The following interview is a conversation we had with Craig Unger, CEO and founder of Hyperproof, on our podcast Category Visionaries. You can view the full episode here: Over $22 Million Raised to Pioneer the Compliance Operations category
Craig Unger
You’re very welcome, Brett.
Brett
So, to kick things off, could we just start with a quick summary of who you are and maybe just a bit more about your background?
Craig Unger
Yeah. So I mean, again, Craig Unger, I’m the CEO and founder of Hyperproof, but I’ve been in the tech industry for about 31 years, or actually 32, originally from New York, went to Microsoft right out of school. So I spent about 21 years there working on everything from Pivot Tables. I was the designer for Pivot Tables, a product manager way back in the day in Excel. I was the GM for Microsoft Access for about five years. I used to lead the Dynamics CRM team, which is the Microsoft version of salesforce.com and a number of other things there. And then I did a startup afterwards, which was in the low code and integration space, a little bit like a Tray or Workato. And we built that as a Techstars company, raised a seed round there, Series A and a really nice Series B, and then we sold that company to Okta.
Craig Unger
The name of the company was Azuqua. And as of five years ago, since five years ago, I’ve been working on Hyperproof, which is my second startup.
Brett
Now take us back to the early nineties. I see you joined Microsoft in 1991. That must have been a fascinating time to be part of the company. What was it like?
Craig Unger
Well, it was an Indian sized company at that time. I mean, there were probably 14, 15 products, so I happened to study computer science and math. So they said, hey, you’d probably be good on Excel. So they put me on Excel. But there weren’t that many products like things like Exchange hadn’t come out at that time. NT, Windows NT, I mean, just a bunch of the products we take for granted now just hadn’t come out. Visual Basic hadn’t come out. And yeah, so it was just a much smaller organization, but very fast growing and there was definitely a feeling that we were changing the world.
Brett
And a couple of other questions we like to ask really just to better understand what makes you tick as a founder. First one is what founder or CEO do you admire the most and what do you admire about them?
Craig Unger
Well, I don’t have a specific one in kind of the small to medium size. What I really tend to admire are the founders as a class who take a lot of risk, in the sense that I’m a two time founder, but I worked for a long time in big tech, and so I had a cushion, and I wasn’t loading my credit card bills when it came time to start Azuqua and then start Hyperproof. So I’m always taken aback and very respectful of the folks who really put it all on the line. And I think those are really the true entrepreneurs. So that’s who I respect.
Brett
And what about books that have had a major impact on you? And the way we like to frame this is we call it a Quake book and we stole that phrase from someone else, but it’s defined as a book that really just rocks your worldview and changes how you think about the world. Do any Quake books come to mind?
Craig Unger
Well, I assume you mean beyond business books. I mean, there were some interesting business books I read, but other than that I’m just saying going back no, I would say maybe, I don’t know, maybe The Scarlet Letter. I don’t know. That was a really interesting book that I had read back when I was in high school, and I think it just kind of introduced a lot of topics that I wasn’t really kind of familiar with at the time. And I ended up really liking it. And it ended up being kind of an interesting part of how I got into college, because I ended up talking about it on my college essays. But I would say just that nice.
Brett
Well, let’s switch gears here and let’s dive a bit deeper into Hyperproof. So can you just paint a picture for us at a high level what the product does?
Craig Unger
Yeah, Hyperproof is a system for keeping compliant inside your organization. And so it’s really built as kind of an enterprise application that comes with a methodology associated with it. So in that methodology we call compliance operations. And so the basic gist of it is that Hyperproof allows you to set up all of your processes, your controls frameworks that you need to keep compliant with and really gives you a view of that during the entire year. So for instance, it allows you to make sure that all of your controls are having the most up to date evidence there. You can write tests for them, you can actually set up collaboration groups on them, set policies. And so it’s really a different, this ComOps approach is really a different approach than others have taken. Others tend to be a little bit more audit based, which is how do we pass an audit.
Craig Unger
And from our perspective, that checkbox approach to an audit doesn’t really secure you or benefit a company or your stakeholders. So we have a different approach which is really more about this compliance operations, which tends to keep you in a more continuous compliance mode.
Brett
And what’s your category then? Is it compliance operations or how do you think about category?
Craig Unger
Yeah, I mean we like to think we’re pioneering this compliance operations category, but of course everybody that follows us, whether it’s analysts or G2, they put us in either GRC, Governance, Risk and Compliance, or Information Risk Management, which is IRM. So those are a couple of categories that we play in.
Brett
And are you making a big push to change that narrative with the analyst firms? And do you want to have this become a category or are you okay with taking a disruptor position in those established categories that you mentioned?
Craig Unger
I think our goal is to create a new category, a different way of thinking about it. At the end of the day, I think people will end up looking at it as an evolution of what previously before was GRC. We don’t really love the GRC moniker logo. We don’t really think GRC in the you know, the analysts also have to fit our product into categories that they understand or occasionally they create new ones. Like the IRM category I discussed was created fairly recently. So at the end of the day we’re okay if it evolves out of that category. But of course our vision is to change how things are done.
Brett
And how much effort are you putting into things like analyst relations right now?
Craig Unger
Yeah, analyst relations, we put a little effort in. It’s a little tough when you’re small because a lot of that tends to be more pay for play where you end up buying a subscription to the analyst reports and then you end up getting coverage that way. And we’re obviously trying to be pretty fiscally conservative, so we’re careful there. What we tend to do with our analyst dollars instead is go to events because some of the events for B2B could be super helpful. I mean, I’ll call out the Gartner Conference, we go there, it’s actually real helpful. And then we also end up I think when you’re a smaller company, it’s more beneficial to build relationships with smaller analysts, folks who work individually, they tend to have more unique viewpoints and they can kind of bring you into more unique situations. So we have a few of those relationships as well.
Brett
And take me back to August 2018 when you were first launching the company. What were those early conversations like with your colleagues and what was it about this problem that made you say, yep, that’s it, I’m going to go back in again and build a company for this?
Craig Unger
Well, one of the roles I had when I was at Microsoft, Brett, was I used to lead all of our authentication systems. So with the Microsoft IDs to be called Microsoft Passport, and that’s the authentication service behind all of Xbox and Office 365. And all of the online services. And as part of that group we also built all of the commerce systems. So think of it as an internal Stripe. And I did that role for seven years. Well, at one point, and this is kind of a public story, the government FTC came in and said they took exception to some of the claims our marketing team made about our services being secure. They didn’t like usage of that word and they ended up asking us to put ourselves on a pretty strict audit regime or they were going to take us to court to fix the underlying process that would have us make such a claim.
Craig Unger
So we ended up opting instead of going to court to have this every two year very deep audit on our services. And the fines were really punitive, about a million dollars user a day. We had 100 million unique users a month at the time in our services. So at that point I had to do these really very deep audits, very little tooling help or infrastructure and of course I was really just a product person at that time. I didn’t know anything about compliance and so it was a very scary time for me because one error could really be very impactful to the company. So I saw the problems that were rolled up and trying to prepare these audits and trying to have visibility ahead of time and just really being able to give people who are really trying to do very good work. For the company to give them the tooling that they need to do the best job instead of having them always on their back, on their heels.
Craig Unger
So I saw that, and then I also saw kind of a mini version of the same problem. When I was doing my first startup, where we had to do a lot of compliance for our larger customers, we had GE the IMF as customers and they wanted us to do more compliance as well. And still was doing it out of spreadsheets and sticking files up on file shares and lots of email. And, you know, there’s got to be a better way. Every workload at some point when it becomes important, serious and very high value will evolve out of a spreadsheet. And so I thought the world was ready for a new class of application that would really treat this particular workload as a first class citizen.
Brett
And just to understand the scale that you’re operating at today, are there any metrics or numbers that you can share that highlight some of that growth and traction that you’re seeing?
Craig Unger
Yeah, I mean we’ve been growing at least two x a know for a number of years. I won’t share tech revenue numbers, but hundreds of customers, dozens of partners, great kind of CSAT folks, love the product. We’re doing a significant amount of expansion in our customer base every year. So we entered on this kind of can we do the kind of triple, double, double type of idea. And we’ve been pretty much sticking to that. So it’s been great. It’s been fast paced, it’s been challenging, but the numbers are there.
Brett
And if you think back to 2018, given where you are today, would you have thought that you’d be further ahead, further behind, or exactly where you are right now?
Craig Unger
I was telling somebody about that recently. I think the easiest way to describe it, I can’t say whether it would be ahead or behind, but I could say if somebody put a button in front of me and said, push this button, then here’s where you’ll be 2023, I’d push the button 100% of the time. And meaning I think there’s a much greater likelihood of a poor outcome than a better outcome than we’ve had. So I’m pretty happy overall.
Brett
This show is brought to you by Front Lines Media, a podcast production studio that helps B2B founders launch, manage, and grow their own podcast. Now, if you’re a founder, you may be thinking, I don’t have time to host a podcast, I’ve got a company to build. Well, that’s exactly what we built our service to do. You show up and host and we handle literally everything else. To set up a call to discuss launching your own podcast, visit frontlines.io podcast. Now, back to today’s episode. And looking through the website, there’s some pretty incredible benefits there that you mentioned. So 70% increase in productivity, 90% increase in compliance visibility, three X faster adding new frameworks, those just seem like a no brainer. So what do you think is holding you back from having ten X more customers?
Craig Unger
Well, to some degree, these types of products that are doing audits and compliance, even if they were doing them in a different way than Hyperproof, they’ve been around for a while, so you can ask the same question about them even if they weren’t as good, let’s say, as Hyperproof. And I think a big part of it is, if you look historically, there just hasn’t been as much activity way back in the past on behalf of regulatory agencies, et cetera. One of the reasons I actually started the company was the Facebook Cambridge Analytica, that whole debacle that happened back in 2018. And I’m like, look, the more tech that comes out, the more threat there is to our personal information, security, et cetera. This is just going to spiral. And since that time, the number of compliance frameworks and regulatory agencies that are kind of issuing guidance has grown much faster than I would have expected when I started the company.
Craig Unger
So I think the big thing that is really causing the growth now is just how much information we’re sharing, how much data is on the web, and doubling every, whatever, 18 months or so. Of course, you can put in a lot of things like blockchain and bitcoin and of course, more recently AI and all the large language models and some of those pieces, and you just look at it and say there’s more and more opportunity in just cloud digital web. And there’s also more and more of that scary. And so one of the reasons I got into it was to help organizations protect themselves and their stakeholders and have that waterfall down to us as consumers and individuals and say, well, when we consume products, digital or not, from these companies, we want to feel more trusting of it. And the company tagline is bringing trust to life, right?
Craig Unger
So that’s the vessel that we look at, all of our innovation, it’s not just compliance or risk, but it’s bringing trust to life. But back to your original question, it’s just really about how much digital product data and how much activity there is in governments across the world.
Brett
And when it comes to the actual end customer that you’re marketing to and typically speaking to, who is that? Is that like head of compliance? Is it head of cybersecurity? What’s that job title that you’re typically targeting?
Craig Unger
About 75, 80% of the time, Brett, we sell into the CISO, so we might start with the CISO and they’ll route to the compliance manager or chief compliance officer or somebody with a compliance title. It could start in organizations that don’t have dedicated compliance but still need to do it. There are plenty of smaller organizations like that. It could be like a security, somebody with a security analyst type of title. But the key thing is it tends to be in the CISO office. A lot of compliance used to be done out of legal. We have some customers that are also in the legal department, but a lot of the tech compliance has migrated away over to the CISO team. And then occasionally also well, not occasionally, but more than occasionally, but some part of the time it’s engineering groups who have to prepare their own controls and they’re the ones who are being looked at to see if they’re compliant.
Brett
And what are you doing to rise above that noise and connect with, let’s just focus on CISOs there. I’ve been to Black Hat and just everywhere you look there was just noise. Everyone was saying the same thing. Everyone’s trying to capture the attention of CISOs. What are you doing to rise above all that noise and really capture their attention?
Craig Unger
Well, some of it is what we’re doing and some of it is the kind of solution that we offer. If you think about it inside an organization, Brett, there’s going to be a number, I mean, many point solutions for security, dozens and dozens. And the argument and the mode of selling those and the argument that gets to be made there is one of saying, hey, the more the merrier, the more tools I buy, the better, right? I’m just more secure, right? But that’s not the case with compliance. Compliance ends up being the opposite side of the coin of security. You might have 50 security tools but the data that you collect from them that proves that you’re doing what you need to do. And by the way, increasingly from the SEC, they’re asking organizations not just to disclose their breaches, but to disclose what they’re doing to prevent them, which would include security, but also all of their compliance work.
Craig Unger
So you’re really going to have one of those. And so picking the right platform to do that, one that actually is very extensible, one that actually works the way your organization works and puts the workload in the tools that they already use to do their work is actually really crucial to holding the security fabric of your organization together. So I mean that’s one aspect to it is this kind of bleed over between security and compliance and making sure you have the right platform. The other piece of it is also that generally if you look at why compliance activities are done, it’s to reduce risk. And so I think this idea of really connecting with the organization at a higher level around how can these kind of activities be more than just checkbox but really affect your risk and really kind of give you those views in a live way I think is another key piece of it.
Craig Unger
So I think those are some of the ways that we like to think that we can kind of stay above the noise of any single point solution and really look at it as a much more strategic discussion about where you’re trying to take your organization from a risk and compliance perspective to really hold everything together.
Brett
And from a product market fit perspective, how long did it take you until you really found like you had reached product market fit and what did you learn along the way?
Craig Unger
Well, I mean, we probably got to a place where we felt we had solid product market fit. You start to feel that way when you get past the first 50 customers and then you really feel that way maybe get past the first 100 customers. So I would say that would be after about 18 months or between 18 to 24 months of selling is when we felt that way. And when you ask about lessons, there are a lot of different lessons that are associated with that question. But I guess one that I would highlight is to make sure that your organization stays focused in on your ICP, your ideal customer profile. Because there’s a natural tension between taking on all comers in the beginning because you want to make revenue. And then you may create obligations for yourself to support customers outside of your ICP that really isn’t helpful to you.
Craig Unger
And then what happens is you may experience some churn and if you experience churn that’s also unhelpful from the perspective of investability, right? The advice I would give is to try to lock in on your key customer, one that you can keep and expand and do that as fast as possible. It’s probably better to grow revenue slightly slower in order to do that. I’m not saying massively slower, but slightly slower and have a better, more solid user base because then you can also keep your development team focused as well.
Brett
And what would you say has been the single greatest go to market challenge that you faced and overcome and what was that challenge and how’d you overcome it?
Craig Unger
I think one of the big challenges is that there is some market education that needs to be done in our approach and in the space. So if you look at it, just historically the GRC category has been a pretty small star chamber of users in these very large companies. They were using older tools like Archer, et cetera. But if you look at it, compliance is following the historical track of security where it started also as a small group of people, they may do penetration tests and send reports to the board and then you think your organization is secure. And as everybody who’s listening to this podcast knows, that’s no longer the case. Now everybody has a role to play in security and everybody gets trained and all that stuff. Compliance is kind of the same way. And so there’s a change management piece of it which says, look, the way you really need to ensure your compliance is by having all hands on deck and making sure that everybody can play a role and that the software itself supports the contribution of anybody who has something to contribute.
Craig Unger
And so I think just educating on a new approach to something that’s been a little bit more of an obscure problem in the past, but is growing into something with a whole lot more relevance at a potentially different workflow to support it, that’s a challenge people to understand.
Brett
And final question here for you. Let’s zoom out three to five years from today. What’s that vision for the company? What are you hoping to build over the next three to five years?
Craig Unger
Well, again, I was mentioning how bringing trust to life is kind of the company mantra. And so we look at that as the vessel for different things that we’re going to build. And sure, we started with compliance. We have additional software modules in the area of risk, third party risk management, but there’s other pieces around policy, different kinds of reporting that we want to build and really just other pieces that help organizations be more transparent about the trust that they have, that they’ve invested in with their clients. I’ll give you an example of that. 10, 15 years ago, if companies had outages, they really didn’t talk about them and then all of a sudden in order to be trustworthy, you just had to be the first one out to your customers telling them that you had an outage, right. Thus the rise of things like PagerDuty and some of these other pieces that you would use to be really responsive to that.
Craig Unger
The compliance and security world hasn’t really adjusted to that. In other words, they’re still laboring under the belief that in order to do well in the market, everybody that they serve needs to be convinced that they’re perfect and they don’t make mistakes. And so I think things that allow the normalization of and now is the likelihood of human error that’s going to happen, but it allows them to kind of build trust in those situations where it’s kind of most tense because a mistake might have been made. That’s just an example of the kind of behavioral changes that the right software, if it’s built correctly, will help bring to the industry. So, I mean, those are some of the areas when we talk about that vessel of really building trust that we think our software could help.
Brett
Amazing.
Craig Unger
I love it.
Brett
Well, Craig, we are up on time, so we’re going to have to wrap here before we do. If people want to follow along with your journey as you build an you on this vision, where should they go?
Craig Unger
Well, they can go to LinkedIn for sure. Follow me or the company. That’s probably the best place. We also have it on Facebook. Go to Hyperproof.io or you can always just kind of connect with me. Craig at Hyperproof.io.
Brett
Amazing. Well, thank you so much for taking the time to talk about what you’re building and share some of the lessons that you’ve learned along the way. I really enjoyed our conversation and appreciate you taking the time.
Craig Unger
You bet. Thanks, Brett.
Brett
All right. Keep in touch. This episode of Category Visionaries is brought to you by Front Lines Media, Silicon Valley’s leading podcast production studio. If you’re a B2B founder looking for help launching and growing your own podcast, visit frontlines.io podcast. And for the latest episode, search for Category Visionaries on your podcast platform of choice. Thanks for listening and we’ll catch you on the next episode.