Behind the Shield

From SQL Injection to Compliance Automation in Cybersecurity with Andrew Plato

InfusionPoints Season 1 Episode 28


In this episode of Behind the Shield, Jason Shropshire sits down with cybersecurity founder, author, and industry veteran Andrew Plato for a candid, wide-ranging conversation on what it really takes to build and scale a cybersecurity company.

Andrew shares his journey from accidentally discovering one of the earliest SQL injection vulnerabilities in the 90s to founding and growing a cybersecurity company over 26 years and ultimately exiting after building a successful compliance automation platform. Along the way, he breaks down the hard-earned lessons that most founders learn the hard way, covering everything from business model pivots and scaling challenges to sales strategy and the evolution of compliance in cloud environments.

This episode goes beyond technical security talk and dives into the mindset shifts that separate successful companies from the rest. From why “compliance is miserable” and how automation changed the game, to why customers do not buy products but instead buy pain relief, Andrew offers unfiltered insights that apply to startups, established companies, and anyone navigating today’s cybersecurity landscape.

Whether you are a founder, operator, or part of a growing security team, this conversation will challenge how you think about building, selling, and delivering cybersecurity solutions in a rapidly evolving market.

Chapters:
0:09 Introduction and Welcome
0:59 Andrew's Early Career and SQL Injection Discovery
3:01 Starting a Security Company
5:44 Compliance Automation and AWS Collaboration
10:49 Managed Security and Automation Insights
33:15 The Founder's Dilemma and Business Growth
52:31 Sales Strategies and Credibility Selling
61:21 Closing Remarks

What You'll Learn: 
•  How one of the earliest SQL injection discoveries helped spark a cybersecurity career 
•  The reality of building and pivoting a company over decades 
•  Why compliance has historically been “miserable” and how automation is changing that 
•  The origin and evolution of compliance automation platforms 
•  Why moving customers into standardized environments accelerates security and scalability 
•  The shift from hourly consulting to scalable, subscription-based models 
•  Why customers do not buy products but instead buy pain relief 
•  How to position cybersecurity as removing business barriers, not adding them 
•  The concept of opportunity barriers and how compliance impacts revenue 
•  Why traditional sales approaches like cold calling and product pitching no longer work 
•  The importance of credibility over product features in modern cybersecurity sales 
•  How startups can compete against larger, established players 
•  The biggest mistakes founders make and how to avoid them 
•  Why understanding your customer’s pain is the foundation of growth 
•  How automation and AI are accelerating the future of security and compliance

Guest Links: 
Andrew Plato- https://www.linkedin.com/in/andrewplato/
The Founder's User Manual (Book)- https://www.amazon.com/dp/B0CZXP7TNF/ref=tsm_1_fb_lk
Company- https://zenaciti.com/

InfusionPoints Links: 
Jason Shropshire- https://www.linkedin.com/in/shrop/
https://www.linkedin.com/company/infusionpoints/
https://infusionpoints.com/

About Us:
InfusionPoints is a trusted cybersecurity, cloud engineering, and compliance partner helping organizations Build, Manage, and Defend secure, mission-ready environments in highly regulated markets.
We specialize in FedRAMP, FedRAMP 20x, DoD, and enterprise security frameworks, supporting organizations from initial authorization through continuous monitoring and optimization. Our team brings deep technical expertise and real-world operational insight to every e

SPEAKER_01

All right. Well, welcome back to another episode of Behind the Shield. I'm your host, Jason Shropshire. And today I've got uh our good friend Andrew Plato uh with us. Uh Andrew is uh another uh uh founder of a cybersecurity company uh for many years, and and um he's also uh an an author. And uh welcome.

SPEAKER_00

Hi, Jason. Thanks for having me here today. I appreciate it, and it's uh it's great to chat.

SPEAKER_01

Yeah, yeah, glad to have you here. We always love perspectives on on you know other other company founders. You know, we've we've been at this for 18 years, um, and I know you spent you know a lot of time in in the cybersecurity industry. Um tell tell me more about that, what that was like starting a company, you know, founding a company and and uh all the ins and outs.

SPEAKER_00

Well, that's a long story. Uh I mean I started my company uh 20 uh I started it in 1995, and it was one of the first cybersecurity companies really ever. Um and I had worked at Microsoft for many years. I was a technical writer. Um I documented databases, which is a really fun and exciting job, I might add. Um and uh I worked on uh I worked on some of the first e-commerce websites uh way back in the 90s. The internet was still kind of a new thing. Um and uh one day I copied and pasted a um SQL query and pasted it into a form field on one of the websites, hit enter and it returned everything. Uh and I was like, oh wow, that's cool. I didn't know I could do that. And then I started doing that all the time. Like I just would, if I wanted to query the database, I'd just go to the website and query it right through the website. Well, I didn't know at the time, and it took me a little while to figure it out that I'd executed the world's first SQL injection attack, which of course you know was the grand mutual discovery, yeah. Yeah, I mean that's the attack of of all of them. Well, I had it again at the time I didn't know that. Um, but I knew it was on to something pretty like this was pretty serious because at some at some point I queried the database and got all the credit card numbers, and I was like, oh, I've got fun with those. I did.

SPEAKER_01

Um with uh prompt injection today.

SPEAKER_00

Yes, yeah, yeah, yeah. So um I took all this to the developers at Microsoft and said, hey, I you know, I think I found some a serious bug in in the code. And they were like totally dismissive of me. They're like, get out of here, Andrew. Who the heck are you? And um that was how developers were, as they still are that way. Um but I knew I again I knew it was on something, and I couldn't quite put my finger on all of it, but I knew security was a thing, and uh so I left Microsoft and I started a security company, and uh that was Anitian, and I ran it for 26 years, and I ran it through a lot of different versions. So Anitian, I did consulting, I did I was a VAR, I resold you know, Fortinets and and everything for years and years and years. Um I sold off that business at one point, uh, got into compliance auditing, um and got into managed services. I ran a I ran an MSSP, was a component of the business for many years. Um and then in about 2016 I I kind of made the big pivot into a cloud security automation company. Uh and and that is what launched my compliance automation platform, which then launched, you know, really kind of the the final version, I don't know if you want to call it that, of the company. Uh and I got investors and it grew, and I grew it all, you know, I grew that whole business line up, and then I and I exited in 2021. Uh and it was a long, it's a long haul. Yeah. I mean, it was um pivoting the company that many times was was tough.

SPEAKER_01

Oh, I bet. Yeah. I mean, you've got some years on us, um, actually. I think we started in 2007 and uh, you know, we're still going. We haven't gone the investor route um and and and have done that. We're trying to stay evergreen. But um But yeah, it's uh it it it it's a long haul. And uh wow, it's a marathon. It really is. Yeah, I think I think when when when we met around 2018, I think, or at least when you came on the scene um with regard to our like our work and FedRAMP, you know, we were um we were looking for ways to get get customers through the the process faster. You know, we were we were largely focused on advisory and and doc dev and doc packages, and we had gotten very good at that. Right. Um, but you know, we saw that you know customers were asking us to be more hands-on and we were like, how can we how can we accelerate this process? And then all of a sudden these platform accelerators burst onto the scene and uh we were we were a little bit like uh uh we better get in gear. But um, but yeah, I mean that was uh that was a really interesting time, and it's it's curious that that you know you had been a couple years into that pivot, it sounds like yeah, and the the story behind that is is kind of interesting because it it act for for me it grew out of a managed security effort.

SPEAKER_00

Um and and I and I I know the time you're talking about was about it was about 2018 is when it really started to kind of pick up. That's yeah, that's when we you know we did our first compliance automation work in early 20, late 2017, early 2018. Um, and that's of course when we connected up with uh you know AWS and Tim. And we can we can talk about them in a little bit. Because they were I think they were very instrumental, you know. AWS was extremely instrumental in the whole compliance automation athletic. Absolutely. Um But the the interesting thing, and and it's funny because you know, Tim at AWS just released his own book, um, and he talks a lot about the history of this, um, of how compliance, you know, these acceleration platforms happen. Um and it's and the there's there's an interesting kind of backstory. And I mean, uh on the AWS side, you know, they had actually been pursuing automating compliance and security for quite some time. And they had worked with many different companies, including some really big names that you and I both know really well. Absolutely who have who had tried and failed, or tried and couldn't quite figure out how to do it, kind of thing. Um or just couldn't quite get critical mass, you know. Right. It's like they couldn't they couldn't get all the little pieces sort of glued together. Um, and that's when sort of a perfect storm, perfect connection of of events happened for for me. Um and the first part of that was that in 2015, 2016, um, I got hired by a very large, frankly, the largest defense contractor to do an analyst project. They were looking at getting into managed security and they had acquired a couple of managed security companies. They were thinking of building out a whole big managed security practice focused on um not just defense, the defense industry, but but commercial business as well. Um and they felt that that was a good way to grow their business moving forward. 
They had a nascent security practice business going on at that point. Um and so I did this big research project and I hired, you know, it was me and a number of other brilliant analysts. Uh Richard Steenen was actually part of that group. Um and we we we basically ripped apart the entire security industry at that point and said, How do you build the next generation of managed services? Like what is that gonna be? Because at that point, managed services was clumsy, it frankly still is, but it was really clumsy at that point. Um, it was it was basically, you know, managed firewall, managed IDS kind of stuff. Um, and it was clunky and clumsy, and and uh you know, everybody was kind of like fumbling their way through it with with all this software that was very disparate. It didn't like and it was really hard, it was really, really super hard for MSSPs to scale. Um and even the ones that had scaled, the only way they had done it really at that point was to essentially reduce the amount of services they were delivering to customers, essentially not do security.

SPEAKER_01

Um so I did this or go or go like all in with a certain vendor, you know, things like that. That yeah. Right. I mean, I remember remember around that time, like I got really interested in SOAR. Um if you remember that security orchestration automation. And uh, you know, until I started looking at like every deployment that that I came across, you know, was not working, right? Not well implemented, and uh and and eventually I had clients that just sort of like shrugged it off and gave up on it.

SPEAKER_00

Yeah, it's the I I used to call that the NAC problem because of network access control, which was a you know a technology that's been around for a while, but NACs all have the exact same problem, which every single implementation is a one-off. Everything is bespoke. There is no standard, consistent sort of implementation of those. And the entire implementation becomes a management of exceptions, of which there are an unlimited number of too many. Um, and so the management overhead just becomes a nightmare because um there's just so much bespoke stuff going on. And that was exactly the problem that was facing almost every MSSP. Every customer is essentially bespoke. Um, and that was exactly the problem that this defense contractor was worried about. Like we don't want to build, you know, we don't want to go into this business and have something that is fundamentally unscalable. So how do we scale it? That was their sort of core question. And the answer to that was was was frankly very emergent at that time, which was to automate everything, to automate the deployment, the integration. But I think the biggest change, the biggest recommendation that came out of this report that we gave them was that almost every MSSP at that point, in essence, was always trying to go to the customer. And in essence, they were trying to kind of put stuff into the customer's environment to run and manage things. And I think anybody who's worked in security for more than a few minutes knows that pretty much every organization that you go into is a complete and total mess. Like they're built, you know, networks and infrastructure and enterprises are built over, you know, years, decades, and they're always this piecemeal, you know, there's a little especially the acquisition companies that that grow by acquisition and start to you know knit the network together, and that's yeah. It's a I mean, they're just they're a mess. And absolutely. 
And trying to manage that in a consistent manner is virtually impossible. So one of the strategies that we had come up with as defense contractor was rather than you move into their environment, you move them into your environment. So you build an environment and then basically relocate their core services. And this wasn't necessarily going to work for like you know endpoint desktops, but it would but for core critical systems, particularly like defense systems, um, this was a this was a very viable model. So rather than trying to fix what was in place, you get your customer to move into your environment, which is already pristine and perfect, and you've built from an automated plat template that already implements all of the known good security controls. Um and that was like a big shift in thinking about how to do everything. And that was that was the that was one of the core recommendations that came out of this report that I wrote uh in 2016. Um, so I delivered that report, I delivered all this these insights, and and there was a lot more to it. It was not just that, it was also knowing how to piece together the right technologies, how do you put together things, how do you automate them, what does the automation look like? How do you manage and monitor that in an automated fashion? Like it was adopting a lot of the techniques that AWS and other kind of innovative companies at the time had been had been using um to essentially push people out of much of the work. Like get the manual processes out, automate everything, automate collection, automate controls, automate everything becomes code rather than um you know some random guy sitting there twiddling with things. Um so I anyways, I released this report, I gave it to the defense contractor, they were just training and love it. Uh, but they just they ended up deciding to go in a totally different direction. And there's a lot of reasons for that. 
And it's really nothing to do with my report, it's more to do with the political scene. Shelfware. Shelfware. But it gave you some great insights, I bet. Yeah, and and so they were like, yeah, we're not gonna do that, we're gonna go this other way. Thanks. Have a nice day, Andrew. Okay, whatever. That that is what it is. Well, I still had all the knowledge in my head that would you know that even though they paid for the report, the the you know, the intelligence was still you benefited from it. Um and I thought, well, if they're not gonna do it, then I'll do it. Um and I started down that path of automating things. And at the time we were a consulting company doing, you know, PCI audits, and we had a we had a really stable, good relationship with AWS as a consultant at that point. And we had this managed security business, but it was it was it was it wasn't that big. I mean, it was a smaller component of our business. Um and I thought, well, I'll build it. And um this is interesting. I'd I'll just so we just launched in and started building these automated platforms and automated environments and automated, and I did it originally to be a man to grow my managed security business. Um and it was weird because I would go out and bid on managed security agreements, and you know, we won a few, we lost plenty. Um it's super competitive. It was it was super competitive, but where we were winning was this this mindset change, this idea of I'm not coming to you, you're coming to me. And I I sold to a number of what I would call pretty savvy security CIOs who really bought into this idea of like standardization, of it's all, you know, it's all pre-configured and pre-engineered, and and like, wait a minute, so you're telling me you're gonna, you know, you're gonna give me all this infrastructure. 
I'm like, well, it's your infrastructure, you're gonna own it at the end of this, but it's gonna be perfect and pristine, and we're gonna get rid of all your old kind of broken infrastructure. And that was very enticing to a lot of, at least to the ones we sold it to. Um and it was uh and it was enticing to AWS. Uh, and that was just about the time that Tim Sandage came to me and he says, Hey, we're trying to do this thing, you know, we want to automate compliance, and you know, we've given it to this company and that company, they haven't been able to do it. I'm sitting there thinking, Tim, I've already done this, you know. And I showed him what we were doing. At the time we had a we called it Sherlock uh Manage Security or Sherlock, Sherlock Cloud Security. And um he was, you know, he kind of did one of these, like, whoa, wait a minute, wait a minute, you're already doing this. So that was pretty much it. That's what launched uh compliance automation at that point.

SPEAKER_01

And uh well, it's it's dawning on me here that that um like to that point had had you really thought about doing this for like highly regulated environments like FedRAMP or DOD?

SPEAKER_00

Or did that uh Okay, okay it was definitely in the plan. I think Tim and AWS accelerated it. Um they pulled that forward. Yeah, we were thinking more like PCI and and I, you know, I was thinking more managed security. Like I really wanted the managed security because in addition to this this development in my company that was going on, the other great, you know, I'm very proud of an innovation that I have was to shift our business from hourly billing to managed billings. Absolutely, yeah. That's that's that's the dream, right? Yeah, you know as well as anybody, and I say this to anybody who's in consulting your number one problem in all consulting business is the one-on-one problem. It's the one person, one hour, one rate. Um, and that kills every consulting company ever, because it's a completely unscalable system. You cannot, like you can never break the one-on-one problem. Um and the only way really to break it is to change to a subscription architecture, which is why basically every company in the world has shifted to a subscription architecture. Um which is you're billing a set rate for a set number of services, and then you're executing and delivering them sort of on a recurring basis. And the amount of hours you use to do those is kind of fully and totally under your control. You're severing the hourly problem from the billing. Those two things are now independent of each other, and it incentivizes you as the consultant to automate and accelerate your execution on things, which is exactly what we were doing.

SPEAKER_01

Um I feel really bad for the uh the companies who haven't made this pivot yet, the ones that are still you know doing the hourly grind, because AI has just really accelerated the the death spiral that that I think they're gonna be in.

SPEAKER_00

Big time. Um yeah. I mean AI AI is taking this entire concept and simply supercharging it. I mean what was a what was a really big financial benefit in you know 10 years ago is now just if you like AI. Table stakes. Yeah. It's now huge, and you you kind of have to do it this way.

SPEAKER_01

Um we were just talking about like the name, the name of our platforms, you know, our the first one we did was accelerator, a single tenant model, and and we were like, well, that that's concept is dead because acceleration is table stakes now. Like you know, that it has to be built in. Right.

SPEAKER_00

So and it has to be it has to be fast and sort of like anytime you're deploying anything, you have to be able to deploy sort of to a known good state. Like, and you have to be able to do it like that because the bad snack do it like that because um because customers just aren't willing to invest all that time and energy in the in these lengthy, grueling integration. And and I would say that was another innovation that came out of this, you know. When I started talking to Tim and AWS, when we started building compliance automation, I wrote a blog, which I think might still be out there somewhere. I'm not sure. I'll have to go dig it up. But it was um the internet never forgets. Yeah, the internet never forgets. It was the the you know, compliance uh is miserable. And it essentially argued that the core problem with all compliance efforts, whether it's FedRAMP, DOD, PCI, is they are truly miserable experiences for pretty much everybody involved. Everybody hates them, everybody hates doing them, every company hates spending money on them. It is just like if you think about compliance from pretty much every angle, it's just loathed. Absolutely. Yeah. And that fact, that that that sort of just principle that it's a it's a miserable process, um the essence behind why you have to automate it, why you have to take people out of the process, why you have to make it faster and accelerate it, because um nobody wants to do it. Um and frankly, no company is good at it. I mean, I like that's not any company that invests in compliance, it's a one, you know, they want to just get it over with. They don't want to become compliance companies.

SPEAKER_01

Yeah, I mean, every effort that I've seen you know that a company's tried to do it internally, it it's it's terrible. It's it's it's miserable. And then when they finally get it working, those people leave and it's broken again.

SPEAKER_00

And they go to work for compliance companies.

SPEAKER_01

Exactly. Exactly.

SPEAKER_00

They go start compliance automation companies.

SPEAKER_01

I mean, the bottom line is it's it's uh especially the the more regulated the environment, the the the more painful it is and the more wide open it is for pain relief, uh, which is where that's where we we built our businesses, right essentially.

SPEAKER_00

Which, I mean, that's an interesting pivot to my next book, by the way, pain relief. I don't talk about that at any time. Let's hold that pain relief because that's a that's a very important concept, not only in business, but particularly in security, is the concept of pain relief. And uh, you know, I advise a fair number of startup founders and and others these days. And among my many aphorisms I like to give, one of them is that you do not sell products and you do not sell services. That is not what your business is. Um, and frankly, nor is it any company, any startup's business. Your business is pain relief. That's what you sell because that's what your customers buy. When you meet with a customer, they're interested in how you're going to take their pain away. They don't care about your product. And this was a this was another sort of insight I had back in 2016. And it came out of a single interview I had with a CIO. Now I was a CEO. Uh, I met this the CEO, and I I'll to be honest, he was not my favorite human being. I mean, he was kind of a gruff, you know, insensitive swaggering a-hole. Anyways. Um, so but then again, hey, a lot of CEOs are gruff and sensitive, swaggering a-holes. Uh none that I know, you know. None that I know, yeah. Not me, of course. Um anyways, I had this conversation about security with him, right? He was, you know, and he said something to me that just stuck in my head, which he says, I don't give a shit about those products. I don't care. I don't care what you use. I have no interest, it's irrelevant to me. I just whatever. Just fix it, make it all go away. I don't want to have to deal with this crap anymore. And he's like, I'm not interested in whatever fire thing you use. Like, he was like just totally dismissive of the product, right? And that made me realize, because in contrast, when I would meet with like security leaders, right? 
And I'd ask him, like, oh, tell me about your security program, they'd always say, Well, you know, we have a Palo Alto perimeter and we've got a Cisco, and they'd start rattling off product. And I'm like, wait a minute, you think in terms of product, you view your world in terms of the products that you manage and control. But the but the boss, the the CEO, the people who sign the paychecks, they don't care at all about the product, it's irrelevant to them. And that realization made me kind of get.

SPEAKER_01

I mean, it's it's it's just because the focus and the energy has already been spent on on their business.

SPEAKER_00

Right, right. And so once I realized that, I realized that in order to effectively sell security to decision makers, you you basically cannot talk about the product. You the product is not what's important to them. What's important to them is the finish line, is the I'm gonna take you from here to there. I'm gonna take you from, I'm gonna, you're here, I'm gonna get you here, and I'm gonna do that in 90 days. And when I get you here, I'm gonna have jumped over a bunch of hard work that if you have your internal people trying to do, they're not gonna be able to do it because they just don't know what they're doing. Um, and I'm gonna be able to do that because I've figured out a lot of ways to automate and a lot of shortcuts and a lot of quick, like I've got that process figured out really well. Worked out. And so you're gonna pay me and I'm gonna get you here. And that's the message. And that's I mean, that's the message of compliance automation, too, is I'm gonna take you from here to here and I'm gonna do it a lot quicker than if you tried to do it yourself, or just hired a bunch of consultants to do it. And that message is, I mean, it's inside every, it's inside your marketing. Absolutely. Well, it's inside everybody's marketing today.

SPEAKER_01

And we've had a few iterations of it too, as it dawned on us, like what value are our customers really trying to unlock, right? The uh the the main value, and and and like I said, we had to boil this out a couple times, but at first we thought, well, it's getting that FedRAMP authorization, or it's getting that DOD authorization, or it's getting a CMMC certified, right? Uh not really. It's it's unlocking that contract opportunity, right? It's it's getting that first federal dollar. Um, that's when the value is fully unlocked and realized.

SPEAKER_00

What you are talking about is an opportunity barrier. So it was on then, and again, I keep bringing up this book I'm writing because that's exactly in my in my book. Um when you go out to when you go out to market, um you're essentially gonna resolve a handful of threats, is what I call them or problems. There's really only, and this is another insight that came out of my risk management background, is the realization that there's only a handful of threats that as a solutions provider, as a as a company, as a as a products company or a services company, there's only a handful of threats you really can solve. And one of the biggest ones, and there are others, but the biggest one is an opportunity barrier, which is your customer is facing some kind of barrier for them to make money. Whether that is, and compliance is one of the biggest, if not the biggest, because it just gets in the way of making money. And you that's exactly the point you're making right here, which is getting that first federal dollar, that certification stands in the way. And that is how a business person looks at it. They don't think, oh, I need to be compliant because it's the right thing to do. They think that's in my way. I want it out of my way. Um, and there are other threats that businesses face that you sell toward. And again, keep plugging my book here, but uh, but that's the big one, and that's the big one for for almost all security companies is security is an impediment. It is not an enabler, it is not viewed as an enabler. And I know we all, you know, all security people get together and we're like, we want to enable the business. I'm sorry, but that's not how the CEO sees you. He sees you, I don't mean you personally, I mean security in general. I mean, he sees security or she sees security as an impediment to get to where they want to go. 
Um, and so with that sort of insight in mind, your approach to things isn't I'm gonna, you know, I'm gonna enable the business, that's true, but I'm gonna enable it by I'm gonna get this impediment out of your way. I'm gonna remove it and I'm gonna do it quickly, and I'm gonna do it efficiently, and that's where automation, and frankly, that's where AI comes in too. The thing about AI that's so that so many people are so intoxicated about, to use an appropriate word, is that it's seen as something that can quickly remove impediments to getting things done. And I never know how to pronounce it, I always did it wrong.

SPEAKER_01

Um I always heard Nginx, and then I heard somebody call it Nginx.

SPEAKER_00

Yeah, Nginx is what I've heard. Uh Nginx configuration files, and I know that's a totally nerdy thing to say, but I like you want to talk about something that isn't impossible for normal human beings to write. Like I've tried. I have tried to write Nginx configuration files. I've read all the things, I've followed all the rules, I indented everything just perfectly. And I can tell you that you can burn a trillion hours trying to write those damn things. It doesn't matter how many times you iterate on them, you can never seem to get the gotta get the little call in here. Like it's impossible.

SPEAKER_01

And yet an AI engine could do it like that. Yeah, Claude Sonnet can get it in in uh 30 seconds, right? Right. I mean, even Copilot can write it.

SPEAKER_00

I mean, Copilot can't do anything. Copilot? Wow, that's true. But um that to me was sort of the like you know, once I could do that, I was like, ah, now I get why everybody loves AI so much. Um But I mean that's that's the point is that all of these things are like getting like how do I get things out of my way? Like, and and compliance is a huge one, and AI is is simply accelerating that, just like automation accelerated that.

SPEAKER_01

Yeah, yeah, absolutely. So let's make a pivot and talk about your book.

SPEAKER_00

You mean the thing I've been plugging out on constantly, Darren? Um first of all, we have your first founders user manual. I have see, I have one too. I have a lot of them. Um founders Users manuals, yeah. So after I left my uh after I exited my my company, I exited in 2021. Um 2022, technically, the deal and all those stuff. And basically I because I brought in investors in 2019 and did an investment round, did a follow-on round, and uh that helped grow the business and accelerate it. And I took that compliance automation business from zero to about 14 million in ARR in 18 months. Uh and at that point, I mean the company was even I mean, we were just rocking and rolling. Uh things were going really great.

SPEAKER_01

And it's a lot of fun to grow quickly like that. We've we've had a couple of different bursty, bursty moments like that, and it and it's it's fun. You're adding people, the teams are getting bigger, and and uh customers are loving it, and it's good times. It is good times. It's also hard.

SPEAKER_00

It's also really stressful. Growing pains are real. The growing pains are real, it's really hard. It's really hard to change so rapidly, and we were doing this in the middle of COVID, which didn't help. Um, trying to grow a company, change, pivot, implement new things, and you got everybody, and all of a sudden you're all working at home. It was it was it was hard. Um in any event, um, I, you know, we had we we were growing pretty well, and and it was it was like I kind of hit that moment, like I it's time to exit. And there's a whole section in my founders user manual. I kind of talk about the reasoning behind that. Um, and why as a founder you want to exit at some point. Um, you you there's a great article from Harvard Business Review, and of course I'm not gonna remember the name of it right now, but it's in my book. Um, and it talks about um the founder's dilemma. Actually, that's the name of the article. I remembered it. Um The Founder's Dilemma. And uh it in essence makes an argument. It's a very powerful argument, and this this article's from like 2020 or something. Um and it makes a powerful argument that says when you're a founder, when you've built a business, you really kind of ultimately have two choices, which is you can be in control or you can be wealthy. And it's really hard to be both. Like, yes, there are some that you know, the Mark Zuckerberg is the the example that everybody pulls up. Yeah, Mark Zuckerberg is tightly controls Facebook, and of course, he's fabulously wealthy. Well, those are few and far between. Very few and very far between. The majority of founders, you kind of have a choice, which is you can stay in control of your company forever, and you may do fine and you may make okay money, but you'll probably never really be wealthy. You'll never achieve that kind of wealth of being able to do the things you want. I mean, you'll essentially build a lifestyle, which is fine. And there's that's totally legit. 
And it's a you know, a lot of people do it, and it's a it can be a very satisfying life. Or you can give up control and you can become wealthy, and you can let other people run it. Um, and I came to that conclusion. I'm like, I think I want to let other people run it out. I'm I'm yeah, I'm ready to go. So I exited in 2022, and that's that's when I started writing the founder's users manual. And I came out of a conversation I had with the founder. We were sitting around over drinks and steaks, I'm sure, because I'm thinking of the founder, and we always went out for steak and whiskey. Um, and we were talking about all the crazy, like we and and again, I'm sure you and I could have a similar story where we sit there and go, oh gosh, you know, remember this, remember when you did this, remember when you got that, like all the stresses and craziness of of building a company and all those times when you, you know, you realized, like, oh man, that was a stupid idea. Or oh my God, I really should not have hired that person. Um and and and and I I we were kind of going through all those, and at one point he says, you know, you should write a book about all this, because I I have 26 years of stories about you know, just employee craziness, customers, people yelling at me, people, you know, threatening me, people, you know, all the all the crazy tales of you know going to you know reinvent and all the parties and all the weirdos and all the people and all the the the just and just the challenges of day-to-day grinding along, running a business and all the things you can learn over the years. Um and I had learned a lot because in essence, I had made pretty much every mistake there is. I mean, any any mistake you could think of to build a business, I I made that mistake at one point. I hired the wrong people, I said the wrong things, I did the wrong things, I I bought the wrong, I mean, like I did everything wrong once. 
Um and so that became the basis of the book uh was you know, I've did it wrong, here's how to do it right. Um here are the key things and the the the lessons I've learned over the years of running a business. Um and a lot of it comes from my experience, some of it comes from uh research, some of it came from my own CEO coaching. I I've done and did. Um, but and that's what that's that's what the book's about.

SPEAKER_01

Yeah. Love it. Yeah, I've I've gained some insight from it. I I love the section where you talk about you know getting paid. Um like like like what what that's taken at at some times. And uh uh I don't know, just to give listeners kind of a quick overview of some insights there.

SPEAKER_00

So it's I've talked about this sometimes with other founders. Like you're a lot of founders get stuck on the product and the the they get they get stuck on what they're building and they don't they don't think about the business that they're building. Um and you have to build that business. And when you're a founder and CEO, which is what I was, I was not only running a company, I was also the founder of that company. So I was you're you're building it and managing it at the same time. And that's very different than just being a CEO who wanders in and takes over something else. Um you have to build it from the ground up, and in many cases, you're just you're literally just inventing things on a inventing it. Yeah, and that's tough. Um but uh there's so many of these operational things that you you you gotta do. And one of the simple ones is you gotta collect every single dime you bill all the time, every time, without fail. Because if you don't, you're not a business, you're a charity or something else. You know, yep, collecting on your bills is like you gotta do it, and you need a process to do it, and there's strategy to doing it, and there's strategy to doing it right. And for example, you never have a salesperson do collections. Ever. Because the minute you do that, the customer thinks, what the heck is wrong with that company? Like, seriously, why is the sales guy bugging me for money? He's my friend to think is they're small and failing. So never have a salesperson get even remotely involved in collections. It has to be a good thing. That's like asking your that's asking your good cop to be the bad cop. Right, exactly. And it's a good insight. You never want your salespeople to basically do anything that puts them in a bad light. Like your salespeople always need to be in a positive, good like they never be need to be the ones bringing problems. They're they're solving problems. 
But in the case of so many companies, they just they just don't think about these things. And you need a process for collections. You need the it's it's like this you need a process of increasing pressure. So like, you know, week by week you're increasing, you're ratcheting down the pressure on customers. And that just isn't something that a lot of founders even think about uh because they're so busy thinking about the product, or they're so busy thinking about how they're gonna get to the next sale or how they're gonna get into this next opportunity.

SPEAKER_01

What what what do you find that their AR is just growing out of control, they're not collecting, they've got too many that they're in late status, and they're just sort of not following up on that, or they're following up in the wrong ways.

SPEAKER_00

It's a combination of many times they're just not following up on it. Um they're just they they don't they haven't made that process. They don't have the process, and the whatever controller or finance person is in the company um isn't doing it. Um and as a like when you're a founder, like one there's really key positions you need around you. And one of them is you need a really, really good controller or CFO or whatever, you know, whatever for most smaller businesses, it's like a controller or a director of finance. You get a little bigger, it might be a CFO, but a finance person. And that person's job is to handle the books and the bookkeeping and all the payroll and all that. But they have some really critical functions in the business, and one of those is to be the the the bad cop, the the you know, I'm gonna collect from you. And that's one of their key jobs. I was very fortunate. I had a really great controller for many years. She was she was tough, she was she was hard, she, you know, she got customers to pay their bills. Um, and that's what you need. I mean, that you need that kind of person and that personality.

SPEAKER_01

Um we we talk about this a lot. This is uh and this is one of the reasons I'm going into depth on this one. But um, yeah, it's it's interesting to me in a in a in a world where if I don't pay my AWS bill, you know, they they just shut me off.

unknown

Right.

SPEAKER_01

And it's like, okay, but I can't do that to my customer because because why? You can and you should.

SPEAKER_00

I guess we can and we should, right? You should. You need to warn them that it's happening, and AWS warns you. I mean, it's not like they just shut you off like that.

SPEAKER_01

Um they give you a grace period and all that.

SPEAKER_00

Yeah, yeah, but that's the point of having like there's so many things inside a business where you need processes. Sales is another great one. You absolutely need a sales process, you need a methodology, you need an approach, you need a strategy. You can't just go out into the market and sell. Um, it just doesn't work. And I know I tried doing that for years and years. I tried just selling, and it doesn't work. You have to, you have to have a strategy, you have to understand your market, you have to analyze your market, you have to know your customers, you have to know their pain points, and you got to know those key points at which you're gonna click with a customer and go places, and you've got to know what you're looking for.

SPEAKER_01

Um, I got to cross-pointing strategy and and you know, inbound, outbound and strategies for both. That's right. Um, yeah.

SPEAKER_00

And in today's world, and I mean we can talk about sales, sales is something I spend a lot of time in the founders users manual, and again, it's in my new book, which I'll that's I think the 50th time I've but I better write this damn thing. Um but in sales, uh it it's you you you need to really, really understand your customers, but a lot of the traditional sales methods simply don't work anymore. And the one that I I just like to hammer on all the time is cold calling. Cold calling is totally useless, utterly. Isn't worth anything. I wouldn't spend a nickel on cold calling. It never, ever works. And neither does product pitching. I I gave some advice, you know, I posted this to LinkedIn just recently. I said, if you're going to RSA, uh, here's a message for every startup out there, do not talk about your product. Because the minute you go into a product pitch, the minute you start rattling off speeds and feeds and features and options and quirks and features and whatever, everybody around you just tunes out. I don't care. Because, and particularly anybody who's a CIO or C anybody who's in sort of a leadership role, because they hear product pitches night to day. And your product pitch, I mean, I mean no offense to you or any company out there, but I'm sorry, nobody's product pitch is any good. Nobody cares. The best product pitch is a sentence. We do this. That's it. You want to know more? Let's book a meeting. I'll show you. And my message to all startups is when you go into events like RSA, frankly, when you go into anything, anywhere, your goal is not to tell the world about your product. Your goal is to make the world go, that's interesting. I want to know more about that. Your goal is to get people to want to know about you.

SPEAKER_01

Yeah, what we say is at at the conferences where we where we have a presence, like at like a booth, right? We're really there about brand, about brand recognition, about somewhere to connect with customers or prospects that we've been talking to, and then brand awareness for everyone else, right? And then to make connections with folks that are that are interested. We also have partners that walk over folks to talk to us. Um, but yeah, I mean, I totally agree with that. And then, you know, some some conferences like RSA this year, we targeted just to send people, you know, send people to walk around, walk and talk, uh, have some outside meetings, uh, and that kind of thing. And RSA is a terrible conference to walk the expo and try to talk to booths about what they do and how it might intersect with what we do. Right. Right. It's just awful because it's it's it's bigger companies, marketing people, and they're like, they don't want to they don't want to talk about uh what what we do. I mean, it you know, they want to talk about what they do. Well, exactly. That's what they're paid to do, right? Right. But um I took this approach to FC O West, which uh the main part of the floor, it it's sort of like RSA, it's too big, but there's a a much bigger part of that expo that's upstairs that's medium, small businesses, and the folks at those booths are C levels, right? And I probably went to 20, 20 different booths up there that I I targeted ahead of time, right? And um had great conversations, you know. And and and I didn't do that by talking about our product or what we do. I I listened to them about what they do. And you know, they're all in the in the defense space, right? So I I know there's intersection. Um and no, it was it was wonderful and made some great connections. Um, some folks asked, what do you do? You know, and I was like, oh, let me tell you what we do. We help accelerate to get to IL4 and IL5 in the DISA process. Right. 
And uh they're like, oh well, that's that's interesting because we've we've we're platformed over here in Sea Army and in NavC and these different uh defense clouds, and and well, maybe they're they're interested in DISA, or maybe they have an opportunity in FedRAMP.

SPEAKER_02

Right.

SPEAKER_01

So yeah, I mean it it I used to hate the idea of sales, I really did, because I'm like, I don't like I don't like just pitching, you know, and I it's not about that, it's about getting to know people and trying to help them solve their pain. Right. And uh, you know, I could do that.

SPEAKER_00

Right. And that's the message for every startup is that and every company that's out there, frankly, until you're a big company, until you're huge, until you're a Palo Alto or somebody like that, um, you have to constantly be differentiating yourself and making yourself interesting. And you're not interesting if you sound and look like everybody else. And and I don't know how many startups they go to RSA and they spend all this money on marketing, they hire some marketing rock star, superstar, big shot, you know. Oh, I worked at Microsoft back in the 1990s, and and they they put together these booths that are that make them look like a big company. And it's like, great, you what's special about you? You just look like everybody else now. You sound like everybody else now. There's nothing unique about you. Why would I buy from a little dinky startup that looks and sounds like a big company when I could just buy from the big company that's already kind of got all the resources I want? And that's the challenge is that when you go into the marketplace as a small business or a sort or a startup, the odds are fundamentally against you in every dimension. Every your competitors have every advantage. They have the people, they have the resources, they have the name recognition, they have the branding. They can just throw, you know, they can just throw millions and billions at things. You can't. You don't have any of those resources. So your only advantage, your only way that you can even the odds, as I like to say, um, is to be different, to be unique, to sound interesting to people, to say something to them that makes them go, oh, that's an interesting idea. I kind of like that. Yeah, let's talk about that some more, to pique their interest so they want to know more about you. And then they come to you. Because once a customer or prospect comes to you, they're receptive, they're willing to hear you, they're willing to hear your innovations. 
When you go to them, they can forget it, they have no interest. You're just another vendor in the pool of vendors. And I learned this from the VAR world. Um, right. This was a lesson I figured out about being a VAR, that it didn't matter if I had the smartest, bestest people, it didn't matter if I was a genius company that could solve every single problem my customer had, if the VAR down the street sold it for a hundredth of a cent cheaper, they got the bid. They won. And I'm like, that when I sort of figured that out after losing money a lot for a long time, um, then it it was like, okay, I I I gotta change up how I do this. I had to become interesting and unique and special, and not just yet another company out there doing this. Um and I think that's very important for I don't think it's by the way, this isn't just for security companies. I think this applies to any technology, frankly, any startup out there.

SPEAKER_01

Yeah. Um, dinky noisy startups. There, there's there's plenty that are getting into the the uh the space that we're in. And uh, I mean I I love it because we we we we go and and talk to customers that have talked to them as well, right? But the differentiation we have about uh and just being able to speak to the the the volume of work that we've done, right, uh and and the size of the companies that we've done it for, right? Um that's all they need to hear. And it's like, wow, that's that's that's different. And you know, you got platform, you've got you're you're selling more than a uh you know, some software.

SPEAKER_00

What you are selling is not a product, you're selling your credibility. Credibility and pain relief. Pain relief. Credibility is what sells today. And that's uh hey, by the way, and that's the basis of my next book. My next book is called Credibility Selling, and it's all about this concept that when you Hey Andrew, let's pivot to talk about your new book. Let's talk about the other book. I am a shameless self-promoter. I had I admit that. Okay. Um I am. Um uh in today's world, that's how you sell. You sell credibility, you don't sell product, you don't sell features. And when you adopt a credibility selling technique, a lot changes. A lot of traditional strategies, they invert, they change completely. And the big one, the big inversion that, and I I I've I just coached another company on this like just this last week. And I coached an MSSP a while back ago on this. They they did exactly what I said, and and their their business just skyrocketed. So I know it works. Um you you change the relationship between salespeople and subject matter experts. Traditional sales, salespeople lead the effort. The salesperson is in charge of the deal, they're in charge of the opportunity. They run the sales process. They're responsible for the initial contact, for sizing up the customer, for getting the opportunity. And at some point, they bring in the subject matter expert to answer questions, or or you know, a sales engineer is what we call them, or a solutions architect. They go by many different names, but a subject matter expert. Um, and that's your traditional sales model. And that's what VARs do, that's what most technology companies do, that's what a lot of startups do. Is you have salespeople and you have subject matter experts. In credibility sales, you flip those two. The the the subject matter expert is leading the sales expert is the process. They are in charge of that initial engagement. They're the ones. 
And that's, I mean, in an essence, that's how we operate, actually. Yeah, that's you. That's who you are. It's often the founder, by the way, uh, but not always, um, or a founder. Uh particularly in startups. It's you're leading with that, like you just did, creating relationships, talking about what you do. You're selling your credibility to everybody around you. You're saying, look, I know what the hell I'm talking about. I'm I'm in this, I do this, I'm an expert. I I live and breathe this every day. And so you're attracting people to your company, not because you have this awesome platform, because that's not what's going to make them come to you. What's going to make them come to you is they're like, Jason, he's a smart guy. He knows what the hell he's doing. He's got it figured out.

SPEAKER_01

Well, he's he's a smart guy, and he's got he's built a company around it too, right? He's built a company. Well, one thing Gary has talked about for years is that you know, he he uh he spent spent years growing his career at Booz Allen. He was there a couple different stints, and he, you know, he had he had very large businesses within Booz Allen with very important clients. And he's like, you know what, I could just go out on my own, get you know, hang my shingle and and uh start building the same thing, right? And um the reality was he didn't have the Booz Allen name behind him when he when he struck out on his own.

SPEAKER_00

At Booz Allen, it wasn't Gary that they were buying. They were buying Booz Allen. And Gary had to then build everything else around that, including hiring guys like Jason. You have to build, you're right, you have to build everything around that. It's more that because, and again, think about this. You go out into the you go out into RSA, right? And there's you're sitting next to the Palo Alto booth, and then it's you know, your you know, startup booth, right? Palo Alto has got 50 people in their booth, it's the size of a you know a small city. They've got, you know, you know, we can solve every problem you've ever had with our Palo Alto, blah, blah, blah, blah. You know, they've got everything, and it's all big and glossy, and they're huge and massive. And people go to the Palo Alto booth because they're buying Palo Alto. They don't care who works there, they don't care about sales person. Because the name is what gives Palo Alto credibility. Instantaneous credibility comes out of that name, comes out of their reputation, comes out of when you're a startup, you have none of that. You have absolutely none of that. They're like, who the hell are you? Yeah, yeah.

SPEAKER_01

I mean, the sting of losing some deals before uh just because of brand recognition. Right. It goes back to that old saying saying, like, no, no um CIO got fired for buying Microsoft, right?

SPEAKER_00

Like Yeah, I remember it when it was IBM, but yeah, yeah, same principle. So nobody gets fired for buying IBM. Yes, exactly. And so you walk into the market at a fundamental disadvantage, and that gets into this idea of you have to, as I like to call it, change the conditions of the test, which was pulled from my favorite movie, Star Trek II. Um, this idea that you you can't you cannot play your competitors' game. You have to make them play your game. Um, and if you play your competitors' game, you lose because they have all the odds stacked in their favor. One of the reasons why I absolutely do not like to gamble. I do not gamble. I I do not go to casinos. There's a simple rule the odds are against me. It's stacked against me. I'm gonna play a game where the odds are against me. The house never loses. Right. I I'm I'm always at a disadvantage and I can't change those odds. I mean, yeah, I could learn how to count cards and I can become better, but realistically, I'm only gonna improve my odds slightly. I don't have the ability to change those odds in any significant way. Um so why would I do that? And same principle with being a startup. Don't go into the market and just say, I'm gonna ram my head against my competitors because you lose, they win. Um you have to get them to play a different game, a game where the odds are in your favor, or at least the odds are even, which again comes from Star Trek 2. At the end, sauce for the goose, the odds will be even. You pull the Reliant into the anyways.

SPEAKER_01

I'm sorry, I'm a Star Trek nerd. It's just playing, you know, to me, it's playing the game we've always played, right? And it's it's not, you know, there are those out there that are selling shortcuts to this stuff and saying it's gonna be easy. And um, you know, I'm like, well, the the bottom line is security is is still hard, right? Security's still hard. Um, yeah, I I think we've we definitely have a better way. And and I I totally agree that your concept of what we call now platform engineering, you know, come to us, right? Because we we we've um uh built this environment in a very opinionated way and built the tools um in in such a way that the automations are there and and the we built wrapper applications around it so that we we have full visibility. Uh and believe us, this is our business. You know, we can manage it better than you. Right. And uh and and customers love that. They love that that you know what, for this, for that wacky federal stuff, I those are my people, you know, and and and they're they're fixing it for me. They've they've got this going, they helped me get the authorization and more importantly, that first federal dollar. Right.

SPEAKER_00

Um but but yeah, um that's the uh that's the roofer dilemma. Well, that's what I call it. The roofers dilemma, which is I am intellectually and physically capable of putting a roof on a house. I I know how to do it, I can hammer nails, I I understand how shingles work, but I would not want to ever live in any house where I put the roof on it. Because at best, at best, I am gonna do a mediocre job because it's not what I do. I'm not a roofer, and realistically, I probably couldn't do it because I have a bad knee, but that's besides the point.

SPEAKER_01

Um the whole thing is, you know, I I probably couldn't get it done in time for the next rain, right?

SPEAKER_00

Yeah, and that that I mean it would take me nine times, a hundred times longer to do. Well, compliance is exactly the same way. Yes, you could make your IT team do compliance, and they could also hate you for the rest of their lives. Or you can hire somebody who's an expert who knows how to do it, who can do it fast, who has a platform, who has a product, like InfusionPoints. Um, you can hire somebody who's already figured all this out and they can get it done for you quicker. And all you got to do is just follow along. Follow along with what they do, and it'll get done. Um, and that's that now notion of you're selling the finish line, not selling the process to get there is less important than the finish line. That's what that's what your customer ultimately cares about.

SPEAKER_01

Absolutely, yeah. And gosh, that sounds like a great place to to you know put a period on the conversation. Um I could go on forever, though. I mean, you're you're you're uh really fascinating guy to talk to, and I really appreciate you coming on the the podcast today.

SPEAKER_00

Sure. Thanks for having me. It's fun to talk about this stuff. I really appreciate it. Um and it's exciting to watch uh you know InfusionPoints do so great, uh, you and Gary, and and you know, keep at it. I mean, there's there's plenty of business out there. It's great to see how you guys have expanded and gone on to greater things, and uh and uh I'm sure there's more great stuff to come. And and uh as always, uh reach out if you need help. I'm I'm always here. I mean, I'm uh yeah, thanks so much for that.

SPEAKER_01

Yeah, yeah, thank you.

SPEAKER_00

I'm happy to be a and I so I offer that to every startup founder. Like, look, you need help. Sometimes you just need a second opinion. And uh I did. And having an advisor, counselors, uh, you know, people you can bounce ideas off of is really important to be a founder to to run a company. So uh here for you, and I'm here for I'm here for all startups.

SPEAKER_01

Absolutely. Well, well, thanks so much for uh coming on again. Cheers. Yeah, thanks, Jason.