
Sam Li and Austin Ogilvie, co-CEOs of Laika, on the compliance-as-a-service business model

Jan-Erik Asplund

Background

Sam Li and Austin Ogilvie are the co-CEOs of Laika. We talked to them to learn more about the revenue mix of compliance-as-a-service businesses, how they're thinking about evolving their models and margins over time, and how large the universe of expandable TAM is for these kinds of companies.

Questions

  1. What’s the core problem you're solving at Laika, and what does your core customer profile look like?
  2. What are the inefficiencies in the compliance process, or why is compliance difficult for companies to deal with? What’s the opportunity for Laika there?
  3. Is there any kind of milestone or product-market fit signal that you would want to share?
  4. How exactly does your product work? What’s the core model or benefit—is it about connecting all these different stakeholders on a single platform, or more about e.g. being a single source of truth?
  5. What’s your relationship with auditors? Does Laika employ auditors in-house, or is it more of a marketplace? Is Laika the core tool for those auditors, or is there a software stack that Laika is a part of, for them?
  6. Is Laika effectively replacing high-touch services businesses whose software consultants hand-hold companies in this segment? Or are you purely self-serve for compliance?
  7. Do you think what the software can do vs. what it does today might change over time? If so, how? Will the human in the loop part be as important, always?
  8. With regard to the SOC 2 and the certification, is it more of a checkbox—black and white—or is it like a gradient of how strong the certification is? Do enterprise buyers care about what's found, who did it, who the auditor is, and who's responsible for the SOC 2?
  9. Your business model is a recurring subscription SaaS model. What’s the recurring value that people are paying for monthly? Is it that folk are adding enough new frameworks so you pay monthly to keep acquiring them?
  10. Revenue from software or revenue from services—what’s your take, for not just Laika but all the SOC 2 compliance companies? To what extent would the mix shift to a place where you have more software revenue over time?
  11. What’s your perspective on the tension between the short-term, land grab mentality with all of the money being raised in the space vs. building a sustainable business in the long-term?

Interview

What’s the core problem you're solving at Laika, and what does your core customer profile look like?

Laika's mission is to ensure that compliance is never a blocker for innovation. 

We started the business about three years ago. I was a fintech entrepreneur before Laika, and my company went through a SOC 2 audit process. We were a small, 12-person insurtech, YC-backed company in New York. I thought it would be a four-week exercise. Six months later, I still didn’t have my report—not even close.

I had to take my engineers off from writing revenue generating code to writing information security policies. The auditors had no idea what a cloud native company was and asked me where my servers were. I had to upload evidence to their SharePoint with an Excel tracker and email back and forth. 

Inspired by companies like Carta and Pilot, we thought of a playbook to turn a mundane, consulting-heavy, once-a-year kind of experience into a digital experience for modern companies. That's how we started Laika.

We built technology to automate the evidence collection, control validation for SOC 2, and a series of other frameworks.

Over the past three years, we realized there is a much bigger market opportunity in this whole space. Getting a business ready for an audit and setting up the compliance program is really just step one. Step two is getting through the IT audit itself. 

We started thinking about how we could equip the auditors with the same set of automation and tools so they could complete audits more efficiently.

The concept of an IT audit is great. However, real-world execution has been found wanting because these audits are being done by accountants with very old school technology. We're here to change that, too.

The third part is that these same companies suffer from what we call enterprise buyer due diligence processes. Basically, they put all their vendors through a very painful security questionnaire process. It’s entirely self-reported, and it usually comes in the form of an Excel spreadsheet. Laika helps companies handle that as well. 

Over the past three years, we’ve gone from solving this specific pain point around SOC 2 to this comprehensive worldview of being the all-in-one solution for technology companies to solve their information security compliance needs.

What are the inefficiencies in the compliance process, or why is compliance difficult for companies to deal with? What’s the opportunity for Laika there?

Whether you’re a B2B software company or a services provider, you can't get your foot in the door with any enterprise customer anymore without demonstrating that you can operate your business within secure systems and protect data according to that particular party’s expectations.

Every company on Earth now has at least a couple software engineers. So whether or not they consider themselves to be a software company, they are one, in the context of this compliance question. Now, are they all going to have a one-to-one mapping of engineers to domain compliance experts to meet all the different requirements out there? That’s untenable.

The second reason is that there are just not enough properly trained compliance and information security professionals.

The "academy" will catch up at some point and produce more cybersecurity, data privacy, and digital compliance pros. In the meantime, how are these organizations going to stay abreast of the requirements?

Is there any kind of milestone or product-market fit signal that you would want to share?

We wrote the first lines of code in June 2019, and got our first group of customers shortly after. We have grown substantially since then and went from 100% founder-led sales to almost 0% of that in less than a year. To us that is the best sign of product market fit and gave us the conviction to raise subsequent rounds and build up the team.

How exactly does your product work? What’s the core model or benefit—is it about connecting all these different stakeholders on a single platform, or more about e.g. being a single source of truth?

When customers get onboarded to Laika, they subscribe to a service where they are instructed to integrate and connect a series of relevant SaaS tools they're already using—from cloud service providers like AWS, Google Cloud Platform, GitHub, and JIRA down to HR platforms.

Once the tools are connected, our integrations and monitors start working to not only collect data—essential from an audit preparation perspective—but also dynamically monitor compliance gestures from those tools. We have off-the-shelf monitors that follow industry best practices and what the standards require to offer you a bird's eye view over how you are doing with all those tools you're using.

We also allow you to customize your monitors to fit your organization's specific needs because sometimes, the standards are relatively vague. You need to have encryption but that requirement may manifest itself very differently when you're a Walmart or a 50-person startup. So, our system allows you to configure the monitor logic at that level.

As a compliance platform, we also cater to policies, vendor management, training, and other less technical requirements that are crucial in the compliance context. Our customer goes through a TurboTax-type experience with the application which helps set up all their compliance programs while ensuring that all the requirements are met based on the framework they’ve subscribed to.

Many of our customers have multiple frameworks that they have to be compliant with. They use a shared set of controls which act as building blocks for their compliance program. Subsequently, they are mapped to various industry and regulatory standards so they see their levels of compliance across a series of different frameworks. 

That’s the phase where they’re setting up their compliance program, ensuring continuous monitoring, and getting alerted for anything that goes out of compliance.

Where we went the extra mile is in creating an integrated audit experience for them.

When we first started the business, we built the integrations and the guided step-by-step experience, leading our customers towards their compliance goals. 

What we realized was there was a kind of messy handoff problem when the actual audit comes in, since SOC 2 is one of those frameworks that have a very explicit, external audit that needs to be completed by a CPA. 

We realized that you could go through our platform, integrate all your tools, and get all the monitors passing, but in the end, the auditor might not take all of those results at face value. 

Over the past two years, we’ve set ourselves a goal to really revolutionize how things are done there.

It’s similar to how Carta started working with third-party 409A valuation firms, and eventually integrating the system to build a set of tools for the 409A valuation professionals so that they could really scale that team to be super-efficient, error-free, and complete the experience in a digital setting. We're doing the same for information security audits.

What’s your relationship with auditors? Does Laika employ auditors in-house, or is it more of a marketplace? Is Laika the core tool for those auditors, or is there a software stack that Laika is a part of, for them?

We do not employ auditors. What matters is that the auditors are using Laika's software, which is connected to the company-facing software. That's how efficiency is gained, workflow becomes consistent, and data gets shared and verified without having to leave the overall Laika ecosystem.

Is Laika effectively replacing high-touch services businesses whose software consultants hand-hold companies in this segment? Or are you purely self-serve for compliance?

We love the idea of automating bureaucracy away, and believe that software can do things way better than humans in a lot of cases. In compliance, it’s just not realistic. It's a fantasy to imagine that you log in, connect your systems, red lights go green, and universally, that means that whatever the entity is, it’s compliant.

The idea of an audit, traced back to the core principles of the concept itself, is having an independent, systematic approach to scrutinizing something. We think you need experts in order to live up to auditor standards, which are rigorous, but what is the point of collecting all of this digital exhaust if you then have to dump everything to a CSV and use pen and paper? 

This whole point is having the technology to empower the experts, and bring the experts along for the ride.

Do you think what the software can do vs. what it does today might change over time? If so, how? Will the human in the loop part be as important, always?

One truth about business models like Carta’s or Pilot’s is that it's very difficult to reimagine entirely abstract new ways of working without understanding the work itself.

We spent a lot of time with Henry Ward talking about how Carta did it and thinking about how to design the software correctly. We considered how modern compliance professionals ought to be doing the same work that our co-founder Eva did with her massive team at Citi years ago.

In the last three years, we have gone from zero to essentially fully automating all compliance checks for certain types of businesses. If you're a small digital-native company with a modern tech stack, using recently written code and using modern tools such as GitHub, then that’s the kind of business our software is extraordinarily good at automating.

On the other hand, experts need to continue to be an important part of the experience, because of the complexity of audits. One way to ensure we don’t lose relevance is to provide technology for those experts.

With regard to the SOC 2 and the certification, is it more of a checkbox—black and white—or is it like a gradient of how strong the certification is? Do enterprise buyers care about what's found, who did it, who the auditor is, and who's responsible for the SOC 2?

SOC 2 is great and has its benefits, but many of the requirements are a little generic. While it accommodates the nuanced differences between companies, it's often up to the auditor's interpretation what counts as compliant and what doesn’t.

SOC 2 is one of the most popular, if not the most popular, information security frameworks in the US. It is widely accepted and fairly comprehensive. But is it perfect? No. We acknowledge that.

Also, there aren’t enough highly technically trained IT auditors who are also CPAs and who can perform a high quality SOC 2 audit. So while the framework is designed nicely, the implementation varies by individual auditors. The way EY does it is different from the way Coalfire does it, which is different from the way that a five-person audit shop does it. It's very hard to quality-control.

That’s the risk of this framework, and that’s why Laika is so important as a solution. With the technology we have, we can verify what’s accurate and what’s not. A screenshot—the most widely used format of audit in the SOC 2 world—just can’t tell the full story, is easy to game, and is time consuming to collect at scale.

Lastly, although we knew SOC 2 was a highly popular pain point, we never built our technology to be SOC 2-centric.

There are many smart people who look at the shortcomings of SOC 2 and say they want to go build a new framework that’s going to be perfect. That will never happen, because every CISO has his or her magic dust to incorporate. There will never be a universal framework that everybody loves and uses and trusts.

The proliferation of compliance frameworks is unstoppable. What we can do is to componentize our software to accommodate them all. Multi-factor authentication is multi-factor authentication is multi-factor authentication, but it maps to different compliance requirements in various frameworks. 

That’s why our software is highly componentized, so that you can create your own framework if you want to, and still leverage the monitoring technology and the different workload tools that we have built to meet whatever requirements are there.
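The shared-controls model described in the last two answers (one control such as MFA mapped into several frameworks, with monitor logic that an organization can override, as in the encryption example earlier) can be sketched as a small evaluator. This is an added illustration, not Laika's code; the framework names, requirement IDs, evidence shape and monitor rules are all constructed placeholders.

```python
from typing import Callable, Dict, List, Tuple

# Constructed mapping: requirement ID -> shared controls it depends on.
# Framework and requirement identifiers are placeholders, not real ones.
FRAMEWORK_MAP: Dict[str, Dict[str, List[str]]] = {
    "FRAMEWORK-A": {
        "A-ACCESS-1": ["mfa_enforced"],
        "A-CRYPTO-1": ["encryption_at_rest"],
    },
    "FRAMEWORK-B": {
        "B-IAM-7": ["mfa_enforced", "access_review_quarterly"],
    },
}

# Constructed evidence, shaped like what connected tools might report.
SAMPLE_EVIDENCE: Dict[str, dict] = {
    "mfa_enforced": {"mfa_required": True},
    "encryption_at_rest": {"buckets": [
        {"name": "prod-data", "sensitive": True, "encrypted": True},
        {"name": "logs", "sensitive": False, "encrypted": False},
    ]},
    "access_review_quarterly": {"days_since_review": 120},
}

Monitor = Callable[[dict], bool]

def mfa_monitor(ev: dict) -> bool:
    return ev.get("mfa_required") is True

def strict_encryption(ev: dict) -> bool:
    """Off-the-shelf rule: every bucket must be encrypted."""
    buckets = ev.get("buckets", [])
    return bool(buckets) and all(b["encrypted"] for b in buckets)

def sensitive_only_encryption(ev: dict) -> bool:
    """Customized rule: only buckets tagged sensitive must be encrypted."""
    buckets = ev.get("buckets", [])
    return bool(buckets) and all(b["encrypted"] for b in buckets if b["sensitive"])

def access_review_monitor(ev: dict) -> bool:
    return ev.get("days_since_review", 10**6) <= 90

def default_monitors() -> Dict[str, Monitor]:
    return {
        "mfa_enforced": mfa_monitor,
        "encryption_at_rest": strict_encryption,
        "access_review_quarterly": access_review_monitor,
    }

def evaluate(evidence: Dict[str, dict], monitors: Dict[str, Monitor],
             framework_map: Dict[str, Dict[str, List[str]]]
             ) -> Tuple[Dict[str, bool], Dict[str, dict]]:
    """Run each monitor once, then roll the control results up per framework."""
    control_status = {c: bool(m(evidence.get(c, {}))) for c, m in monitors.items()}
    report = {}
    for fw, reqs in framework_map.items():
        failing = sorted(r for r, ctrls in reqs.items()
                         if not all(control_status.get(c, False) for c in ctrls))
        report[fw] = {"compliant": not failing, "failing_requirements": failing}
    return control_status, report
```

Swapping `sensitive_only_encryption` in for `strict_encryption` changes the verdict on FRAMEWORK-A without touching the mapping, which is the point of keeping control logic separate from framework requirements.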

Your business model is a recurring subscription SaaS model. What’s the recurring value that people are paying for monthly? Is it that folk are adding enough new frameworks so you pay monthly to keep acquiring them?

All of the old software tools in this space are static compliance tools that are only as good as the people manning the ship and the data they put in.

The glory of a modern compliance automation platform like Laika is that it is living and breathing. Anything that can be asserted from a compliance test requirement is asserted behind the scenes, automatically. Those checks allow you to catch compliance violations as they happen.

Additionally, these standards call for a lot of important non-technical things. For big banks or big enterprises, the risk of attack from a nation state using a zero-day is a real problem. But the majority of companies out there are not being targeted in that capacity. 

The biggest threat is employee misuse of systems or data either by accident or nefariously. You can put a lot of controls in place that are very effective to eliminate that. Sometimes those are technical controls, and sometimes they're not. 

It's about having a second set of eyes to review who has access to what systems on a regular cadence, and asking an intellectual question about the relevance of those permissions for those people. That's a fairly straightforward workflow that you can do, which I would argue should be done by a person familiar with the business and employees.

Of course you can roll your own way to do that in Google Sheets, but our customers are not interested in paying employees to recreate the wheel. In Laika, risk assessments, tabletop exercises, and testing your business continuity plan are very straightforward. You have to demonstrate to an auditor once or twice a year, however the auditor deems it to be effective, simulate a whole sale, and if employees can't turn on their laptops or if there's a virus that affects the global economy, there are benefits to subscribing to a workload tool that eliminates the pain and complexity.

Revenue from software or revenue from services—what’s your take, for not just Laika but all the SOC 2 compliance companies? To what extent would the mix shift to a place where you have more software revenue over time?

We obviously care about margin like any SaaS company out there, but we care more about having a pleasant, joyful customer journey. For certain things, automation and a TurboTax-like experience is the best solution. For other things, you want a personal touch built into your experience. A lot of our R&D budget is being spent on automation and trying to automate (if not obliterate) a considerable number of service components that we may have been doing with an expert in the loop in the past.

But before you can craft a plausible software experience to replace humans, you need to have intimate knowledge of what those consultants have been doing, historically. You can't make up, "I think this UI tool is going to eliminate the need to talk to a customer." For example, we have a commenting feature in our app for people to ask questions. Those questions are gold mines for our product management team to understand what content we have to provide. “What software features do we have to build, so our customers can complete their compliance journey without asking questions, or checking in with their compliance architect?”

To me, this is a continuously iterative learning process, where we want to provide the customer the best-in-class experience throughout while learning from what our compliance architects are doing to determine our automation and software roadmap.

What’s your perspective on the tension between the short-term, land grab mentality with all of the money being raised in the space vs. building a sustainable business in the long-term?

We respect what everyone is working on. It is a validation for the market and the pain points that exist. Our differentiators lie in our integrated audit and our understanding of compliance. 

It isn’t a check-the-box SOC 2 exercise, but a more comprehensive one that answers, “How do we demonstrate compliance to enterprise software buyers? How do we continuously monitor compliance, even if it's not part of an explicit audit? How do we make the audit process itself more seamless, and create efficiency on both the company and the auditor side?” That's what we did over the past two years.

There's definitely some land-grab dynamic here, and it could be hand-to-hand combat in some cases. But overall, I'm glad that people are finally paying attention to this market and this problem, which excites me. 

We make compliance a little less intimidating, ensuring that the entrepreneurs who run fantastic companies and who are our customers can focus on their own innovations and not suffer brain damage worrying about compliance. That, ultimately, is what makes us smile. That’s why we exist.

Disclaimers

This transcript is for information purposes only and does not constitute advice of any type or trade recommendation and should not form the basis of any investment decision. Sacra accepts no liability for the transcript or for any errors, omissions or inaccuracies in respect of it. The views of the experts expressed in the transcript are those of the experts and they are not endorsed by, nor do they represent the opinion of Sacra. Sacra reserves all copyright, intellectual property rights in the transcript. Any modification, copying, displaying, distributing, transmitting, publishing, licensing, creating derivative works from, or selling any transcript is strictly prohibited.
