
The Foundry Files


Students vs. Startups Episode 37: Risk Management Put Into a System



Featuring Ostendio

Read Time: 15 minutes

Welcome to Episode 36 of Students vs. Startups. This week, moderator John Gilroy talks with the CEO of Ostendio, Grant Elliott. Grant's background as a COO and CISO led him to fill a gap he saw throughout his career. Four years ago Grant set out to create the Salesforce of security, and today Ostendio helps teams put together security and compliance programs successfully. Listen to his story below!

[audio src="https://easternfoundry.files.wordpress.com/2017/09/students_vs_startups_podcast_episode_37-final.mp3"][/audio]




John Gilroy: Welcome to Students versus Startups Showdown Potomac. My name is John Gilroy. I'll be your moderator today. A big round of applause here for show number 37.

Jennifer Lee: Whoa.

John Gilroy: Yeah. I cannot believe it. Show number 37 had to reach out to Scotland to bring in a startup, here, but anyway we're going to talk more about the startup here in a few minutes. We are sitting in the offices of Eastern Foundry. We took over a conference room kind of like takeover, takeover the conference room. On one side of the table we have three students, and the other side of the table we have a startup, we have a 26-minute conversation and walk out of here fast friends, it's awful simple, here. First of all, our students. Our first student is Christen Hill, she just finished a master’s degree in Journalism from Georgetown University, your background, please, Christen.

Christen Hill: Hi, I'm Christen Hill, I'm a journalist in the Washington, DC area. I do a lot of stories in Southeast DC, mainly about whatever is happening out there.

John Gilroy: Interesting. Our next student is Wil Patterson, who's graduated from Georgetown with a degree in Systems Engineering.

Wil Patterson: And, my wife is definitely grateful that I've graduated, now that I can be home and take care of my four kids. During the day I work for the federal government, big old boring agency, and on one weekend a month I go and do military reserves.

John Gilroy: Yeah. And, Jennifer, she's in the middle of a Technology Management master’s degree at Georgetown University, and trying to survive and make through, huh?

Jennifer Lee: Yeah. Just a couple more months and then we'll be free, and thankfully I don't have four kids to go home and take care of.

John Gilroy: Where do you work?

Jennifer Lee: I work for PriceWaterhouseCoopers, in their public sector digital group.

John Gilroy: So, we've got three smart ones, here. I don't know if you can handle this, Grant. Do you think you can handle it?

Grant Elliott: I'll try.

John Gilroy: Our startup with the interesting accent is a gentleman by the name of Grant Elliott, and his company is called, Ostendio, and he's just three or four blocks from us, right here, across from the Potomac River. Give us a little about your background, and how you started with Ostendio, please.



Grant Elliott: Sure. Yeah. Ostendio has been going for about four years. We provide a cyber security and information management platform. We’re set up based on my background as a former chief operations officer, and chief information security officer. During the process of doing that realized there was a lack of infrastructure to support organizations who were trying to put together security and compliance programs, and talking to a number of my peers, asked them if there was a Salesforce for security available, is that something they would use?

John Gilroy: Yeah.

Grant Elliott: They were all suffering from the same challenge. So, we launched the platform itself three years ago with six customers that we signed up before we even built the platform. Yeah. We've been going strong for the last few years.

John Gilroy: One of my neighbors, Dave Hall, has tried to help you in your company a little bit, hasn't he?

Grant Elliott: Yes. We've worked with Dave when we were working with MedStar Health. We worked with Dave and he was involved, there. Yeah. He's worked with a couple of consultants we've worked for, as well. Yeah.

John Gilroy: It's a small world, isn't it?

Grant Elliott: Absolutely.

John Gilroy: Yeah. If you're sitting in the Metro, and someone turns to you and says, "What business problems does your company solve," what's your answer?

Grant Elliott: Well, I mean, fundamentally, everyone needs to be secure. Every individual, every organization become secure. If we could basically make it really easy for you to do that and that's what we do, and we can automate that process as much as we possibly can, and everyone intuitively wants to do more, but for the same reason that we tend to use the same password for every application that we log into, we know we shouldn't, but we do it because it's easier to do that, and we solve that problem.


John Gilroy: Christen, you don't have one password for every site you have, do you?

Christen Hill: I have a combination of three.

John Gilroy: Password one, two, three, four.

Christen Hill: From year to year, and they last about four months, each, so it's really great. A Salesforce for security. I'm very interested in how they work, I mean it sounds like a, I hate to say, cookie cutter way of looking at security, I mean, cyber security, is that right? Can you give us a little bit more about how you manage these cyber securities?

John Gilroy: Sure. Ironically, what we do is, we can, the cookie cutter part is basically the process.

Christen Hill: Mm-hmm.

John Gilroy: The results often are very, very different, because every organization, every business is different, every set of standards, every set of regulations, there's a lot of variety in how all this work, but the process isn't the same. You have to have good documentation. Right? You have to make sure your employees have read and understood that documentation. You have to train your staff. I always say that in order to secure data you need to know what data you have, where the data is, who's accessing it, and what you're doing to protect it.

So, when you break down the fundamental problems, the problems are the same for every organization. The answer isn't how you go about doing it, so the analogy to Salesforce is not by accident, if you think of it from the perspective of we don't, Salesforce don't sell anything for you, but sales is a process. What they do is they automate the process of selling, giving you the data to help you sell better, allow you to organize information where it allows smarter decisions about who you segment your audience, et cetera. We do something very similar, but we just focus on security.

John Gilroy: Jennifer, if I walked up to a typical CEO, and said the word, “compliance,” they'd run out of the room screaming, and that's the deal with compliance. I mean, I'm scared of that word.

Jennifer Lee: Right. I mean, being in business, myself, and I think security compliance, privacy, all those words essentially, I think, give people chills.

John Gilroy: Yeah.

Jennifer Lee: And, I took a quick look of a one-minute tutorial on what your solution does, and it seems very intuitive, but also doing a quick search it seems like there are also competitors in this industry, so what would you say are the top differentiators of your company?

Grant Elliott: It's funny, when we talk about digital marketing, specifically, that's one of the biggest challenges we have. When you're using the same buzzwords, when you're using the same terms, when using the very similar high-level descriptions, how do you differentiate yourself from the herd? Really the way we do that is by once we got a customer to do the demo, the platform, show them how the platform works, they can immediately see just how different. So, a lot of the tools that are out there, they call themselves, there's a term GRC, and government, risks, and compliance we do a bit of that, so I can understand the confusion, but what really differentiates us is fundamentally two things.

One, our platform is used by every single person within the organization, so it's not overlay, it's the actual core workflow of what people actually do. It's not just, you might, you're not, you're using a platform to run your training. You're using a platform to distribute your documentation. You're using a platform to track and manage your assets, so when we take information and data out of that, this is not a reporting engine where you're having to take multiple sources, the government manipulated data, the actual data that you're taking from our system is based on every single employee within the organization, working.

The reason that's important is because if I'm the security manager, and typically the way that things work is we have this concept, I've talked to journalists, before, you cannot outsource your fitness in the way you can outsource security, so a lot of organizations have a security manager say, "Oh. My security problems are solved because I have a security manager," that is not it, the security has to be everyone in the organization, so what we allow you to do is basically distribute a lot of activities, and responsibilities to everyone that makes it easier for the management team, and the team to do that.

John Gilroy: It almost sounds like a platform for compliance, is that what we understand this to be, too?

Wil Patterson: Yeah. But, I wish I could outsource my fitness.

John Gilroy: Yeah. Great. Grant, run a few miles for me.

Grant Elliott: Yeah.

Wil Patterson: I took a look at that same demo, and I was thinking, man, if I were a decision maker, a buyer, it really breaks things down into a way that's meaningful to me as a business owner versus just an IT guy saying that it's not in compliance, have you seen any realization of your IT folks getting better relationships with their business owners and the companies?




Grant Elliott: Absolutely. And, it's not just with the IT, but it's also with our partner organizations, as well, because we track all the activity, if you're a consultant, or you're a security officer, it's very hard for you to go to your CFO, and your CEO, and say, "This is what I do," because security is a lot like insurance it's about if nothing happens then there's no value to the role you provide, unless you're going through some sort of order. What our platform does, because it tracks all the activity, you can essentially go and see all of these are the transactions that we've conducted, we can actually measure the effectiveness of what we're doing.

We actually score everyone within the organization, and give the organization a score, but we don't just stop there, we're actually benchmarking within the organization, as well, so people within the organization just don't know what their score is, they know whether they're above average, or below average within the organization. We actually gamify, no one wants to be below average as I said to my son, one time, you know, that half of Americans are below average intelligence. Right? He said to me, "Really?" That just proved what half he was in. Right? So, the concept really is no one wants to be below average, but the reality is 50% of people always are, so it just drives everyone to try to do a little bit better.

John Gilroy: Grant, and like Wobegon, everyone is above average. Right? We're all the same, because all the kids are all above average. Christen, you got a question for us, please.

Christen Hill: Wow, this sounds like a really great operation you have going, here. How long did it take to develop Ostendio, this seems like a very complex system that you've developed, how long did it take to-

Grant Elliott: Yeah. I mean, the idea and the concept that we built out was run in about two hours. I mean, it was literally, a eureka moment, when I was doing an interview for someone for an organization I was joining, and the concept just literally, you know when I wrote the original product description, it literally was just one of those dumb, and I think I mentioned early on we already sold it to six customers before we even built the platform, and that was basically sold using an automated PowerPoint demo that just basically automated out, so the whole concept of you need a product to sell isn't necessarily always the case.

"That said, the harder part is not just selling a concept, the harder part is when you actually put it in operations, so it's really taken us three years to take what was a bunch of core functionality, and expand that into a truly enterprise capable tool." - Grant Elliott, CEO of Ostendio

There's 79 different models within the platform, each is really, really robust and to operate, but you got to build in things like API access, you got to build things on capabilities, there's a lot of standard functionality above and beyond just the core functionality of trying to sell, but it takes time to build in. We're still involved, we're still improving the two all the same, we get major releases coming out every few months, so it's an ongoing process.

John Gilroy: Jennifer, please.

Jennifer Lee: Yeah. It sounds like for this type of solution, where you're trying to keep track of compliance across your organizations, it sounds like it's probably, it optimizes its impact at larger organizations, rather than a startup with three people, where you would just know exactly where everyone stands with their compliance. When you first started out, were there particular organizations that you were targeting-




Grant Elliott: Yeah. A couple. First of all, we really focused on cyber security rather than compliance, because compliance is really . . . . we focus on helping organizations become more secure, and you can use a compliance structure to demonstrate your main objective. We are very focused in the short-term healthcare, mainly because my background was healthcare, and it was a digitally health company I was involved in, and clearly with HIPAA regulations with standards based organizations, what kind of trust.

There's a strong demand for security and compliance in the space, but interestingly, we don't actually sell based on fear, we really sell based on helping organizations increase their sales ability, because most of the companies we are selling to are selling into regulated entities, they're not going to win their business unless they demonstrate that they're actually operating in a secure manner. So, we sell on the basis of fact that our platform will help them more readily demonstrate that they're doing that, or shorten the sales cycle security audits much faster, and by selling based on revenue enhancement rather than cost cutting we're more successful.

John Gilroy: Christen, if you were a CEO of a company, if you heard the word, breach, just as scary as the word compliance, isn't it? Breach, is not what you want to hear.

Christen Hill: Exactly. You know, it just sounds, I mean, I'm going to be honest, here, I'm completely ignorant about the tech world, being a journalist, I'm learning so much from you guys, it just sounds like you're keeping so much information in one place with Ostendio, and it sounds like, you know, I'm wondering just how secure is Ostendio? Can it be like the big target, cyber tech, and then all of a sudden all of your clients are at risk? Is that a possibility?

Grant Elliott: First of all, we use our own platform for ourselves, so-

Christen Hill: Okay.

John Gilroy: Eating your dog food?

Christen Hill: Okay.

Grant Elliott: We always monitor ourselves through that process that gives us a step up. But, ironically, I mean, we're not storing that much sensitive data, we are managing a process.

Christen Hill: Mm-hmm.

Grant Elliott: Okay. So, maybe there are the policy documentation, and procedure documentation stored with us, and maybe some of their asset information, but none of the businesses core data, none of their sensitive data stored within our platform, so we are actually just managing our processes well. But, to take your interest, I think people do get a lot riskier about security, but I use analogy quite deliberately about our own life, I mean we live every day, and we're as much individually under attack as organizations are today, but we can amass assurance that we think it's never going to happen to us. And, businesses are an example of the same, they know that these things are happening out there.

"They know that these things are happening out there, but many of them just assume it's not going to happen to them, so the challenge for us is to try and wake them up, make them realize how real these things actually are." - Grant Elliott, CEO of Ostendio

John Gilroy: Jennifer.

Jennifer Lee: I'm going back, again, to the demo and the interface that I saw, because I'm just really, really impressed, I'm just curious, since the solution was launched have you guys found any iterative at enhancements, and if so, how do those get rolled out to your existing clients?

Grant Elliott: Yeah. Absolutely. We probably built the UI at least three times since we've done that, it's a SaaS platform, so the nice thing, you know, I've worked in organizations before where we had platform releases, and you have different customers on different versions of a platform, so I never want to go back to do that. Now, yeah, every customer as soon as a new release goes out every customer gets it, everyone is just upgraded to that new version, and we're continually improving all the time. Yeah. If you were to look at the version of the platform that we have today, versus what we've launched three years ago it's kind of night and day.

Wil Patterson: How are your sales going? Is this something that's taken off? I'm always curious about just starting out, and you've got these six companies, and-

Grant Elliott: Well, we started with six, and we've got over a 100 or so in the platform, we're continuing to grow, we're adding four to six, or something like that at once, so I mean sales are going well, they could always be going better. We could always be saying customers, we're very lucky we have incredible churn, we have 95% renewal rates, an actual negative churn, so we actually grow more from existing customers than we do in terms of losing any customers, as well. But, you know, we've not become Facebook, yet. Right? We still have some ways to go.

Jennifer Lee: Darn.

John Gilroy: Software as a service, any questions? Maybe, Jennifer. It's an interesting model, I mean this idea of churn is key, and running a software as a service company, way different from John's Donuts, or Will's Car Repair, or something, isn't it? It's SaaS.

Jennifer Lee: I like to ask a little bit more of a personal question.

Grant Elliott: Sure.

Christen Hill: If I were a person at a company, I'd buy into you Grant Elliott, because you sound like such a cool guy. I mean-

Christen Hill: How do you transition your likeability to your employees in that customer service part?




Grant Elliott: You know, it's a great question, and I'm not sure that I'm probably the person you should be asking that, you should probably be asking them. What I think, if I was to be asked the number one thing that I've been able to achieve, or success with this is, when I say this company I brought some great people with me from my previous organization, and those people sacrificed and gave up a lot, personally, and financially on an idea, and on faith of, on the faith that I can lead their organization to do the things I've said I was going to do. Without that leap of faith that they made we would not be achieving what we're achieving. Right? To this day, I'm still not sure why they made that decision, but I'm just very grateful that, that's because without that we wouldn't be here where we are.

John Gilroy: Grant, Washington, DC, rents high, you got to pay your people a lot of money, traffic, congestion, headache, why here?

Grant Elliott: Well, I mean, my wife and kids are here-

John Gilroy: That's a good reason.

Grant Elliott: So, they wouldn't be too happy if I moved, or maybe they would, who knows? You know, I think this is a great area from talent perspective. I spent a lot of time, a reasonable amount of time out west, I've been to, Palo Alto, Silicon Valley, et cetera, and it's easier to generate funding out there, but it's harder to retain talent. Right?

Grant Elliott: Because, again, there are so many organizations-

John Gilroy: Ahhhh both sides of the coin. Yeah.

Grant Elliott: Everyone wants to work for Google, everyone wants to work for Facebook, everyone wants to work for Microsoft, et cetera. Here, it's a much more stable workforce, so you can hire really talented people, here, and the economy is never that bad, or never that great, because the government, federal government can support a lot of stuff, here, as well. There's great security and engineering talent, here, as well. Believe it or not the DC area is becoming one of the four to five security, cyber security hubs in the US, with Boston, New York, and California.




John Gilroy: Jennifer.

Jennifer Lee: You mentioned a little bit about, you touched upon funding, and I'm just curious, when you first started out how did you get funding? Did you have sufficient cashflow saved up?

Grant Elliott: You know, funding is always a thing, if you speak to any startup funding is a perennial challenge, it's the thing that I hear and love at the same time. So, we've been very lucky, and I say this retrospectively that we weren't able to raise money, much money, early on, because if we had I’d probably have blown it. So as a result we had to be really, really focused on generating and bringing in customers, and as a result of that we've been able to actually generate a lot of revenue and fund a lot of what we're doing through revenue, so when I speak to some other companies that I know that are either pre-revenue, or have a lot of revenue, even companies that raised six, 10 million dollars. Right?

We're generating more revenue than they are, even not having raised that money. Now, we're still looking to raise money, if there's anyone out there. We're definitely looking to raise more money, because we believe there's an opportunity to grow, we've just been talking about how more investment in marketing, and sales, because we've solved other core problems, that's what we want to do, but if we don't, that's not a problem either, we can continue to grow organically.

John Gilroy: But, especially because it's a software as a service type organization people aren't going to be writing checks for a $100,000.00, $200,000.00 these are small build, build, boom. He said he had a 100 customers each one of those are a heartfelt battle. That's a-

Grant Elliott: Yeah. You know, we have customers paying us tens of thousands of dollars for the platform, and that from personable perspective to take a product description, and have a customer paying you close to a $100,000.00 to use that platform, so we have small customers paying a few thousand, and larger customers paying multiple tens of thousands for the platform, as well.

John Gilroy: Oh, interesting. Wil?

Wil Patterson: Yeah. So, you talked about there's a pool of talent, here, how do you go about making sure that you get the right people in your organization? I think that's a foundational skill to make sure that you have a lasting company, but making sure that you don't hire those below 50% of intelligence.

John Gilroy: We talked about those guys, earlier.

Grant Elliott: Well, I think, the reality is, I mean, you're going to have the people you can get to follow the rule, and let's take a stand here, you know, I've been in management a long time, I used to run a half a billion-dollar portfolio for AT&T, I've ran teams of 300, 400 people, and you don't want to fill a team full of the smartest people in the room. You want to fill a team with people that have goals for the specific job they have at the moment, because if everyone is the smartest person in the room, and everyone was A1, everyone wants to be the boss. Right? And, you need people that just come out every day and say, "This is my job, and this is all I want to do, and I just want to do that job really, really well." You really value those people as much as you possibly can, so it's about finding the right people, not necessarily the smartest people, but find the right people for the role.




John Gilroy: There's hope for me getting a job, then, huh?

Grant Elliott: Yeah. I wouldn't go that far.

John Gilroy: Christen.

Christen Hill: You know, that's pretty much what I experience everyday going to Georgetown. All these smart people in one room. I wanted to ask you, just a general question, what book would you recommend to a startup?

Grant Elliott: Oh, to a startup.

Grant Elliott: That is a good question-

Christen Hill: To learn

John Gilroy: That's good.

Christen Hill: Infinite knowledge.

John Gilroy: It can’t be the Bible. Okay?

Grant Elliott: As John knows, I actually teach an entrepreneurial class at Pratt in New York, so I teach a group of aspiring entrepreneurs and my, I'm going to not now, I'll give you one book in a moment for a different reason, but for me just understanding and learning as much as you can about management theory, I think is important for any startup. There's lots of startup books that are going to teach you lots of things, some are true and some are not true, there's lots of websites that you can read, and I found that reading as much as you can is useful, but to me, the most important skill to learn is basically management theory, if you understand, because I don't think there's anything you're doing in setting up a startup that management theory is 50 years ago, a 100 years ago weren't doing this, you know, there's no such thing as an original story, as they say, it's just a slightly different call on it, and if you understand that.

The book that probably influenced me more, most in my life was a book called, Understanding Organizations, by a British management guru called, Charles Handy, and what inspired me in that book was the fact that organizations have cultures and people of cultures, and the number one thing you want to make sure that you do is understand the organizational culture and how to operate then, and what culture you thrive in, and make sure you can match the two things together. Because not every person thrives in every culture, and you can be more successful if you understand. It took me a lot of time in my 20s to understand that, to understand even if I was being successful in an organization it was a real struggle, it's because the culture of the organization just wasn't a fit for me. So, finding that right culture, I think, to me, is as important as anything else.

John Gilroy: Grant Elliott on management, a new podcast.

Christen Hill: Grant Elliott, king of the north.

John Gilroy: Great job students, and great job, Grant. Now, if you want to get more information about company, what website should they visit?

Grant Elliott: Ostendio.com. That's O-S-T-E-N-D-I-O.com.

John Gilroy: Great. Ostendio.com with an O, that's great.

We're running out of time, here. If you would like show notes, links, or a transcript please visit theoakmontgroupllc.com.

I'll thank our sponsor, The Radiant Group. If you are interested in getting involved in geospatial projects contact The Radiant Group.

We are hosted by Eastern Foundry, a community of government contractors who are bringing innovative solutions to the government marketplace, for more information go to eastern-foundry.com.

If you would like to participate as a student, or a startup, contact me, JohnGilroy@theoakmontgroupllc.com, and thanks for listening to Students vs. Startups.