation or other technologies (please specify) to the work you do?

Automation is amazing. We love that. It’s extremely important because it reduces the level of effort for our clients who would otherwise do it manually.  

The problem that we're finding though, regardless of how somebody programs Apptega or any other GRC tool, is sometimes we gather information that is not accurate. And that doesn't mean that the evidence was gathered inaccurately by the technology we’re using. It means the evidence itself was inaccurate.  

So, we have two sides of the puzzle. We have the compliance automation tool, and we also have the source of the evidence, which could be Microsoft, Azure, or whatever. That’s one of the integration and automation issues that we're running across. But yeah, we love automation.