Tech&Main podcast - The myths of audit automation

Grant Elliott, CEO of Ostendio, joins Tech & Main to discuss why relying 100% on audit automation could cause problems for your organization. Shaun and Grant also discuss industry trends in cybersecurity, venture capital funding, and the challenges of entrepreneurship.

Listen to the live recording below.

Transcript of the show

Shaun St.Hill 0:00
Thank you for joining another episode of Tech and Main Presents presents where we bring you the best insights from today's leaders and experts in technology. Today we have a real treat we will be speaking for a third time with Grant Elliott, Grant is the Chairman and CEO at Ostendio, a cybersecurity company based in Arlington, Virginia. Grant. Welcome back to the Tech and Main Presents podcast.

Grant Elliott  0:20
Super excited to be back again, I always enjoyed this conversation Shaun. So thank you for inviting me again.

Shaun St.Hill 0:26
You're welcome, Grant. You're welcome. It's like having your cousin back over. So this is good stuff, man. Well, Grant. So as I alluded to, you have been on a couple of different times. But for those that may not have heard those episodes, can you tell us a bit about your background and how you became the CEO of Ostendio?

Grant Elliott  0:45
Sure. Yeah. So it seems forever. Ostendio was formed back in 2013. So for almost becoming a veteran, and they can entrepreneurship space. From that perspective. My background is prior to that I worked for a digital health company, I was both the Chief Information Security Officer and the chief operations officer. And in that role, had the opportunity to build our information security program or compliance program, and cannot go through the process of having to demonstrate compliance to various large healthcare entities started to realize that it really was a difficult challenge that many organizations were facing and kind of felt there must be a simpler, or easier way. So as I kind of looked into the challenges there, there were traditional GRC platforms available. There were other kind of tools available, and none of them really solved the core problem that I felt I was facing, which was not just how do we become compliant? But how do we operationalize our security program? How do we involve everyone within the organization in that process to make sure they're all doing what they need to do? And how could we build a mechanism to support that I sort of created various different tools bundled together different systems and processes to do something like that. And my prior organization, we were a SaaS company really just at the point where SAS was unfolding at that time. And it kind of struck me why wasn't very good platform in the marketplace that did what I was looking to do, right there were a SaaS tools for selling through Salesforce CRM platforms like HubSpot, there were lots of evolving SaaS platforms for finance, QuickBooks, and there really wasn't anything from my mind that can did a good enough job from a security perspective. And so that was the candidate kind of genesis of the idea. And in 2013, I decided to leave the organization and see if we could actually build something that was better.

Shaun St.Hill 2:37
Oh, and Grant, here you are almost 10 years later?

Grant Elliott  2:41
Well, I don't know that I would, if someone had told me that back into their team, that would have been an interesting it. To be honest, in those early days, I've spoken about them in the past, and you just want to get something off the ground. So I don't know, I don't know what I would have been like, if someone had told me back then that here would be kind of almost 10 years later, still doing it. I think one side of me would be kind of thinking, Oh, my goodness, that means it must have been some level of success, because otherwise I wouldn't be here and never done anything in my life longer than seven or eight years. So there'll be another statement thinking, Oh, my goodness, what we're doing wrong, right.

Shaun St.Hill 3:14
Oh, great. That's actually a nice segue. Because the last time we talked, you had just raised a Series A round of funding. And before we were recording, we were kind of catching up and touched on the current VC market. But I want to get your recorded thoughts. What are you feeling? What are you thinking about the current VC market?

Grant Elliott  3:37
Yeah, I think that we get sucked into different trends within funding. I mean, there's no doubt that if you compare the way that funding works today, versus maybe 10 years ago, or 20 years ago, there's definitely a very different perspective to their way more firms out there, both in terms of private equity, as well as kind of venture firms today than there has ever been. There's the I don't have the data in front of me, but there's way more money being invested. And from what I understand speaking to, again, kind of some large private equity folks, they're still even given the current economic claim a lot of money on the side that has been built up over a period of time as well. So the opportunity for funding and if you're building an organization really has never been greater than it is today. But that creates a number of different scenarios, right? Not all firms that are investing are good firm, right? Like any market, you're going to have really effective ones and really ineffective ones. Even venture firms that maybe 10 years ago were considered to be blue. Every organization has a lifecycle and, so some of them are still coasting on reputation or brands rather than positive investments. And I also think that you are continuing to see this kind of self-determining ecosystem where some of the larger event is out are almost trying to create a self perpetuation ecosystem, so it's gonna look hungry invest in you. And then I'm also going to ensure that all of my portfolio companies buy you, right to get your kind of traction, which is, in some degrees creating this kind of almost like this gonna count huge Ponzi scheme, right where you're, you're investing or certain VCs are investing in companies today that are trying to grow it, they call it Blitzscaling that put so much money into sales and marketing, to try and generate economic momentum for the organization that goes beyond the quality of the product that's been built, with the view to eventually kind of handing off to either larger scale PE firms or institutional investors, this kind of this kind of race. And I think that's kind of creating an unhealthy element within the Investment ecosystem today. But that doesn't mean to say that I think on balance, right, will you have some of those kind of bad actors at least have some of those practices, I really think that on balance, that it's still a better ecosystem than maybe it was five years ago, or 10 years ago, because, again, any organization today, if you have an idea, you have someone that's going to give you money, you can find money, right? If you have the right concept and that great idea.

Shaun St.Hill 6:15
Oh, you're exactly right. If you look at TechCrunch, for instance, or any one of the other newsletters or alerts that come across, you'll see every day companies are getting series A series B Series, there's there's money to be had. I think the I think the thing that you have to look at and you can't argue with, especially in your case, is you waited a period of time to take on an investor. And I think that's something that maybe you could share and maybe encourage other founders honors with. There's a there's a timing of there's the timing of a thing. Would you agree?

Grant Elliott  7:01
Yeah. And I think that it really depends on the entrepreneur themselves in terms of what you're hoping to achieve, right? I mean, I don't want to say that there's one path and but it's not for me to criticize organizations that take a lot of money early and use that as an opportunity to try and grow faster, versus other organizations that maybe take a more organic approach, we've clearly tried to take a more organic approach. And that's, you know, I've deliberately chosen that mainly for reasons of control than any kind of get get, I mean, clearly have not chosen this as a get rich, quick scheme. And the more money you take, the more dilution you obviously receive. And that puts certain decisions in the hands of other people other than yourself. And that may or may not be a good thing, right? I mean, there's lots of smart people that invest in organizations. And there's lots of boards that provide great invaluable advice to the to the management team of the organization. But there's also the opposite of that, right? There's also potentially lead investors that have people on your board, potentially don't understand the market, or maybe based on spreadsheet analytics are comparing you to other organizations that they've seen within the portfolio that may be doing things in a different industry that may or may not apply to you. It is it's often hard for the investors to truly understand your your business when we took our Series A last year, and I got my new board together. One of the first things I did was I gave them a presentation called the quarter second coach and the quarter second coach presentation that I do is based on there's only 12 People in the history of tennis I've ever run a run within a quarter second of Usain Bolt's 100 meters world record. And so I mean, that's a really, really small number of people, right? And if you were to take their coaching job, or if you were to become the coach of one of those athletes, how would you how would you advise them? Right? You're not going to go up to that person say, Hey, have you thought about improving your diet? Right? Have you thought about exercising? Or have you thought about doing fartleks? Right? Because they're elite athletes, right? They know what they're doing. They've got to the point that within a core second of the world record, right, and so you spend time understanding the training regime, you spend time talking to them, you spend time understanding the physiology, you spend time understanding their psychology, right? You really invest time in understanding the environment and the athlete. So why is it that we have advisors that come into organizations and thing that within an hour's conversation, they can give you really this kind of advice to tell you how to run a business that you've been running for two or three years and don't get me wrong? There's certainly younger entrepreneurs who may come into an organization or are set this up that don't have a lot of experience. And I'm not saying that people can't add value. And I'm also not saying that I haven't spoken to people that have given me insightful generic advice from time to time. But I think the reality is that if you're thinking of reasons for why you want To raise money, clearly funding alternatives and having more money does open more options to you. But finding the right investment partner that's going to provide advice is going to exercise patience is going to spend the time understanding your business and be there to be supportive, that's probably even more of a reason to raise money than the money itself.

Shaun St.Hill 10:25
Now, I think that's a good point Grant. Let's pivot a little bit and talk about something that you've spoken on, which is called the myth of automation. What exactly do you mean by that?

Grant Elliott  10:41
 So this is actually tied also into the can I guess, investment conversation as well, we were ship is all about trying to, you know, simplify things make things easier, create cost efficiencies, and there's some great examples of that over the history of time, right? In my space, and security and compliance, the Holy Grail is it's a complicated space, right? There's a lot of work that's involved, I don't think anyone needs to be explained, anyone who has been involved in going through a security audit, just how challenging that is how time consuming as how cumbersome that can be. And if you're the person who's responsible as I was for pulling that information, together, you can understand this adoption of someone can coming in telling you, hey, we have a silver bullet for that, right, we have an easy button, right? And your Silicon Valley, and I guess the investment community generally is been amazing. And its ability to find organizations that create automation efficiencies that take more routine, mundane tasks and find ways to automate them. The interesting thing about compliance as an industry to some degree is, when you think of it the core ethos of what you're trying to do compliance Germany, many of the tasks that you're performing are to protect against the dangers of automation, right. And when you think about automating repetitive tasks, you will be some of the major breaches we've had over the past few years. It's not through a lack of technology that those breaches have occurred, right? Oftentimes, it can be because we've implemented this technology. And we've overlaid on whether that's technology was rolled out properly, what will rely on that technology, the monitors, that we have a whole industry right now, or some tools about tracking and managing audit information, we got a whole new emerging breed of tools that would soar that can do security orchestration to try and again, automatically react to events and activities within your network. So there's this arms race, we've talked about all the time where the bad guys are developing more sophisticated tools. And so the good guys have to develop more sophisticated tools in the cybersecurity industry is just growing exponentially with the amount of choice that's available. But the reality is that we've seen over the course of the last 10 or so years, and I've spoken to this a lot is that our environment has become more complex, we've long since passed the can the castle with more approach to security, we can no longer just trust on with our data as in protecting it like a bank vault, right that that that went years ago, right, we then started to try and protect information based on who was accessing information where they were accessing it from. And with, with the cloud, understanding that data is everywhere, it's replicated, your suppliers are in the cloud, it's it's harder and harder to understand where your data as let alone who has access to that data. And then with COVID. And with the pandemic, we can even do it based on people being in an office of people using the equipment we give them, right? Increasingly, people are working from home on different devices. And so the whole complexity of your security environment. And don't get me wrong, there is an amazing array of great security tools that are coming out. There's device management capabilities, there's again, a you know, ability to look at data going through your networks and identify what type of data that is and alert you if they're sensitive they've been parsed, that the more tools there are, the more management of those tools you require. And that's hard to automate as well. And so, me what we've seen in our industry over the last couple of years is this kind of explosion of organizations. So again, are using this kind of Silicon Valley Blitzscaling method of spending 80% of the funding the raising and sales and marketing and only 20% on the product, where they can go out with this kind of really kind of Blitzscaling approach to tell these organizations. And that's a huge problem that you have, that you're really struggling to solve with a really really nice slick solution that just automates for you. And it's like telling someone who basically has health issues that you have a tablet, that means that they don't have to dye it and they don't have to exercise it really is this gonna doing these people a bit of a disservice. But when boards are under pressure organizations are under pressure. It's an incredibly seductive and compelling sales proposition. So we're seeing lots of organizations fall in for that most of organizations falling for it. terms like two weeks, or candidates or get your so called it done within just a few weeks, that accelerates all. And that's not to say that efficiencies can be implemented as process. That's what we offer as well. But they've just taken that message too far, right? Automation in itself is not a bad thing. But you can automate everything and to give the impression that you're automating everything is kind of irresponsible, from our perspective. But when you raise as much money as some of these organizations have raised, because, again, you've got these investors focused on the art of the possible not the art of the probable, then they're gonna have some success. If you're spending $10 million a month to grow your business, of course, you're gonna grow revenue, of course, even the customer base, right? And question then becomes, can you sustain that, right. And what we're already seeing, though this this lifecycle is occurring, is that because we've got more responsible growth, because we get a more responsible approach to how we, we manage our clients, because we make sure that we are selling to clients, as soon as we know, we can implement it, we can maintain, and we can retain that client. A lot of these organizations have started to see huge term issues, right, they're starting to see that eventually, clients will they'll maybe fall for that original sales proposition when you can implement the solution. And when you can meet the promise that you've determined in your sales pitch, that they're gonna get wasted. And they're going to start realizing that they've been oversold, and they're going to start churning. And now what you're seeing is you're seeing some of these organizations that raised hundreds of millions of dollars, and they're actually having to raise more just to stay viable. And now going into cost reduction exercises laying people off, which again, to me comes to that concept of a responsible reason.

Shaun St.Hill 16:42
And, this actually is a nice setup for this next question, because to your point, if I, as a customer, have been told that I can get my SOC 2 audit done in two weeks. Well, then Grant Elliott, that's what I'm expecting. Right. And so, when that doesn't happen, obviously, there are issues. And so this next question I have for you is, what are some of the issues, automation can cause for a data security program?

Grant Elliott  17:17
So it really comes down to what are your objectives as an organization? And look, the answer to that question is going to be depending on the maturity of the organization, we and I think this is maybe somewhat surprising to many people, we live in an environment where there's really actually not a huge amount of emphasis for organizations to operate securely to put the investment and, and again, I'll come back to the health analogy I use many, many times, we all know that we should live more healthily, we all know that we should exercise more we all know we should eat and maintain a better diet. And but different people to different extents will basically follow that guidance, some people not at all some people to an extreme, right. But we generally for the most part, all know, we should do more. So gaining a good security posture. And we all agree that that's important, right? We all see the news of the breaches, we see how vulnerable we are with ransomware attacks with supply chain issues that are happening across the market. But we always think that it's never really gonna happen to us. It's really easy, because it's like insurance. It's really a problem we think is going to happen tomorrow, not today. So what you tend to find is a correlation earlier stage companies and I understand this right, having been at that stage, their focus is they want to be they want to sell, right, they're not they're not fearful of the of the regulatory authorities, for the most part, you were not in Europe, right? So there's not a huge amount of oversight when it comes to the regulatory authorities and temperature is your biggest fear as your supplier. So your customers, can you persuade your customers that you're a secure organization. And for the most part, what's happened there is that more because of the complexity and the heterogeneous nature of the supply chain I mentioned earlier on with Cloud suppliers. larger organizations don't have the resources to do the level of introspection they need to do in their suppliers. So they require their vendors to have gone through some sort of external third party audit, the fastest growing of those frameworks is sought to overseen by AICPA and so you're seeing an absolutely explosion of firms out there conducting assault to engagements. And so that's why you're seeing a lot of these companies coming in complete and seeing that they can they can get you through a SOC 2 the challenges that SOC is a framework right is pretty malleable, right? There are other frameworks out there are very prescriptive, but you can SOC for the most part our SOC 2 is about doing what you see you do. And step one is what do I see I do. And so when you receive a SOC to report for one of your vendors, you should really read it carefully about what they're that you can basically get a report That suggests that they've passed that SOC 2 audit. There's no exceptions noted. But when you actually look at the scope, it's pretty narrow right in terms of what they're seeing that they actually do. And so these organizations, for the most part, are doing whatever they need to do in order to get that SOC 2 report. So they can give it to their client to basically say that, hey, we're secure. The problem is that increasingly, passing a SOC 2 does not necessarily mean to say that you're secure. There's so many ways for you to get a SOC 2 report today they're through managing scope, or through going through a HGC, less scrupulous audit firm, right? Who we're seeing some audit firms and some organizations quoting two or $3,000, to do a thought to. And there's just no way that you can spend the time going through the level of diligence required to review someone's controls to do in that period of time. And so the question for the UN I ask is, are you looking to just get sought to, to to give to your client? Are you actively looking to build a more secure infrastructure in your organization, so that you're not going through some form of breach. So I think that's the challenge that the biggest threat as people organizations with a soul too, are not actually secure. And they're going to experience some form of vulnerability,

Shaun St.Hill 21:18
or Grant, as I'm listening to you, the thing that pops into my mind is the difference between a vulnerability scan or a quick assessment and an actual pen test. Right. And for a lot of companies, they're just looking to get that quick assessment, they want to be able to say, so I'm an up and coming supplier, and Coca Cola and Verizon are two of the companies that I'm looking to be a supplier for. And of course, Coca Cola, Verizon, say you need to be compliant. And so what I do is, I think of the quickest way to get that accomplished, right? And so I would look at that $2,000 SOC 2 automated assessment in a couple of weeks. Because I want to be a vendor of record for Coca Cola and Verizon and to be able to have those logos, right means everything and so I'm, Hey, I gotta get it done. But not  everything that glitters is gold, right. So yeah, that quick SOC 2 assessment, or that SOC 2 done in two weeks, there is a price to be paid for that type of thing.

Grant Elliott  22:36
Well, it completely devalues. That's the problem, right? I think that as I said, Look, we when we started looking at our suppliers will not want to just trust the fact that they have a SOC 2 report, right. I mean, it completely devalues it. And that creates a problem, right? Because now the question becomes, well, how then do it? How do I demonstrate that my vendors are secure, right? If I can't trust the SOC 2 report, right, then what do you do, and maybe other frameworks can start coming into place, what we see is more serious security, professional training slightly more mature organizations, they understand the importance of building an effective security program, not just building a compliance program, one of the core. And when we talk about the reason for building their standard platform, we see yourself as a security company, not a compliance company, right? We built the platform to help organizations operationalize the security program, we just happen to have this incredibly valuable byproduct called compliance data, right? If you're using our platform effectively, and you're operating every aspect of your security program, right, from policy control, audit, management, assessments, training, all aspects of every aspect across whatever standard, the regulation, right, and you use our platform to manage that in a day to day basis, everyone within your organization is logging into the platform, you can make sure that everyone from the receptionist all the way through to the CEO, are performing the tasks that they need to be performing on a routine basis. And you mentioned some examples of things that pen-testing. The important thing to bear in mind is there are so many tasks beyond the technical controls that are important for a security audit. One of the examples I like to give. And again, this helps to differentiate the difference between some of these automation platforms that are out there just now is you just take a simple example of background checks. And again, if you go and you talk to one of these automation providers, they're gonna say, Yes, we have a dashboard, we're going to be able to you're going to be able to see users and there's gonna be a check box here that's going to show you absolutely, that that person has had a background check that you're good and they expect in many cases, the audit firm to accept that checkbox, that that employee has had a background check. But when you've got when you've done this job and you understand in a more mature environment to realize that not all background checks are equal, right. certain jobs require a background check can be done before the person is put in a position of responsibility. The background check itself might vary between international and national and may vary between different states and make You may require to have three employment verification or five employment verifications, you may be required to have education or certification verifications and validations. There's a lot that goes into it and you have to step one define specifically by rule, what the criteria of that background check needs to be for that particular role, you have to define that point, we call that defining that what should be right. So you have to define what should be. And then you have to ensure that the what is actually happening matches the what should be, you can see straight away a simple checkbox is not going to meet that standard, you have to literally go on and potentially lose, to verify that the background check is actually meeting the criteria has been been set. And even if you provide an integration into a third party background check services, there are so many aspects to that, again, anyone who's gone through and performed background checks or has been through that process, we'll realize more often than not, there's some sort of issue with a background check, and may just be a data issue. And maybe there's a matching address information for employee verification, or, again, most of these companies only call an ex employer three times before they'll give up. And again, that's going to highlight a flag, there's lots of issues that typically need to be managed with a particular brand, but a background that's managed by the HR organization. Again, this is just a simple example where when the automation provider promises you, we can automate things, and we're going to give you that chat box, and everything's going to be okay, the series audit firm is going to not accept that. And it's really want to see the background checks, or at least a sample of the background checks that be conducted. And again, that's not possible to do in some of these simplistic automation. And that's definitely something that's not really happening in a two week period.

Shaun St.Hill 26:42
I think that's a great point. And so yeah, that's the thing, you you do get what you pay for, and a company that and this isn't to denigrate what others are doing or as you said, it's not to say that automation doesn't have its place or that it hasn't, or that it hasn't helped move forward some of the analog or manual processes that that we're used to. But when you are talking about something as complex as security and compliance, you have to be serious, and you have to be diligent.

Grant Elliott  27:18
 Absolutely. And to echo your point that there is a place for automating activities, our platform automates a lot of tasks. Right. But again, the fundamental aspect is automation has to be a component part to the broader perspective, right. As I said earlier, one, the whole process of compliance is defining what the target state should be, right? What is the optimal state, what is the state of your organization? How does it need to perform to operate in line with the security program that you're you're putting in place, and then the compliance aspect of that is verifying that your organization does operate in that way, pulling in a dashboard of how your organization operates. Without that comparison is pointless killing in an integration from an AWS environment, that simply just shows your ad, get your AWS dashboard, and a different format. Again, I'm not saying there's not value to seeing a lot of information in one place, but how are you comparing your AWS configuration to how it shouldn't be set up. And that's the key aspect that needs to be done, and it's being missed. And he reputable audit firm, right will come in. And the reason that you can do this for $2,000 is because they're going to spend at least 100 200 300 hours depending on the size organization, looking at every single control making sure that again, you've defined exactly what the the should be stay as, and then competing at least a son a sample to verify that the as the match is there, what should be seen? 

Shaun St.Hill 28:50
All right, great, let's let's look at this concept of partnerships and bringing in partnerships for the benefit of the company. And its customers how, how have you developed partnerships over time? What are some examples of recent partnerships that you've entered into?

Grant Elliott  29:08
So obviously, we've been doing this for a while. And so we've listened a lot to our clients. And as I've said many, many times, this is not easy, right? Again, I truly understand why people want that that easy button, right? Because for many organizations, this is more complex than they think it should be. So we've worked really hard with the clients, we have to understand how can we make your life better? I mean, our platform is only gonna go so far. Right? So we've obviously we have a professional services organization, again, there are experienced some of them x auditors, some of them security professionals who have kind of been former CISOs, etc. And they're they've been through and they've lived this but at the end of the day, we also understand we are a platform company, so there's only a limit as to how big we can scale that kind of resources. So we've now gone into different parts from a partnership perspective. One part is we've started to work with managed service providers, and managed security service providers. As I said, one of my pet peeves is when people look at this and chunks, obviously, you have to break the problem down into component pieces. But security is such a broad over encompassing part of your organization, that even just to sort of break our part out, that can be bad and challenging for an organization. So we work with and managed service providers who went in organizations say, hey, we will do everything from managing your laptops, managing it, office 365, environment manager or security. And increasingly, we will manage your security compliance program as well. And the bundling of a platform as part of that process as a way to kind of project manage, or activity is a really nice synergistic approach to making sure that especially some of these can earlier stage, less mature organizations have a kind of one stop shop for everything, rather than having to do things in a desperate matter. And so that works really well for us, because we believe that we don't have to support those clients to the same extent, because we have qualified partners and doing the same thing. The other area is what I mentioned earlier about understanding controlling the audit, right? We know that it's not easy for our organizations, especially some of the earliest stage organizations to know who is a reputable audit firm, right, and, and that audit process is cumbersome. So from an early age of our development, we realized that was operationalized in the security program as a huge way we can we can introduce efficiency, again, trying to make the audit itself more efficient, is also a huge win for both it for the client and audit partner. So we built on part of our platform specifically for audit firms, right, we basically are the only platform in the market that allows an organization to conduct 100% of their audit, without exporting a single artifact from our platform. And the way we do this, again, is because again, we give the organizations the ability to manage all aspects of the security program, even the manual elements can be managed within our platform. But we also create an assessment function within our audit partners, where they have a version of our platform, and these assessment as can be shared with each other. So I can simply just map within my organization, all the evidence I need based on every single control, and then share that with the audit partner who has their own version of the platform. And then they can, again, from logging into their version of platform, they can actually go through and conduct 100% of the audit within their version of platform. And we've implemented tools that make that process simple, like the ability to lock questions and share information, etc. And so that's going to really, and then what that allows us to do is because we are in control of both the preparation of the client, so we're supporting the claim to build out their security program, because our platform is the platform that's been used to track monitor, measure and manage their entire security program. And because we understand the requirements of the security auditor, we give them the ability to actually import into the platform, their proprietary information request lists their proprietary audit criteria, right, we know that they're going to conduct the audit to an appropriate standard, which actually allows us because of these partnership relationships, to actually guarantee to our clients that we actually offer an audit guarantee, we guarantee to our clients that they can pass their audit. And we don't do that because we are reducing quality, we do that because we control the input, we control the management, and then we understand the audit relationship to the point that we know that we've prepared them to the extent that they're going to pass and it's almost like this is gonna sound a little bit strange. It's almost like we know the test criteria. So we basically are able to prepare the client to actually complete to that test, prepare everything. And we know the test criteria, because through the partnership, the audit firm shares that test criteria with us at the beginning of the journey, which reduces risk of the beat any kind of observations found.

Shaun St.Hill 33:56
So rent as the as the husband of a third grade teacher and with a daughter in high school. You're familiar with the concept of open book, right? And, and I think people when they hear open book, they think, oh, automatic, a easy a, not necessarily there's still work involved, right, you still have to understand the material, you still have to have been in class and grasp the concepts. It's just it makes it easier for you to complete the task. Now that you've been given the option of open book, and I think that that's what's so cool about what you just said, You're working, helping your clients get to their end state without them having to kind of fumble through and figure out the steps that you've already taken on their path.

Grant Elliott  34:53
Yeah, there is no secret here, right? I mean, and this is a challenge right? Going through in order, right? As so much If you've done the preparation, if you already are operating an effective security program, and you've already been able to map all of those activities to the specific control, there's no gotcha here. No one's trying to come in and say, Well, you didn't answer this question because you didn't know the answer, right? It's a very transparent process, right? The auditor is going to share upfront in advance, right? This is what we're going to measure you want, right? And where I think a lot of organizations can afford owners, they've just simply not done the preparation to meet that requirement, they've not spent their time trying to understand the reason for that I speak to many CEOs are organizations to try and argue particular, that doesn't make sense, or it's not about whether it makes sense. There's a trust but verify process, you might be doing a lot of this stuff, right? And you probably are. But I noticed that doesn't know that they're not going to connect, they're not gonna say, hey, Shawn, you seem like a nice guy. So I'm just gonna take your word for that, right? There's a trust with verifying audit process. So if you can provide the evidence that you're doing it, they're going to assume that you're not, and that's not going to go well for you. And so what we basically help our clients to understand what they should be doing, though, within the platform, make sure they're doing it and make sure we're tracking the evidence to confirm that it's been done in a simple and easy manner. So by the time they actually come to conduct the audit, that audit process, I mean, we have some audit partners that claim up to 60 to 70% efficiency in conducting the audit. And that's just because the information is organized, structured, mature, and it's there, their traditional audit processes go into an organization. So you can you upload all this evidence and FTP document or FTP file, right, or to your SharePoint environment, and they get all this uncluttered data, that is decapitated files, their time zones, and they have to sort through all that information. And that's not an easy process of the fall. So again, making sure this client is operationalizing all the activity as a huge part of it. And we build that into our philosophy again, because fundamentally, and this is the part that we're really trying to explain to as many people as possible. Compliance is not a means in its end, right. being compliant should not be your endgame, that should not be your objective, building an effective security program should be what you're trying to do. Compliance is just evidence that you're doing that, right. And if you try and achieve compliance, its own right. And the challenge, again, coming back to a lot of these very well-funded automation players, they are not doing that, right, they're basically almost teaching to the test, it's you do the minimum you need to do to get the checkmarks. And you get to school, right, the whole focus is on minimizing efforts, rather than being effective. And to me, I mean, aside from going to spend a little bit altruistically on this, that's not making our country safe, right, we have a real issue in our country, but maintaining the security of our infrastructure, right. And these organizations are not making our country safe. They're basically dumbing us down to the lowest common denominator. And that's not a good thing for our country. And so I again, I genuinely believe that our objective, for the most part, we want to ensure that and we believe we make our clients more secure, they just happen to get through their audits faster as well. But more importantly, they're more secure. And that's fundamental to who we are.

Shaun St.Hill 38:13
I think that's a great point. All right. So Grant, along the same lines, tell us about any exciting new developments or initiatives that Ostendio is working on.

Grant Elliott  38:24
There's a whole bunch that we're trying to focus on, right now, we just launched a recent new module called our compliance manager module. And what we realized was, we probably spent too much time on what I just said there, but making sure that the tool is operational, and that people can use it on a day to day basis. And we realize that there's probably a better way for if we, instead of logging in as a security manager, and as most people do, we just created a more compliance auditors perspective. So you can literally log into the platform, and you can pick whatever standard the regulation you want. And you can see real time control for control domain for domain, person by person, how they set in that moment, related to that particular framework, as well. So it's really cool. And we've really kind of spent a lot of time focusing on code paths. And product development, I spent a lot of years in product development was going to multiple evolutions to how a product develops, right, you start off with a basic product, which is normally pretty intuitive and pretty simple, because it only supports a limited number of use cases. And we see a lot of our competitors coming into this space and this stage. And they look like they're really intuitive tools, because again, they only support half a dozen or a dozen different use cases. But they're obviously limited in functionality. And once you start coming to a use case that either extends beyond the capability to tool or as a use case as a support for the tool, then clearly that product starts to run into problems. So what do you do you build more use cases. And the consequence of doing that you get to phase two of product development, which means you end up with a much more complicated product. We've added all of those different use cases into the platform. And so your platform does a lot more. It solves many many use cases, but maybe isn't as easy to use as As a simpler product or simpler platform, we see this all the time with the evolution of organizations like Salesforce again, people complain for the longest time that it was a really difficult platform to use. That comes up to the third stage of maturity, which is, how do I understand intuitively what the user wants to do? How do I have user base and design within the concept? If they're on this part of the platform? What should the drop down look like? When they click on here? What do I think their next click is likely to be. And that's the kind of stage we're into this kind of user base design makes me really excited the platform. So the idea is that is not about adding more functionality. It's about finding the shortest path to the right functionality for that particular user at that particular time. And that's really exciting to work through those ideas, right? Again, because again, it's all about trying to reduce the amount of time that our clients have to spend on the platform, giving them the fastest path to get done, what they want to do make the platform as intuitive as possible. And that's the kind of third kind of generation where I so I'm really excited about all the work we're doing in that area, just to try and make the platform way more intuitive to your users.

Shaun St.Hill 41:05
And so Grant beyond that, what emerging tech are you most optimistic about, or least optimistic about, and why?

Grant Elliott  41:14
So I think that we're seeing a lot of focus on integrations, right? We asked a lot at the time about how many applications do we integrate with, and we definitely see some of our competition. They promote themselves. We have 60 integrations, we have 100 integration, we have 150 integrations. And I think that as I mentioned before, the way that the supply chain has worked right with the fact that not only is your data in the cloud, not only are you your organization broken out, most of you are as an undeclared, as well, from how you host your data and AWS or xuer. To productivity apps you use, right? They're all cloud based, right? Everything's across them. So I can definitely understand the value of managing those integrations in a way that simplifies understanding that how they work and interoperate with your core environment, the challenges and one of the advantages, one of the few advantages to being a little bit older. And this space is I've seen trends over the course of time, right when the internet came in. I'm a former networking guy at TBT. So I'm used to drawing lines between connection points that create a network. And I was always amazed that when the internet arrived, and people started drawing the internet as a close rather than direct line points, suddenly, even really, really smart people suddenly started to believe that the impossible could happen. And underneath all that was was not just actually a series of lines and connections, and they had to start inventing and magical things happened in the cloud. And we see to some degree, some of that with the cloud, generally, in terms of storage, because people don't realize that again, underneath all of that is just servers. So it's just physical infrastructure, that as it is located somewhere, right? We call it the cloud, because we do some really smart things from a technology perspective, still translates down. And when we talk about things like API's, when we talk about integrations, I think people, I ask this question, Who do you integrate with? At the end of the day, you still have to have a business logic, and there still has to be a purpose. For that connection point, you still have to sit there and write in what is the use case? What information are you sharing, right? It's not as straightforward as Oh, we have a magic API that just interconnected with that right? And, and, again, simple, we do some stuff on SSO and some other areas. And if you're trying to integrate two datasets, I mean, just take, for example, the concept of a name, right? Insurance in how right how is that expressed within the database? Is it expressed as first name, middle name, last name, as expressed as one name, hope, especially people that have as St.Hill, there's lots of different ways that a particular data table can express your name. And another platform may express it a different way. You can't just say an automatic API to just connect those two data fields. There has to be some rationality built in there to understand okay, how am I going to manage these different exceptions, these different scenarios, and you have to do that field, the field, and you have to decide what fields are basically mapping and then you have to have a purpose, right? Are you giving them readwrite? Are you giving them edit? So creating an API script, understanding and making sure that our platform is built through an API oriented architecture, our entire front end uses API's to connect with the back end logic within the application. Providing API's is a simple thing to do. But when I get asked this question, what API's do support, right? Is this this guy was what's in the cloud, right? What business processes are you looking for us to support? Right? And so I think to answer your question to me, I'm super excited about the ability for us to interact and integrate with different applications and to create that connectivity. But my fears around that as a lack of understanding of what that actually entails and the purpose for doing it. And the potential risks that creates right we've all seen recently about the potential security issues with the Slack integration Some issues, right? I mean, we even have a situation where I was integrating with our HR Payroll company, where I deleted the user for my payroll company, and it deleted their Google account, right, because of the integration in there, right. And so people have to be really, really careful that whilst there's a lot of potential utility, on building API connections between systems, understand the power of that connection, understand the power you're potentially giving away. Because again, someone can basically hack into a third party site as an API connection. And if you haven't built that securely, right, either, they can basically hit you up with a high volume of transactions that can bring your system down, or they can use as a backdoor access into your system. So you really have to be careful with those integrations. And I think there's too many companies today for missing integrations without really defining the business case that supports them, the reason for them, and the security to the voting and to make sure that again, those integrations can become a backdoor access to your platform.

Shaun St.Hill 46:00
That's the thing you so zoom, integrates with Salesforce. Salesforce integrates with something else. And there's, it's like a jigsaw puzzle. Right? Yeah. And the thing is, who is sitting helping you put together this jigsaw puzzle, right? Because, because that's, that's the thing. It's, and we hear a lot of the keys to the kingdom. And well, you, you really are giving someone access, when that that code allows them to automatically sign in, or have some sort of have some form of access to your environment, you have to be controlling the access as well, right.

Grant Elliott  46:48
 And it's not just through the API, but let's just say for example, right? You want to integrate Asana into your applications, that productivity tool, right. So you basically say, you sign up with your SSO environment, and then you have users within your team. Do you set up where every person or organization has a silo? No, you have to go through a process the mechanism who's authorized within your SSR to be unable to Asana, that's a process, you have to understand that when people move departments leave the organization, you have a way to reverse that process. And then you have to define policies for okay, what kind of data should we be having in Asana? Right? Should I be because my projects have a customer management or client management should have a 32 bit client data? And so that Asana environment, right, just for productivity reasons. And then what happens if that client data is in that environment? does that become regulated through privacy? Does it become regulated from the healthcare through healthcare through HIPAA? And then how am I controlling and understanding that what the it is there? So there are huge implications across any community around all of these integrations. And so you really have to go through a very structured review that to say, Do we really want this integration, I understand is that we started this whole thing about this, the seductiveness of an easy button, right? It really sounds like a great idea to say, hey, I can automate all this stuff for you academic, there really is no such thing as a free lunch, right? Every single one of these integrations has to be thought through has to be configured and integrated the correct way, you have to review to make sure that you understand exactly the purpose of the integration and the impact of integration. And again, to just work and promote to the market here we have 7080 100 300 integrations is almost as if that somehow has value in itself as a responsible because, again, organizations need to think clearly, why do I want? Do I really need this integration? Do I really understand the risk of this integration? Is it really going to be before and many of them do, but they have to be managing control. And so when employees leave, or when that platform is taken away, use it also understand the reverse aspect as well. 

Shaun St.Hill 48:45
And that's the thing you as I was listening to you were taking me back to earlier in the conversation where there really is no shortcut to a thing, Grant, but it's like, and I'll just say it because it comes to mind. It's like when I first started dating my wife, we went out with another couple. And the husband said, if it's worth having, it's worth fighting for. And I and again, that comes to mind and it ties into there's really no shortcut to a thing, whether it's compliance, or relationships. Right, you have to do the work, right?

Grant Elliott  49:25
I can, yeah, I couldn't be more into that is that you get what you pay for but we never tell our clients that we make it easy, right? We tell them we can make it easier. When clients will say to us no look at our platform or look at what our platform does. They say, Oh, it's complex. And again, we reiterate, it's not our platform. It's complex. It's the number of use cases we're supporting is the environment that we're supporting. It's complex. We're trying to make it easier. We're trying to make it more simple, right? But we're never going to simplify that it's an easy button right and whenever They make that claim. We win clients many, many times. Right? I was talking to a client just the other day, the reason they taught the reason they selected us as a vendor was because we told the truth. They went and they had demonstrations by multiple other organizations, that industry, all of them telling the same story. We can make it easy. We can simplify, we can automate it, we can deliver stuff. And we were the only one that said, yeah, it's not easy. It's hard work. And we can help you do that hard work. But we're not going to tell you it's easy, because that's our work. And that's the reason that that particular client chose us because, again, we were speaking the truth, I hope that more organizations start to realize that there is no easy button. And I think we are starting to see that right? Some of these incredibly well funded organizations who have raised hundreds of millions of dollars are already laying people off, right? I can simulate 20, or 30 competitors in a space in the last two or three years. And the sad thing for me is they're all falling into the same trap. They're all going for the easy automation angle, right. And I understand that because again, if you're trying to blitzscale an organization, you want to go off to the susceptible, you want to go off to the people that are going to say no deal in therapy, the 60 days, you want to exactly go and skip all those people are right and basically sell them one, that's easy, because they're the ones that want the easy soul to understand why that is proven to be successful. And you build momentum. And you say, hey, look, guys, we've got to fill all these clients, but it's not sustainable, right. And so the largest organizations in this space have had to go back and raise even more money, because they're not hitting their target, right, they're running at a market share, there's too much competition going after the same set of clients. And more importantly, and I know this from talking to some of them, they can upgrade those clients, those when those clients grow and become more complicated, these platforms don't grow with them. And then maybe that we've overtime as they invest more money, and at the end of the day, you raise 200 $300 million, you buy yourself a lot of time to get things right. And so maybe they will eventually. But I think the reality is that what we're trying to do here is hard. It's complex. And we're trying to help our clients through that more complex and that more arduous journey.

Shaun St.Hill 52:12
So Grant, let's, let's do this, let's pivot into a, what I call philosophical question, what are your highest priorities in life? And where does work fit in?

Grant Elliott  52:23
So I'm sure anyone who's done what I do is going to probably realize that it's not, it's not for the faint of heart, right? No, organization goes in a straight line. And as I've just mentioned, right, when you're when you've been building a company for many, many years, and hopefully making reasonable success and growth within it, and then all of a sudden, a whole bunch of new organizations come in, which are significantly better funded, and you have investors looking at it, well, they must be doing something right. It does definitely make you question, you know, your approach and what you're doing. But I think I learned early on in this journey, that it has to be the journey that you enjoy, right, you have the philosophical component, this is not about the destination. If you focus just on the destination, then you really can make it a binary component, right? Either we get there or we don't get there. And that's a lot of stress to carry. And so I try really, really hard to try and maintain a focus on enjoying the journey. And what's made that somewhat easier as each stage has been very, very different the stage we're at as an organization. Now, as differently even a year ago, we've more than doubled in terms of our employee base, I have a leadership team that are amazing, that I didn't necessarily always have. So there's smarter people in the organization there's ever been. And that creates a very, very different challenge. The other aspect is I now have two high schoolers, one of them's about to go to college. So with my wife and I, we've been through that whole process. And it's really interesting taken out again, at one end of my career, right, how much more I will do after this particular journey. I don't know that there's no doubt I'm closer to the end of my career than I am at the beginning. And so sitting down with my 18 year old and thinking about what he wants to do and thinking about what skills he wants to go to and what his life looks like is it makes you can to really evaluate take stock and appreciate just how much it's exciting for how much he has in front of them and how much life is and you want to impart Oh, this experience that for the most part is going to be okay. Right? It's just it's going to be okay. Right as much as anything else. And so that really helps kind of put things in context as well that we have a good life. I enjoy my job. We have relative success. I have a great family. I really enjoy my family. enjoy spending time with them and life's good.

Shaun St.Hill 54:36
That's awesome. Well Grant we have come almost to the end of our time and like I said, this is like having your cousin come over. This is some good quality time here, man. But before we go, I want to ask you this one last thing. What's one thing we can't get from your LinkedIn profile? 

Grant Elliott  54:54
So I don't think you'd be able to see this in my LinkedIn profile, but I'll bring this up since obviously, the World Cup is on animal When people might guess it from where I come from and my accent, but I'm a huge football fan - soccer, right? I've played since I think the moment I can walk, I still play adult league soccer. I watch soccer all the time. I'm loving the World Cup is just as some of the best thing that I have. And so I guess I organized my meeting calendar around World Cup games, right? I when I used to work in Europe I used to work in London, and I used to run a European group at a stay organized my flights back from Rome, or from wherever, so I can be back in time for my football practice that night as well. So maybe that's what they are just a complete, complete football junkie. I love it. I love all sport, I love playing it. And the nice thing is that transition to my kids, right on all three of my kids are huge fans, they all play to various different degrees. And I think that's almost one of the biggest gifts that I could possibly give them.  The thing I found in life is that I've traveled to many places, I've lived in a number of different places. And wherever I've gone, you just find that with a local football team, that's right, either as a professional team to go and watch or as a recreational team to go and play. And it creates an instant community for you, which has been an amazing gift that I've had in my life. And I'm hopefully passing that on to my kids too.

Shaun St.Hill 56:22
Oh, that's awesome. So I do have to ask because the US and Mexico will be hosting the 2026 World Cup. And there's about 11 different cities, Atlanta being one of them, which is where I'm located that will be hosting games. So what are your thoughts that far out?

Grant Elliott  56:43
Philadelphia is the closest place for us. And so I definitely exceeded to try and get my kids through some of those games, I think that's going to be a great experience. My hope, amongst all hopes is that Scotland qualify, we haven't been at a World Cup since 1998. I was actually at that game. It was in 18, in France, against Morocco, ironically enough, and we lost for now. But it was still an amazing experience I used to, I used to travel to various different cities around Europe and watch Scotland play, which was again, just an amazing experience. But yeah, we've not been to a major tournament since 1998 until the Euros two years ago. And that wasn't the best experience, unfortunately. So I'm excited that I think the extending the competition to more countries getting in. So I think there's a higher chance that Scotland will be able to qualify for that. And so yeah, my big hope is that Scotland's there, and I get to take my kids to see the games. And then they get to get the same joy and thrill that I've had supporting my country.

Shaun St.Hill 57:43
Yeah, well, let's let's hope that Scotland does make the 2026 . Grant again, thank you so much for your time. Thank you for your friendship, I have enjoyed connecting again. And before we go, what's the best way for people to connect with you?

Grant Elliott  57:58
Feel free to contact information on our website www.ostendio.com you can contact me through Twitter, which is  @Ostendio_CEO and again, if you want to email me I'm always happy for email people to email personally, and it's gelliott@ostendio.com. I look forward to if anyone's got any questions or anyone wants to share any Worldcup tips then I feel free to email.

Shaun St.Hill 58:21
Alright, awesome. And so again, Grant, thank you for being with us a third time and I know there'll be a fourth time coming up in the near future. And with that Tech&Main presents family thank you as always for listening. Be sure to tune in next time when we will have another technology expert share their wisdom. Bye for now.

Transcribed by https://otter.ai.