The following interview is a conversation we had with Austin Ogilvy, Founder of Thoropass, on our podcast Category Visionaries. You can view the full episode here: $98 Million Raised to Power the Future of Continuous Compliance
Austin Ogilvy
Thanks so much. Glad to be here. Not a problem.
Brett
Really looking forward to this conversation. I’d love to just kick off with a quick summary of who you are and a bit more about your background.
Austin Ogilvy
Yeah, sure. So currently running my second startup, which is called Thoroughpass. We are an audit and assurance platform for all things digital. So security and privacy. We help customers get through enterprise security reviews and get audited by the increasingly relied upon set of security and privacy standards like sock two, ISO 27,001. We’re a certified external high trust assessor. We audit PCI. If you’re handling card data, PCI levels one to four, et cetera. So sort of a one stop shop, single pane of glass for all things related to security and privacy compliance.
Brett
And what about that first startup that you started? Can you tell us a bit more about that?
Austin Ogilvy
Yeah, sure. So, to take you back to the early days of my career, I started my career in tech, working for a small business lending startup called Ondeck Capital. Basically, thesis was, can we use applied machine learning and the digital exhaust that small businesses are shelling off to underwrite loans more effectively than pen and paper underwriters at banks have been doing for ages. And a lot of the technology that were building, 2010 to 2013, was when I was out on deck, relied on R and Python in particular. These open source statistical programming languages were coming about and overtaking the quantitative tools from Matlab and a company called SAS. Sort of this renaissance in the data science space.
Austin Ogilvy
A lot of the engineering challenges that we encountered there inspired me and another product manager at Ondeck to start a data science company to help other data science teams overcome a lot of the challenges that we painstakingly had to code our way through at ondeck. So, yeah, my first startup was called yhat, and were a data science platform. We had a bunch of different products, but sort of our flagship product was infrastructure for running very low latency APIs on top of any arbitrary r or python code. The long and the short of it is we built that company from 2013 to 2017, when were acquired by a bigger data science company called Altrix. We spent about a year at Altrix putting the team technology into the byte, train, all the sellers on the acquired product, et cetera.
Austin Ogilvy
And then that sort of segues into thoroughpass for a number of different reasons. Like a lot of our sales motions when were building Wyhat involved very big customers. Intuit, doximity, Stripe, PayPal, Johnson. These types of brands of consequence have very, let’s just say, strict rules about the different vendor technologies that they bring into their tech. You know, when were going to market in the early days of building yhat, it was very different sort of sales motion with small software customers versus those bigger enterprise deals that were closing towards the end, before the acquisition. So like a lot of the compliance checks, security reviews, all of the sort of governance that goes into third party vendor risk management at those big companies were really problematic for us from a go to market perspective.
Austin Ogilvy
So the connection between compliance and sort of the bottom line is fairly obvious. I think to most people, operating your company within compliance is a critical way to behave in the ecosystem in order to protect the company from all kinds of different risks. What’s not obvious to people is the relationship between compliance and the top line, right? If you’re a software company and you don’t take security and privacy controls seriously, not only is that a bad thing to do because it puts the company theoretically in jeopardy, but it also is really damaging to streamlined sales. You just wind up underwater with all kinds of security reviews that don’t go very well, and ultimately that blocks sales. So that was sort of the impetus for starting thermopass.
Brett
I want to also ask about CIA. Lol. Your angel investing website. I was playing around on that today. I thought that was a great domain. Tell us about your angel investing you’ve been doing.
Austin Ogilvy
Sure. So I’m not like a prolific angel investor by any stretch of the imagination, but by virtue of just being a member of the startup community, having raised venture rounds in the past, the types of customers that I work with today, the opportunity to play a small role in another company’s story at the early days is extremely rewarding. So I’ve done some of it. As far as the domain goes, I just got a real kick out of CIA, Lol and had to have it. There’s not much more behind that. But yeah, I like it. Generally, on the matter of angel investing, I think there’s sort of one camp of opinions that say founders ought to be exclusively focused only on their own company and not distracted by angel investing. I come at it from a pretty different lens, actually.
Austin Ogilvy
I think keeping a pulse on trends in different technologies, keeping a pulse on what investor interest looks like in different geographies, different domains, different trends, all of that is extremely beneficial to all kinds of things that you encounter if you make a career in building companies. So not only is it rewarding, hopefully lucrative at some moment, but I think super beneficial. And I recommend to anybody who’s considering getting into it’s been a lot of fun.
Brett
Yeah, I do a lot of angel investing as well, and it is fun. I describe it to friends as like, you get a contact high for founders building these big, massive companies, but at least I don’t have the stress levels that they have as they go out and build and execute on these big, ambitious plans. So I found it to be very fun and very rewarding.
Austin Ogilvy
Yeah, I mean, totally. Startups are super hard, and the sense of community that comes on board is very valuable, I think bi directionally in most instances. Right. We’ve got some great angel investors on our cap table. They have been tremendously helpful along the way. At the end of the day, I sort of feel like most problems in business and technology aren’t really that unique. I think every business has at least some unique technical and business problems, but by and large, pattern recognition is a real thing. And if you can have access to some great ceos and ctos and other founders that have stepped in a variety of potholes, that can be hugely beneficial to avoiding common errors and that kind of thing.
Austin Ogilvy
And then, of course, once you’ve stepped in enough potholes of your own, just like you said, it’s tremendously fulfilling to be able to help others get through those types of problems.
Brett
Absolutely. Let’s switch gears now and let’s dive a bit deeper into the company. So let’s talk about the early days. What were those early days like? And how long did it take until you started to really feel like there was traction and there was a viable business?
Austin Ogilvy
Yeah, sure. So I have two amazing co founders, Sam and Eva. And Sam and I, from a professional perspective, come from actually pretty similar backgrounds. We both went to UVa, though we didn’t know each other at the time. We both were working in New York at different tech companies. Sam, an engineer at Google and Goldman. We both did y combinator with our prior startups in two different batches. We sort of walked these parallel lives and never connected somehow. And after Sam wound down, his last company didn’t work out, which is a whole other story that he could tell you about sometime if you’re interested. And I had sold my company and stayed for the retention period. He was working as an entrepreneur in residence at Bain Capital, where we got introduced through a mutual mentor, Matt Harris, who’s a partner there.
Austin Ogilvy
Just a wonderful guy. And it was like, on first meeting, it was like entrepreneurs love it for sight kind of a situation. Sam and I were pretty certain within the first hour that this is a really strong fit. And I’d been thinking about a bunch of ideas, as had he, and we pretty much landed on digital compliance right away. I mean, we looked at a couple other things that were interested in, but kept coming back to what ultimately would become thoroughPass. It was just like a whole bunch of challenges that we had in our own ways encountered with respect to audits and security reviews, et cetera. And the missing piece was like, sam and I came to be commercially and intellectually interested in this space, but we don’t come from the solution side. Right?
Austin Ogilvy
We care about this set of problems because we ourselves have these problems. Eva, totally different profile. She was managing director at Citigroup for 20 plus years, overseeing cybersecurity governance, third party vendor, risk management. All kinds of digital compliance rolled up under her for essentially half the bank, the institutional side, that whole side of the bank. And she had left city and started a boutique consulting practice, helping startups in a fully analog way, but very much spiritually aligned with what we do at thoroughpass, helping companies become HIPAA compliant, get through sock two audits, et cetera. And Sam got introduced to Eva about a month before he and I met. And everything in life, on some level, comes down to timing. It just was the right moment in time for the three of us to team up. So that was June 2019.
Austin Ogilvy
We wrote the first lines of code, and we raised our seed round. I think it closed in August 2019.
Brett
What were some painful moments, any painful moments in those early days?
Austin Ogilvy
It’s always a slow start. It takes a lot to get a startup to really start to. I will say this is a real first hand learning experience for me to see just how important it is to pick a big market, and ideally, a fast growing market at the right time. And we’ve just gotten quite lucky with good timing. That’s one thing I’ll say. My last company, Winehat took us four years to get to a million and a half or so in ARR, we hit that number in, I don’t know, 1213 months. And then the one to 10 million we achieved in six quarters or something like that. The growth has just been tremendous. So that’s been. Obviously, I feel very grateful for that.
Brett
From a marketing and sales and just a go to market perspective, what have you done to achieve that type of growth? I’m sure any founder that’s listening in wants to be able to answer that question in that way as well, and to be able to say that as well. So what have you done right? And what do you do to rise above all the noise that just exists in this space?
Austin Ogilvy
Well, there’s a lot more noise in the space today than there was. There’s a handful of other companies that are direct competitors that are now out there that have created a lot of noise in the space. But when we first incorporated, we didn’t know about any of those. So we just ran our playbook, we just ran our game, and we’re very focused on serving our customers with the best experience for getting through it audits in a way that we ourselves would want. And there’s a lot to be said about the benefits of not getting distracted by all kinds of shiny objects, including competitors, and over obsession with what others are doing. I think that really played to our favor in a lot of ways.
Austin Ogilvy
One of the big differences, not to get too specific about compliance, but one of the things that we saw very early on, is that, okay, if you’re passively collecting all of the digital exhaust that’s relevant in compliance audits, that’s great. But if you have to export all the data and go talk to a separate cottage industry audit firm, it really defeats the purpose of all of the automation in the first place. And that was an insight that we arrived at day one, essentially. And our whole r and D investment since the very beginning has been calibrated around not just the tools that companies need to collect all of the verifiable compliance data automatically, but also the tools for auditors to take advantage of all of that structured data.
Austin Ogilvy
That was one thing where we had high conviction and weren’t distracted by anything that would push us away from that part of our vision.
Brett
This show is brought to you by Front Lines Media, a podcast production studio that helps B2B founders launch, manage, and grow their own podcast. Now, if you’re a founder, you may be thinking, I don’t have time to host a podcast I’ve got a company to build. Well, that’s exactly what we’ve built our service to do. You show up and host and we handle literally everything else. To set up a call to discuss launching your own podcast, visit Frontlines.io podcast. Now back today’s episode. What about your market category? I think I pulled continuous compliance and audit management from a recent press release, or maybe it was a press release from a year ago. Is that the market category, or what do you think is the market category here? Yeah.
Austin Ogilvy
So we really sit at the intersection of three different markets that each individually would be exciting to any enterprise focused entrepreneur, but together they get really exciting. The first sort of category that we are intersecting is GRC governance, risk and compliance. This is the sort of generation one tool for compliance teams to keep track of their controls, keep track of remediation when there’s a compliance interaction. And these are like very old school. And it would be what the analysts and the compliance team at Citigroup look at when they sit down at their desk in the morning, they see huge category, but it’s very long overdue for a know no APIs. The uis are terrible, et cetera. So that’s sort of category one. Category two is this it audit world.
Austin Ogilvy
So the idea of having a trained professional in security and privacy systematically test your controls every once in a while was sort of born initially from a tradition in finance accounting. Like the idea that you would have a company that never gets their books audited seems ridiculous, hopefully to any reasonable person. Well, the same has become true with respect to our technology. And this is frustrating from a go to market perspective if you’re a SaaS company, but if you’re just wearing your citizen of the world hat. Everything that we care about in life has been digitized. And we should hope and expect that our software providers that we use personally or that we use commercially are going through a proper process of evaluating how secure their operating protocols and systems are every once in a while.
Austin Ogilvy
And that idea is a whole enormous second category that we are participating in, there’s dozens and dozens of different audit standards, and it keeps growing with more coming out. It seems like every month almost. And then the last of the categories is third party vendor risk management. You take a bank like JPMorgan, who led our series B two, three years ago, they have 5000 software vendors. That’s an incredible amount of risk. Maybe not with any one particular vendor, but there’s going to be something problematic that occurs across that large volume vendors, whether it’s a data breach bad acting, going out of business, the whole spectrum. So there’s a whole class of software products oriented around helping due diligence at a bank or at a big company across that bank, or that big company’s collection of software providers.
Austin Ogilvy
So by ingesting all of the digital exhaust that’s relevant in any of these compliance contexts, and then building the tools for auditors and the tools for enterprises to do what they need to do in the context of audits and in the context of vendor due diligence, we sort of unify these three markets and make an even bigger and better version of all three.
Brett
What about your messaging? How have you seen that evolve over the last couple of years?
Austin Ogilvy
That’s a good question. So when we first incorporated, we actually were called Leica, and we have two primary competitors that have very similar sounding names to Leica. And were just finding that it was very difficult for our customers to tell the difference between the three of us, basically. And we did a wholesale rebrand, changed the name of the company, changed the name of all the email addresses and the website and the whole thing, all an entirely new messaging framework, totally different copy. And fair to say that we couldn’t possibly have changed our messaging anymore. It was truly like a reset on the entire brand.
Brett
What was the most painful part of that journey? Rebranding. And when did you do that?
Austin Ogilvy
The most painful part was that we had to do it. I mean, it really does become an it nightmare towards the end. Like, we have whatever 100 or so SaaS products that we ourselves use. Our web application integrates with tons of different APIs. We have APIs that are consumed by other companies, all of that. Everything has to change. All the code has to be rewritten, all the copy, all the one pagers, all the pitch decks, all the everything. It just really does become a very big daunting list that I highly recommend to any founders who may be listening. Get the name of the company right as early as possible and just buy the you’re going to want it and just pay the piper on getting both of those set correctly.
Austin Ogilvy
But yeah, just like the amount of risk, nothing went sideways, like there were no outages. It’s quite amazing given how many balls are in the air when you make a switch like that.
Brett
Yeah, I can imagine. Now, as I mentioned there in the intro, you’ve raised 98 million to date. What have you learned about fundraising throughout this journey?
Austin Ogilvy
The importance of storytelling, I think, is often overlooked, especially when you’re creating a new category or tying together categories that don’t seem to be connected in an obvious way, going out of your way, to be clear, in your verbal messaging, your written messaging, things like original art and creative to describe concepts that are really important for people to get. I think leaning into design and thoughtful storytelling, you can get a lot of leverage out of that. Another one is like, it could be easy to accidentally run two or more parallel fundraising processes if you’re not careful. Basically, you want one process that any number of investors can be a part of. What you don’t want is to talk to five investors and have five different sets of due diligence materials and five totally different timelines.
Austin Ogilvy
Fortunately, we’ve been pretty good about that in each of the four rounds that we’ve done. But definitely, I’m acutely aware now just how much of a drag on time resources, just like intellectual allocation of brain space if you’re not careful to keep one, and just one process.
Brett
On the topic of storytelling, if a founder is not a good storyteller, what do you recommend they do? Are there any resources that you found very helpful there?
Austin Ogilvy
I think, honestly, angel investors and customers are like two really good mirrors or sounding boards that you can get a lot of leverage from. Like if you excite a customer, you should be writing down why they are excited and how they express that excitement. And in the case of investors, if you’re talking to other ceos and other ctos who are excited about your business, if yourself have doubts about your own storytelling ability, lean into the fact that others are out there, that you’re getting these people excited. What is it about those individual investors that gets them energized? And be thoughtful in debriefing those conversations. And you can do a lot more with respect to creative storytelling than I think most appreciate.
Brett
Let’s imagine that you were starting again today from scratch. Based on everything you’ve learned so far, what would be the number one piece of advice you’d give yourself?
Austin Ogilvy
Definitely get the name of the company right. The rebrand took ten months, and then a lot of money that would be one. Another would be in general like brand building. It takes a really long time and the investment being made day one to go deep on brand. I think we didn’t take quite as seriously in the beginning as we would later learn we would have preferred. In retrospect, our best converting inbound marketing resources are long tail content and long term brand related stuff. Awareness has been a huge thing for us in being discoverable by customers. That kind of stuff you just don’t get there overnight. And so I think there’s an important capital allocation question even very early that we should have taken seriously and that probably other B, two B SaaS companies ought to take more seriously as well.
Brett
Final question for you. Let’s zoom out three to five years into the future. What’s the big picture vision that you’re.
Austin Ogilvy
Building this single pane of glass where all software companies come to manage their it audits across any of these standards? The idea that we’re like mapping the entire digital compliance landscape implies some really interesting future products that we can bring to market for all kinds of stakeholders, from enterprises to regulators to software companies who are increasingly diligencing one another. Right. If Slack is selling or buying something from another software company, they’re now engaging in these kinds of third party vendor risk management problems. That map is the destiny of, you know, three to five. Like, we want to occupy the lion’s share of SaaS companies across the entire problem space.
Brett
Amazing. Love the vision. All right, Austin, we are up on time, so we’re going to have to wrap here before we do, if there’s any founders that are listening in that want to follow along with your journey, where do they go?
Austin Ogilvy
So the company is thoroughpass.com thoropass.com. I’m austin@thoropass.com. And you can find me on LinkedIn Austinoglevy and on Twitter at austinoglevy.
Brett
Amazing. Austin, thanks so much for taking the time.
Austin Ogilvy
Thank you. It’s a pleasure.
Brett
All right, keep in touch. This episode of Category Visionaries is brought to you by Front Lines Media, Silicon Valley’s leading podcast production studio. If you’re a B2B founder looking for help launching and growing your own podcast, visit Frontlines.io – podcast. And for the latest episode, search for category visionaries on your podcast platform of choice. Thanks for listening, and we’ll catch you on the next episode.
Twitter
facebook
linkedin