Austin’s Journey To Simplifying Digital Compliance With Laika!

EPISODE SUMMARY

This podcast will unlock the secrets of successful SaaS businesses. INSIDEA’s Founder and CEO – Pratik Thakker, will talk to Austin Ogilvie about building Laika.

We’ll delve into the strategies and tactics that paved the way for their success. So join us as we explore the world of SaaS and learn how to unlock the potential of your own business.

You can watch the full episode on INSIDEA’s YouTube Channel as well as on Spotify. But if you are into reading more than watching, HERE YOU GO!

Pratik

Welcome to SaaS Unlocked. I’m thrilled to introduce our guest, Austin Ogilvie. Austin is the co-CEO of a compliance platform that empowers the fastest-growing companies to compete with larger organizations. Again, I cannot just introduce Austin in just two sentences. I have a great description of him because he has achieved so much in his career, with years of experience in developing and scaling successful companies. Austin has gained a wealth of knowledge and expertise in the tech industry. So today, he will share his insights and provide valuable advice on how startups can stay compliant while scaling their business with automation.

Austin is an avid Bluegrass fan and whitewater kayaker, which speaks to his diverse interests. So get ready to learn from one of the brightest minds in the industry. Please join me in giving a welcome to our esteemed guest. Welcome, Austin, to SaaS Unlocked.

Austin

You’re too kind. Thanks so much for having me. I’m excited and appreciate coming on.

Pratik

Austin, there is one thing I’d like to bring up. I think you launched in 2019. And in no time, you raised almost a hundred million dollars in Series C Round, right? So introduce us to Laika. Tell us the backstory about your Co-Founder. What inspired you guys to launch Laika?

Austin

Yeah, sure. Laika is a compliance automation platform for digital companies to monitor their security and privacy controls in real-time. And for streamlining enterprise vendor security assessments and undergoing IT audits like SOC 2 and ISO 27001, HITRUST. There’s a myriad of different digital compliance standards, and with Laika, companies take charge of all of it and manage it in one place.

Pratik

Amazing. So tell us more about the Co-Founders. How did you meet them? Just to add a personalized element to your LinkedIn life. People would love to know your journey and how you started and became successful in just three or four years since you began.

Austin

Yeah, sure. So, I have two Co-Founders, Sam and Eva. Sam and I both come from enterprise software backgrounds. We previously built two different startups.

Sam’s was an InsureTech company. It was like point-of-sale insurance where you could buy a policy on a drum set at Guitar Center. My company was a data science company called yhat. And both he and I encountered these enterprise security vendor assessments and IT audits as enormous stumbling blocks in our prior lives as operators in our first companies.

Sam had a certain level of instinct, given that he was in the insurance world. Meeting the requirements of big retailers and insurance companies was a day-one investment he needed to make from a compliance perspective. That being said, it was a very long process trying to get through SOC 2 audits that took many months, taking engineers off of writing revenue-generating code to write information security policies, et cetera.

That was outside a regulated space specifically. Still, as we took the product to market with bigger companies, we encountered this as a major growth obstacle later in the game.

But in both cases, he and I became very intellectually and commercially interested in this problem. The side of the vendor was Eva – totally different profile. She was a managing director at Citigroup for 20 years overseeing cybersecurity, governance, and third-party vendor risk management. Essentially the entire institutional side of the bank’s digital compliance rolled up under Eva. So she had seen the movie from the other side of the table for a long time. The bank was trying to deploy significant R&D sums of dollars and needed help with new vendors. And she was inspired by what she saw in the FinTech revolution in 2014.

She left Citigroup to start a boutique consultancy, helping these internet companies a lot. My company and Sam’s Company meet these requirements. Understand what the market expects of third-party vendors, particularly software vendors, and what regulators insist upon for the same. And we got introduced through mutual investors, well now investors, then just VC friends in late 2018. And then it was an entrepreneur’s love-at-first-sight situation, I think, for all three of us. We were going to build something together; it was a perfect team-up opportunity.

Given that Sam and I are product guys, we know how to build stuff but had yet to come to this problem from years of compliance experience ourselves. So Eva brought that to the table, and we just got going. We incorporated it in the summer of 2019 and wrote the first lines of code. So we’re coming up on four years.

Pratik

Beautiful success journey so far, and I hope you’ll take over the market in the next few years. Automation has been an increasingly critical component of modern business operations. So in the last four years, you know, we are seeing trends in AI and automation. How do you consider the key factors that contributed to your success?

Austin

Yes, there’s a lot to say about this. So there’s an old, sleepy, tired software category called GRC – Governance, Risk, and Compliance. Suppose you can imagine a compliance team at a big bank or a hospital. They sit down at their desk in the morning. GRC is the software that they’re using historically to do their job. And several evolutions, in particular AI and automation, get us excited about dramatically changing the way compliance professionals do their work. The first is the massive adoption of SaaS tools and cloud infrastructure and the API application of virtually everything.

Today you can programmatically access a lot of the metadata and any other operational data related to compliance in a way that would be only accessible manually by somebody, literally going in and reviewing and reading something. But now there is just an explosion of digital exhaust available for real-time monitoring and doing a lot of the compliance legwork as an expression of code programmatically. In contrast, you just could never have done that in the past. And that provides several benefits; first that there aren’t enough compliance professionals familiar with these digital standards, so as an industry, we need to equip those professionals that are out there with the best possible tools to do what they need to do quickly.

We also need to reduce the likelihood of errors in this domain. A lot of this stuff can be very dense or complex to a layperson or someone unfamiliar with many concepts. It feels a lot like jargon and you may not understand everything. All of that adds up to the high probability that mistakes can get made, and edge cases can happen behind the scenes that you don’t know about.

So automation is an incredible lever, in that the robot doesn’t miss things, right? If you design automated compliance checks in a way that is comprehensive, you just set it on autopilot and it’s behind the scenes, which gives a lot of peace of mind to regulators, security teams, and so forth.

Pratik

Excellent. So you’ve been in the startup world for a while, right? And when you are working on a product at the very initial stage of your journey, and you are trying to get that first 1000 customers, 500 customers, whatever it is. The startup has to grow at a certain speed. 20%, 30% month-over-month growth. How can one implement automation to focus actually on the product side of things and scale in capturing the market? How do you see automation, and stay ahead in the competitive landscape that we have?

Austin

Well, just generically speaking about the building of products. You want to offload all of the things that are unrelated to the intellectual property or the novel solution that you are trying to bring to market. For most companies, unless you’re building, say a payroll company, it’s best to work with a provider like Deel or Rippling, or Justworks, right? Similarly, you find all kinds of interesting tech-enabled service providers that are making it a lot easier to create startups. Back-office tools like Carta and Pilot and Accounting. These are ways for the average software team to become a proper business instantaneously, turnkey, which is precisely what we’re trying to do for our customers.

With respect to digital compliance, the people that are revolutionizing, PI Pet Science in the laboratory or inventing the next Slack, or Discord chat experience or building the next Miro workflow collaboration platform – they don’t also need to be spending all of their time on all the other things that they may not be familiar with, and that certainly don’t specifically create the enterprise value as part of the solution that they’re getting out of bed every morning to work on. So finding those opportunities is huge. And the scarcest resource of all is time.

I want my engineers to think exclusively about digital compliance problems and how to solve them in elegant ways and create great experiences for our customers, specifically with respect to compliance. I don’t want them reinventing the wheel on all kinds of other stuff that isn’t core to that mission.

Pratik

Absolutely. When you talk about all of these tools, let me just have a word about outsourcing. Insidea is a leader in this space in terms of helping companies outsource remote talent, and we’ve been here for a while. How do you see outsourcing impact your business growth? And specifically some tasks that cannot be automated. It requires human intervention and that task can be given to someone else. For example, it can be customer support, or it can be the other side of the business. Even development. So how do you see that fit into your automation or scaling strategies?

Austin

Well, for starters, we’re all Zoom children now. The pandemic sent every company into a remote-first, or, at a minimum, a hybrid, remote situation faster than would’ve occurred naturally. And I think it’s fair to say whatever relationship we all wind up having to physical offices will be different than it would’ve been in 2019 and before. And that unlocks a lot of exciting opportunities for remote collaboration.

From the very beginning at Laika, we got going in the summer of 2020. My senior director of engineering, he and I have worked together for 13 or 14 years. He’s a Costa Rican guy and employee number one. He hired all the engineers for the first three and a half years. And we just knew we would be a substantially remote company. And, of course, the pandemic hit, and those of us in the United States had to change our work. But we already had committed culturally to have a substantial portion of our workforce, namely the software engineering team, mainly in Costa Rica but all over pan Latin America.

And so, from our side, we’ve just embraced hiring the right people wherever we find them. And we’ve applied that same thinking when thinking about contractors who are part-time. We work with all kinds of digital agencies on different things. And we get a lot of leverage out of that. And I’m not unique in this sort of thinking. I talk to CEOs all the time who are making very similar choices to invest in a certain way and find very talented specialist organizations to help them create leverage in things that are not core to their business.

The last thing I’ll speak to on this particular question because you mentioned automation. Specialists across all different domains are going to be increasingly equipped with very domain-specific workflow tools that are powered by AI. That could be document extraction stuff and processing data, all the way through copywriting. So the creative field overall will change. Humans, in my view, will become drivers. They’re not going to disappear.

Pratik

Since we are talking about AI and chat, I asked Chat GPT – I’m going on a LinkedIn live event with Austin; here’s the topic. Can you give me 20 questions on what I can ask Austin? It came up with questions that I can ask you. If I had somebody work on it, it would take two or three days for a person to come up with questions and answers to this. Chat GPT can do it in two to three minutes, which is fantastic. I’m very bullish on AI incorporated with all of the work that we’ve been doing, so I completely agree with that point.

We have some questions from the audience. If you are listening live and want to ask questions to Austin, feel free to put them down in the chat. I’ll take the question along the way.

So Austin, from your perspective, can you list three effective tasks to automate and scale? It can be automating repetitive tasks, using some tools you mentioned, or leveraging AI, which can be very effective for scaling businesses.

Austin

Document processing and data extraction have come about recently. Some of these tools are for labeling named entities and finding particular pieces of content hidden in everything from public documents in PDFs on various websites to underwriters looking at loan documents, financial statements, and stuff like that.

The tools for processing that and converting it into structured data are unbelievable. A lot of stuff will change concerning anything that involves emailing PDFs around the internet. In the creator space, for sure, there will be like you said, prompts for copywriters, which will dramatically increase their productivity.

And in our world, there’s a lot of documentation concerning vendor compliance in enterprises. So we think a lot about how we can improve the process of an enterprise procurement team—evaluating the security measures of the vendors that they trust to do business with.

Take JP Morgan, for instance. They have something like 5,000 vendors. Almost all of them are software vendors, and each must be assessed at least once yearly. And indeed, initially, part of that is a human has to read every policy these companies have, concerning securing systems. So these document extraction capabilities are front and center for us when we think about improving the process of bringing new technology into a big company like that because it’s such a time-saver.

Pratik

Absolutely. Let’s talk more on the rapid scaling side. As an experienced entrepreneur, you can shed some light on how businesses can use techniques or strategies you mentioned to hyper-grow their business. Let’s say a company started with Seed Round and wants to go Series C Round in three years. From your journey, what are some things that you can share with the audience?

Austin

The biggest part of the answer is you are building something that people actually want to use. There’s quite a lot of discussion in startups, venture capital, and ecosystem about product market fit. It is a phenomenon worth paying attention to because until you have a product that can be sold not just by you at an excellent task, at great expense, but by anyone, you might hire on your team. A product that a company can purchase without a great deal of customization. You aren’t even ready to answer your rapid scaling question.

The first bit is, do you have a product that matches the problems elegantly that your customers have? Once you have that, you can think about which sales channels will work. Is this a product that is bought, or is this a product that is sold? Where are your customers hanging out? Are they at conferences or on Twitter? And the rapid scale question certainly depends on what it is you’re doing. We chose to start with our core audience.

From 2019 to 2020 largely venture-backed digital companies, particularly FinTech, InsureTech, and digital health companies operating in a regulated space tended to come with a certain level of instinct. Compliance being essential for them, we saw the already significant tailwinds behind SaaS adoption of cloud adoption at enterprises. So they just got it and dialed up to the max.

The pandemic sent everybody home. So how do big companies adapt to that environment when they used to be all in the office? Well, you have to buy a lot more software, which really accelerated our business as a total macro adjustment where there are just vastly more risks being taken on through the mass adoption of these tools.

So our customers were underwater with respect to these assessments. Now you can’t induce a pandemic. But looking at trends like this and being able to react and adapt to them and take advantage of whatever opportunity there is with respect to the overall climate and atmosphere in the macro environment is.

Pratik

There’s a question from the audience. What factors can be automated for digital compliance when enough is not enough, and digital risks are too much?

Austin

So many of the digital compliance controls are bound up with people, processes, and training, and many of them are bound up with technical configurations. So concerning our customers, they log in to Laika and connect all of the tools that they use to run their company. So you’re connecting GitHub, all of your AWS products that you’re using, as well as your HR system and various tools related to how your company handles data. 

And then behind the scenes, what we can do with that information is alert our customers – “Oh, one of your software engineers has pushed code and merged it into the main branch without having undergone a code review.” That’s the kind of thing that when you’re going to market with a big company or if you’re handling PHI, it’s a set of laws. You have to be doing certain things demonstrably to meet these requirements. So you can automate the process of checking that all of these activities are indeed happening, and you can automate the process of remediating many of them too. So if Laika detects some problem, it can alert your team to take action. And in some instances, it can take action itself.

Pratik

When you talk about this specific topic, how does this challenge impact the operation and growth side? It could be more specific on the overall problem statement here for businesses, which leads them to face challenges on the growth side.

Austin

I’ll work from an analogy or an anecdote. JP Morgan, as I said, has 5,000 vendors. If you’re trying to be one of those vendors, you’re trying to sell into that company. You should be aware that they have a very advanced risk evaluation process for vendors. They classify you, that’s the first thing they do, into different risks – negligible, nominal, low, medium, high, and critical. Depending on which risk tier they classify you, that will dictate what level of assessment or review they do of your technology, and that could be everything from not doing any checks at all.

If you are a food vendor, they won’t ask you to demonstrate that you have encryption standards. This doesn’t make any sense, obviously. On the other hand, if you’re deemed high-risk or critical risk, you are constantly audited by the JP security team, which is a go-to-market problem. So, yes, it’s a risk mitigation problem because that’s fundamentally why JP Morgan or any of these big companies do this. After all, they have colossal brand risk. They have enormous sums of customer data. It could be a total catastrophe if they let a particular vendor in that represents a severe technical weakness or operational weakness that opens them up to true cybersecurity risk or just bad acting by accident.

So you want to be in a position not to be that company at all for reasons that are self-evident. But you also need to connect it to the growth question, which is if you want to be inside JP Morgan or Yale New Haven Hospital or Delta Airlines, they’re going to ask a lot of things about your security controls, your data hygiene, et cetera. So it’s both a bottom-line thing and a top-line thing for software companies.

Pratik

Thank you for sharing that. As we go further into this conversation, let’s talk about the problem statement – the growth statement. Implementing this automated complex solution. What steps are involved when somebody’s looking to implement this security or compliance?

Austin

It’s super simple. Customers log in during onboarding. They connect all the tools and systems they use to run the company. And the first thing they will see is a sense of what controls you already have in place that is operating effectively. We can do this because a lot of the controls are technical. We can say, “You need to comply with HIPAA and SOC 2 standards. Well, we’ve scanned all your stuff, and we know for a fact that you’re already doing a lot of the technical controls the right way.” And then, from there, it’s a matter of going through a TurboTax-style guided navigation for implementing whatever controls are not yet implemented. And on Laika, that’s just a very clean UI with elegant steps that are simple enough to follow, even for folks not coming from a compliance background. We’ve tried to make that experience as simple and easy as possible.

And also we educate along the way. Our customers get a lot of value from speaking with confidence and authority on topics related to compliance. And embedding an education layer as part of the implementation helps level up a baseline understanding across teams of these requirements and why they matter.

Usually, it just takes a couple of weeks in total for companies to get through it. Of course, it can be a couple of days if it’s a smaller company, but it is not a tremendous burden to get started here.

Pratik

So when I’m using Laika, having those certificates that are required from a compliance perspective – if I’m using Laika – is it something that I can say on my side now that I am a HIPAA-compliant vendor or partner? How does that work? Or do I need to apply to the organization directly?

Austin

So it depends on which standards you’re talking about. Many of these standards require an outside independent audit to represent that you are compliant with a particular standard. So, for instance, SOC 2, you have to undergo an IT audit. On the other hand, HIPAA doesn’t have a strict external independent audit as a requirement. It does require that you do a self-attestation. This is broadcasting that you have actually done an audit of your systems and that you are indeed representing that you comply with the HIPAA rules.

Each standard is different, including the vendor processes at these different companies. So as it would be delightful for a go-to-market perspective for any B2B software company to say I have done compliance and raise your hand. And it’s a once-and-done situation; there are a lot of nuances, and each buyer will be different. So, for example, a lot of them will insist upon their own controls being tested on top of a SOC 2 on top of an ISO, while others will say, “Oh, great, you’re SOC 2 compliant. No problem. You can fly through the vendor review process because we trust that the auditor has created a great report and tested everything we care about,” it just depends.

Pratik

A bit off-topic here, but there is a question from the audience that we are talking about. So there’s no doubt that automation and AI are present and most definitely in the future. What are your views on the current debate that says AI will scale creativity?

Austin 

I’m worried about it to a certain extent. I mean, if human flourishing has been pegged to anything in the history of mankind, it’s creative endeavors. But, unfortunately, I think the large language models are only as creative as the volume of data they have access to. So yes, you can ask Chat GPT for prompts related to certain things, but until it has been trained on literally everything, there still will be the need for a human to write good prompts for the software to even work in the first place.

Pratik

You know, I feel it will enhance creativity because, let’s say, I’m into marketing. So I know what copywriting is and how I can resonate with the audience and create that kind of virality, create that kind of hook, right? But at the end of the day, I still need a copywriter to implement the ideas into reality because I’m focused more on the strategy side of things versus the copywriter’s creativity. So the prompts that you mentioned are equally important. But now, I just ask AI, “Hey, I have this idea for a tweet.” So let’s say I want to focus on how a startup can use a brand or have a customer obsession with it and write a tweet on it.

For example, it’ll come up with 20 tweets, and I can select whatever I want, giving me more ideas and enhancing my creativity. That’s my opinion. Again, some jobs might be compromised because of AI, but AI will create more on top of it because AI will change how we work and how we work, and it’ll help us go and run faster.

There’s one question from the audience that I would like to take. What are the best practices for streamlined automation for continuous compliance? And maybe it’s also in my mind when we say that we did first check, how do we make sure that we are continuously making sure that we are compliant and have that kind of a culture within our organization to make sure that we are making sure our data is clean and safe?

Austin

Your question has the answer embedded within it. If you implement this stuff at an early stage in a company’s life, you set yourself up to succeed in the future when it’s culturally just the way you operate as an organization. These compliance controls just exist, versus if you implement these controls retroactively once you’ve scaled, you take a cultural hit because people have to change. If the marketing team knows that this is how we handle emails and other pieces of personal information, then this is how we’ve always done things.

Let’s say engineers have a specific process in place for the way they do their release cycles. Or you always maintain a disaster recovery sort of failover script. And you update it with each release, whatever the organization does habitually – the norms and traditions that you use to run the company. If they happen to be compliant from the beginning, nobody notices once the company is significant that there’s any burden. If you have to change how everyone is doing their work, that can be very tricky to pull off. From a cultural perspective, people don’t like change. So moving the ship can become difficult. We started with automation, but I think people love our conversation on the compliance side.

Pratik

And there’s one more question that came in. Does every company in the world need our compliance solution?

Austin

If you’re selling B2B software, the answer is yes. The answer is yes if you even employ a single software developer. However, regulators are often behind industries, and there is increasing interest and awareness of digital security and privacy among regulators.

Obviously, in Europe, they’re pioneering privacy legislation to protect consumers, but all of that stuff is coming. So there will be more compliance regulations in the future, not less. As a builder, operator, and entrepreneur, that can feel intimidating, and it would be amazing to be able to click a button and have all of these problems disappear.

But taking my entrepreneur hat off and just, like, putting on my citizen of the world hat, it’s a good idea. Big Tech has not necessarily impressed me with respect to the large volume of misadventures, data breaches, bad acting, accidents, and all the rest. We want this trend to level up across the board regarding the companies we trust with everything you care about on your phone.

Every transaction could include your patient, personal, medical records, and family photos. So whatever you might care about is represented digitally, and we should expect tech companies to protect it.

Pratik

Absolutely. Hey Jake, thank you for the question. Historically, audits have been the point in time activity. How does Laika think this will change the continuous automation? What are the key benefits of companies for this?

Austin 

All IT audits are increasing, yes, performed in a moment, but they are not strictly auditing data from a moment in time. Auditors are looking backward over 3, 6, 9, and 12 months and looking to evaluate controls as of any random date in the past. And they’re doing this to ensure that your controls are operating over the entire period that you said it was, that you can’t just set things up on the day of the audit and expect an auditor to bless that anymore.

That probably was the paradigm several years ago. But given the availability of digital exhaust that we can now get programmatically, auditors have a reasonable expectation that if you say that you are enforcing multifactor authentication for all critical systems, well, I want to see that. You indeed were doing that six months ago, and they’re checking. So yes, the audit is performed at the moment in time. But that doesn’t mean you can get away with a once-and-done activity with the auditor. You must be able to prove that you have been operating your controls 24/7.

Pratik

The audience is quite active in asking a lot of questions. Thanks for that. There’s a question from Diana. What key factors could small businesses consider when deciding which automation strategies to implement? Should small businesses aim to implement all available automation strategies? Are there specific areas that I should prioritize based on the potential impact on the business?

Austin

It’s easier to answer if you know some of the specifics of your business, but I’d say, generically, think hard about what your unique magic pixie dust needs to be for your customers. Like what is the thing that really matters for your company, and find areas to create leverage with automation in every other part of your company except for that. Free yourself and your team from worrying about that center of the bullseye. Whatever the pixie dust needs to be. The thing you guys need to be the best at, that’s where you want to spend your time. Automate as much of everything else as you can.

Pratik

Thank you. We already covered this question, but we can shed more light on what advice you would give businesses or owners new to compliance. You can give a couple of tips on how to get started.

Austin 

Totally. This may sound self-serving, but that’s very much what we’re in business to do. Find a partner, whether it’s Laika or another that can serve as a helping hand and can provide that baseline education. You can’t be every kind of professional simultaneously, right? You can’t be a finance professional and an expert in machine learning and an expert in compliance and a lawyer. That’s a fantasy resume that is 10 careers in one. So compliance is like any other part of the organization where you can find partners like Laika or others who can help fill gaps and provide the education you want.

Pratik 

Maybe I will now request you to wear your entrepreneur hat and help other entrepreneurs around the world who are listening to us. Some tips that you can share if they’re looking to launch their successful product.

Austin 

Well, I’ve built a lot of products in my life. Most of them bad, a few of them good, and have thick skin. Don’t be wedded to ideas just for the sake of it. Really think and care deeply about your customer’s problem and less fixation on your version of what you intuit the solution needs to look like or ought to look like.

Be open to the possibility that you need to throw it away and start over. That’s not a bad thing. I think on some levels; startups are experiments. Like that’s the exercise. The job is to walk the parameter space of problems and solutions and find the right match between those two. And sometimes, that means abandoning something that’s not working. The trick is that you also can abandon something too soon, right? There is a balance where you need to give things enough time, but not so much time that you’re just spinning your wheels on something that’s never going to work out. And that’s a dark art.

Pratik 

Absolutely. So what are the trends you’ve been seeing in the industry that could affect how businesses operate in the future?

Austin

The remote thing is very real, it’s sort of obvious, but that’s a big one. I think AI and machine learning are big ones. Obviously, everybody is paying close attention to generative AI and what that’s going to do. We’re going to see a lot of the same with logo design and perhaps music and all the rest.

Pratik

I actually interviewed a couple of startup founders with music AI. It’s incredible. You can just design your own music. The power is in your hands. I recently uploaded a couple of music playlists on our YouTube channel, just like work for focus music, because we are working with a lot of remote talents versus also companies. So both of them need focus music. I also usually like to use music for my work. So definitely a lot of scope out there.

Now for the last part of this conversation, it’s a surprise one. I didn’t mention that to you. I usually like to end the sessions with founders on the personal side. We will ask you rapid-fire questions which are more on your personal choices as a founder, and as an entrepreneur. Are you ready?

Let’s save the Rapid Fire and the stunning wrap-up exclusively for the Podcast. You can watch the full episode on INSIDEA’s YouTube Channel and on Spotify.