Do you know what no one ever asked me when I spent long days manually maintaining audit and compliance documentation? “Hey, Kenny, how do I get your job?”
Seventeen years ago, I accepted a role as an IT auditor at PwC in the San Francisco Bay Area. The people at the firm? Awesome. The clients? Awesome. The Bay Area? Awesome. The food? Awesome. The actual work? For me, soul-sucking.
I thought to myself so many times, “I’ve made a terrible mistake.” I didn’t feel I could quit—I was supporting a young family, which only added to the weight.
On the other hand, I knew clients were paying us lots of money to do things no one else wanted to do. There was plenty of friction right in my sphere of influence. I knew those problems also meant opportunity. That realization was the beginning of an amazing career in cybersecurity.
At PwC, I got amazing training and lots of awesome work serving clients like JP Morgan Chase, VMware and Google. I made lasting relationships. The things that bugged me also bugged a lot of other people, and we worked together to find great solutions. Every opportunity meant more exposure and training on how I could make things better for others. My outlook came with a new goal: I was going to make everything suck way less.
The Adobe Common Controls Framework
In 2012, Adobe was transitioning from a company that shipped DVDs to offering services in the cloud. Security was no longer a nice-to-have; it was a must-have to keep and gain business with enterprises and maintain the trust of customers and partners. I was recruited as one of the first cybersecurity hires in the GRC (governance, risk and compliance) space to help make this happen. Our team had to meet demands for a never-ending stream of compliance asks, from ad-hoc customer audits to acronym salads like PCI compliance, SOC 2, HIPAA and GLBA.
We built a team that architected the Adobe Common Controls Framework (CCF). We made it much simpler for engineering teams to implement controls and provide evidence for thousands of compliance requirements. We thought, instead of asking for over 1,000 things, could we get them below 100 and still be successful? It was a huge success and a game-changer for GRC professionals. We open-sourced the offering, and Adobe won tons of awards for this innovation.
When I went to cybersecurity conferences, though, some people said they couldn’t use the framework. We were apparently taking out important context required for the security engagement. It made sense to me: everything in compliance starts with understanding each requirement and then finding and implementing a solution for that requirement. Then, you need evidence and documentation of those solutions as prescribed. It was an unfortunate problem that bugged me a lot, but I didn’t do much about it.
Then, the F-word (FedRAMP) happened to us. Our team now had full responsibility for it, and I was exposed to pain so severe it changed my life forever. Manually maintaining thousands of pages of FedRAMP documents was not solved by our CCF innovation. We once estimated that 80 percent of our resources were going into manual maintenance of this insane document! Slow death. Slow. Death.
FedRAMP: The other F-word
If you’re a cloud service provider and want to sell to a federal government agency, your service will likely need to become FedRAMP compliant. Compliance requires hundreds to thousands of pages of documents that need to represent your security program accurately. Everything needs to be implemented correctly because it gets audited by the government. Scrutiny is as high as FedRAMP is complicated.
Soon, I didn’t care about making things suck less. I was outmatched. Besides, I was more interested in the hedge fund I was starting up. It felt like breaking up with cybersecurity; I was already forgetting its birthday and not texting back.
I started taking people to lunch to discuss my fund, but they’d steer our conversation back to security. A former Adobe colleague was at a new company and said, “Can you do the FedRAMP documentation for us?” I responded, “That’s a horrible idea!”
I quickly passed on this nightmare opportunity, but months later, I had a humbling day in the market and lost a lot of money. Then, the same colleague texted me again, asking if I could do FedRAMP for them. I gave them a high rate, and they accepted. With some regret, I gave an even higher rate. Again, they readily accepted. They didn’t even bat an eye. They needed serious help.
We started working together. I wanted to automate this awful document of theirs and make it suck less. There was no easy solution, but I was determined to create one. It became my obsession to free the GRC professionals trapped in FedRAMP compliance documentation hell.
An Iron Man suit for GRC professionals
I pulled in loads of data and set up systems that read it all to me in that mechanical robot voice. I’d go on long runs and just listen to it all, trying to understand it better. Eventually, I became an expert on my client and the way they did things. Once I saw everything clearly, I dreamed up an ideal way to organize and map security programs. I started coding and building prototypes. It worked! The client got what they needed, and I knew the tool I built could dramatically simplify the FedRAMP process for everyone.
Referrals started coming in, but all I had was this janky prototype. I was like the unseen man behind the curtain, pressing buttons and making things happen, but it continued to work. Throughout that process, I focused on building relationships with people and learning how I could give them better results. Solving their issues fueled my drive to continue making FedRAMP less painful.
Increased demand led to scaling issues. What was being asked of me was getting increasingly complex, and I needed more help. I wasn’t a great coder, but I was still doing business for Palo Alto Networks, Aumni, Podium and even some smaller companies within Utah.
The next step was to get a SaaS started. I went all over seeking help in building a better prototype, but it was 2021. Everyone had so much work already. So much money was being thrown at them. It seemed like I would have to build it on my own, and it would be costly.
I’m the father of five kids. We were living on a modest budget, but I thought I could make it work. I considered paying one company hundreds of thousands to build my prototype but sidestepped that quickly. I believed I could figure it out. I imagined I’d do some scaled-back look and hire somebody who could hack it out with me.
I started to visit universities to find someone to code with. Soon, I found someone great in Jacob West. He was a talented engineer and an even better person. We worked really well together. He passed away in a tragic accident at Topaz Mountain in central Utah.
After this tragedy, I decided it was time to push forward. I visited a Brigham Young University dev club to find help. I ordered pizza and pitched it to them. I found no one. I did get a call the next day from the brother of one of the dev club students, though. He put me in contact with Tyler Stephens, a unicorn of sorts who was not only a great coder but also amazing with design and product development.
When I showed him the design of what I was building, he said, “This seems like a really boring business…I am IN!” That still makes me chuckle to this day.
Tyler worked as a software engineer at RevRoad, where he invented transformative technology software for many companies. He had the muscles I needed and the backing of great entrepreneurs. We became fast friends. He encouraged me to apply to RevRoad as a portfolio company. After all I’d been through, I had finally found people who understood all I was trying to achieve and who were ready and equipped to help.
What’s more, Tyler became the founding engineer (co-founder) of Paramify.
A 15,000 percent increase in efficiency
Today, Paramify is radically simplifying compliance documentation. Manual documentation is unpredictable, expensive and soul-sucking. It slows business. Enterprises are constantly in a state of flux, which means manually created documents are usually outdated by the time you finish the last spell check. Using Paramify, tasks that otherwise take months or years can be finished in hours or days, keeping your documents more accurate and up to date with way less effort.
Paramify is like an Iron Man suit for GRC professionals. Instead of spending months on compliance documentation, you can get even better results in as little as 3.5 hours.
That isn’t incremental progress; it’s a quantum leap in efficiency. We’re not making things 50 percent more efficient; we’re promising to make them at least 150 times faster. It’s a revolution in approach, a new category benefiting not only cybersecurity but all areas of risk management compliance documentation.
Before I started this company, I had already felt every pain associated with planning an audit or compliance engagement. I felt every pain associated with gathering compliance evidence for audits. I felt every pain associated with doing documentation. For 17 years, I did a lot across many organizations. I’ve been able to jump in with a customer and understand specifically what they need to implement a security program for FedRAMP. That’s allowed us a colossal advantage as we’ve built our software.
The team at Paramify continues to grow, led by industry experts in security, governance, risk and compliance, and software and product strategy.
Earned advice
Many people I run into, entrepreneur peers from all industries, are focused on doing what they are passionate about. They’ll advise others to follow their passions, and that’s fine.
Building a cool company is awesome, but what people need to do is experience pain. If you find yourself stuck on a Sunday night with a huge pit in your stomach that’s making you feel like you don’t want to go to work the next day, get excited by that. If you feel that pain and you’re getting paid a lot of money, get curious about that. Don’t react like I did at the beginning of my journey and say it generally hurts. Focus on exactly how it hurts. Get familiar with the problem. That’s the beginning of a huge business.
Even though I didn’t realize it at first, PwC was such great training. There was constant exposure to tough problems in a huge market, tackling problems no one wanted to solve. You’re not likely to find those kinds of opportunities while in high school or college. You need to develop domain expertise before attempting to solve those tough problems.
People are always looking for a guide. Think of it this way: If you want to go backcountry skiing, you ought to do so; it’s a great experience. But you’re going to want to take a guide. You’re going to want to listen to them. The cybersecurity world is a lot like that. Depending on how high the stakes are, they’re looking for expertise. It’s okay if you don’t have that expertise, but go get it. Be patient and understand that there are problems worth solving. They’re going to be hard to solve. If they weren’t, the market wouldn’t exist.
Just don’t forget to take time to foster and develop relationships. It’s important to understand that you can’t get anywhere meaningful without the right help. I’m fortunate that Tyler bought in on my vision in the beginning. He has helped us get to where we are.
Remember, you need partners who care about you. Your ability to make and keep good relationships and to create an environment for people who want to work with you is everything. When you connect with someone who wants to see you succeed, that goes way beyond money.