Learn more about Living Security here
Follow Living Security on Twitter
Follow Living Security on Linkedin

Podcast Transcript as follows:

Sloan Foster: 00:32
Hello and welcome to Calavista Conversations with Living Security. Today we have Ashley Rose, Founder, and CEO of Living Security. Ashley is a serial entrepreneur. She was the former Founder of Bella Bear Wear swimwear for girls that she successfully launched through Kickstarter. She has experience in product design, development and launch marketing, sales and social media engagement. She moved to Austin in 2014 and launched her career in technology, gaining experience and technical project management, quality assurance, and the agile development process. She holds a Bachelor's of Business Administration from the University of Michigan. Her passions or family, health and personal development through new experiences. I might also add, she's a mom of three. Welcome, Ashley. Thanks for joining us today. So I'm happy to be here. So tell us a little bit about Living Security. What problem are you trying to solve?

Ashley Rose: 01:24
Cybercrime is expected to cost the world over 6 trillion by 2021. And what many people don't know is that a majority, some statistics say as much as 95%, of these breaches, are caused by human error. People making mistakes. Doing something that they should not be doing that then they shouldn't be doing or doing something that they shouldn't be doing. And historically, the way companies have tried to solve this problem is through an annual compliance training done for seminars or one-size-fits-all PowerPoint training. And what we know is that this type of training does not change behavior because breaches are still occurring. So Living Security was launched, we use immersive and gamified learning techniques to engage employees with the concepts to increase retention of the material and positively reinforce good security behaviors and just as important as providing a more effective training program to the employees are also solving the gap of insight into the human risks for the organization. Our platform is built on a foundation of metrics that looks human risk across multiple facets. We knew this was important to not only provide an ROI for our product, for our customers but to allow them to target training in the areas that needed it most.

Sloan Foster: 02:35
Well, that certainly sounds exciting. So tell me a little bit more about what led you to this idea and the genesis of it. It seems like a very complicated field, one where a lot of people are trying to solve problems in it. We know problems continually exists. So why did you decide now's the time for this?

Ashley Rose: 02:53
So I can't really take credit for the ideation of Living Security. Drew, my husband and my Co-Founder, he's been in IT and security for the last 10 years. The gap between training and behavior change was really first noticed during the time he spent in the Army. He was actually firing people for making mistakes when he really felt that there needed to be a greater investment in the training for the people. So when he moved into the private sector and had the opportunity to build his own program, he took an unscalable approach to training. He actually created board games and started playing them with employees really to form the relationship with the security team and to make them better, to help them to better understand the difficult security concepts.

Sloan Foster: 03:35
So your MVP at the end of the day was a board game that now you're taking into an immersive platform. How many people have you trained first on that board game and the Living Security Escape Room?

Ashley Rose: 03:47
The board game really launched us into this idea of the Living Security Escape Room, which is what we took to market originally. We take cybersecurity concepts and we immerse them into a highly engaging training experience that you can play as a team. We've trained thousands of people through this in-person training exercise. And the Escape Room was really our way to test out our hypotheses and prove out product-market fit. So we run the Escape Room on-site for clients and at security conferences all over the country and everyone loves it. And then, like you said, we're launching our platform Cyber Escape in August, which will scale the immersion engagement insight to thousands of organizations and hopefully millions of people.

Sloan Foster: 04:26
Ashley, where was the point that you decided you needed to scale those from a physical Escape Room to a platform or software product that you can take to the masses?

Ashley Rose: 04:36
So we even knew before launching the Escape Room that we were going to need to do something at some point to scale this to more employees. The Escape Room we were able to again test out our hypotheses. Find product [and] market fit and validation that all of our clients are loving this. Their biggest complaint is, "hey, we've got tens of thousands, 50,000 employees and we can't train them all through this Escape Room." And so through that experience, we were able to work with these customers and clients and figure out what is the best way to scale the same immersive experience that they were able to give these small group of employees through the Escape Room into something that could be larger.

Sloan Foster: 05:13
Great. So you realized during that process that while you and Drew understood cybersecurity and cybersecurity risk and prevention well. You may not know how to implement the actual technology platform, which is why you enlisted Calavista. Is that a fair assessment? And in that process, what made you decide Calavista over some of the other development teams out there?

Ashley Rose: 05:38
Yeah, because we were already working with some really important clients. October is actually Cybersecurity Awareness Month. We knew that that could be a really high value add to these clients by getting them something like our cybersecurity platform in October. So time-to-market and of course releasing a quality were really critical for us. And those were also the two biggest factors and reasons we chose Calavista. You know, we talked to you guys initially and your industry high success rate of on-time and on-budget really stuck out, and then you guys also came really highly referred from another customer that's in the cybersecurity space.

Sloan Foster: 06:15
Which is Cybernance who we also have a podcast with. You can check that out, that's podcast number two. Just for those keeping track at home. So how are you on track right now for product development, launch? I know you just got back from RSA and some other big conferences. So tell me a little bit about what your, where you are right now and where you expect to be.

Ashley Rose: 06:38
Yeah, so we're, we're on time, on target for launch this August. Again, October is really critical for us being national Cybersecurity Awareness Month. A lot of organizations that we're working with make a big push for their security awareness program and so we already have a lot of companies that are signed up to pilot this, though this platform in that month. And so yeah, everything's been going extremely well. We're really happy with our choice of Calavista and really excited that we're going to be able to offer them this valuable product on-time.

Sloan Foster: 07:07
And when you launch in October, what do you expect the splash to be? I know you've had quite a bit of traction and a lot of people excited about this product.

Ashley Rose: 07:17
Yeah. So we already have close to 45 companies signed up to pilot this. We have a couple customers that are pre-paying for the platform. So we're looking at between 20-30,000 users on our platform come October.

Sloan Foster: 07:31
Those represent companies that understand this need, where their human element has impacted their corporate cyber risk at some level. And understand that you can help solve that through this immersive training program for their employees, right?

Ashley Rose: 07:45
Yes, absolutely.

Sloan Foster: 07:47
So, this is not your first rodeo. You've been a serial entrepreneur. I like to say if you've done more than one and you're considered that. Some other people might have a different definition, but nonetheless, you've been down this road before at some level. What advice would you have for other founders who have an idea and want to bring something to market?

Ashley Rose: 08:08
Yeah. So get out and start talking to your potential customers as soon as possible. The more you know about your market and their pain-points the better you will be able to address them through your product. So we were fortunate we were able to work with some really awesome customers as design partners and the product certainly helped us mitigate a lot of risks.

Sloan Foster: 08:26
Great. And what do you think are the critical components for a successful launch of your platform?

Ashley Rose: 08:32
So we already talked about some of the big ones already. Time-to-market and delivering a quality product. We were able to find a product-market fit with an immersive training experience at the Escape Room and ensuring that we can digitize that to scale without losing the experience is critical. So our design partners and user testing are helping us to ensure that that is a success. And then lastly, I would say the execution of our go-to-market strategy. So we have a highly capital efficient strategy right now taking the Escape Room to conferences as a way of getting new clients and that's proven out to be really successful with our first product. And so we're going to continue to assess and adapt during and after the launch of our platform.

Sloan Foster: 09:12
Great. So I'm going to ask you a couple of more detailed questions about the platform because I don't think we've given enough for people to be kind of wet their appetite, but not giving them a full meal here. So what is your platform going to be in Phase One? What's the capability of doing? How are you going to address some of the issues going on in the market? As you said, 95% of problems are due to human error. So what do you ultimately, what's the detail or nugget that you're actually solving to help mitigate some of that?

Ashley Rose: 09:40
Yeah, so the first version of the platform is going to really be addressing the all-around critical security awareness issues. I'm talking about password security, IoT device, and default credentials and of course phishing links, and the way that we're differentiating ourselves from our competition is through these really highly immersive storylines. So people are actually taking part in the experience and they're part of solving the problem. We've also integrated some different many challenges and puzzles and to them to keep that engagement going, and also incorporating the gamification factor of developing points and being able to play as a team and then keeping score through a leaderboard to keep motivating them to progress through the story.

Sloan Foster: 10:25
How many companies are you hoping to scale those to? You want to touch every major company. What's your sweet spot of companies that would actually use this platform?

Ashley Rose: 10:34
We're really targeting the high compliance regulated industries. The ones that are most greatly affected by breaches, so people on the financial services, government, retail, manufacturing and education, the ones that have the most to lose by the risk of a data breach.

Sloan Foster: 10:53
The way that you're actually, you're business model is an actual software-as-a-service where it's a monthly fee, monthly recurring fee for you to be able to go, your employees be able to go in and engage on a real-time, continuous basis at this level and continue the education throughout the year. Not just at one time when they get given a test or something like that.

Ashley Rose: 11:13
Yeah. The first launch of our series will be set up as a four-week campaign. But, what we're really hoping to do is get people actively engaged with security awareness on a continuous approach as you mentioned. There's also some other areas of the business that we can implement our program into. Like HR on-boarding training so that people actually interact with security awareness when they first get into the company and really just help them build that strong culture from the ground up. In Phase Two and then onward, building out the role-based training and be able to really touch on other important areas like privacy. I'm looking at different compliance like PCI and HIPPA. And then, of course, the, insight and our human risk dashboard is going to be our next big push. Being able to start quantifying the risk and looking at different metrics that we can integrate with different technology systems.

Sloan Foster: 12:04
Great. So today if someone wants to get in touch with you and learn more about one, either the physical Escape Room, which I've actually done, I've done it at Innotech Austin last year and loved it. I'm not a techie. I just play one on tv, or the radio in this case and really enjoyed the interaction part of it and the team building. But so I wanted to learn about that and then also learn more about your platform. Where can they learn more?

Ashley Rose: 12:29
Yep. So we have a website, www.livingsecurity.com. Also, please feel free to email me. It's ashley.rose@livingsecurity.com.

Sloan Foster: 12:39
All right, Ashley. Thank you so much for joining us today and we're happy to be working with you and see great success with your product and excited to be a part of it. So thank you very much.

Ashley Rose: 12:49
Thank you, Sloan.

Full Podcast Transcript:

Sloan Foster: 00:32
Hello and welcome to Calavista Conversations! Today we have experts at outsourcing Russ Finny, principal ITMWeb, and Lawrence managing partner of Calavista. Russ Finny is an advisory partner in research, and are currently serving clients through both the ITMWeb Group and the Stratamation Network. He also assists startup communities all over the world through various entrepreneur programs at the Tech Ranch. He's a former CIO, and in 2016 Russ was named by the Apollo Research as one of the top-five most highly followed US CIO Influencers through social media. He can be found @RussFinney on Twitter. He began his career working with Ernst and Young. Lawrence graduated from MIT with degrees in Aerospace and Astronautical Engineering and Humanities before spending seven years as a US Navy carrier pilot. After leaving the Navy, he returned to graduate school earning his Master's degree in Computer Science from Stanford University. Prior to Calavista, Lawrence spent seven years at Trilogy Software working with various enterprise software companies and development and consulting roles ranging from individual contributor to VP of Engineering. Lawrence and his business partner Sandeep Gupta created Calavista in 2001 as a bootstrap company out of a shared vision in helping companies improve the quality of their software delivery and have been doing so for the past 16 years. Welcome to the show, Russ, and Lawrence. So I thought today we'd start with the state of outsourcing. A lot of companies are looking to outsource as a solution. So where are we, where have we been and where are we going?

Lawrence Waugh: 02:08
Great question. When we started Calavista 16 years ago, outsourcing was, I'm not going to say it was new, but it was not ubiquitous in the way that it is now. Often we had to convince our customers that outsourcing was something that was actually even a viable alternative for them as opposed to something that they just kind of had to do. I think we've come to a much more mature place in the industry where people see outsourcing is really practical matter and it's a business decision as opposed to a sort of a "bet the company decision".

Russ Finney: 02:38
I agree. Sloan, we did some research and I'm going to talk a little bit from some research that we did about three years ago. And in that research, we were looking across a wide variety of companies. We had 500 that participated in the research project and some of the participants were very large companies. One of the largest automakers, one of the largest food and beverage providers, several big technology firms, and also healthcare. And out of that group, we surveyed 500 and then we did deep dives in 20 of those companies and primarily we were looking at- What are you doing around outsourcing best practices? In conjunction with that, how about virtual teams and optimizing virtual team experiences so that we could create a guideline for companies that are thinking about doing outsourcing. What are the lessons learned from these organizations that have embraced it? And then especially if you're working with people that are not within the four walls of your building, they're out there potentially on the other side of the planet, what are the best practices and making that work function and be optimized to take advantage of it. So I'll talk a little bit with you as we go along here and let you know what some of the things that we found during that study.

Sloan Foster: 04:12
Excellent. So where are we now? Do they outsource? Do they not outsourced?

Russ Finney: 04:15
Well, I agree with Lawrence, I don't want to repeat too much of what he just said. I think it's a very commonly accepted in today's businesses to work with partners. The big enabler of that really has been the technology that we've built over the last 20 years, right? So we didn't have the ability to work with a team that was sitting in Bangalore, India without video conferencing and good internet connectivity and the ability to share our coding and also be able to collaborate in good tools. All that exists today. All that is an enabler for us to be able to work together, almost like we're in the same building. So I think that's been the key. But following up on that, I'm doing the best practices around those tools and technologies and it's still a human endeavor, right? So the way that you project manage it has challenges, right? So the way that you project management project manage that, the way that you interact, the way that you plan, it's got to be carefully thought out to be successful.

Lawrence Waugh: 05:28
I think that we've gone from, there are a couple of things that could be outsourced. Perhaps you know, your payroll, you know, back in the 80's, that was a big thing as well. "We have a company doing our payroll, we're not doing it ourselves." To now there are very few things that companies will not consider outsourcing, all the way to what was once considered purely creative content in terms of marketing, or a strategy and things like that where people are actually willing to accept the fact that there may be people who do this for a living who are really expert at that one thing. And those are the people you want to get doing that thing for you.

Sloan Foster: 06:04
So what would be some circumstances where outsourcing, and you just named a few where today, if someone is looking at outsourcing, where do you think they should look and assess? What would be the best thing to outsource?

Lawrence Waugh: 06:15
Well, it kind of goes through, there's a lot of reasons to outsource. One is if you have a skills gap. That is, and we'll just, you know, I could talk about software development, but let's look at payroll. So you know, if you have to hire someone, you can go to jail if you get your taxes wrong. So you want to get that right. And so you either hire someone who has spent a lot of time getting it right, or you outsource that to a group of people who have spent a lot of time getting that right. So if there are things that are very important to you to get right, and that's certainly something to talent source if you are not sure that you have that skill set easily available in-house. Other reasons of course, or to save money or to distribute risk or other things like that. So there are all sorts of different reasons outsource that apply to different areas of your business.

Russ Finney: 07:01
So, Sloan, I'm going to talk a little bit in the context of IT departments because most of our study focused on the IT function in these companies. Across not only the technology side of it, but also the application development side and where they were utilizing service providers that may have been in their own city. But again, that could be nearshore or offshore and so we did ask this question- "where are you employing outsourced resources?" And for now, let me just talk about the systems development life cycle. So if you think about that upfront on the planning and the analysis side of it, it's very tough for an outsource group to have the insight to be able to do the planning and analysis. It's generally those companies were using there inside the house resources or if there are product developers. Like right now we're seeing them agilize and were surrounded by product developers here in Austin, Texas. Same thing. They've got to be able to think through design and architect, whatever it is that they're going to build. So that tended to be a small percentage. So maybe 14 to 22 percent actually would use an outsource resource for something like that. The wide majority were using their own resources. As it got more into a design, it jumped up to about a third would you use some sort of an outsource resource to help. But then in the building and testing, uh, that's when it got really heavy with the companies that we were surveying. So eighty-six percent now, not across every single project, but eighty-six percent said that they would use outsource resources for building something. So coding, working in a framework, a configuring and then with testing that dropped down just a little bit, 75 percent. [It] drops way down and deployment, but then it goes way back up to 70 percent on maintenance.

Lawrence Waugh: 09:08
I think that one of the things that are most commonly seen as a benefit is the ability to leverage expertise that's difficult to find. So for instance, we had a prospect approach us about they wanted to migrate their applications off to Microsoft's Azure Cloud and weren't really sure how to go about starting to do that. What we've done that before. And there were some pitfalls, so we were able to sit down with them in a formal setting and go through, you know, a dozen or more managed services that the Cloud provides. And say, "All right, so here's the problems that we've run into when we do this. You think that this is going to work this way, but it's not. You need to make sure that you've done this." These are things that you only learn by experience. And so a good example is that sort of thing where a company either has to hire someone who has done this before or several people who've done these things before. And in the case, a dozen or two dozen managed services has done all of them or you know, 3-4 people who together have done this or you go find a provider who collectively has done that and can advise you. Again, the same way you hire a tax professional because they've done so many tax returns. They know the answer to the questions that are difficult to find. So very often one of the best things to outsources is something that is complicated but not necessarily core to your business. That is whether my data [that] lives in Azure or lives in AWS or lives on my server may not be fundamentally important to my business as a whole. In other words, it's not what my business is maybe an accounting firm or in this case, it's a bank. They don't really care about the software technology. They just want it to support them.

Sloan Foster: 10:49
So to that point, what are some overall best practices for getting the most from your external team, especially around agile processes?

Russ Finney: 10:58
Good question. So we uncovered about 10 factors and I'm not going to go through all 10 right now, but as we go through the conversation, we'll probably find our way through those. But a couple of things really stood out and we created a diagram which is a framework of this best practice for doing outsourcing and also doing virtual teams and being successful in virtual teams.

Sloan Foster: 11:24
Can that be found on your Twitter feed?

Russ Finney: 11:26
It can be found on my Twitter feed @RFinney. You'll find that diagram. But it's the real foundational at the top and the bottom of the diagram, two key components. One was what you choose to apply outsourcing resources to is very important. So the projects that you choose, the locations and also the aptitudes of the team-internal and external on being able to do this in a virtual outsource way. So not every single system, project, infrastructure, or even managed service will work well in an outsourced setting. So really trying to work your way through to find the ones that feels like it's going to be a fit. So that was number one from the companies that we talked with. You've really got to be selective on what you're going to apply this to. Make sure the teams that are gonna participate have an aptitude and a willingness to be working in that mode. I'll stop there for a minute if you have a comment.

Lawrence Waugh: 12:38
Yeah. So, you know, deciding what areas outsource from my point of view, it's- what do you need help with the most? There are ways to, outsource. Most of the things that you're going to want to consider outsourcing, it's, I do agree that sometimes, you need to make sure that the team, well, no, always, you need to make sure that the team you've chosen as appropriate. And the way you do that in my experience is you actually treat them like you treat any other employee. You should not think, "oh well, you know, I'm going to um, go outsource. So let me just go online and find the cheapest one or the closest one or the one that who's name I liked the most." You wouldn't do that when you're hiring an employee, and this is arguably you're hiring a bunch of employees.

Lawrence Waugh: 13:21
So you want to make sure that you're kind of doing your due diligence. For Calavista, we actually don't work with individuals. We only work with entities, so organizations that we have worked with in most cases, for over a decade now. So when we go bring on a new partner company to work with us, we'll spend a ton of time and that will go. We'll fly to whatever country they're in, whether it's an eastern Europe or South America or wherever. And we'll spend time with them. We'll look at their development processes, we'll meet their people, we'll interview people and on any project we'll interview those people pretty heavily. That is through resume screens and face to face via video conference to really make sure that there are people that we would want on our project just like you would do with an employee.

Lawrence Waugh: 14:01
So I think that one mistake that people make is thinking that hiring an outsourced (well in my case, you know, development group) might be like hiring someone to cut my lawn, which is, it doesn't really matter as long as they sort of know what they're doing, it'll be OK. And that's, that's not really the case. You need to have an organization who is not only very competent and more competent in arguably then you might need for a local hire because they're not going to be local. So they have to sort of step it up a little bit more. But not only do they have to be competent, but they have to fit in with the organization structure and they have to be able to work well in your environment.

Russ Finney: 14:34
That kind of leads into number two of best practices that we uncovered in. It's exactly what Lawrence is saying. The way that they expressed it, is about building trusted relationships. So it's not just utilizing resources based on resumes. Of course, you want to qualify who you're working with. I think it's also a best practice to try to if you've got somebody who's really uncovering and understanding of your business in depth, you want to incentivize them to stick around and stay your partner and also make sure that their resources are a hanging in there with your projects as well. So the continuity's important, but that all goes into the building the trusted relationship. And that's a year by year thing. You know, in the beginning, it starts out as a week by week thing. But for most of the companies that were in our study, they have a long relationship with these providers.

Speaker 3: 15:31
I don't want to really jump. I'm sure there's going to be a question about this later, but people talk about the pitfalls of outsourcing and "Oh, isn't there a high churn?" and things like that. And the answer that is no. Well, there can be, but you know what, what I always say is "if you hire someone and you treat them like fodder and you pay them poorly and you give him crappy things to work on, well your employees are going to quit." And if you do that with an outsource team, if you say, "well good, I've got a bunch of bodies here, I'm going to give them all this grunt work and I'm going to pay them poorly. I'm gonna expect them to be working, answering my phone calls and my text messages whenever I feel like reaching out to them."

Lawrence Waugh: 16:07
Yeah, they're going to get tired and they're going to leave. On the other hand, you feed people interesting work. You make them part of your team. You respect their opinions. You let them know that they're valued and by the way, you work with an organization that pays them fairly. They'll stay for years. We've had people on projects for well over five or six years. It's like an essay Humphreys wrote once about how developers don't quit, you drive them away. Once the developers happy at your organization, they will suffer through a lot to stay with you. And so same thing is true for outsourcing. Outsourcing can be an incredibly stable workforce if you do it right.

Russ Finney: 16:43
I want to make one other comment on this one before we move off Sloan. I know I know we've got a lot to cover here, but I think another little secret ingredient little magic formula is having an opportunity for face to face. Even if you're working with somebody halfway across the planet, getting one or two of their resources to come and in with your team for a little while or having the same happen in the other direction too where people have met each other. Maybe they've had lunch or dinner together. They've had some socialization. It makes it a lot easier than when you're working on the phone or through that video link when you have that relationship built.

Russ Finney: 17:34
People are empathetic to all the challenges that are in front of them when they've been through that.

Lawrence Waugh: 17:41
Yeah, you gotta do that. And Russ is absolutely right. We do that on almost every single project where we either bring most of the team over or all the team over and all of our Managers and Architects typically travel once or twice a year to go see the teams they work with. Because it's incredibly important to build that relationship. Again, you know, the whole thing is you don't want people to feel like cannon fodder. You want them to feel like a valued member of the team and the best way to do that is to make them a valued member of the team and respect their opinion and, and let them know that you care about them and want to want to face to face with them. And so that's a huge part of it.

Sloan Foster: 18:15
And take time to develop the relationship and feel a part of the relationship. So you've answered a couple of my next questions, so I'm gonna jump ahead. How do you validate a candidates firm, background, and credentials? You said video, you said, you know, kind of embedded with the team. Are there some other things that you do to make sure that before you get to that point they're who you want to work with and you validated them?

Lawrence Waugh: 18:38
There are a couple of things that we do. And I said before we only work with organizations, for a couple of reasons. One is it's kind of easier to check on an organization's reputation that is to check in individuals. I think I've told this story but I'll bore you with it. I think it's kind of illustrative of the one of the reasons we only work with organizations is you just don't know who an individual is. And so one case we had a customer we're working for and they brought in their own UI (User Interface) designer and the guy was in Romania and he was good. He did good work and we liked him. And that was fine until a week before the deliverable, we were making last-minute changes and you suddenly disappeared. He just dropped off the grid. No one could reach them. And of course, he's in Romania. So what are you going to do? You can't drive by his house? So you can text him and call them and email them and you know, who knows where the guy lives, he's just a name on it. So I'm at this point it was a sort of ubiquitous video conferencing, so we hadn't even seen the guy. But anyway, so he dropped off and we finally, Calavista had to hire someone locally to kind of finish his work so we get the thing out the door. That was painful and costly for the customer. And again, he was their guy so it wasn't, you know, there's only so much we can do. But anyway, week after the project went live, he showed back up suddenly like, "Hey, sorry how are things going?" you know, we're like, "where the hell did you go?" Well, so the answer was, "well, um, yeah, I was grounded, my mom took my computer away", and as it turns, as it turns out it was in high school and you're making good money for a high-school kid. But the point is you just don't know, so we work with organizations because it means that first of all, you know who they are. There's a record, you can go visit them, there's a recourse if they do something wrong or they violate they've breached their agreement. It's much, much easier to hold an organization accountable for IP protection, for instance, than it is to hold an individual. An organization is much more to lose if they let people kind of play fast and loose. And so that really helps. So when you're, again, trying to figure out who the people are to work with, you have to trust the first and you do that by reputation. Do that by visiting. Did you do that by meeting with Architects and Engineers and talking about, are we in sync on how we deliver software? And then once you like the organization, then you start meeting the individuals and see who would we work with and you know, and, and just meet as many of them as you can and realize, yeah, this is kind of a kindred organization and there are a lot of organizations that aren't you and OK, they're, you know, they're not stupid or anything like that. There are their methodologies and their work style is just not compatible with us.

Russ Finney: 21:16
So I might just add another point on what Lawrence just talked about and what we found as far as companies depending on the size and the sophistication, the company that was utilizing the resources. If it was a very small company, let's say, to start up and they have a very limited amount of money in their seed capital to build something and they may use some resources that are located in another country because the dollars are going to go so much further to utilize those resources. And they may not have a legal entity in the US. So they're just doing something via email in a foreign country and the wiring money to them. And getting the code back, right? It's very difficult to enforce the agreement in that situation. But a small startup company may take the risk, but a large firm, at least the ones that we were working with on this study, they wouldn't do that. So there has to be a legal entity established in the US and when they do their contract between the outsourcing firm and the company, it's a large automobile manufacturer that legal agreements going to be a US entity to entity us entity that entity agreement with some kind of a jurisdictional definition either in a certain state or county or whatever to resolve disputes.

Lawrence Waugh: 22:44
Sure. And that's one of the reasons actually customers use Calavista is because we are local US company and in many cases local to them, but we have resources all over the world via our partnership companies. It gives them a local, US-based, full weight of US law on our shoulders, a throat to choke. And that works really well for a lot of companies rather than just finding one themselves offshore. Because again, if you're not going to go out there and visit them and spend time, well it's a lot easier to do that with a US-based company.

Sloan Foster: 23:11
It kind of goes to my next question, about certain steps which should be taken to protect internal IP. It sounds like working with a legal entity, the legal entity to a US-based legal entity at least helps alleviate some of that. What are some other things that you would put in place, or have put in place to help protect your internal intellectual property when you're outsourcing?

Lawrence Waugh: 23:30
Well, I think that the first thing is IP is really a hot-button and people will say often "well the problem with outsourcing is it's hard to control your IP." Or "how do you protect your IP?" I don't mean to be the doomsayer, but I have to say the fact that you hire your own employees doesn't mean your IP is protected. It is really easy because it tastes a keystroke to send your entire code base to someone whom you don't want to see it. And it can be done just as easily from a desk inside your office most of the time as it can be done from someplace else. Right? So, so people delude themselves into thinking, "oh, because it's all US-based my IP is somehow safe." It's all about the people you work with.

Lawrence Waugh: 24:12
If you have people who want to steal your IP and they have access to it, well they can steal it. And so again, it comes back to reputation and it comes back to having a lever... Again, if you have one person in Romania, or you have one person who's far away, and they do something they shouldn't do with your IP. What are you gonna do? I mean, who in Romania do call to go try and put a stop to that? Well, if you're working with a 3000 person company in Romania or Slovakia or you know, wherever, wherever the company is, well, there is a much, much better chance that you can get them to cure your problem. And so the first thing to do for IP protection is to realize that the risk is not the fact that you're outsourcing, the risk is the technology you're using to actually manage you're coding, your IP. Then it is worth choosing who you work with carefully and investing the amount of time it's going to require to make sure you're working with people who are going to respect your IP. There are companies and countries that Calavista will not work with because we have seen, not through our experience, but through other companies experience, an inability to protect IP that in those cases.

Lawrence Waugh: 25:27
So basically know who you're dealing with, making sure that the entity is large enough that you can have an impact on them and they'll care. And then, um, reputation.

Russ Finney: 25:41
Just a couple of additional points on that one- It's really important. So I work with a lot of defense contractors, aerospace firms, they're very sensitive about designs and they're also sensitive about code, right? And in many ways, we're solving this problem through all the Cloud services that are coming up. Especially the high reputation, you know, big Cloud providers that we all know and that were somewhat taken advantage of even more every year. But what I've seen at the companies that really have high sensitivity about this, is not only the employee awareness that Lawrence was talking about, but also having the products in place, the repositories in place that have good access control, good audibility, making sure that depending on how sensitive things are that only need to know or need to see or need to touch. Right. And then when people are doing that and being able to trace through who was doing that or when did it happen. So that if a breach occurs or if you find your IP showing up somewhere else where it's not supposed to be, that you can actually build a trail back to determine how that occurred. And then you've got a better case to go get a resolution through whatever method you use.

Lawrence Waugh: 27:05
Yeah. And that really comes down to tools and processes. Like at Calavista when we work with a customer, we will internally provide them with their own IT sub-net and so, you know, Calavista may be working on a project, and because I'm on that project, I am on this subnet, I can't get to work from other companies, I just, I can't. And nor can any contractor from one project to see it and when we do that, so there are also tools in place, but the point is we even take it down to the hardware level to try and make it so that we are really aware of who has access to what and when and make it really easy to turn people off when they leave the project. It takes a little bit of discipline, but that's, there's no substitute for that.

Sloan Foster: 27:51
Well that actually answered one of my next questions which were creating a common development platform or for co-development, but you've answered that. So moving with that, so quite ahead of the curve here. So moving right along, are there any current security setups or audits which should be considered when you're outsourcing? You mentioned access control, you mentioned some other things. Are there any other best practices is perhaps part of that 10 that you mentioned that can help with security and really walking down that particular environment?

Russ Finney: 28:22
Well, talking about system development kind of things, really the best practices are going towards the outsourcer comes to you and you control the environment they're working in. That's really the state of the art best practice. But you still see companies where they'll do a mirroring of the source code and a mirroring into the system into their systems. But none of that reaches production without going through some kind of a quality check as it comes back. So I'd say that's the two probably most common that I see these days. I don't see it as much where they have full control over the whole environment or where they have the environment in their own country. It kind of depends on the company in this situation.

Lawrence Waugh: 29:11
And there are numerous certifications you can try to get, this isn't really the place for all of that. But we also do that exact thing where we basically provide a lot of stuff has done in the cloud nowadays and so it's really easy to have people, you know, from around the world accessing repository in the Cloud. What we'll do is actually set the Cloud up so it can only be accessed from Calavista and then require everyone to tunnel through Calavista on their way. And that way we know who's doing it, and when someone's not on the project we'll click their VPN is off and they can't get to the repository anymore. We don't have to go around and say, "oh well, you know, there are 18 servers in the cloud doing different things and let's go to each one and change the access list to this person." You want to make that as manageable as possible and as streamlined as possible.

Sloan Foster: 30:00
So wrapping up here, is there anything that you would suggest. You've mentioned some best practices, kind of one last parting thought about outsourcing and the value of it or things to be aware of when you're doing it.

Russ Finney: 30:14
Well. One other one would have a cadence of contact with your provider. So it could be a weekly meeting or daily meeting. It depends on what the project requires or what kind of services they're providing. But I think a good touchpoint cadence, and I know some companies like to have a, there are resources out there in a messaging, it could be a Microsoft messaging tool or any of the messaging tools that are out there. To where they actually see their online or they're not online or, or they're listening or they're not listening so they have a better feel for are the people that I don't actually see, are they really tuned in to what we're doing. So a little bit of cadence. I also think video helps a lot. So of the tools that are out there today, there's so many. Starting with Skype and then go into all kinds of different toolsets and Webex and Zoom and everything else. If you're able to do that. It gives you more confidence. Some cultures don't like to be as blunt as Americans are, you know, and expressing opinions. They're doing it non-verbally [through their] expressions and it really helps to be able to see the faces, especially in certain countries of the world where they're not agreeing. You're not seeing it, but they are definitely not agreeing. And I can see it.

Lawrence Waugh: 31:41
Russ is absolutely right. There is no substitute for video conference. We're really big on that. But not only just, "oh, there's a video conference" because we've had this where there's in the conference room a video camera, and so you see six people sitting around the table. That doesn't work. That's not enough. You can't see the micro-expressions, that flutter of doubt that crosses someone's face when you want them to do. You miss it because you just see this room of people who are kind of staring up at some point in the distance, which is the camera. You've got to be able to see their faces and it's gotta be clear. So that's basically HD and a camera, Webcam or whatever that is focused on their face. And so whatever technology you use from our point of view, Calavista's point of view, that's what it has to be. Otherwise, you're just kind of checking the block and not actually getting much out of it.

Russ Finney: 32:28
Well, I was just going to add... Also being a little bit balanced in a timezone so it doesn't always have to be in timezone and they are working in the middle of the night. I mean occasionally go ahead and stay late and that way they're working during the business day. So a little bit of those trade-offs helps a lot in morale on both sides.

Lawrence Waugh: 32:52
And that's sort of treating them like fodder thing. If you know, they've got lives, and you want to respect their lives, and you want them to be happy to come to work. And not see it as a death march. But I will say I have a blog about the top 10 ways to make your outsourcing project fail and the first way and the on the list is to not start.

Lawrence Waugh: 33:21
I find that a lot of people treat outsourcing as, you know, it's kind of when you are, you hire the cleaning company or you want to hire a cleaning company for your house. But first you have to clean your house because it's like, you know, you've got to kind of get things under control before you can hire somebody. And really what you should do is hire someone to come in and get your house under control. So people will say to us all the time, "oh, I really want to outsource this project but we're not ready. We need to like kind of get all of our ducks in a row." And what they don't realize is that there are companies, and you know, of course, Calavista is one of them, but we're certainly not the only one their companies that can help you get your ducks in a row.

Lawrence Waugh: 33:52
And so for instance, if you need to put down on paper the requirements for this project, well, again, there are people who do that for a living, that is what they do. They do software requirements and there are companies that are software development companies or even just companies that just do requirements that can do that for you. So if you can find a company that can provide you sort of the turnkey service of we will show up, become part of your team and help you get those requirements on paper and then help you put together a strategy for how to deploy them. And how much of that, if any, you want to outsource. And then what that's gonna look like. You can actually get a lot further than you'll think without being as ready as you would think you have to be. So I think what I'm trying to say is you actually, you know, for those of you out there who are thinking, "oh yeah, outsourcing sounds great, but we're not in a place to do that." You might be, you just need to pick the right partner who can help you get from where you are to where you want to be.

Sloan Foster: 34:43
So as far as more information, Russ, I know you mentioned you have this wonderful document you're using to talk about the research that can be found at...

Russ Finney: 34:51
I'll put a link out there on Twitter @Rfinney. I'll put a link to the report that I'm referencing and it's about 16 pages or so and it's full of best practices around what Lawrence and I are talking about. And this is mainly a discovered from these 500 companies, just what they, what their insights were on doing that.

Sloan Foster: 35:18
I will also post a link on the Calavista blog. It's www.calavista.com. And you can also follow Calavista on Twitter @Calavista. So thank you all for listening and look forward to having you tune in next time for Calavista Conversations! Thank you, Russ. Thank you, Lawrence.

Full Podcast Transcript:

Sloan Foster: 00:32
Thank you for joining Calavista Conversations today. We're happy to have the CEO and founder of Cybernance and the studio with us today, CEO Mike Schultz. Mike has spent over 40 years in technology software in cybersecurity experience, managing complex projects and sales programs for fortune 100 clients. He's widely recognized for his extensive and in-depth knowledge of all things cyber, security, risk management and compliance. He is the founder and Chief Executive Officer of Cybernance an industry leader in cybersecurity risk governance. Mike's been responsible for the security of massive database programs such as the airline and the TSA terrorists tracking program and insurance fraud, he is a frequent guest speaker at the University of Texas Mccomb School of Business and serves on the Cybernance Board of Directors. Hi Mike! Welcome to Calavista Conversations.

Mike Shultz: 01:23
Thank you. And thank you for having me. It's a pleasure to be here.

Sloan Foster: 01:26
Well, thank you for joining us. So Mike, tell me what problem are you solving at Cybernance, and what value are you providing to your customers?

Mike Shultz: 01:37
Cyber risk is becoming better known all the ime, and is now one of the three greatest risks to an enterprise according to the National Association of Corporate Directors. The financial risk is massive as most people know. The reputational risk is even greater. And so our business is based on solving cyber risk from a governance standpoint, lots and lots of businesses and billions of dollars have been invested in the creation of perimeter defenses for cyber protection. And what we've done is created the internal defenses, the people policy and processes part of that governance.

Sloan Foster: 02:15
That sounds really great. And you've done that through a technology format through the platform?

Mike Shultz: 02:20
Yes! What we've done is essentially automate in software the process to analyze and assess a company's maturity and resilience to the NIST CSF standard as the National Institute of Science and Technologies Cyber Security Framework, which only shows why they call it the NIST CSF instead of spelling out the whole name.

Sloan Foster: 02:41
And how many other platforms are NIST certified?

Mike Shultz: 02:47
Well, it's a fair question, but it can't be answered directly. So let me just say that this doesn't certify any platforms or anybody's organization. We did, however, submit platform and technology and the company to the analysis by the Department of Homeland Security Safety Act Office. The Safety Act office brings forward congressionally passed laws relative to the limitation of liability of companies in the event of a terrorist or cyber attack on a business. We are the only software that brings the NIST platform into the marketplace. It is approved and vetted by DHS and further than that, they provide liability limitations for our customers up to, and potentially including a hundred percent immunity from third-party liability.

Sloan Foster: 03:41
Which is really big on the market right now. You've heard about all the breaches. Obviously, I shouldn't say you. I know you have. I have. And everyone listening has as well. So I'm assuming that's how you identified this need in the market, was seeing the crazy headlines about all the breaches?

Mike Shultz: 04:00
Well, it was actually before that, we became intrigued by this opportunity, I had been the CEO of a company called Info Glide Software a number of years ago when we sold that company to Fico Fair Isaac. And during the period of non compete, I began looking at the marketplace and in the business and thinking through the "what's next" piece. And that was at about that time that I read a quote from a speech given by the head of the Securities and Exchange Commission, Luis Aguilar who said that the opinion of the SEC, members of Boards of Directors could and should be held personally liable in the event of a cyber breach. I'd never heard of any government officials say that before and it really intrigued me. We began looking at it and we clearly now are in a position where lawsuits are being brought against the management and the officers and directors of companies with names like Yahoo and Equifax and etc. The liability for individuals personally is massive. And the Equifax breach alone it could be into the billions that would be with a B, billions of dollars of personal liability.

Sloan Foster: 05:16
It's really very disheartening to think about, but also exciting that there is now a solution out there to perhaps solve that problem in the marketplace?

Mike Shultz: 05:21
We think so, yes. And we're excited to be doing it. I personally have precious little sympathy for companies who don't do the right thing with my personal identity. I've been breached so many times that I can hardly count them. I was breached by the federal government in the office of personnel management breach. I've been breached by the IRS have been breached by the FDIC, have been breached by Equifax. I've been breached by Experian. So, you know, maybe the right thing to do is to hold people's feet to the fire if they don't do the right thing. And of course, what we're trying to do is help people do the right thing.

Sloan Foster: 05:58
That's really great. And so how long once you solidified that idea that there was a need in the marketplace that it take you to go from idea to execution?

Mike Shultz: 06:06
Well, the first part of the first phase of the process was to define the problem in more detail and begin to define what we thought the overall solution might be. That took about six months. At that point, we then made a decision to outsource the development. And let me just say for me, this is the first time I've ever done that. I've run lots of software companies and I have never outsourced development before. I always thought that was part of my crown jewels. And so going through this process I had to get comfortable with the fact that that made sense. And we looked at several companies, we settled on Calavista, and the Calavista process from beginning to a minimally viable product was about six months. Very fast. I was more than a little bit shocked.

Sloan Foster: 06:55
Pleasantly so?

Mike Shultz: 06:55
Yes!

Sloan Foster: 06:59
And it worked. And as you said, it's one of the first or the first NIST certified platform that's out there.

Mike Shultz: 07:03
That's right.

Sloan Foster: 07:04
So it was a unique field, if you will, Greenfield, that you had to grow into and trust your technology partner to do that.

Mike Shultz: 07:10
That's exactly right. And at the end of the day, it was a very good experience.

Sloan Foster: 07:14
Good. How long have your customers been using your solution?

Mike Shultz: 07:18
We've been in the market place with paying customers for just a bit over a year.

Sloan Foster: 07:24
How large are your customers?

Mike Shultz: 07:32
They are as small as The Center for Child Protection here in Texas and as big as Northwestern University, Boy Scouts of America. We have 11 critical infrastructure energy delivery companies that are processed through our relationship with the Department of Energy. So they're very, very big and some that are not so big, you know, the Center (for Child Protection) has probably 80 employees and we're working on projects that have something in the range of 100,000 employees.

Sloan Foster: 08:05
And so ultimately, what is your goal? Mass domination, world domination with this product, or what are you doing? What's your plan for the next few years?

Mike Shultz: 08:15
Well, I've been at this for a long time. This is my sixth time to be a CEO of a technology company.

Sloan Foster: 08:20
Congratulations! I guess?

Mike Shultz: 08:28
You'd think I'd learn, but maybe not. So it's not about world domination and it's not about becoming rich. It's about building a business that makes sense, contributes to the business community. We're creating a great place for our employees and our partners to work and be engaged and I know that sounds sort of a little bit too philosophical, but that's actually the truth. That's what we're trying to get done.

Sloan Foster: 08:54
That's probably what you learn after many times of being CEO, what's really important, right? Do the right thing. And the right thing will happen.

Mike Shultz: 08:59
Yeah. And the rest of it we'll take care of itself. We believe very strongly that the cyber risk to our economy and our country is really, really substantial. And if we can do something to help with that in a meaningful way, that's all by itself was a good thing. If we do those things, everything else will take care of itself.

Sloan Foster: 09:23
That's great. Do you have any idea of how many risks you've prevented so far with this or with your platform? Are you able to articulate?

Mike Shultz: 09:38
Don't know, I wish we could. If you think about the level of breach activity in the and the rate at which it is increasing. We could extrapolate all kinds of crazy numbers, none of which I could justify, but if you consider the growth of cyber breaches and the number of events that are now logged. Folks that keep track IBM, Ponemon Institute in those, we're in the thousands and thousands of breaches a year now and it's getting worse.

Sloan Foster: 10:05
They find a way in it seems like.

Mike Shultz: 10:05
Yes.

Sloan Foster: 10:05
So you said that you've been in the market for a year and all your clients have been using just over a year. So you've seen quite a bit in your 40 years, as you said, several times a CEO, what ultimately made you decide to outsource the software and times when you haven't before? What was a deciding factor for you?

Mike Shultz: 10:27
Well, there were a whole set of criteria that we thought through as we were making the decision. The first is to determine whether we want to stand up a development organization, hire people, and all of the bits and pieces that go along with that. Our application was relatively straightforward and we didn't necessarily need to hire people with great expertise in a very specific area. We were going to be involved in more general sorts of applications with some need of some specialty capability in the area of user interfaces with an example, and also in the area of database design and database management. So rather than building a large and expensive organization, it made sense for us to outsource the development to get what we call a minimally viable product. That's a product that we could sell to somebody for money, which is different than giving it to them.

Sloan Foster: 11:31
Right, important when you're a company?

Mike Shultz: 11:32
Yes. Yes. Sell it to somebody for money and actually stand behind the product. So as we moved forward, the leadership at Calavista was known to some of my partners and we spent some time not just with Calavista but with several other businesses and other competing companies and concluded that the expertise that was nested within Calavista. This is going to sound a little bit silly, but their approach to the business was such that, I've got very comfortable with how they work. If you ever go visit Calavista, there's this crazy little tagline that they have, it says 'no drama!'. And you go yeah, right no drama and you keep going. But the fact of the matter is software development is chocked full of drama and anything that starts off by saying we're going to try to minimize drama, that's probably good. Drama is things like surprises, bugs, slipped events and schedules. All of those things create drama. And so for me, spending time with Lawrence and then thinking about the no drama piece and the level of expertise that they have on staff. It made it easier for him to make that decision. I got very comfortable.

Sloan Foster: 12:54
Yeah, it is. It's interesting how many things have drama in it when you're starting a company and as many things as you can minimize that drama with a better off to get your idea and product to market faster. Let the people do what they do well and keep that drama out. So as Cybersecurity, you mentioned there are thousands of breaches a year. It's an evolving problem/industry and there's a lot of quote "solutions" coming out on a consistent basis. How does Cybernance maintain the lead in this continuously changing environment?

Mike Shultz: 13:22
Several ways. Clearly, it's an ongoing challenge that isn't going to change. The interesting thing is that we approach the business from a little different a vector. Most businesses involved in protecting organizations from cyber threats are focused on the external threats, the perimeter defenses, and that's about building the walls higher in the moat deeper. As it turns out, north of two-thirds of all breaches over the last couple of years have not been external threats, but have been failures of the internal defenses and that's where we focused. So we focused on the application of the NIST CSF standards internally, and that's about managing the people activities, the policies, and processes within the company. That has the single most significant effect on protection from breaches. So first and foremost, the vast majority of the investment in cyber protection has been externally. And so we have less competitive, threats to us in the space that we've chosen to be in. The second is that the application of the standards has given us a substantial leg up because it isn't a Mike Schultz and his band of merry men saying that this is the right thing to do. This is a standard that was created, funded by the federal government, but quite wisely created with the input and constantly evolvement of thousands of contributors from government, industry, and academia. It's a constantly evolving standard as risks become better understood or appear on the scene. So we're able to continue to evolve with the standards so that we are rock solid on what we're standing on. This is not an opinion, these are the standards. This has become the gold standard for cyber governance. And so that's us. The other piece is we have a continuing relationship with our partners, Calavista, of course, being the leader of those, where we're involved in constant improvement, continuous improvement cycles. So we're able to continue to adapt the software and the application to the marketplaces changes. And we continue to do that, as an example the NIST organization and other organizations who have specific standards around industry or technical needs, like healthcare information that's governed by the HIPPA standards for cyber. Through the team at Calavista, we developed crosswalks between NIST and health and human services so that we can automate the HIPPA standard within the standard that we already have. We've done that also with a standard around financial institutions called FFIC, but we're also in the process of adding additional standards to the basic platform that include the New York Department of Financial Services standards, the International Standards Organization, ISO 27001 and et cetera. So we're able to very quickly respond and react to the marketplace as additional standards and additional crosswalks occur. So we're always at the very edge of what's available.

Sloan Foster: 17:05
That is actually quite impressive that you're meeting all of those different standards in those different market segments kind of through NIST and through those partnerships.

Mike Shultz: 17:15
It's a fascinating challenge! Back to the question, you asked me earlier, why did I elect to outsource versus a build a development team internally. As we move rapidly to face competitive threats and to make sure that we are always at the forefront. The ability to access a large organization with multiple capabilities and teams allows us to have a Chinese menu. You get egg roll and we can get, we can get user interface people, we can get a database, people we can get additional testing people that begins to match our need as we're developing product and moving into the marketplace. So that's a key part of our success is the ability to be able to depend upon our partners to help us stay at the forefront.

Sloan Foster: 18:10
Keeps you nimble.

Mike Shultz: 18:11
Sure does.

Sloan Foster: 18:14
And we know that's critical to business success in this day and age, right?

Mike Shultz: 18:15
That's right.

Sloan Foster: 18:17
Adapt or die, I think they say. Is that right?

Mike Shultz: 18:20
Yeah, I say it because I'm a lot older. I say things like, don't pour concrete.

Sloan Foster: 18:24
There's a saying for everything. Right? So as a serial entrepreneur and seasoned one, I'm sure you have experiences that others may benefit from. What is your number one lesson you would want another founder to hear if they were thinking about doing something in the market, any market?

Mike Shultz: 18:40
You'll hear people talk about cash, cash management and cash in your hand as being really important and I would suggest that they're wrong. It's not really important. It's way more important than that. So be careful about building large organizations, be careful about investing in things that don't bring you immediate results, but the marketplace is so tuned to providing specialty services and special capabilities that you don't need to build a big organization today. It's as simple as I can time slice my car by using Uber. So I need to, do I need to buy a car, do I only need to use Uber to get to where I want to get to? The same thing is true and office space, in compute capability and it even comes down to software development. I time slice software development by not building a big organization, but instead of buying the services that I need at the time that I need them and it helps me manage cash. And so I'd say that the number one issue for me is figuring out how to get your job done on the minimum dollars that it's going to take to get there. Then just manage that cash really, really hard.

Sloan Foster: 19:56
Great, that is a good motto. Right time, right action at the right time. Right? And that helps with that.

Mike Shultz: 19:59
That and the first guy who suggests that you put your name on the building outside. Fire him.

Sloan Foster: 20:06
That's a good one too. So I'm kind of wrapping up if a company wanted to use Cybernance, how would they find you? How would they engage with you? What does that process look like?

Mike Shultz: 20:18
We provide our capabilities both on a direct basis and through reseller partners. If we're back to today's world and only spending money on things that you should spend money on, we're really easy to find. If you just type cyber governance into any search engine, you'll find us. We're relatively well known in that part of the world. You also can find us through our partners and obviously our website is readily available.

Sloan Foster: 20:51
And that's www.cybernance.com?

Mike Shultz: 20:51
Precisely.

Sloan Foster: 20:59
Okay, great. Anything else you'd like to add today about Cybernance and the wonderful things you guys are doing?

Mike Shultz: 21:04
It's a great run. I'm sitting here now after having our first birthday some time ago and installing our platform for customers. We're a SAAS business and so we work on annual renewals. And this will give you a sense of the quality of the offering that we've presented, and kudos to my dear friends at Calavista, we have a hundred percent renewal rate.

Sloan Foster: 21:33
Congratulations! That's awesome!

Mike Shultz: 21:33
Thank you!

Mike Shultz: 21:40
I need to be doing business with more people, but that obviously never changes. I don't know if I would have believed a year and a half ago that I'd be sitting here today saying that a hundred percent of our customers have renewed. That's a pretty big statement about the quality of what we're doing.

Sloan Foster: 21:57
That's a huge statement. I mean churn rate isn't as a part of every sales conversation that I'm in, especially coaching startups. So congratulations to the one year birthday and to the 100 percent renewal rate! Both of those are very big successes and we need to celebrate success big or small. So congratulations and thank you very much for your time today. If you need more information about Cybernance, again, www.cybernance.com. Thank you.

Sloan Foster:
Hello everybody. Welcome to the first edition of Calavista Conversations. I'm Sloan Foster, CMO at Calavista and today we have a friend of mine, Jeanne Teshler in our studio, who has a young tech company focused on healthcare. We've known each other for quite a while and [I’m] excited to hear what her new adventure is today. So, Jeanne, welcome and why don't you tell me a little bit about yourself?

Jeanne Teshler:
Well, thanks, Sloan. It's good to see you again and be in the studio with you. I sure appreciate this time. My name is Jeanne Teshler, I’m the CEO of a young tech company called Wellsmith. Just for a little bit of a background before we get into what we're doing here. My husband and I are the founding partners of Wellsmith, and he and I have been in business together for as long as we've been married, so a good quarter of a century now. We have worked in a variety of different businesses, always entrepreneurial in how we do things. But we've run many companies, starting with, you know, production and catalog design, we've gone into creative services. We've done a lot of work in consulting. And over the course of the last 25 years or so, we've worked in a lot of fields including consumer product goods, technology, and healthcare.

Jeanne Teshler:
So our lifespan is working through the intersection of those and how to actually create great consumer experiences for all of our customers and all of our clients. And over time we've looked at problems and we've tried to figure out the most creative and the most consumer-centric way to solve them. So that's kind of the impetus for where we sit today. And what's interesting about what we're doing now is, Wellsith, sits at this interesting intersection of consumer behavior, technology and healthcare in such a way that it's bringing new light into how we solve what we see as personally as a problem in this country. And that is the growing amount of unhealthy people there are, if you look around, the statistics at the CDC saying that within the next 10 years, we're going to hit about a 50 percent obesity rate in the United States and we're going to see a lot more chronic conditions like diabetes, like heart failure and heart disease like COPD, which you know, is from smoking generally, but also has a lot of, a lot of basis in unhealthy behaviors in addition to smoking. So what we looked at is, as you know, personally, my family is full of, of bad health behaviors. There's nothing but heart disease and diabetes in my family, no matter how far I look.

Sloan Foster:
I think all of us probably have a little bit of that.

Jeanne Teshler:
That's true. And as we start looking at this, what fascinated me from a personal standpoint is having worked in all these different industries and the consumer product side, I'm in the technology side and in the healthcare side, we started to see over the last 10 years, in particular, all these little interesting bits and pieces of people trying to move the needle on health and what was missing is a way to bring all those pieces together. So that became a standing passion of ours is to figure out how to solve healthcare problems in new and interesting ways, and that’s where we came up with the idea of Wellsmith.

Sloan Foster:
The intersection of all those different elements and saw the intersection coming together at this point in time where it's needed and not any one company was solving the problem effectively, I'm sure.

Jeanne Teshler:
Correct. Correct.

Sloan Foster:
Well great, so where are you, what led you, I assume this is what led you to this idea is seen and what made you decide that now was the time to start a company? And time was of the essence?

Jeanne Teshler:
Well, we had prototype the idea of Wellsmith in our spare time during, you know, in between consulting gigs with our other company. And we started to realize that what was necessary was a brand new, basically a platform for solving this problem that, you know, if you look at the technology side, there are things like FitBits and different things that help people monitor their activity to be more active in healthcare. There are programs that you can join, for example, to help manage your diabetes or your weight loss. And on the consumer side, there's nothing but people trying to sell you on good healthy behavior, along with an equal number or greater number of people trying to get you not to eat healthy, etcetera. And all that. And so what we decided was there needed to be a platform way to solve this. And how do we bring all of those pieces together and make it work? And so our mission became a way, and we knew it was possible because the technology is now caught up in such a way to do so, the mission is to help reverse the trend of chronic conditions and bad health in the United States by giving people the right tools in a simple and memorable and actionable way to manage their own health. And that's what we've done with Wellsmith. We've created this platform by which consumers have an easy way to manage their health and healthcare has an easy way to help monitor and intervene as necessary in that care. And that's the Wellsmith platform in a nutshell.

Sloan Foster:
Great. And you've already had your first deployment. You've had been in the market for a brief period of time, but you actually launched the first part of 2018. So talk to me a little bit about where you are in the deployment of the platform and what you expected.

Jeanne Teshler:
Sure. So we're rolling out live. We've been in trial for the last year, year and a half, doing some testing with one of our customers on how this actually behaves in the wild, as we call it, in live action. So we start rolling out fully in, starting in January, so a couple of weeks from now, we start the new year with a turning this baby onto a live audience. And what we'll do is, we'll probably by the end of 2018, I have anywhere from tens of thousands to hundreds of thousands of users on the platform and none of the gate within about that year, we should be the largest population risk management platform in the country. It's just, there are few doing things like what we're doing, but no one to the scale and to the breadth of what we are doing.

Sloan Foster:
Obviously, time to market was very important and a product that works. So, what made you decide to partner with Calavista and trust a partner instead of doing it internally?

Jeanne Teshler:
Well, that was fairly simple on our part. We had brushed up against Calavista to during a couple of our other consulting agreements and consulting gigs over the years and had always been looking for an opportunity to work with Calavista in Lawrence and Sandeep. And so when we were, when we got the funding, when we got the go-ahead to actually build this product, we knew that we had to do it fast and all of my husband and I are great brilliant business, etcetera. Patting myself on the back of that. But we're not engineers. And the last thing we needed to do was trying to solve engineering at the same time we were trying to build a product. We had clearly the vision, we clearly had the prototypes. What we needed to do was get to market fast and we knew the team at Calavista could get us there.

Jeanne Teshler:
I mean, think about this Sloan. We went from nothing in October of 20, 2015 to a product in beta testing and in a clinical trial by January of 2017. Three and a half months to build actually was March. So six months we went from zero to a prototype in the market being used in a hospital system, compliance issues. Exactly. And so being able to jump through the hoops of not only designing a product but also designing it to those really rigid privacy standards and HIPAA standards for security, Calavista and didn't miss a beat. And anytime we needed to throw something at them that looked kind of odd, they would analyze it, they would, they would look at it and go, OK, I think we can do this. And they would. And that was one of the best things about is we did not have to worry about the engineering while we were trying to figure out the rest of the business.

Sloan Foster:
Sounds like that is a good partnership. I was going to ask how that impacted your time to market, but it actually accelerated your testing and opportunities, which I'm sure major investors happy again. I mean a lot of you don't have a whole lot of time to please or displease people. Our goal, of course, was not displeased them, but if we could bring it to market before they had a chance to think twice and go had, you know, you get rid of a lot of doubt when you can put something in the market and they can see it working. And the amazing part was our theories were right about customer engagement. If we could make it simple enough for people to follow simple plans and manage their own health, they would get better and it worked. And that was the most amazing thing to us. We knew internally and deepen our hearts. That was the problem that people are active in their own health and they're spending time on their health every day that they will get better and they will stay healthy.

Jeanne Teshler:
Convincing healthcare that's the case is a different problem than engineering. So I had Calavista and their teams building and managing this product. I was going out and reassuring the customers that this would work. And so I didn't have to do two jobs. I had one. And that was critical to me because getting them to understand the importance of what we were doing was harder than actually building the product. And that's the product. And you tested it. You've had quite an impact even though as only being piloted right now. So do you mind sharing some of those numbers? I know it hasn't scaled where you want it to go and have an officially launched, but I'm going to share some of the impacts you've had. Um, yes. And so during trial. So the philosophy that we've had from the beginning, and again this is our deep down in our souls understanding of how consumers behave is that people want to be healthy and if you make it easier for them, they'll do it.

Jeanne Teshler:
And the problem in healthcare is that you only really interact with your healthcare professional, your doctor or your nurse or whatever, 15 minutes at a time, four times a year. But health occurs every single day of your life. And it's the decisions you make that cause you to either have good health or bad health. It's a decision you make for what you're going to have for breakfast. It's the decision you make for what you're going to have for lunch. So decision you make, whether you're going to get off the couch and, and, and walk a little bit or sit down and watch Game of Thrones again. Right? And so those are the things that we can activate. And so our theory was if we could get people to move more every day and we could get people to be more interested in what happens to them when they eat poorly and what those results are, that they would make better decisions and over time they did.

Jeanne Teshler:
So the first thing we solved and can see and trial unbelievable scale is that people will actually do what doctors tell them to do. And when they do ask the doctors, they'll tell you the patients we tell. I told them, I told Sloan she needs to walk 30 minutes a day and I don't know if she's doing it or not. Right? And so we're taking that away from them and saying we believe consumers are well equipped to do what we asked them to do and when they do amazing things happen. So our trial, because this is the long story short, our trial was on people with type two diabetes, which is a lifestyle created disease, and we were able to get people to walk 50 percent more than they would otherwise because we had them on a digital step tracker and we gave them goals of steps to walk.

Jeanne Teshler:
We were able to get them to weigh themselves once a week and help them manage their weight. We were able to get them to log their food and try and keep their carb intakes, which is important for diabetes below a certain level. And we're able to get them to actually take their medicine on time. When you combine those four elements like we did, we saw that on average people lost about a pound a week using our platform. They are, their medication compliance went up dramatically. Did you know by the way that half of the people in the United States who are on medicine take their medication half the time, I'm not surprise, and so medication compliance across the board is no more than 50 percent part-time taking my vitamins on it exactly, but in prayer for people with chronic conditions, it's important that you do helps you manage it.

Jeanne Teshler:
We got medication compliance up to 75 percent, unheard of in that area. And on the A1C, which is a test for diabetes, we were able to drop everybody by a full point to a point and a half. So we're moving the needle, not just keeping people where they are, but helping them reverse conditions that can be reversed. Not all conditions can be reversed but were able to give people hope for the first time that there's a way to manage this. In fact, one of the best compliments we got was from one of our trial participants who ended the trial saying, I finally realize that diabetes is something I can live with, not something that I will die from. That to me was amazing thought from them.

Sloan Foster
Absolutely. I'm sure that made you get very passionate about waking up every day and going and being CEO of this amazing company that does save lives. That's a very important thing. So what advice would you have for other founders who have an idea on a vision much like yours are putting components together and they want to go to market? What do you think? You're a number one, number two, idea would be for them or advice I guess I should say.

Jeanne Teshler:
Right? Well, so I would say that, you know, think about who you are as a founder in what your core competencies are. Clearly, as I stated earlier, I'm not an engineer, never have been. I'm more about operations. I'm more about the business side of things and more about making things work. And so I didn't fancy myself an engineer. And so what you want to do is find the people who compliment what you can't do. And that's why, again, Calavista made perfect sense for us. We needed to focus on the business reasons for this. We needed to go after the funding we needed to understand and keep in contact with our customers, get them conditioned to the idea of this platform because it's new to them as it was even to a consumer. And so focus on what you're good at and what you're not good at.

Jeanne Teshler:
Find the right people and spend the money on finding the right people to, to fill out your team. So that's the number one thing that I would say. And again, obviously if you're an engineer, maybe you don't need a Calavista, although I'd even say even then, don't spend your time and your money on things that you don't need to do right now. The second thing is, you know, having Calavista by our side doing that engineering has allowed us to focus on building the culture we wanted. We were able to prototype and get to market fast and do rapid iterations with them over the last year. And we spent that time working with our investors, working with our customers, building the business plan the way we needed it to. And really just focusing on what kind of culture did we want to build for us and for our team as we bring them in because you trusted it would work and beyond time was critical to the success.

Sloan Foster
Especially in a hospital.

Jeanne Teshler:
Absolutely. The last thing you want to do is not have a product deliver on time.

Sloan Foster:
That is the death of any company, right? At the end of the day.

Jeanne Teshler:
And finally, I think it is really understand who it is you're trying to serve and really spend your effort on making sure that market is right and ready. And like I said, that's half the battle we're fighting and let Calavista to fight the engineering battle and keep that and ours is going out to market and making that happen.

Sloan Foster:
So speaking of when you get to the market and you said a launch is early January, how can people use this platform and find out more about your company?

Jeanne Teshler:
Right now it's a, it's a prescription only platform. So a doctor actually prescribes it. So you'd have to be one of our customers or your health system would have to be one of our customers. We don't have any in central Texas right now. Our focus right now is on an underserved market in the east coast, so, but you can learn more about us at www.wellsmith.com and you'll hear more about us as this year goes by as we add more systems to our roster of customers and as we continue to build out this platform.

Sloan Foster:
And how are the hospital system's going to adopt this or the health insurance companies, who actually is going to be adopting it and prescribe it? Obviously, the doctors prescribe it. But what do you expect that scale and roll out to look like?

Jeanne Teshler:
We should have by the end of 2018, five customers in the health system. And health again is one of those behemoth industries that's near the lagging edge of technology and innovation. Kind of like education is as well is one of the last unknown territories. And they're grappling for solutions like ours. And so I feel that in the next year we should get five new customers and then from there it should cascade. It's going to be an amazing experience to watch as it catches fire. So using a medical term, this is a viral product that once the first one or two customers that we already have adopted, everybody else will jump on.

Sloan Foster:
So I think that's an interesting model because we talked about the start-up, you know, for a founder, you are serving the consumer market, but your customer is not the consumer at the end of the day. So how do you balance those two customers, if you will, technically, between the needs of the consumer, which are the people using the platform and your actual customer, which is an insurance company or a healthcare system. Technically, what it that?

Jeanne Teshler:
It's going to be a risk provider. And the way healthcare is shaking out right now is that insurance and providers are combining because in. I'm not sure how I made a lot of people that are sophisticated about who the economic buyer of the product is. The economic buyer of healthcare right now is the insurance company, but the user is the consumer. That's the on the insurance and health provider's side. That's all coalescing into one so that the economic buyer is going to actually be the consumer and the way the affordable care act has been set up and the way insurance is now turning out, people are getting onto these really high deductible plans. So, they're taking on a tremendous burden on these out of pocket costs, so while it appears now that the buyers are the insurance companies, the real buyers are the consumers because they're shelling out more money. We're losing that line before between insurance and provider. Those are going to coalesce, so we will have a more balanced view and both sides of that picture both want the same thing. Both want consumers to be healthier, but they have different reasons for looking at that from a provider slash insurance point. It's to control costs, right? And from the user side, it's to simplify that journey towards better health. And so our platform, again, incentivize them to do it.

Sloan Foster:
Exactly. It solves both problems.

Jeanne Teshler:
We're going to see a complete change in how money is, is changing hands right now in healthcare because it's not going to be fixed you, I get paid for it if you're a doctor now, it's a value-based system, so all of that payment's going to change anyway, and we've designed our platform for that future state. How does money exchange, how does value exchange between a consumer and this new payer slash provider realm in a new way and it has to be on a platform that has never existed before and that's what we're building. It doesn't work in the old model, but it works perfectly in the new model.

Sloan Foster:
Well, that's exciting times.

Jeanne Teshler:
Yes, we are thrilled. I am again, this is a personal passion of ours, as business partners and husband and wife, you know, we expect our kids to grow up in an environment where health is promoted in new and interesting ways and better ways for them. So yeah, I'm just enjoying every minute of what I do every day.

Sloan Foster:
Well good, thank you. Thank you for being here and thank you for revolutionizing healthcare in an interesting way. I'm excited to see what happens. I hope for my sake I don't have to use the platform, but I certainly appreciate that it's out there and not. It is doing the important work of saving people's lives, so I appreciate it.

Jeanne Teshler:
Well, thanks, Sloan. I appreciate the time. Thank you.