Students vs Startups Ep 38: How to Get Through the Federal Compliance Process


Featuring GovReady

Read Time: 15 minutes

Welcome to Episode 38 of Students vs. Startups. This week, moderator John Gilroy talks with the founder of GovReady, Greg Elin. Greg is on a mission to do for compliance what tax preparation software did for filing taxes. Listen below to hear how GovReady is helping

 [audio src="https://easternfoundry.files.wordpress.com/2017/09/students_vs_startups_podcast_episode_38-final.mp3"][/audio]

If you would like to get weekly updates sent straight to your phone, you can subscribe below on iTunes!



John: Welcome to Students versus Startups: Showdown at the Potomac. My name is John Gilroy, I'll be your moderator today. Believe it or not, big show number 38. Round of applause. All right, I survived 38 shows. No policemen in the lobby, Greg didn't get dragged out of here, so we're doing something right.

If you've listened to this podcast before, you know what we're all about. We're here in Rosslyn, Virginia. We kinda took over a room at Eastern Foundry, a conference room. We have a table! Three students on one side of the table, startup on the other. We have a 26-minute conversation, then we all walk out of here friends. Mostly. More or less.

Let me introduce my students for this episode. To my left, your right, we have Peter Pilawa. Tell us about your background, please, Peter.

Peter: Yeah, I'm Peter Pilawa. I'm in the Tech Management program. I work in the automotive business, and I thoroughly enjoy the show and having some very tough questions for you, Greg.

Greg: Yeah.

John: It's a Georgetown School for Continuing Studies and it's a Technology Management Master's degree. We have graduate students here, and most of these people collect Master's degrees. You're at two or three, now, Peter?

Peter: Yeah, I'm at three.

John: At three, yeah. Three and counting.

Greg: I'm going to ask you some questions back.

John: Good, good, good, good, good, good, good.

Our next student is Rahul. Your background, please, Rahul.

Rahul: Hi. Rahul, also in the Tech Management program at Georgetown. Really enjoying the program. Look forward to having dialogue, here today, and learning more about your business.

John: Little bit of finance background for Rahul. He may ask more money questions than strategy questions.

And our third student is Maura Imparato, who graduated from this program. She does have that letter after her name. A bunch of letters, huh?

Maura: That's right, and I've been faculty at Georgetown, as well. I'm working on a Doctorate in neuroscience, and I'm doing website projects. I've been consulting since 2009.

John: All kinds of fun. Those are our students, and our startup is Greg Elin, and he has a company called GovReady, which could mean many things to many different people, but I'll let you describe the company. What does GovReady do, please?

Greg: GovReady makes it easier for small businesses and government contractors to get innovative technology used by government. We provide tools that make it easier to go through the cyber security compliance process. A really easy way to think about it is that we want to do for compliance what tax preparation software did for filing taxes.

John: Mm, interesting. And you have a pretty good background on that. You've a strong education background at really good schools, you've worked for-

Greg: Yes.

John: ... private companies, you've worked for the Federal Government, you were the first Chief Data Officer of the FCC.

Greg: That's correct.

John: You've been around, you've been in the rodeo a few times, huh?

Greg: I have. Yes I have.

John: Real good background to start a company like this, and people are going to wonder, "Why in the heck would you start a company like this when you have this strong background?" But I'll let the students ask that.

So, I'll ask my question. Sitting in the Metro, I turn to you and go, "Well, tell me, Greg, what business problem does GovReady solve?"

Greg: Well, we really solve two business problems. For small businesses and for especially smaller IT organizations, government contractors, we make it much easier for them to get the government to use their software by lowering the barriers to cyber security compliance. We make it much easier for them to go through the cyber security process. For government agencies and larger organizations, what we're really doing is we are creating tools so that they can reduce the pain and cost associated with the compliance process.

[Photo: Greg Elin, Founder of GovReady]

John: Peter, I'm going to start with you. Pain and compliance. Kinda go together, don't they? It's like peanut butter and jelly. Pain and compliance.

Peter: When I read your profile, one of the first things that came in my head was, "Okay, compliance is incredibly difficult, complicated, and changes a lot." That's my fair assumption, here. How do you and your team, or your army of people, I don't know how that works, you can explain that to me, stay on top of this?

Greg: Well, the first thing that we do is we take a very particular perspective on what compliance is. A lot of people look at compliance as an aspect of security, but then you'll talk to other people and people will tell you that compliance is not security. We have embraced the notion that compliance is not security, so then that begs the question, "Well, what is compliance?" And our answer to that is compliance is really what we as human beings do when we want to trust very complex systems. Right?

If we think about the building that we're in, in this room, how do we know that this building isn't going to fall down? Why do we trust this building? As individuals, there's no way for us to individually check that this building is sound. Even if we knew how to do that, we wouldn't be able to rip open the walls and see it. So, human beings come back to this notion of compliance in which you scale the process of attestation and verification. You have people attest to various things, you have other people check and verify that they're doing it, and that that's embedded very deeply in the supply chain.

We don't look at it so much of, "My gosh, how do we manage all of these complex controls," et cetera, we look at it as a process of scale. How do you make it easier for people to attest and verify to various facts, whether you're doing that for a few facts or you're doing that for hundreds of facts.

The first thing that we do, we adopt that perspective where we look at the problem through that lens of scaling attestation and verification. And then I'll just add very quickly is my background is really in data, my team's background is really in data, so we also look at this as a data management problem, not a problem of cyber security.

John: Rahul, want to jump in?

Rahul: That was interesting. How do you enable small businesses to use the platform and what is the objective function for the small business to, in using the platform, to get government contracts ultimately? What is the process that you qualify a small business in getting them ready for compliance? Maybe you can just ... The workflow, at a very high level.

[Photo: Rahul]

Greg: Well, I would say that we're still pretty new and we're trying to figure this out. Right? We're trying to make compliance easier, we're trying to figure out how to deliver it, so I think that we're still figuring out a lot of the specifics. We're really just kind of getting to product market fit in many ways. Our expectation is to be able to serve many small businesses.

I would say right now, the problem that the small business faces is that they just have something akin to the 'Game of Thrones' icewall that they have to go over if they want to do business with the Federal Government. Not only do they have to figure out the sales process and figure out all of that, they also have to demonstrate that their software is compliant, and they have no idea what that means, and they have no starting place to figure out that what means.

What we want to do is provide them with the starting point to guide them through it, and the way that we're doing that is instead of trying to teach them compliance, what we're doing is we are, in advance, taking the compliance frameworks and we are adopting them and mapping them to different technology frameworks. So, if you're using a particular technology framework, the idea is that you can come to us, say that, "This is the type of technology that I'm building," and we'd be able to say, "Oh, you're doing mail servers," or, "You're doing Windows networks," or, "You're doing websites. These are the components that you need, these are the processes that you need to follow in order to be compliant, and you don't have to worry about learning all of the jargon or becoming an expert in compliance in order to make it through the hoop."

John: To Maura, TurboTax for Compliance. Is that what you hear here?

Maura: It makes it sound so simple, but I have a little experience with this, with a VA contractor, and it took so incredibly long. I'm wondering, how do you charge these companies? Do they know that they're going to be compliant at the end of your process and how can they trust you? Are you asking for all of your money up front and then running?

John: The John Dillinger approach.

Greg: We run with them and we walk them through the process.

Maura: Beautiful.

Greg: Well, I think all of us were really ... For all of us who are at a certain age who did our taxes when you'd get a form that you didn't understand, and a big instruction booklet that you didn't understand, and you tried to figure it out. When TurboTax and other software packages came along, they just asked you questions about yourself, what you were doing, and you'd answer the questions and they'd translate those questions into what it meant for the forms. We do have very much the same vision.

In terms of the price model, what we're aiming for is an inexpensive subscription where we can't really guarantee that you will be compliant any more than TurboTax can guarantee that you did your taxes correctly. But what they can do is say, "We've asked you the right questions, we've verified the answers, and we're willing to go with you if you get into trouble," right? "And we will back that up."

[Photo: Greg Elin, Founder of GovReady]

We are imagining a couple of different subscription models, ranging from you can sign up for an entire year and we'll help you organize your systems and we'll do that, and something we're going to try this fall is actually a 45 day compliance accelerator, where people can come in and we will actually help them in 45 days kind of organize all of their paperwork, organize all of their material, and get them significantly through the process of compliance.

John: Well, Greg, I'm going to ask ...

John: ... the 500 pound elephant question in the room. We're sitting in the offices of Eastern Foundry and there are a hundred different startups in this floor, here, and it seems like you could just go door to door and just tell them about your services and they'll be knocking on your door. I mean, this is a good place for you to be, the Eastern Foundry, isn't it?

Greg: It's a great place for us to be, because, and I think one of the reasons that it was started, and that the founders of Eastern Foundry found us ... Oh, my gosh. That's ...

John: Found founded found.

Greg: Was because we all recognize that, especially if you're a small business, there are these incredible hurdles to do business with the Federal Government, and that as a community we can address those hurdles together.

Now, as was mentioned earlier, nobody has really done what we're trying to do. There are a lot of tools in what's known as the Governance Risk and Compliance Marketplace, but most of these tools really just kind of are repositories for your paperwork, and your artifacts, and all of that, but they don't guide you through the process. Right? And we're working on guiding people through the process. So, being at Eastern Foundry is a terrific place for us to find resources and to also partner with companies, and we hope to be a service provider to Eastern Foundry members. Having said that, for the past, really, two years, we've been working very much on the software itself.

In January 2016, we received a fairly substantial contract from the Department of Homeland Security Science and Technologies, which was to research and develop and create a prototype of software that made it easier to go through the compliance process.

John: Ah hah.

Greg: And so we started that. We really started working on this software in 2016, and have been building it out. I would say, this spring, we had a major insight and breakthrough, and now we're really starting to find a product market fit. And so I mentioned the compliance accelerator that we're doing, we're doing that initially with Eastern Foundry members, and we're, in fact, having our first meeting about that-

John: Makes sense.

Greg: ... in a couple of weeks.

John: Wow. Okay.

Greg: We're looking to really getting started with EF members.

John: Peter, you're familiar with GRC and the commercial role, everyone knows that term. What do you think of this idea?

Peter: I think the idea is fantastic. What is really-

Greg: Could you say that again? I'm sorry, I didn't ...

Peter: Okay. The idea is fantastic. There you go. Was there a pivotal moment in your career, in your life, that actually was the trigger for, say, "Okay, I need to do this"? What-

John: Yeah, he had a nice job. I mean, he had a great job.

Peter: I mean, why did you leave your previous job?

[Photo: Peter]

Greg: I had a great job. I had a great job as one of the first Chief Data Officers in the Federal Government and the Federal Communications Commission, and as you all probably know, data is a growth industry. Right? CDOs have popped up, so it was a very exciting opportunity, very cool. I'd been doing data, my background is actually in software and in databases for many years, so it was a great job. When you ask why I did it, I would really say that the story that I tell is I couldn't do my job well as the Chief Data Officer, because cyber security compliance was the primary constraint on how fast we moved as an agency.

If every IT system has to go through the cyber security compliance process, and every piece of software that you want to bring in has to go through the compliance process, and you can only get four or six of those things through the process every year, then that-

John: Handcuffs you.

Peter: Yeah.

Rahul: Handcuffs, yeah.

Greg: ... becomes, literally, the primary constraint of the pace of innovation for the entire agency. And there are numerous circumstances in which you can see the government is three to five years behind where the state of the art is as technology, and my belief is that we are three to five years behind in government, because of the compliance bottleneck. Right?

If you are an innovative company doing something that's really interesting, even if you have $10 or $20 million dollars of VC startup fund, you're trying to get customers. And if you're told that doing business with the government is going to be a two or three year process before you get your first deal, you say, "I'll come back to that market in a couple of years. That's not my first market." And that means, as a person who was working inside of government and wanting to innovate, I couldn't use that technology.

That was kind of the general case and I think there were two things that happened. The first story that I like to tell is that I found this great piece of open software that I wanted to use, and I walked into my CIO's office, friendly guy, and I walked in and said, "Okay, I'm an earnest guy, how do I make this secure and compliant so that I can use it?" Right?

And now, do you think that he told me, A: "Well, we have an app for that, Greg, and I'm going to help you."

John: We have an app for that.

Greg: B: "Hey, I'll have security get started helping you."

C: "We've got a SharePoint site."

Or did he say, D: "Go read the NIST Special Publication 800-50 PDF."

John: Put you right to sleep.

Greg: Right. So, here is the CIO, who's the head of technology at the agency, telling me to go read a 461 page document for supposedly one of the most important things we're supposed to be doing. That just seemed to represent a significant problem.

Now, there's another thing that happened, which I think is pretty fundamental, which is DevOps. Right? For people who don't really know DevOps, it's kind of a cultural movement of getting Dev and Ops to work together in maintaining systems, but underpinning DevOps is this notion of infrastructure as code. It's the notion of virtualization that comes with the cloud. What we really get from that is the ability to program our infrastructure. If you're familiar with DevOps, or you're familiar with the idea of a continuous integration and continuous delivery pipeline, this represents a fundamental shift, because what it means is if I, as a developer, or my team figures out how to make something secure, if we figure out the right combination of all the controls, we can do it over and over again without having to manually repeat the process.

And what it also means is that if developers want to take advantage of the speed that they get from the continuous deployment that you get through DevOps, you have to invest in automatic testing. Right? You can only do the continuous development and deployment if you have automated unit tests and integration tests, et cetera, which means developers have bought into the notion of writing automated tests, which means that security and compliance paperwork can be just another test that's in the CI/CD pipeline.

We have a driver of a significant problem that's affecting my job, and then we have a shift in the marketplace itself where developers are suddenly interested in writing tests, and you can piggyback on top of it, and you suddenly have the technology, so that many of these things which we've just been doing repetitively, manually, suddenly we have a framework for doing them continuously, automatically.

John: Maura, can you hear the emotion in the voice, there? It's like, "Hey, he found the promised land!"

Greg: It's kind of a long description, but I do think it can fix ... It is-

John: No, but I ...

Maura: It is long. I actually ... I'm wondering if you need to hire a geek to human translator. I know somebody.

[Photo: Maura]

John: So, in my world, the developers are the software developers, and the operations people are usually locked inside a server room, and they hated each other. The developers would walk up underneath and beg for a server, and they'd say, "Call me in two months."

Maura: And they'd say, "Yeah." Right?

John: And so what DevOps is it puts them both together and says, "Hey, you're on the same team, here, boys and girls."

Maura: One's a cowboy, the other one is protecting the security around their server.

John: So they don't want to ...?

Greg: I think that that's true, but it's also worth noting I don't think that DevOps would have happened if it hadn't been for virtualization and infrastructure as code, because the infrastructure of code suddenly made operation look like development to developers. And to operations people, it suddenly made development look like operations. There was suddenly a common language that the developers and the system operators could talk about once you have tools like Chef, and Puppet, and these things appearing. Because before, they were very different cultures.

John: Yeah. I've got to translate for some of the listeners, here. In the open source world, there's ways to do continuous testing and Chef is one way to do continuous testing, and so is Puppet. They really get excited about these type of topics.

Maura, you have a question for us, please.

Maura: Uh, no. I was falling asleep, there.

John: Chef and Puppet.

Maura: Actually, as far as the geek to human translator, I was serious. There are technical writers and people who are good at translating business requirements, for instance. You said that you were explaining FISMA, compliance, those kinds of things to startup owners. So, are you looking for somebody who can personify your business, make it more understandable for the startups who aren't familiar with government compliance?

Greg: I would have to say we're very interested in translating compliance to the way that the businesses operate and the things that they know, and we are actually less interested in teaching them compliance, other than kind of some core concepts. I think the way compliance is done now is you have to become an expert before you can do it. And-

Maura: Sounds painful.

Greg: And it's very painful, and you can see it in various ways. I think if you walked into any organization that was dealing with the compliance process and you said that you, yourself, had that experience-

Maura: True.

Greg: ... you would find only one or two people who were engaged in the process. Correct?

Maura: That's exactly what was happening. We had the genius, and the person who listened to the genius all the time, junior genius.

Greg: Right. And I-

Maura: They talked about it constantly. Yeah.

Greg: ... and I think often, whenever you see just one or two people dealing with it, what it says is that everyone else in the organization has decided that that is a minefield, or a toxic dump, and they want nothing to do with it. And you have to look at that and say, "If nobody wants to do it, maybe there's a problem. Maybe there's another way to look at it."

I think, obviously, there's some explanation. I obviously spent some time explaining it. But I think in general, other than me saying the 800-53 once, I haven't mentioned a single control or anything about compliance, in terms of what a typical-

[Photo: Greg Elin, Founder of GovReady]

John: There's over 400.

Greg: That's right. What a typical compliance expert might do is they would come in and they would describe this process and what you need to do, and I think that we try not to do that. We've gotten feedback from many people, and you said it yourself, we've gotten feedback from people in which, when they look up compliance online, they're asleep by the end of the first paragraph.

Maura: I apologize, but I just had to speak up for the little guys.

Greg: That's right. But I think that that's the problem is we're not gonna be successful scaling cyber security out to the number of products that are going to have software inside of them if everybody falls asleep after the first paragraph describing the process.

John: Peter, jump in for a last question, please.

Peter: We talked a little bit about geniuses. My question for you is who are the geniuses on your team and why?

John: Ah.

Greg: Who are the geniuses on my team and why?

John: I hope they're listening, by the way.

Greg: I would say that one of our geniuses ... I don't know if I want to ... I'm not sure if I should ...

John: Name names! You're gonna name names!

Greg: One of our geniuses is Doctor Joshua Tauberer, the genius behind GovTrack.us, who has a PhD in linguistics. Right? And is also pretty amazing with databases, and was one of the first people to kind of take Congressional data and make it consumable, both by the general public and other parties.

John: Rahul, jump in.

Rahul: Two quick questions. I get it. Timing is great and network function virtualization is coming. You can automate a lot of stuff. How do you get the government to consume this is the question. If they're three to five years behind, how many people in government are like you? Right?

Greg: No, that's a good question. Right. Right.

Rahul: How do you-

Greg: If the government is reluctant to adopt new technologies, how do we, a new technology, get adopted by-

Rahul: That's right.

Greg: ... government?

Rahul: And then would you expedite that by creating a certification process kind of like the Apple store, right? I mean ...

Greg: And so I think-

Rahul: Just at a high level.

Greg: Yes, right, right. At a high level, I would say the best way to be adopted by government is to be backward compatible with government processes, not asking government to change. The burden-

Rahul: Do you feel that then the operational-

Greg: ... the burden is upon us, that even though we want to create a different way of doing compliance, we think that compliance is going to change in the future, we have to produce the artifacts and the other things that match the existing processes and roles that government has, so it's not a dramatic change for them.

I think we do that, and we do it by doing a really good job. Right? But the second question is, yes. I think part of our model is the idea of creating compliance apps, and the apps kind of guide you through the process. And because they're individual apps, we think that that will scale better than having a kind of single monolithic piece of software and will give us flexibility. And we do see in the future that those apps themselves, first we do them, then vendors start to do them, and then there becomes some type of certification process associated with the apps themselves as they get smarter and more powerful.

I think that the Apple store is a great example of an organization that has a type of compliance, that they're able to take things through in weeks rather than years.

Rahul: That's right. So, the machine learning will happen on your end?

[Photo: Peter, Rahul, Maura]

Greg: Yes.

Rahul: When you're processing the different apps and then ... Okay. That's interesting.

Greg: Yes. More and more.

John: Great job, students.

Rahul: That's interesting.

Greg: Thank you.

John: Great job, startup. If someone wants more information about your company, Greg, where should they go?

Greg: They should go to govready.com-

John: That's awful easy.

Greg: ... and they can learn about what we're doing and reach us. And our software, because it was funded by DHS, it's open source, so we're also on GitHub. A real easy way to start with us is with Docker, for the techs in the audience, and you can learn all about us.

Thank you very much for having me.

John: We're running out of time, here. If you would like show notes, links, or a transcript, you can visit theoakmontgroupllc.com.

I'd like to thank our sponsor, The Radiant Group. If you are interested in getting involved in geospatial projects, contact The Radiant Group.

We are hosted by Eastern Foundry, a community of government contractors who are bringing innovative solutions to the government marketplace. For more information, go to eastern-foundry.com.

If you would like to participate as a student or a startup, contact me, johngilroy@theoakmontgroupllc.com.

Thanks for listening to Students versus Startups: Showdown on the Potomac.