  • a16z Podcast: What to Know about FedRAMP

    AI transcript
    0:00:05 Hi everyone, welcome to the a16z Podcast. I’m Sonal and today’s episode is all about a compliance
    0:00:10 topic, FedRAMP, which is going to affect a lot of enterprise SaaS companies selling to government,
    0:00:15 and actually even if not. So, we share everything that startups need to know in this episode.
    0:00:19 Please note you can find all the pointers, templates, and other links they mention
    0:00:24 in the show notes at a16z.com/FedRamp. I highly recommend you check that out, too,
    0:00:29 to get all the resources after listening to this episode. Okay, so now onto the intros.
    0:00:35 This episode is hosted by a16z board partner Steven Sinofsky, who interviews Lisa Hawke,
    0:00:40 VP of Security and Compliance at a16z company Everlaw. By the way, you can also catch both
    0:00:45 Lisa and Steven on another interesting compliance topic that applies to many tech startups as well,
    0:00:52 GDPR, which we covered last year by going to a16z.com/GDPR. But this episode is all about FedRAMP,
    0:00:57 which stands for the Federal Risk and Authorization Management Program.
    0:01:02 And here’s what they cover, what risk means in selling to the government depending on your
    0:01:06 product features, some of the most commonly used acronyms to be aware of, which they quickly
    0:01:12 lightning round in between, how similar or different FedRAMP is to other types of certification,
    0:01:18 authorization, and compliance, such as ISO, SOC2, GDPR, even HIPAA. Most importantly,
    0:01:23 they break down the steps to FedRAMP certification, including how and when to engage third-party
    0:01:28 auditors and advisors, how long it takes, and how it affects sales. They also share the best
    0:01:33 strategy for moving forward with a customer lined up first, but they begin by discussing
    0:01:39 why startups should consider FedRAMP in the first place. Before everybody gets cynical about
    0:01:46 acronyms with the word Fed in them and security and the government and all this other stuff,
    0:01:51 this is some pretty interesting things that you can do for your company, and it opens up a world
    0:01:57 of opportunity in terms of selling to the United States government and beyond, as we’ll talk about.
    0:02:02 So first, welcome, Lisa. Thanks, Steven. So if you’re the CEO of a company, what are the core
    0:02:09 benefits of pursuing a FedRAMP authorization? So if you’re the CEO of a cloud company and you
    0:02:14 want to sell your product to federal agencies, FedRAMP is probably going to be the only way in.
    0:02:19 There are some exceptions, very limited, for instance, if you wanted to do a private deployment
    0:02:23 in a facility for a single agency, but that’s not what we’re talking about today. We’re talking
    0:02:29 about having a FedRAMP authorization, which, for the record, we are in process at Everlaw. We don’t
    0:02:34 have our authorization yet, but it does open up a whole new market for you for all of the federal
    0:02:39 agencies, and as well, it provides some credibility to the general market from a security standpoint
    0:02:43 outside of government. Yeah, that’s something that we hear all the time, is that even if you want
    0:02:50 to sell to a company, a private or public company that isn’t the government, they might look to see
    0:02:55 like, “Hey, did you get FedRAMP certified?” So we know now that FedRAMP’s a requirement to sell
    0:02:59 to the government, and in most markets, especially in the US, the government is potentially a very
    0:03:06 big or the biggest potential customer for enterprise SaaS. No matter which agency you want to sell to,
    0:03:11 you know, from DoD to Ag or HHS or whatever, FedRAMP is going to be required. And in many cases,
    0:03:15 like these connected or affiliated state organizations as well, something we learned in
    0:03:20 Everlaw is that if you want to sell to a state attorney general, they’re going to want FedRAMP
    0:03:25 authorization as well, just because chances are they’re going to be involved in litigation with
    0:03:31 the federal agencies. So what is it that FedRAMP actually, you know, quote, tests for in its process?
    0:03:38 So FedRAMP stands for the Federal Risk and Authorization Management Program. So FedRAMP,
    0:03:44 like the acronym says, it’s all about risk. It’s really a program that’s designed to provide
    0:03:50 federal agencies with the information they need to make their own informed risk-based decision
    0:03:55 about whether to adopt cloud and, you know, a specific product. I think there was a general
    0:04:01 recognition that in order for federal agencies to adopt cloud, they had to put in place a way for
    0:04:08 companies to meet the federal standards and, you know, allow the federal agencies to do these risk
    0:04:13 assessments. Risk is a very amorphous concept. How do they actually evaluate what risk? Well,
    0:04:18 for the security folks listening, hopefully this will be comforting in the sense that
    0:04:27 they didn’t make up something new. They use the CIA framework. Not the CIA. No, confidentiality,
    0:04:34 integrity, and availability. So for companies that have been through, say, a SOC2 or maybe ISO,
    0:04:41 they’ll have heard these terms. And in addition, they also look at baseline or impact levels,
    0:04:45 high, moderate, or low. The high, moderate, or low are actually pretty important because that
    0:04:51 puts people into buckets of sort of users of the product. Yeah, exactly. So when you’re going
    0:04:56 through a FedRAMP authorization, you’re going to have to look at your product and figure out,
    0:05:02 okay, based on the impact and the information that is going to be in that cloud product,
    0:05:10 what level are you high? So think law enforcement for high. Think DoD, federal criminal information,
    0:05:15 or are you moderate? Like normal, the agriculture department or something like that, where it’s
    0:05:23 sort of routine work. Yeah, exactly. And then for low or there’s even another… Like a low or low?
    0:05:28 A low or low. Yeah, it’s called low impact SaaS. That’s a mean name. We don’t mean that your product
    0:05:34 is low impact. No, but they did create the low impact SaaS for products that only contain enough
    0:05:39 personal information to essentially set up an account. So they need your name, they need your
    0:05:44 email, there’s going to be a password, but you’re not holding really confidential or sensitive
    0:05:50 agency information. So based on those impact levels, that is going to determine which baseline,
    0:05:56 and the baseline is the set of controls, and they have on the high end, the most controls on the
    0:06:02 moderate, around 300. The four levels of impact levels, it’s super interesting. There’s only
    0:06:07 seven authorizations for high security stuff, and they’re all mostly… They’re just the
    0:06:11 cloud infrastructure providers. In fact, of the seven highs, I actually went and looked at
    0:06:14 those, I thought it was interesting, three of them are Microsoft, just the different parts of
    0:06:20 Microsoft, and then Oracle and some specialized ones and AWS. So nobody has to worry about this
    0:06:25 extreme bar if you’re mostly an app. They’ll guide you to moderate or low.
    0:06:31 One cool thing about the FedRAMP.gov website is they have a marketplace for the folks out there
    0:06:35 kind of wondering, all right, what companies are doing the high, who’s doing low, who’s doing
    0:06:40 moderate, you can sort by that. And it’s kind of interesting because like you pointed out,
    0:06:45 the great majority are in the moderate category. And then there’s a handful of highs and a handful
    0:06:50 of lows. So given that they’re not there to really bug Silicon Valley companies and make it hard for
    0:06:54 the government to become a cloud provider, it’s the opposite. The directive was specifically,
    0:06:59 we want to get the government on cloud. Like it’s too expensive to be on-prem, it’s less secure,
    0:07:03 it’s harder to do, it’s less agile. So we want to get the government on cloud.
    0:07:08 If you’re a government agency, what are some of the things that you observe right away when you
    0:07:13 see a FedRAMP authorized product sort of show up? Like what is it different about it?
    0:07:19 Well, I think if you’ve gone through FedRAMP, you’re going to show up looking a lot more organized.
    0:07:24 You’re going to have that governance infrastructure in place because FedRAMP is a mix of very
    0:07:30 technical things, but also governance related things. So if you’ve set up your security program
    0:07:36 in a way that addresses things like personnel security, policies and procedures for specific
    0:07:41 things like role-based access control, then you’re going to show up as looking like you really have
    0:07:47 your act together compared to a company that has these various security controls in place,
    0:07:52 but maybe hasn’t gelled them into a program. I should have mentioned this earlier. So all of
    0:07:58 these sets of controls for the high, moderate and low baseline are separated into control families.
    0:08:02 So for example, incident response is a family, but the more technical ones are things like
    0:08:07 configuration management, which deals with creating blueprints for the server types to
    0:08:12 meet functionality and hardening requirements, things that require implementing Center for
    0:08:18 Internet Security benchmarks. And we’ll provide a link to the CIS benchmarks as well.
    0:08:23 Obviously, one of the things that ends up mattering the most security is just sort of access and
    0:08:28 identity and the role of authorization in general. Where does that fit in in these families?
    0:08:34 So it spans several of them, but there is one control family called IA, which means identification
    0:08:39 and authorization, which deals with how you implement your system accounts, including credential
    0:08:44 management, version control, multi-factor authentication, which has to meet certain
    0:08:51 cryptographic standards. And it’s worth noting that in these control families, sometimes you,
    0:08:57 as a cloud service provider, are going to have the responsibility for the implementation,
    0:09:03 like something for authentication, but also sometimes the federal agency also has a responsibility
    0:09:08 in terms of how they implement their users and distribute out their user names and so forth.
    0:09:12 So that is also something that’s noted in the control family.
    0:09:16 So you don’t go through this authorization process and it’s a recipe. There’s like
    0:09:22 lots of decisions to make, lots of product design questions that are favorable to enterprise SaaS
    0:09:26 and have to sort of allow room to adapt to the variations across the government.
    0:09:31 And most of the controls a company can implement them in their commercial
    0:09:35 environment as well. We want all of our commercial customers to benefit from the
    0:09:39 same level of security as our future federal customers.
    0:09:43 Because chances are, whether you try to sell to a big tech company or a non-tech company,
    0:09:49 that they’ve probably developed some list of things that look like these families,
    0:09:53 but might not be exactly the same and ultimately you’re going to end up in the same boat trying
    0:09:57 to get all these done. I mean, the federal government and federal agencies are not the
    0:10:01 only ones that use the NIST framework for security and privacy. Many companies do it.
    0:10:05 A lot of security questionnaires are going to be based around NIST. So
    0:10:08 it’s one of many acronyms. I think we’re going to go over it today, right?
    0:10:11 Yeah. So I’m just going to go through a few of them and like make sure people know because
    0:10:15 we’ll say them and then we’ll forget to expand them. And so NIST is one of my favorites because
    0:10:20 that goes so far back. That feels like 1950s NASA and they’re like in charge of
    0:10:24 weights and measures and stuff like that. But what do they do with this?
    0:10:28 NIST does a lot of cool stuff. But as it relates to what we’re talking about today,
    0:10:33 NIST, the National Institute of Standards and Technology is the agency that defines
    0:10:39 government-wide standards for technology and security. And the one specific NIST document
    0:10:44 that we’re talking about today is a special publication, 853, which deals with security
    0:10:50 and privacy controls for federal information systems. So FISMA? Yeah. So FISMA stands for
    0:10:55 Federal Information Security Management Act. And this is something that applies
    0:11:01 to federal government agencies and requires them to put in place a security framework
    0:11:04 to secure their information. So it doesn’t apply to the private sector.
    0:11:07 So next was obviously a big government agency called OMB?
    0:11:13 Yeah. OMB is sort of like the COO for the federal government. They oversee budgeting
    0:11:21 and spending. And then their sibling agency GSA is the General Services Administration
    0:11:25 and the FedRAMP office. So our friends in the FedRAMP PMO, which means Project Management
    0:11:31 Office, they sit under GSA. Awesome. And then finally, this whole thing is about
    0:11:36 the acronym they invented called CSPs. Yeah. CSP stands for Cloud Service Provider,
    0:11:42 and you’ll also hear CSO, which stands for Cloud Service Offering. So FedRAMP is all about cloud,
    0:11:46 which is why I think we’re here today talking about it for the SaaS folks out there.
    0:11:50 Okay. So we have a bunch of acronyms out of the way. I got to tell you, as Lisa took me through
    0:11:56 the Everlaw certification, I have never seen so many acronyms exist in this process.
    0:12:03 So your typical Series B enterprise startup, is FedRAMP anything like what they’ve done before
    0:12:10 in terms of running the sales process or a security process? Is it like SOC2? Is it like GDPR?
    0:12:15 I think it depends on what a company has done up until the point they decide, “Hey, let’s do FedRAMP.”
    0:12:21 So if you’ve been through a SOC2 type 2, which is the audit that tests your operational effectiveness,
    0:12:26 then you’re probably in a better position than if you’d only done a SOC2 type 1,
    0:12:31 which is just, “Do I have a program in place?” So I would say it really depends on what the
    0:12:34 company has done up until then. And what are some of the dimensions to really think about?
    0:12:38 Like, is it the size of the company thing? Is it the number of people you have dedicated
    0:12:42 security? Is it like how much data you store? Like, what are some of the variables that people
    0:12:49 should be aware of that might impact their time and effort and need and complexity of going through
    0:12:55 authorization? Yeah, it’s a great question. The first thing is that if you have a motivated
    0:12:59 federal agency, that is going to be the biggest factor that either pushes you ahead or slows you
    0:13:04 down. So if you’re in a place where a federal agency has already expressed interest in your
    0:13:09 product or you’ve already been in conversations and they’re motivated to be your partner in the
    0:13:15 process and give you the confidence you need to make that financial commitment because it’s
    0:13:20 going to take internal resources, which has a cost. Like, one of the things that you mentioned was
    0:13:26 just how the lens of FedRAMP changed the Everlaw culture a little bit to be much more focused
    0:13:32 on sort of this continuous monitoring sort of mindset. How did that come about? From a continuous
    0:13:39 monitoring standpoint, we found that the FedRAMP controls helped us gel around things like configuration
    0:13:46 management, making sure there are security checks and security impact analyses. So putting in some
    0:13:51 of those processes, which on a continuous basis, now we’re doing every release, in addition to the
    0:13:55 things that are just straight up required by continuous monitoring like vuln scanning. I think
    0:14:01 there’s a perception of FedRAMP that it’s, you know, a lot of policy, it’s a lot of checking
    0:14:08 the box. And like any team that is staring down the face of a major security compliance and
    0:14:13 technical project, we were kind of thinking, oh no, there are going to be so many controls in
    0:14:19 here that are just check the box. And like any compliance framework, there certainly is some
    0:14:25 box checking involved. It’s a lot of governance, which is true. There are a lot of control families
    0:14:31 that deal with a company’s infrastructure like personnel security is the PS control, AT is
    0:14:35 the awareness training control. But we found that on the whole, a lot of the controls really
    0:14:40 pushed us forward. And a lot of things we were already doing, there were some things that we
    0:14:46 needed to improve. But the process has really made our entire infrastructure more secure.
    0:14:51 No one at Everlaw had FedRAMP experience before. I mean, we’d been through SOC2,
    0:14:57 and we’d been through, we were actually undertook it at the same time as GDPR, which looking back
    0:15:01 is a little bit crazy. We didn’t really get a choice in GDPR though, so. That’s true.
    0:15:05 So if you’re a startup where the team has varying levels of experience and actually
    0:15:09 haven’t gone through all of these things collectively, it sounds like what you’re
    0:15:13 saying is just by virtue of having gone through the process, the whole organization
    0:15:18 sort of gets up leveled and consistent based on just using this as a framework.
    0:15:22 You mentioned that it is also deeply technical. Like this is not just a list of, you know,
    0:15:26 do you have a security policy manual? Do you have cipher locks on your door?
    0:15:31 There’s stuff about the code and the product. What are some of the things that are technical
    0:15:36 that you had to sort of bring in engineering or product or DevOps and security ops to really
    0:15:41 think about? Yeah, and I’ve already mentioned a few of the other more governance-related
    0:15:46 controls before. There’s also IR, which is incident response, but some are very technical and just
    0:15:52 anecdotally in the system where Everlaw tracks sort of our features and what the things our
    0:15:56 engineers are working on, there were over a hundred tickets in there. I don’t know if
    0:16:01 ticket’s the right word, but basically, you know, feature ideas, functionality that we
    0:16:06 were going to implement that all required dev resources. And they ranged from simple things
    0:16:10 like adding a banner into the platform that says, you know, you’re entering a federal
    0:16:14 environment in our federal environment to very complicated things.
    0:16:18 I think one of the things that is kind of interesting too is that this is not like a
    0:16:23 secret part of the government. Like all the CIOs across all the agencies sort of know this is
    0:16:28 going on. And so it sounds like it’s become their common vocabulary and security is for the
    0:16:32 government the first order priority before functionality. So their sales team is just
    0:16:37 going to need to know all of these words just to interact with the customer.
    0:16:42 Yeah, I presented our sales kickoff this year presentation on selling security to help them
    0:16:48 understand what does it mean to be FedRAMP in process to make sure that they’re not misrepresenting
    0:16:52 what our status is to the market, but also so that they can talk about it confidently and
    0:16:55 understand how it’s different from our SOC2 and so forth.
    0:17:01 So clearly there’s a series of steps that have to happen. Like what are these steps?
    0:17:07 So that flowchart is actually in the cloud service provider playbook, which we’ll provide a link to.
    0:17:12 And the first step is going to be establishing a partnership with a federal agency. I mean,
    0:17:16 like we were talking about before, it’s just really critical that you have that agency support.
    0:17:21 And then once you have that agency support, then you’re probably going to feel confident enough to
    0:17:26 start using your internal resources. So that’s going to be putting together the package. And when
    0:17:31 I say the package, it means system security package or SSP, which is another acronym.
    0:17:36 So working on that documentation and then also working on any technical remediation you might
    0:17:41 have to do. And so then eventually, like someone who doesn’t work for the agency or
    0:17:44 for Everlaw is going to show up and sort of test you.
    0:17:50 That’s right. The step before that authorization is a full security assessment by an independent
    0:17:57 auditing firm. And in FedRAMP lingo, it’s called a 3PAO. It’s a third party assessing organization.
    0:18:02 And there’s a small set of companies that can do this because they have to meet FedRAMP standards.
    0:18:07 And so you have to bring them in just like any other independent auditor and they review all of…
    0:18:08 And this is like on site?
    0:18:14 Yeah. Yeah, they came on site for a week, but they review all of your implementations. I mean,
    0:18:18 you’re screenshotting, your work in the command line in front of them to show them how you’ve
    0:18:20 implemented specific things.
    0:18:23 And do they like snoop around and everybody’s like, who are these people in suits?
    0:18:27 And like, do they have special badges? Like, how does this really work?
    0:18:33 I mean, they’re very technical. And they’re there to make sure that what you’ve represented
    0:18:36 in your security documentation is the actual thing you’ve implemented.
    0:18:41 I mean, the federal agency is trusting them to help them form their risk-based decisions.
    0:18:43 So they’re serious about it, but they’re great. They’re nice.
    0:18:50 And they’re basically consultants that come in on behalf of the OMB basically execute on this plan.
    0:18:54 I mean, they are working for the agency, not for you. You can engage an advisor.
    0:18:55 What does that entail?
    0:19:00 So there are other companies that can serve as the independent assessor or they can serve
    0:19:06 as a consulting advisor. The key thing though is that if you engage a FedRAMP consulting advisor
    0:19:10 to help you put together your documentation, you can’t use them as then the independent assessor.
    0:19:11 So you’ve got to swap.
    0:19:17 Basically, there are these specialists in doing security audits and there are a list of them
    0:19:23 that OMB supports and you can use them either to help you or to audit you.
    0:19:23 Yeah.
    0:19:26 And you just pick and you might end up engaging two.
    0:19:27 But they’re basically it’s a consulting engagement.
    0:19:30 That’s right. And you might be thinking, why would I want to engage a consultant?
    0:19:32 To help you with a consultant.
    0:19:38 Yeah, exactly. But the fact is, even with all of the program documentation that we had at Everlaw,
    0:19:42 you know, the whole suite of infosec policies, we had great procedures around personnel security
    0:19:47 and training. But we still needed to engage a consulting advisor to help us put together
    0:19:52 the system security package. It’s of course a template that you can pull down from FedRAMP.gov.
    0:19:58 And since we’re an AWS customer and we inherit a lot of the cloud infrastructure controls from AWS,
    0:20:01 AWS will also provide you with that as well.
    0:20:08 But some things are just hard to navigate without the experience of knowing what the
    0:20:14 agency will accept. So a couple of examples are the consulting advisor can help you translate
    0:20:17 what the agency is actually looking for when it comes to an implementation.
    0:20:21 So if you have to do a deviation from a CIS benchmark.
    0:20:25 Ultimately, this process boils down to creating a lot of documentation.
    0:20:27 Like they don’t just have a phone call and take your word for it.
    0:20:32 So a lot of it sounds, I mean, like you said, like, oh, you inherit some of it from AWS.
    0:20:36 So it sounds like sort of this large amount of paper that has a bunch of forms that are all
    0:20:42 filled in already. Well, our full SSP without the attachments with the implementations described
    0:20:47 is around 500 pages. But the template itself, even without those is probably, I don’t know,
    0:20:52 it’s probably 30 pages or 40 pages just without all our info in it. It’s a big lift to do that.
    0:20:58 So we found that a consulting advisor could we could spend some time talking with them chatting
    0:21:02 with them on the phone explaining things. And then they would go write it up for us.
    0:21:06 And then we would QA it. So instead of us having to do that big lift,
    0:21:10 they did that for us. And then it was much more efficient that way.
    0:21:13 So, you know, obviously, there’s a bunch of sections and chapters and different parts,
    0:21:17 which part of it was the part that really was like a ton of work where like,
    0:21:22 the engineers needed to engage and you needed really detailed technical answers.
    0:21:24 Like, what was the scope of that and where in the process?
    0:21:28 So we went back and forth with our consulting advisor. So we would
    0:21:34 describe our technical implementations and then they would take the first crack at writing them
    0:21:38 up. And then our director of infrastructure had to edit things out because every once in a while,
    0:21:45 but also describing our entire system architecture and doing the architecture diagrams. Those are
    0:21:48 all things that, you know, our engineering team definitely had a hand in.
    0:21:51 Right. And it turns out it’s one of those things that like, well, we didn’t really
    0:21:56 have a good architecture diagram of our system. And so now we have one. And now we keep it up to
    0:22:00 date because we have to because of ConMon and all that, but sort of ended up being beneficial.
    0:22:07 Anyway, okay. So you’ve got like this 500 page SSP thing sort of all bound up and ready to go.
    0:22:12 How do you know you’re getting to the finishing line? And what does that start to look like?
    0:22:17 So once we had all of the documentation wrapped up and, you know, you can’t get too hung up on,
    0:22:21 you know, the final product, because the whole thing is meant to be a living document,
    0:22:25 because, you know, when we finished documenting it, then we knew we were going to implement
    0:22:28 something else. So it’s sort of, you know, you’re going to have to keep updating it.
    0:22:33 But the finish line comes when you’re ready to actually hand that package over to the independent
    0:22:37 auditor and to say, all right, you know, here is all our stuff. We’re putting it out there for
    0:22:43 you to review and schedule that onsite audit. And so then the auditors show up, they read a lot,
    0:22:49 they watch you doing the work. And then what happens? Then they put together what’s called
    0:22:56 a SAR, which means security assessment report. The SAR is the auditor’s report on your overarching
    0:23:02 compliance with the baseline. And if they have findings, they’ll rank them as, you know, high,
    0:23:11 medium or low. Like concern? Yeah, exactly. Because what their job is, is to describe to the agency
    0:23:16 what the risks are to using the system. So if they find things during the audit that they deem as a
    0:23:21 high risk, and, you know, it’s all scoped out what those risk categories are, but they’ll deliver
    0:23:27 that to the agency. And again, to your point about risk, it’s not like a pass fail, because then the
    0:23:34 agency who’s the customer looks and says, ooh, you have two highs, that might be too, too many. Or
    0:23:37 are you planning on fixing this? If you’re planning on it, there’s like a whole give or take.
    0:23:42 After you do 18 months worth of work or nine months worth of work, you don’t fail and have to go back.
    0:23:48 And the customer is in control of evaluating the risk of like still buying you or not.
    0:23:54 Yeah. And those findings would go on to what’s called a POAM or plan of action and milestones.
    0:24:00 So once you have those findings, then you would describe what you’re going to do to fix it. What’s
    0:24:04 your timeline? What are your milestones and so forth. And one of the benefits of having that
    0:24:07 consulting advisor looking at your package and helping you do that is they’ll tell you what a
    0:24:12 showstopper is. They’ll say, hey, that implementation is not going to cut it. Don’t do that. Let us help
    0:24:17 you. So sometimes people think about compliance. They think about it as sort of like getting your
    0:24:21 driver’s license. Like you get annoyed, you go through a process, you take a test and then poof
    0:24:26 you have a driver’s license basically for the rest of your life. But FedRAMP isn’t really like
    0:24:30 that. There’s a lot about monitoring and keeping things. And so what did you learn going through
    0:24:34 the process that was different than other types of certification or authorization?
    0:24:39 I mean, the one thing I’ve learned is that FedRAMP is not over. And I have to laugh.
    0:24:43 Okay. That’s like an uplifting motion. Like, yeah, please list our podcast for the thing that’s
    0:24:48 never going to end. Well, it’s just funny because we’ve been working on this and every time we hit
    0:24:52 a big milestone, we like to celebrate it with the wider team and everybody’s like, yay. And then
    0:24:58 they’re like, oh, you’re done with FedRAMP now, right? And we’re like, no. So continuous monitoring
    0:25:04 is one thing we already mentioned where even once you obtain your authority to operate or your ATO
    0:25:08 and you have that authorization, you’re still going to be working with the agency on a regular
    0:25:13 basis. So you have your ATO and you’ve got a bunch of ConMon going on just to use all the
    0:25:18 acronyms in one sentence. Yeah. And we’ll link to the ConMon guide, which talks about what that
    0:25:24 looks like. But in a nutshell, you’re doing monthly scanning, you’re ranking vulnerabilities,
    0:25:28 you’re responding to those on a specified time basis, et cetera.
    0:25:34 So let’s say that the company is ready to dive in. They have a product that they’ve been selling to
    0:25:40 commercial customers. The first cohorts believe it meets their needs for security and privacy and
    0:25:44 things like that. The product is selling, but now if agency is interested, for whatever reason,
    0:25:50 that inbound or you spoke at a conference or something. So first, how long do the salespeople
    0:25:57 have to wait until the deal is closed now? Well, be nice. Yeah. I mean, again, it depends on how
    0:26:02 motivated the agency is. That’s a super important point. It’s not just how motivated you are as
    0:26:06 the company. Like if the agency really wants you, they can pull you through in a lot of ways.
    0:26:12 Yeah. Because again, it’s all about risk and the agency is the decider of what kind of risk
    0:26:18 they’re going to tolerate. And so if an agency is really motivated, then they can help push you
    0:26:25 along to becoming in process. And in process is a designation that requires explicit agency support.
    0:26:30 But if you’re at that stage where you’ve got that interest, you have to choose, okay, am I going to
    0:26:34 go, there are two ways to get authorized. There’s the agency route and then there’s something called
    0:26:39 the JAB, which is the Joint Authorization Board, which is a little bit harder to do because you
    0:26:44 have to do a business case. So I think for our purposes, it makes more sense to address the agency
    0:26:49 route, which is probably the situation you’re talking about, where somebody expresses interest.
    0:26:53 Right. So that’s probably a good lesson for folks, which is that the best bet for going
    0:26:58 through this is in a sense to first line up a potential customer rather than just sort of say,
    0:27:01 oh, well, let’s preemptively go and do FedRAMP because it actually makes more work for yourself
    0:27:05 if you don’t have the first customer lined up. Yeah, that’s right. And they do have that JAB
    0:27:11 process, which is for companies that might have a broad application, but it’s a much different
    0:27:17 process. Okay. So there’s a bunch of actual bureaucracy stuff about getting on the GSA list
    0:27:24 and filling out those forms. But then is it a year, two years, five years? How long is this exactly?
    0:27:28 Yeah, let’s not keep the sales team hanging too long. So if you’re counting from the time you
    0:27:33 have your package already, it could be as little as a few months, maybe even six weeks we’ve heard
    0:27:39 for the agency to review that package and grant you the authorization. I think if you’re counting
    0:27:44 from the day, the team says, hey, let’s do FedRAMP and you still have to put the package together,
    0:27:50 you’re probably looking at at least nine months or a year possibly. So it’s actually not wildly
    0:27:54 out of bounds with what a procurement team might do or like any of the large tech companies that
    0:27:59 just do what they call a security audit or something might easily take that same length of time.
    0:28:04 It comes down to how many resources the company has to bring to bear on the project because,
    0:28:08 you know, we took a little bit longer, but that’s because we didn’t stop people
    0:28:13 from doing their full-time jobs only to work on FedRAMP. We didn’t stop feature development for
    0:28:18 the product. So you decided you’re like flipping the switch and you’re going to go for it. Did
    0:28:23 you have a team of 10? Like how many people have to do all of this checkboxing and process
    0:28:30 documentation and conmon stuff? So when we started, it was just myself on the security team.
    0:28:36 We had our engineers that were involved in sort of scoping and looking at how much work we thought
    0:28:41 it would be. And then over time, we brought on a DevOps person. We hired a couple of people onto
    0:28:47 my team. But again, none of us have been doing it full-time. So it’s been probably a core group
    0:28:53 of five people working on various elements of it. And then when we were doing the push to
    0:28:57 complete a lot of the technical and engineering work, we brought in other engineers.
    0:29:01 And this is an interesting point because of the way you chose to do it. But you overlaid
    0:29:07 like SOC2 and GDPR and other privacy work sort of all at the same time, which sounds overwhelming,
    0:29:11 but it’s also closely related. Was it more efficient to do it that way?
    0:29:17 Doing a lot of these broader things like GDPR and FedRAMP, you know, there is overlap. So
    0:29:23 it certainly helps. I don’t know that I would wish that all those things on anyone, but certainly
    0:29:28 you’re doing a lot of the same things. And, you know, for folks that do SOC2, you probably know
    0:29:34 the COSO standards were added, I think last year. Okay. So one last thing, which is you go through
    0:29:40 all of this, you’re given the label like in-process, authorized, like what is the specifics of that?
    0:29:44 Because that’s something that salespeople often do get confused because of the FedRAMP lingo,
    0:29:50 so to speak. The lingo can be slightly confusing. So in order to be listed in the FedRAMP marketplace
    0:29:54 on the website, a marketplace, which is literally like these are the cloud things you can go buy
    0:30:01 as a federal agency. Yeah, exactly. So there’s FedRAMP ready and FedRAMP in-process. And I think
    0:30:07 people swap those around a lot. So FedRAMP ready means that you’ve gone through sort of a
    0:30:14 high-level evaluation. And if you get that ready stamp, it means that they think that you’re capable to
    0:30:19 meet the FedRAMP requirements. And it’s just intended to help agencies look out there and say,
    0:30:24 oh, well, you know, there’s an independent assessment that these folks are ready and can
    0:30:31 probably do it. Whereas in-process is a designation where you have to have the authorizing official
    0:30:36 at an agency tell the FedRAMP office that we are working with this cloud service provider on
    0:30:41 an authorization. You’re not authorized yet, but you’re affirmatively working on that authorization.
    0:30:45 And don’t play fast and loose with those terms with your salespeople. Like,
    0:30:50 don’t make up what they mean and don’t say what you aren’t. Because they like branding guidelines
    0:30:54 and stuff. Yeah, the FedRAMP office has branding guidelines. And, you know, for a good reason,
    0:30:59 they don’t want companies out there saying that, you know, they have a FedRAMP authorization if
    0:31:04 they don’t. They’ve worked hard on creating this process and creating this framework. And
    0:31:09 they don’t want companies misrepresenting. And so ultimately with security things, the reason,
    0:31:13 you know, nobody wants anything to happen, like a breach or anything like that. But
    0:31:17 if you’re operating in this environment where you’ve committed to a customer, in this case,
    0:31:24 a federal agency that you do all this stuff, and then something happens, does FedRAMP have say in,
    0:31:28 like, are they part of like adjudicating the failure? Or do they have remediation duties?
    0:31:32 Like, or are they not involved in that? Like, where does the government come in
    0:31:38 in terms of a security issue? Well, fortunately, I don’t have direct experience with that. But
    0:31:45 the ConMon guide on continuous monitoring does cover various types of escalations like incidents.
    0:31:51 And so I think if a company had an authorization and they had some kind of security incident or
    0:31:57 breach occur, it would go through that escalation process in the ConMon. And certainly they contemplate
    0:32:03 revocation of your authorization. But I imagine it would be a conversation with the folks at the
    0:32:07 agency, you know, talking about your plan for remediation. Did you catch it? Did you limit the
    0:32:12 damage? So I don’t have sort of a black and white answer on what would happen there, but
    0:32:16 I know that they’ve put a framework in place to address those kinds of things.
    0:32:20 All right. So in your role in Everlaw, you’ve gone through quite a few certifications. Like,
    0:32:26 you’ve gone through GDPR, you’ve gone through SOC2, you’re working on FedRAMP. Like, where does this
    0:32:31 fall in the spectrum of effort and time and complexity compared to you’ve done some health
    0:32:36 care, even though HIPAA is not a certification? Yeah, we’ve done the privacy SOC2, but we’ve
    0:32:41 also done an independent sort of HIPAA compliance assessment as well. And FedRAMP has definitely
    0:32:47 been the most work because it involves, you know, from an architectural standpoint, you know,
    0:32:53 we’re creating a federal environment and there’s a lot of work that we’ve done to improve on the
    0:32:59 back end. But I’m trying to think because GDPR is also a ton of work. It’s actually a good time
    0:33:02 to mention too. One of the things that I found particularly interesting as I dove into this
    0:33:10 with you is that at every step, the OMB has really worked to make this like attractive and easy.
    0:33:15 That sounds weird, but their goal is not to stop you from getting authorized. It’s actually to
    0:33:21 find ways to get you authorized. And for what it’s worth, the FedRAMP.gov website is one of the best
    0:33:26 federal websites out there. They have a person who’s the customer success manager. So they really
    0:33:32 are trying to make it easier for cloud companies to go through this process to understand. And,
    0:33:37 you know, Everlaw, we met with those folks and they helped us. They helped guide us. And so
    0:33:41 we found that to be really helpful. Yeah. So unlike what you’d normally think of in terms of
    0:33:45 regulation or certification, they don’t come across as like, we’re here to prevent you from
    0:33:50 getting this. No, not at all. It’s not even like the DMV in that regard. They actually just want
    0:33:55 to help you. Yeah. I mean, their mandate is to help carry out the cloud first or, you know,
    0:34:00 the policy that the government has to push IT modernization and cloud adoption in the federal
    0:34:05 government. Well, this was super fun. So thanks so much. This has been Steven Sinofsky and
    0:34:07 Lisa Hawke. Thank you. Thank you very much.

    with @ldhawke and @stevesi

    The government wants to get onto the cloud! But how do they assess the levels of risk in adopting specific cloud products, and which “cloud service providers” (aka “CSPs”) to work with? That’s where FedRAMP — the Federal Risk and Authorization Management Program — comes in. And enterprise SaaS companies need to pay attention, since it will be a requirement for selling to the U.S. government, which is one of the biggest buyers of tech. Not just that, but even state governments and private/public companies may seek FedRAMP certification because they either work with the federal government or are just seeking standards.

    How similar or different is FedRAMP to other types of certification, authorization, and compliance (such as ISO, SOC-2, GDPR, even HIPAA); and what does it mean for a startup to go through organizationally, culturally? Is it like a check-the-box policy thing, is it like getting a driver’s license… or what? One thing’s for sure: It’s an opportunity for enterprise SaaS startups, and the government is trying to help companies through the process.

    What are the steps to certification? What are some acronyms and terms to be aware of? When and how should you bring a consultant, advisor, or third-party auditor into the process? How long does it take, really? And how does it affect your sales team? Most importantly, what is the best strategy for moving forward? (Hint: start with a customer). Lisa Hawke, VP of Security and Compliance at Everlaw, an a16z company, shares her expertise and their experience in navigating all this, as well as the resources below, in this episode of the a16z Podcast hosted by board partner Steven Sinofsky. (The two were also previously on another episode sharing everything startups need to know about GDPR.)

    For links mentioned in this episode and other resources, see: https://a16z.com/2019/08/28/fedramp-why-what-how-for-startups/

  • 16 Minutes on the News #7: Apple Card, BEC Scams Federal Indictment

    AI transcript
    0:00:05 Hi everyone, welcome to the a16z podcast. I’m Sonal and this is our seventh episode of 16 Minutes,
    0:00:10 our news show, which in addition to our regular podcast show in this feed, is where we cover
    0:00:15 recent headlines of the week, the a16z way, why they’re in the news, why they matter from our
    0:00:19 vantage point in tech, and share our experts’ views on the trends involved. You can catch up
    0:00:26 on past episodes at a16z.com/16minutes or subscribe to the 16 Minutes show directly wherever you get
    0:00:30 your audio. And to be clear, none of the following should be taken as investment advice. Please be
    0:00:37 sure to see a16z.com/disclosures for more important information. This week, we cover two topics.
    0:00:41 We briefly discussed the latest news from the front lines of cyber fraud, where the FBI made a huge
    0:00:47 number of arrests for BEC scams in what was described as one of the largest cases of its kind in U.S.
    0:00:53 history. But first, we go deep on the new Apple credit card, what it means beyond the headlines.
    0:00:58 Okay, so the first news item we’re covering this week is that Apple released a credit card,
    0:01:03 and it was actually announced a while ago, but only became available this week to U.S. iPhone
    0:01:07 users. And let me quickly summarize the news, and then I’ll introduce our a16z expert. They’re
    0:01:11 partnering with Goldman Sachs as the issuing bank and Mastercard for the global payments network.
    0:01:16 The card, which is of course coded white, is made of titanium, but that’s still heavier than other
    0:01:20 plastic cards in the market. And by the way, a funny little anecdote here is that Verge reported
    0:01:25 via MacRumors that Apple is advising against keeping the card in a leather wallet or in direct
    0:01:30 contact with denim as such fabrics, and I quote, “might cause permanent discoloration that will
    0:01:36 not wash off.” That part’s pretty LOL. That said, it is news that Apple, a tech company, is moving
    0:01:40 into financial services. And this matters in the bigger picture of credit, which drives personal
    0:01:45 finance and our economy overall in so many ways for better or worse. So let me quickly also summarize
    0:01:48 some of the salient details here. There are no typical credit card fees, such as sign-up fees,
    0:01:53 late fees, international fees, annual fees, overdraft fees, et cetera. And there are other
    0:01:58 features such as greater transparency into interest paid and so on. So that’s a quick context. And
    0:02:03 now let me welcome our a16z expert to put that news in context. Our newest general partner for
    0:02:07 Fintech, Anish Acharya, who is most recently VP of product at Credit Karma. Welcome, Anish.
    0:02:10 Thank you. Excited to be here. Excited to have you on here.
    0:02:14 Long time listener, first time guest. I’m excited. So the real question here,
    0:02:20 why does this news matter and why the hell should we care? I’m not supposed to cuss anymore.
    0:02:28 You can with me. So the least interesting way to think about this is Apple released a new credit
    0:02:32 card because, you know, a credit card is a credit card. There are more interesting credit cards with
    0:02:37 better rewards or credit cards that have fancier designs. And a lot of the discussion has been
    0:02:41 about that and it’s just sort of a distraction in my view. So what do you think the real significance
    0:02:45 here is? Well, I think there’s two things to talk about. First of all, you know, whenever Apple enters
    0:02:49 a category, it’s worth looking carefully at what they’re doing because they’ve reinvented
    0:02:55 existing categories over and over again. If you take a look at the actual features of the card,
    0:03:00 they’ve taken a bunch of things that credit card companies do sort of behind the scenes to the
    0:03:06 detriment of consumers like charge fees for being late, charge fees for overdrafts, charge fees whenever
    0:03:11 you swipe the card internationally as well as giving you a terrible FX rate. So these are
    0:03:16 all lines of business that credit card companies have historically monetized and
    0:03:20 it’s mostly been invisible to consumers and really has done them a bit of harm.
    0:03:25 So Apple has actually changed all of that. The second thing they’re doing is showing you how
    0:03:29 much interest you’re actually paying. So if you actually just pay the minimum amount that your
    0:03:32 card company asks you to pay every month, it is going to take you years and years and potentially
    0:03:37 even decades to pay that card off. And that trade off has never been clear to consumers.
    0:03:41 Consumer credit card debt is over a trillion dollars right now. We’re starting to approach
    0:03:46 historical highs. There’s never been a better time for us to be thinking and talking about
    0:03:51 credit card debt. And the first step is a product that’s really transparent. So that’s sort of level
    0:03:56 one of what’s interesting. I have a quick question. The transparency feature, that seems like something
    0:04:01 that’s very easy for other credit card companies to do. Yes. So A, why haven’t they done that yet?
    0:04:05 And B, can’t they just quickly copy this now? Yeah. So it’s really interesting. There’s this sort of
    0:04:11 innovator’s dilemma and it looks a lot like SMS did 10 years ago. That’s right. If you look at what
    0:04:16 happened with carriers, they knew that SMS was going away, but there was some powerful executive
    0:04:21 whose name was attached to the SMS revenue line and they would not let it go away. And as a result,
    0:04:25 carriers missed messaging. Right. So basically the innovator’s dilemma in the classic context of
    0:04:29 disruption theory where an entrenched business does not want to disrupt its core business when
    0:04:33 there is a new business on the horizon because even if they know it’s coming, they are actually
    0:04:36 making money off their core business. You’re essentially cannibalizing yourself in order to
    0:04:40 go into the new area. Exactly. Powerful internal stakeholders don’t want to see it happen. So
    0:04:44 it doesn’t. And by the time they realize that Apple’s got a significant edge by offering this
    0:04:48 transparency, it may be too late. Okay. So now let’s go back to the next level. Yeah. So least
    0:04:53 interesting is that it’s a new credit card. But I think the most interesting thing here is that
    0:04:57 Apple is actually unbundling the credit card. Tell me what that means because I feel like
    0:05:00 people in tech talk a lot about cycles of bundling and unbundling, whether it comes to things like
    0:05:04 cable and TV or media, software packages. I mean, the phrase comes up in lots of different
    0:05:09 contexts. What does bundling and unbundling specifically mean in this context? So there’s
    0:05:13 a few aspects of the credit card. There’s a physical piece of plastic that I have in my wallet.
    0:05:19 There is a payment network that processes the payment when I swipe that piece of plastic.
    0:05:25 And then there is a debt provider beneath it that typically provides me with this unsecured debt
    0:05:30 that I’ve made a commitment to pay back. So what this means in terms of unbundling is that Apple
    0:05:36 actually owns the customer relationship. They’ve partnered with Mastercard to handle the payments
    0:05:40 and then they’ve partnered with Goldman to handle all of the debt. If tomorrow they decide, “Hey,
    0:05:44 Goldman, we’re going to replace you with Capital One,” or more importantly,
    0:05:48 Goldman and Capital One, we’re going to allow you to compete to see who can give the customer
    0:05:52 the lowest price debt. All of a sudden, those companies have very little leverage to say no.
    0:05:56 It’s like they’re almost white labeled, essentially. Exactly. We did a wonderful podcast
    0:06:00 a couple of years ago on B2B2C business models where we actually go in a lot of depth around
    0:06:06 the challenge of that kind of thing. So on that note, why then are Goldman and Mastercard
    0:06:10 incented to work with Apple on this? And has Goldman actually ever had a consumer-facing
    0:06:15 line of business like this ever? Well, I think there’s a short-term, long-term trade-off happening
    0:06:20 here. The street has really wanted to see Goldman grow their business. Goldman typically has not
    0:06:24 been a big consumer lender. They dip their toe in it with the launch of personal loans via Marcus
    0:06:30 over the last two years. So great brand Apple, huge footprint. It’s a great way to drive growth
    0:06:35 in the short term, but it may be a Pyrrhic victory. Okay. Let’s talk about the connection between
    0:06:40 Apple’s new credit card and Apple Wallet. So there’s been a lot of hype, quite frankly,
    0:06:44 over the years around digital wallets, and there’s been many forms. Can you help orient
    0:06:49 where this fits in that sort of arc of where we are in the wallet space, digital wallet space?
    0:06:55 Yeah. My partner, Alex, has done a ton of thinking and published some important work on
    0:06:59 the wallet. So it’s worth referencing that. One of the things that’s happening here is Apple is
    0:07:06 offering 3% cashback for purchases from Apple and 2% when you use Apple Pay. 1% if you use a
    0:07:12 physical card. So you effectively double from 1% to 2% if you’re using their payment mechanism.
    0:07:17 And the word is that the fee that Apple charges merchants is on the high side, the interchange
    0:07:22 fee. If they can then start to take a portion of those fees at scale for whenever people are
    0:07:27 spending money, it becomes a very large business. If Apple becomes your default payment instrument,
    0:07:34 if Apple effectively white labels the way that you get debt, if Apple owns all aspects of the
    0:07:39 consumer product experience around financial services, they’ve talked about pivoting to being a
    0:07:44 services company, there’s no bigger segment of the industry that’s more backwards and has more
    0:07:48 opportunity for product innovation than money. So what do you make of the fact that they have no
    0:07:53 points? And how does a role of kind of loyalty programs play into all this? The thing is the
    0:07:57 cashback is actually the simplest form of points. It’s largely the same thing. Some of the most
    0:08:01 popular cards out there are cashback cards because you don’t have to navigate some crazy
    0:08:07 matrix of blackout dates and conversion rates. So it’s very Apple of them to actually go after
    0:08:12 the thing that’s most clearly understood by consumers, which is cashback. If you take a look
    0:08:17 at what’s happening with credit card companies, they effectively have to acquire customers by
    0:08:21 using messages that they can put on billboards. So what are things that you can put on billboards?
    0:08:27 You can put eye popping rewards rates, cashback rates, some of them do it using a big brand
    0:08:33 presence like American Express. So this has really been a way to drive customer acquisition
    0:08:39 for credit card companies. But the question is, are customers actually receiving value from it?
    0:08:43 How many are using their rewards and how many are overpaying for the rewards because they’ve got
    0:08:48 a really expensive line of credit card debt that they actually revolve on month after month
    0:08:53 after month. So I think the reorientation opportunity here is to things that are actually
    0:08:56 in consumers financial benefit versus things that look good on a billboard.
    0:09:00 Then let’s go into the tech because the elephant in the room or maybe the opportunity in the room
    0:09:05 that we haven’t really talked about here is that this is really one of the first, maybe not the
    0:09:10 first times a significant tech company is really moving into financial services. So let’s talk
    0:09:13 about what that means on the technology side. And just to quickly summarize some of those tech
    0:09:18 aspects. First of all, Apple Card uses machine learning and they also have geo location with
    0:09:22 Apple Maps to clearly label where and when people made a purchase. You also already mentioned
    0:09:28 transparency and interest paid. And while apparently 74 of the top 100 US merchants already accept
    0:09:34 Apple Pay, including Target, Taco Bell, and Hy-Vee supermarkets in the Midwest, the budgeting
    0:09:38 feature is actually not integrated with other credit cards in an Apple Pay account,
    0:09:41 which is something that David Pierce pointed out in the Wall Street Journal. But the point is that
    0:09:46 Apple is giving users weekly and monthly spending reports that help turn wallet into a budgeting
    0:09:51 app that can help them keep track of purchases. So I think one of the most interesting opportunities
    0:09:55 on the tech side is today a lot of product features are built in a functional way.
    0:10:00 And if you take a look at our relationship with money, it’s actually much more emotionally
    0:10:04 oriented than functionally oriented. That’s such a good point. Yeah. And ironically,
    0:10:08 all of the financial services products that have existed in the past. Now the technology
    0:10:11 companies are sort of making the same mistake are highly functional. Here’s your budget,
    0:10:15 here’s what you spent money on, here’s what the end of the month looks like.
    0:10:20 So I think actually the real product inflection point here is to start to lean into that emotion,
    0:10:25 to acknowledge that emotion, and start to help people make financial decisions they feel good
    0:10:31 about versus makes sense in some abstract, classically rational sense. And when it comes
    0:10:35 to the product features, guess what? Most people don’t like to budget because most people don’t
    0:10:40 like to diet. It’s the same concept. Nobody actually wants to be reminded every week that,
    0:10:43 “Hey, you went out for Mexican last night and you blew your calorie limit out of the water.”
    0:10:48 Totally. So the magic product feature here is not a budget. The magic product feature here is
    0:10:54 actually helping to automate all of the small financial decisions to help you achieve a better
    0:10:59 outcome. Angela has spoken about this, Alex has spoken about this. A lot of great founders
    0:11:03 have talked about the concept of self-driving money. Tell me more, that’s fascinating.
    0:11:09 Self-driving money means not having to actually make all of the decisions to optimize your financial
    0:11:14 life. So if you look at how much we’re overpaying on our mortgages, our credit cards, our personal
    0:11:18 loans, there are better products that we could get today that we just don’t have because we either
    0:11:24 don’t know about them or it’s too high friction to apply for them. So I think that the orthodoxy
    0:11:28 is that we need to tell people to stop drinking Starbucks every day to save money.
    0:11:34 That’s actually not true. If we can just use technology to efficiently price all the financial
    0:11:37 products they have, we put a lot more money back in Americans’ pockets.
    0:11:41 So speaking of putting money back into America’s pockets, what do you make of the headlines from
    0:11:46 analysts at Nomura that Goldman could lose money here if losses come? Because basically the analyst
    0:11:52 is assuming that Goldman has to spend about $350 to acquire each new user, which means it would
    0:11:56 only break even after four years. But what happens if a recession comes before that,
    0:11:59 then they would lose revenue, especially because the margin is already tight to begin with.
    0:12:03 So how do I tie that back into the Apple news? Because Goldman Sachs is approving the subprime
    0:12:08 borrowers. Yeah, I think the story here is that traditionally credit cards have a whole approval
    0:12:14 process that is very onerous. Not everyone gets approved. Apple has clearly been pushing their
    0:12:20 partner to approve a larger set of people. In the future, there will be no credit card application
    0:12:25 It’s retrograde that we even need that. And everyone should have access to some form of payment and
    0:12:30 unsecured debt, even if it’s a low credit limit. There’s many orthodoxies which are not true when
    0:12:35 it comes to money. One of the orthodoxies that’s not true is we have this belief that there are
    0:12:39 people who are credit worthy, who have great credit scores, who are good people. And there are people
    0:12:44 who never pay their bills and have bad credit scores. And when there is a recession, things are
    0:12:50 going to go haywire, it’s overblown. The truth is for people who have a lot of fluctuation in
    0:12:55 their means or limited means, they’re always living in a recession. So the variability that you see
    0:13:00 while it exists, it’s not as high as the perception is. And often people who have these great credit
    0:13:06 scores are on the edge of being wealthy, end up being ones who get in trouble. So I think that
    0:13:13 there’s a broader discussion about “subprime credit card” sort of customers and how do you
    0:13:18 think about them? And I think that we take an overly negative view. We should actually be thinking
    0:13:23 about them in a more holistic sense. All right. So Anish, bottom line it for me. How should we
    0:13:28 think about this news and its broader significance in the financial services ecosystem? Bottom line,
    0:13:32 it’s not just another piece of plastic in your wallet. It has the opportunity to fundamentally
    0:13:36 change the way that we think about our money. This product has the opportunity to change
    0:13:40 Americans’ relationship with their credit cards, with their debt, and potentially with their money
    0:13:44 more holistically. Fantastic. Well, thank you for joining the 16 Minutes. You’re welcome.
    0:13:49 Okay. So for the next segment of 16 Minutes, we are going to be talking about the news this week
    0:13:56 about a type of fraud, BEC scams, where the FBI recently made a huge number of arrests. And 14
    0:14:02 arrests were made in a 252 count federal grand jury indictment that was unsealed just this past
    0:14:08 Thursday. And it named 80 defendants charged with defrauding victims of up to $10 million in what
    0:14:14 was described as one of the largest cases of its kind in U.S. history. The type of fraud is BEC,
    0:14:18 which stands for business email compromise. And just to quickly summarize a bit more of the stats
    0:14:25 and context of why this matters here, just in the period from 2013 to 2018, a five-year period,
    0:14:31 $12 billion of losses were due to this kind of fraud. And this kind of fraud is growing at a rate
    0:14:37 of 123% year over year, which is basically more than doubling every year. And it costs about
    0:14:43 $300 million per month. So it’s very costly and dangerous in that context and a big effing deal.
    0:14:48 So I’m now going to introduce Joel de la Garza, who’s actually becoming a bit of a regular unfortunately
    0:14:53 on 16 Minutes to talk about all the security news and whatnot. Joel, let’s talk about this
    0:14:58 news and what it is and why it matters. Yeah, absolutely. So this is actually one of the
    0:15:03 simplest and just kind of most ridiculously easy forms of fraud. Business email compromise
    0:15:10 is basically a form of fraud where I create an email address that seems somewhat similar
    0:15:15 to someone you may know and be working with in your company. So I could create a fake email
    0:15:22 address for your CEO or your CEO, make it sound like their name. And I send email messages into
    0:15:27 your company asking people sort of lower down the stack to send me money. Is this like spear phishing?
    0:15:33 It is even more simplistic than spear phishing. The way it typically works is people in the
    0:15:37 workplace are generally conditioned to respond very quickly to anyone above them who sends them
    0:15:42 an email. So in the way that emails are typically displayed in an email client is that you just
    0:15:47 see the name of the sender. And so when your CEO sends you an email saying, I need money,
    0:15:50 I can’t get into my work account, can you please route the money to this address,
    0:15:55 people tend to do it. And they do it to the extent of losing $300 million a month.
    0:15:59 I feel shocking that they would do that. So it goes back to sort of the everything that’s old
    0:16:03 is new again, right? This is the oldest form of fraud, right? It’s the walking around asking
    0:16:07 people to give you money and seeing who’ll give you a dollar out of their pocket.
    0:16:09 Can you tell me a little bit more about why this matters in the context of all the other
    0:16:12 frauds and cyber crimes that we’ve talked about on this podcast? Oh, yeah. Well,
    0:16:17 I think broad strokes, if you sit back and you take a look at the way that fraud is evolving,
    0:16:22 in the very beginning of online fraud, attacks were super sophisticated. They use custom malware.
    0:16:27 You had all these different intermediaries. A whole industry popped up to support them.
    0:16:31 Whole businesses were dedicated to actually solving and finding the malware that created
    0:16:35 this fraud. As we’ve actually gotten better at technical security, we patch our systems,
    0:16:39 web application vulnerabilities are harder to find. Fraud is now just asking individuals
    0:16:42 to send you money, right? Like you said, everything old is new again. It’s basically
    0:16:46 back to basics. We’re back to social engineering. And that’s the most effective form of fraud that
    0:16:50 exists. Okay. So bottom line it for me, Joel. How should we think about this news? So the
    0:16:54 interesting thing about this fraud is that it’s able to grow at such a rapid rate and it sort of
    0:16:59 creates this new fraud at scale category that we’ve never seen before. And I think that fraud
    0:17:03 in its current form is going to continue to grow and scale in ways like this,
    0:17:06 in very simple, trivial ways that can hit multiple people and steal lots of money.
    0:17:11 It’s just an incredibly low effort to do. You create an email that looks like someone that’s
    0:17:15 already out there in the public domain and you start sending messages to people that work inside
    0:17:18 their country to send you money. And is technology going to be able to fix this if it’s a social
    0:17:22 engineering problem? So obviously there are things that technology providers can do. They can
    0:17:26 flag email messages to say they’re coming from outside of your company. They can actually give
    0:17:30 you warnings to say be careful. We’ve seen other scams that look like that. And we’re seeing a
    0:17:34 lot of providers start to do that. I think ultimately this is the kind of problem that gets
    0:17:38 solved with knowledge, that gets solved with information. It’s one of those things where
    0:17:42 the user is ultimately kind of the last line of defense in a lot of attacks like this. And if
    0:17:46 someone asks you to send the money and you send the money, there’s not a whole lot that technology
    0:17:50 can do there. Making people aware of these frauds tends to be the most effective way to prevent
    0:17:54 them and it’s the path that I advocate. So education basically? Absolutely. Knowledge is power.
    0:17:55 Thank you. Thank you.

    with @illscience and @smc90

    This is episode #7 of our news show, 16 Minutes, where we quickly cover recent headlines of the week, the a16z way — why they’re in the news; why they matter from our vantage point in tech — and share our experts’ views on these trends.

    This week we cover, with the following a16z experts:

    • Apple releasing a credit card, and what it means beyond the card features itself, what it means for consumer credit (and recession risks), and the financial ecosystem overall — with new a16z fintech general partner Anish Acharya;
    • BEC frauds and scams indictment and the FBI bringing a massive federal grand jury indictment, one of the biggest of its kind, and what it means and how to prevent this type of cyber fraud — with a16z operating partner for security Joel de la Garza;

    …hosted by Sonal Chokshi.



  • 349: How to Start and Grow a Local Consulting Business: Effective Marketing Ideas

    She always knew she wanted to start her own business, she just didn’t know what kind of business.

    Sound familiar?

    So, Sylvia Inks asked friends and colleagues what they saw her as an expert in, and what they go to her for advice and help with.

    Their answers?

    “They said I’m great with finances, and they said I have great research skills,” Sylvia told me.

    This helped Sylvia narrow down her focus to financial coaching. From there she started networking, wrote a book, and worked diligently on her presentation and speaking skills. Her business has taken off as a result.

    Tune in to hear how Sylvia found her niche, found her first clients, and continues to level up her impact and income. As you listen in, you’ll notice the common theme throughout the call: conversations + action.

    Full Show Notes: How to Start and Grow a Local Consulting Business: Effective Marketing Ideas

  • Should America Be Run by … Trader Joe’s? (Rebroadcast)

    The quirky little grocery chain with California roots and German ownership has a lot to teach all of us about choice architecture, efficiency, frugality, collaboration, and team spirit.

  • #383: Mike Phillips — How to Save a Species

    “Humans and cockroaches and coyotes are going to inherit the earth.” — Mike Phillips

    [Visit tim.blog/wolf for the most important links from this interview and my personal next steps.]

    Mike Phillips has served as the Executive Director of the Turner Endangered Species Fund and advisor to the Turner Biodiversity Divisions since he co-founded both with Ted Turner in June 1997. Before that, Mike worked for the U.S. Department of Interior leading historic efforts to restore red wolves to the southeastern US and gray wolves to the Yellowstone National Park. He also conducted important research on the impacts of oil and gas development on grizzly bears in the Arctic, predation costs for gray wolves in Alaska, and dingo ecology in Australia. These days, Mike is an advisor to the Rocky Mountain Wolf Project.

    In 2006 Mike was elected to the Montana House of Representatives. He served there until elected to the Montana Senate in 2012. His service in the senate will extend through 2020.

    Mike received his MSc in Wildlife Ecology from the University of Alaska in 1986 and his BSc, Ecology from the University of Illinois in 1980.

    Please enjoy!

    This episode is brought to you by ShipStation. Do you sell stuff online? Then you know what a pain the shipping process is. Whether you’re selling on eBay, Amazon, Shopify, or more than 100 other popular selling channels, ShipStation was created to make your life easier. ShipStation lets you access all of your orders from one simple dashboard, it works with all of the major shipping carriers, locally and globally, including FedEx, UPS, and USPS. Tim Ferriss Show listeners get to try ShipStation free for 60 days by using promo code TIM. There’s no risk and you can start your free trial without even entering your credit card info. Just visit ShipStation.com, click on the microphone at the top of the homepage, and type in TIM!

    This episode is brought to you by Helix Sleep. I recently moved into a new home and needed new beds, and I purchased mattresses from Helix Sleep.

    It offers mattresses personalized to your preferences and sleeping style without costing thousands of dollars. Visit HelixSleep.com/TIM and take the simple 2-3 minute sleep quiz to get started, and the team there will build a mattress you’ll love.

    Their customer service makes all the difference. The mattress arrives within a week, and the shipping is completely free. You can try the mattress for 100 nights, and if you’re not happy, it’ll pick it up and offer a full refund. To personalize your sleep experience, visit HelixSleep.com/TIM and you’ll receive up to $125 off your custom mattress.

    ***

    If you enjoy the podcast, would you please consider leaving a short review on Apple Podcasts/iTunes? It takes less than 60 seconds, and it really makes a difference in helping to convince hard-to-get guests. I also love reading the reviews!

    For show notes and past guests, please visit tim.blog/podcast.

    Sign up for Tim’s email newsletter (“5-Bullet Friday”) at tim.blog/friday.

    For transcripts of episodes, go to tim.blog/transcripts.

    Discover Tim’s books: tim.blog/books.

    Follow Tim: 

    Twitter: twitter.com/tferriss 

    Instagram: instagram.com/timferriss

    Facebook: facebook.com/timferriss 

    YouTube: youtube.com/timferriss

    Past guests on The Tim Ferriss Show include Jerry Seinfeld, Hugh Jackman, Dr. Jane Goodall, LeBron James, Kevin Hart, Doris Kearns Goodwin, Jamie Foxx, Matthew McConaughey, Esther Perel, Elizabeth Gilbert, Terry Crews, Sia, Yuval Noah Harari, Malcolm Gladwell, Madeleine Albright, Cheryl Strayed, Jim Collins, Mary Karr, Maria Popova, Sam Harris, Michael Phelps, Bob Iger, Edward Norton, Arnold Schwarzenegger, Neil Strauss, Ken Burns, Maria Sharapova, Marc Andreessen, Neil Gaiman, Neil de Grasse Tyson, Jocko Willink, Daniel Ek, Kelly Slater, Dr. Peter Attia, Seth Godin, Howard Marks, Dr. Brené Brown, Eric Schmidt, Michael Lewis, Joe Gebbia, Michael Pollan, Dr. Jordan Peterson, Vince Vaughn, Brian Koppelman, Ramit Sethi, Dax Shepard, Tony Robbins, Jim Dethmer, Dan Harris, Ray Dalio, Naval Ravikant, Vitalik Buterin, Elizabeth Lesser, Amanda Palmer, Katie Haun, Sir Richard Branson, Chuck Palahniuk, Arianna Huffington, Reid Hoffman, Bill Burr, Whitney Cummings, Rick Rubin, Dr. Vivek Murthy, Darren Aronofsky, and many more.

    See Privacy Policy at https://art19.com/privacy and California Privacy Notice at https://art19.com/privacy#do-not-sell-my-info.

  • #64 Greg Walton: The Big Impact of Small Interventions

    Greg Walton, Associate Professor of Psychology at Stanford University shares the four types of interventions, how they’re used to create positive behavior change, and strategies we can use right now to improve our health, well-being, and relationships.

     

    Go Premium: Members get early access, ad-free episodes, hand-edited transcripts, searchable transcripts, member-only episodes, and more. Sign up at: https://fs.blog/membership/

    Every Sunday our newsletter shares timeless insights and ideas that you can use at work and home. Add it to your inbox: https://fs.blog/newsletter/

    Follow Shane on Twitter at: https://twitter.com/ShaneAParrish

  • #9 – Bonus episode! Answering listener questions

    There’s a lot of you out there and we (showrunners Shaan Puri – @ShaanVP & Ishan Haque – @IshanHaq) wanna spend some time chatting to you and answer some of your questions about the pod, your hustle and any other random Q’s you’re dying to ask. Should we make this a weekly thing? Let us know your feedback and questions to be answered in next week’s potential episode through messaging us on Twitter, LinkedIn, Instagram or even Facebook.

    See acast.com/privacy for privacy and opt-out information.

  • #382: Safi Bahcall — On Hypnosis, Conquering Insomnia, Incentives, and More

    Safi Bahcall (@SafiBahcall) is the author of Loonshots: How to Nurture the Crazy Ideas that Win Wars, Cure Diseases, and Transform Industries, which debuted #3 on Wall Street Journal’s bestseller list. Loonshots describes what an idea from physics tells us about the behavior of groups and how teams, companies, and nations can use that to innovate faster and better.

    Safi received his PhD in physics from Stanford and his undergrad degree from Harvard. After working as a consultant for McKinsey, Safi co-founded a biotechnology company specializing in developing new drugs for cancer. He led its IPO and served as its CEO for 13 years. In 2008, Safi was named E&Y New England Biotechnology Entrepreneur of the Year. In 2011, he worked with President Obama’s council of science advisors on the future of national research. 

    In this episode, we talk about many things we haven’t covered before, including hypnosis, conquering insomnia, thoughts on depression, optimizing incentives, and much more. You can also listen to my first interview with Safi at tim.blog/safi.  

    Please enjoy!

    This podcast is brought to you by Peloton, which has become a staple of my daily routine. I picked up this bike after seeing the success of my friend Kevin Rose, and I’ve been enjoying it more than I ever imagined. Peloton is an indoor cycling bike that brings live studio classes right to your home. No worrying about fitting classes into your busy schedule or making it to a studio with a crazy commute.

    New classes are added every day, and this includes options led by elite NYC instructors in your own living room. You can even live stream studio classes taught by the world’s best instructors, or find your favorite class on demand.

    Peloton is offering listeners to this show a special offer: Enter the code you heard during the Peloton ad of this episode at checkout to receive $100 off accessories with your Peloton bike purchase. This is a great way to get in your workouts, or an incredible gift. That’s onepeloton.com and enter the code you heard during the Peloton ad of this episode to receive $100 off accessories with your Peloton bike purchase.

    This episode is also brought to you by LinkedIn Jobs, which offers a smarter system for the hiring process. If you’ve ever hired anyone (or attempted to), you know finding the right people can be difficult. If you don’t have a direct referral from someone you trust, you’re left to use job boards that don’t offer any real-world networking approach.

    LinkedIn, as the world’s largest professional network, which is used by more than 70 percent of the US workforce, has a built-in ecosystem that allows you to not only search for employees, but also interact with them, their connections, and their former employers and colleagues in a way that closely mimics real-life communication. Visit LinkedIn.com/Tim and receive a $50 credit toward your first job post!


  • 348: Blog Coaching: Building Traffic and Income to a Brand New Site

    Creating content.

    Marketing your site.

    Monetizing your traffic.

    There’s a lot that goes into running a money-making website! In this episode, I want to shortcut your learning curve a little bit.

    To do that, I’m joined by a couple of gracious volunteers. The first is Side Hustle Show listener, Jamie Robe, who’s started a new website to help people in the path of hurricanes and tropical storms.

    As a resident of Central Florida, it’s a topic he knows plenty about!

    My second volunteer is professional blog coach Kim Anderson.

    (You might remember Kim from an earlier appearance on The Side Hustle Show, in which she shared how she made financial independence a reality for her and her family through her blog, Thrifty Little Mom.)

    Listen in to our coaching call with Jamie as we try and guide him toward clarity on his content, promotion, and monetization strategies.

    What strategies could you apply to your own site?

    Full Show Notes: Blog Coaching: Building Traffic and Income to a Brand New Site

  • a16z Podcast: Software has eaten the world…and healthcare is next

    AI transcript
    0:00:04 The content here is for informational purposes only, should not be taken as legal, business,
    0:00:10 tax, or investment advice, or be used to evaluate any investment or security, and is not directed
    0:00:13 at any investors or potential investors in any A16Z fund.
    0:00:16 For more details, please see a16z.com/disclosures.
    0:00:20 Hi, and welcome to the A16Z podcast.
    0:00:21 I’m Hannah.
    0:00:26 In this episode, A16Z co-founder Marc Andreessen and general partner on the bio fund Jorge
    0:00:30 Conde take a look back at Marc’s software will eat the world thesis and think about where
    0:00:33 we are now, nearly a decade later.
    0:00:36 How software has delivered on that promise and where it is yet to come.
    0:00:40 In the wide-ranging conversation, the two partners discuss everything from the learnings
    0:00:44 of software’s transformation of the music and automotive industries to how software
    0:00:49 will now eat healthcare, including what exactly changed in the fields of bio and computer
    0:00:52 science to make Marc eat his own words.
    0:00:57 This conversation was originally recorded as an event at A16Z, so you’ll also hear me
    0:01:02 sharing the questions that were asked at the end so that you listeners can hear Marc’s
    0:01:03 answers.
    0:01:08 So thrilled here to have our founder, our co-founder and general partner, Marc Andreessen.
    0:01:14 For those of you that are traveling home after this via an airport, you will probably see
    0:01:17 this smiling face on the cover of a magazine.
    0:01:23 I’m told that this is a new technological device, it’s content that comes pre-printed
    0:01:24 on a paper.
    0:01:31 Apparently, it’s got excellent battery life, but it doesn’t update very fast, so.
    0:01:36 You can swipe, you can rip it, you can try swiping.
    0:01:41 So what we thought we’d do here is spend some time talking about how technology can transform
    0:01:47 industries and I think there’s no better person really anywhere to talk a bit about
    0:01:50 how technology does transform the world we live in.
    0:01:53 So, I thought we’d start from the very, very beginning.
    0:02:00 Part of the reason why you’re on the cover of a paper computer right now is because the
    0:02:06 firm is about 10 years old and around the launch of the firm, you articulated your vision
    0:02:11 of what was happening in the world as software is eating the world.
    0:02:15 I’ve seen you on stage with Clay Christensen, who is a Harvard Business School professor
    0:02:18 who coined the term disruptive innovation.
    0:02:23 One of the things he spends a lot of his time on is describing what disruptive innovation
    0:02:25 is and what it is not.
    0:02:28 So I thought maybe one place to start is to have you describe what in your mind, software
    0:02:30 eating the world means and what it doesn’t mean.
    0:02:31 Sure.
    0:02:36 So, the term is from an essay that I wrote that the Wall Street Journal ran in, I
    0:02:40 think 2011, so shortly after we started the firm.
    0:02:45 And so the basic observation was that the tech industry, the sort of modern tech industry
    0:02:48 kind of as we understand it in the Silicon Valley, that you’re sitting in the middle
    0:02:49 of right now.
    0:02:53 It was about a 70-year-old industry, started right after World War II when there were like
    0:02:57 a total of like five computers on the planet.
    0:03:01 And then over the course of the next 70 years, basically figured out a way to pack leading
    0:03:05 edged state-of-the-art supercomputer technology that used to cost $25 or $50 million into a
    0:03:07 $500 product that we all now have.
    0:03:11 There’s like four billion smartphones on the planet now on the way to seven billion.
    0:03:14 So there’s like the seven-year journey to basically get everybody on a computer and everybody
    0:03:18 on the internet that worked and it was a long journey and lots of drama and lots of fits
    0:03:19 and starts.
    0:03:20 But it did fundamentally work.
    0:03:22 And then so it’s kind of like, okay, is the industry finished?
    0:03:23 Like are we done?
    0:03:26 Like congratulations, everybody has a computer, mission accomplished.
    0:03:27 What’s next?
    0:03:28 Everybody’s on the internet, mission accomplished.
    0:03:29 What’s next?
    0:03:30 Is there anything that follows?
    0:03:34 And especially back then, this is after the financial crisis, there was like a prevailing
    0:03:37 kind of mood of like pessimism about the global economy and the American economy and the
    0:03:38 technology industry.
    0:03:41 And there were lots of press coverage at the time was like, “Tech’s just in another stupid
    0:03:43 bubble and there’s nothing interesting happening.
    0:03:44 There’s nothing left to do.
    0:03:45 Innovation is dead.
    0:03:48 This stuff is all, from here on out, it’s all just stupid little silly games and things
    0:03:50 that don’t matter.”
    0:03:52 And so my view is sort of the exact opposite, right?
    0:03:54 Which is not only we’re not done, we’re just beginning, right?
    0:03:59 Which is okay, now we have a computer in everybody’s pocket with like incredibly powerful computer
    0:04:02 with like a lot of capabilities, which we’ll talk about related to health.
    0:04:06 And then everybody’s on the internet, everybody’s connected to everybody else and to kind of
    0:04:10 an entire universe of services and information and communications and everything else.
    0:04:12 Like to me, it’s just like, okay, that’s the beginning, right?
    0:04:15 It took 70 years to build the platform, get in the position, it’s like, “Okay, now what
    0:04:17 can we do on top of that?”
    0:04:19 And so what I tried to do with the concept of software eating the world was kind of say,
    0:04:22 “Okay, how does this unfold from here kind of across industries?”
    0:04:27 And the way I described it was in three layers and I was sort of three claims, which I would
    0:04:32 say increase as you go in audacity or arrogance, depending on your point of view, or just flat
    0:04:33 out hubris, which is another possibility.
    0:04:38 So the base level claim is, the first claim is any product or service in any field that
    0:04:41 can become a software product will become a software product, right?
    0:04:44 And so if you’re used to doing something on the phone, that’ll go to software.
    0:04:46 If you’re used to doing something on paper, that’ll go to software.
    0:04:48 If you’re used to doing something in person, and then that can go to software, it’ll go
    0:04:50 to software.
    0:04:53 If you’ve had a physical product and think about things like, remember telephone answering
    0:04:55 machines, right?
    0:04:59 Or tape players, boomboxes, all the things Radio Shack used to sell, they’re all apps
    0:05:00 on the phone, right?
    0:05:01 Cameras, yeah.
    0:05:05 Remember, there used to be a physical product called a camera.
    0:05:06 That got paperized, right?
    0:05:10 By the way, physical newspapers, physical magazines, if it can become bits, it becomes bits, right?
    0:05:11 Why does it become bits?
    0:05:14 It’s like, well, if it’s bits, it’s better in a lot of ways.
    0:05:20 So bits, like, are zero marginal cost, so they’re easier to replicate at scale, become much
    0:05:21 more cost effective.
    0:05:22 A lot of bits just drop to free.
    0:05:26 By the way, they’re much more environmentally friendly, which is an increasing thing for
    0:05:27 a lot of people.
    0:05:29 You can change bits much more quickly.
    0:05:32 You can innovate much more quickly, add new features, add new capabilities.
    0:05:35 So there’s just lots and lots of reasons why it’s good to get things from physical form
    0:05:37 into software if you can.
    0:05:40 And so anything that can get into software will get into software.
    0:05:45 The next claim from there then is every company in the world that is in any of these markets
    0:05:49 in which this process is happening therefore has to become a software company.
    0:05:53 So companies that historically either did not have a technology component to what they
    0:05:57 did, or maybe have the classic conception of technology and business, which is called
    0:05:58 IT.
    0:06:03 We’ve got these gnomes in the back office, and they’ve got their lab coats, and they’ve
    0:06:06 got their mainframes, and they do their thing, and they print out these reports, and for
    0:06:10 some reason the reports are still in all caps.
    0:06:11 There’s that.
    0:06:14 But then there’s like, okay, like modern, which you might call sort of modern software
    0:06:15 development, right?
    0:06:19 And especially like customer experiences, like what’s the actual interface to the customer.
    0:06:22 Any company that deals with customers, especially consumers, is going to have to, I think, really
    0:06:26 radically up its game in terms of its ability to build the kinds of UIs and experiences
    0:06:28 that people expect these days.
    0:06:32 So every company becomes a software company, and then the most audacious claim is as a consequence
    0:06:37 of one and two, in the long run in every market, the best software company will win.
    0:06:41 And that doesn’t mean necessarily that it would be a new company that starts as a software
    0:06:44 company that enters an existing market that wins, but it also doesn’t necessarily mean
    0:06:47 that an incumbent that adapts to being a software company will win.
    0:06:51 And increasingly, and you’ll see this in many industries, including healthcare, including
    0:06:52 insurance, right?
    0:06:56 You’ll see many cases now where you’ll have kind of these new pure play software companies
    0:07:00 entering these incumbent markets, and usually from a position of like youth and naivete,
    0:07:03 and maybe they’re wrong, and maybe the idea is stupid, or maybe it’s Uber and Lyft entering
    0:07:07 the taxi market, and maybe they just have a fundamentally better software driven approach,
    0:07:10 and then you’ve got incumbents, right, scrambling to try to basically figure out how to become
    0:07:14 software companies, which is tricky, because software, the way we think about it, like
    0:07:15 it’s different.
    0:07:16 It’s not the same.
    0:07:17 It’s different.
    0:07:19 It’s a different kind of product to develop than a lot of people are used to.
    0:07:22 The culture of a software company is different than the culture of most existing companies,
    0:07:25 and then the kinds of people you need to hire to build software, especially modern software,
    0:07:29 especially things like mobile software, AI software, cloud software, like these are special
    0:07:35 people, and I say special, you know, multiple definitions of special, like these are, these
    0:07:38 are, let’s say, highly creative individuals.
    0:07:41 Just a random example, the defense contractors and intelligence agencies are having to revamp
    0:07:45 all their drug use policies, like right now, like the whole pee in a cup thing before you
    0:07:49 get hired, like, doesn’t work if you’re trying to hire modern software development capabilities.
    0:07:53 It’s just like one random example, but like there are lots of instances where these cultures
    0:07:54 are different.
    0:07:57 And then you can kind of say, okay, if that’s the framework, then you can kind of go industry
    0:08:00 by industry, and say, okay, for each industry, like which industries are more prone for that
    0:08:03 to happen, and obviously in some industries, it’s like super clear.
    0:08:06 The media industry is an example where it’s just like obvious how fast that’s happening.
    0:08:09 There are other industries, like I would say cars is an example we might talk about quite
    0:08:12 a bit, so transportation, I would say it’s kind of right in the middle, which is like
    0:08:16 the incumbents in the auto industry have a really good claim on the idea that building
    0:08:20 cars is like incredibly hard, incredibly dangerous, very regulated, and the idea that a bunch
    0:08:24 of software founders out in the valley are going to start car companies is kind of absurd.
    0:08:28 But there’s, you know, 500 self-driving car startups within 50 miles of where we sit,
    0:08:31 and what those founders would tell you is all the value, 90% of the value of the car
    0:08:35 in five or 10 years is going to be in software, because the car is going to be an autonomous
    0:08:36 electric vehicle, right?
    0:08:38 So it’s going to be autonomous, it’s going to be self-driving, which means it’s going
    0:08:41 to have all this software that the car, the legacy car companies don’t know how to make,
    0:08:44 and then it’s going to be electric, so it’s not going to have all the internal combustion
    0:08:47 components of these car companies that’s been 100 years optimizing.
    0:08:50 And then by the way, the car might go from being a consumer product that people buy to
    0:08:52 just being a service that people access on demand, right?
    0:08:56 And so ride sharing networks in the self-driving world might just be you don’t own a car, you
    0:08:59 just press a button, and a self-driving car shows up and takes you where you need to go.
    0:09:03 And so, you know, so I would say there’s like a pitched battle kind of shaping up in the auto
    0:09:06 industry, and then there’s a bunch of other industries in which I would say the incumbents
    0:09:10 are much more comfortable that they don’t face this kind of disruptive challenge, and
    0:09:11 maybe they’re right.
    0:09:12 Yeah.
    0:09:16 They’re entrepreneurs now, they’re software-driven entrepreneurs, Silicon Valley-style entrepreneurs,
    0:09:21 sort of trying to figure out, like, by the way, including like really big, like education.
    0:09:23 Education is becoming a very hot market, right?
    0:09:27 Education is not a market that you would characterize as having had a lot of innovation over the
    0:09:29 last thousand years.
    0:09:33 And there’s, you know, there’s a new generation of founder out here that has this pretty compelling
    0:09:38 new offerings to education, I would say, even real estate, there’s a lot of surprising
    0:09:42 motivation happening in real estate, actually law as a field, which again, it’s not like
    0:09:45 traditionally super innovative, there’s a lot of new software interest into the legal
    0:09:46 field.
    0:09:51 And so there’s, people are going to be trying in basically every industry.
    0:09:52 Yeah.
    0:09:56 And so I want to make sure we get to the healthcare-shaped elephant at some point in the room.
    0:10:02 But to look back on the software eats the world thesis, the three audacious claims,
    0:10:06 as you called them, any surprises that you’ve seen in the intervening years that you’ve
    0:10:11 said, okay, you know, if I were to rewrite that today, I would have taken a different
    0:10:12 view.
    0:10:13 Yeah.
    0:10:15 So I think the big one I mentioned already, but I think that what’s happening in the car
    0:10:18 industry, like when we started the firm 10 years ago, I would never imagine that we’d
    0:10:20 be investing in like literally new car companies like that.
    0:10:24 Just think about how crazy that, the auto industry was, the auto industry was like an
    0:10:27 entrepreneurial industry in like 1890, right?
    0:10:32 And then in the 1920s, like Henry Ford, it’s kind of the Bill Gates of his era, kind of
    0:10:33 figured the whole thing out.
    0:10:36 And then there were literally no new American car companies.
    0:10:40 There was one major new American car company since the 1920s, so there were like hundreds
    0:10:43 of new car companies in like the 1910s, and they shrunk to basically three.
    0:10:44 And then they stabilized.
    0:10:47 And then there was a huge new car, there was an attempt, there was an entrepreneur named
    0:10:51 Preston Tucker in the 1950s that created a car company called Tucker Automotive.
    0:10:55 It was the bold new thing, and it was such a catastrophe, they made a movie about what
    0:10:57 a catastrophe it was called Tucker.
    0:11:00 And so like if you were an entrepreneur tempted to start a car company, just watch the movie
    0:11:02 Tucker and it’s like, okay, I’m not doing that.
    0:11:07 And so the idea that that, you know, an industry that established would be opening up the way
    0:11:10 that it is has been very striking.
    0:11:11 That’s been the most striking one.
    0:11:15 By the way, I use the term kind of software very broadly just in the sense of like code
    0:11:18 that runs on chips and networks, while I’ve sure been reading about and seeing the rise
    0:11:22 of this sort of concept you hear under the terms machine learning, deep learning, artificial
    0:11:23 intelligence.
    0:11:27 Like in the valley, that’s in the valley, there are like two profound technological revolutions
    0:11:33 happening right now and that have the best engineers the most excited, and that’s one
    0:11:34 of them.
    0:11:38 By the way, the other one is cryptocurrency blockchain, which is a whole other conversation,
    0:11:43 but the sort of machine learning, deep learning AI is an incredibly fertile area of creativity
    0:11:48 right now and is advancing at an incredibly high rate of speed technologically.
    0:11:52 And so the other question that I think is increasingly coming up when we think about
    0:11:56 the kinds of companies and founders we back is kind of how AI native or ML is sort of
    0:12:00 machine learning native, the founders are and the companies are, and even in the valley
    0:12:03 there’s a big, there’s a big spread, I think, between the software founders that have really
    0:12:06 figured out this new technology and how to use it and the founders that still haven’t
    0:12:07 kind of tuned up on it.
    0:12:11 And so it’s like very much in flux and if that stuff works the way that it looks like
    0:12:14 it might work, you know, that could really be transformative even beyond just the idea
    0:12:15 of software.
    0:12:17 Oh, I think that’s right.
    0:12:21 So if we look at a couple of the industries that have been responsive and receptive, I
    0:12:25 mean, the auto industry, right, I think it’s a big surprise that they would have adapted
    0:12:29 to the fact that cars are becoming more sort of software centric.
    0:12:32 What about industries that have been almost entirely transformed?
    0:12:33 So take, for example, the music industry.
    0:12:39 I think if you live outside of Silicon Valley, if you sort of looked at the first wave of
    0:12:43 the internet, one of the first industries that was fundamentally transformed was the
    0:12:45 music industry.
    0:12:51 Do you think, you know, that other industries have will likely suffer that fate that music
    0:12:52 has?
    0:12:53 Yes.
    0:12:54 It’s a funny thing.
    0:12:55 So music was like, I think it’s something like a triple whammy.
    0:12:58 So, so first of all, one of the interesting things about music was it turns out people
    0:13:00 really love music.
    0:13:03 And I say that because like generally when we fund startups, like the question always
    0:13:05 is like, will the dogs eat the dog food, like are people actually going to want this
    0:13:06 thing?
    0:13:08 And the thing with music is like, what was the huge issue with music?
    0:13:09 It was like piracy.
    0:13:13 Like all of a sudden, you know, the music listeners went crazy and all started breaking
    0:13:16 the law and all started to listen to music online and the record labels are freaked out
    0:13:19 and they were like, well, what, what, you know, basically like our customers have turned
    0:13:22 evil and it’s like, well, you know, maybe.
    0:13:25 But like, first of all, like, wow, isn’t it great that they all love music so much?
    0:13:28 And for some reason, the music executives, I knew never thought that was a very good
    0:13:29 point.
    0:13:30 But I thought, I thought it was interesting.
    0:13:34 I’m like, look, they want, they want the thing like they’re showing normally in business
    0:13:37 when the customers line up out the door and they’re like, I want to consume, you know,
    0:13:38 music digitally.
    0:13:40 You would normally want to say, okay, I want to find a way to service them.
    0:13:43 You know, the music label heads went, no, you shouldn’t be able to get music digitally.
    0:13:45 And so that, that, that was the first interesting thing.
    0:13:48 It was, it was the reverse of the normal supply and demand problem you have.
    0:13:51 And it was literally overwhelming consumer demand for online music, streaming music,
    0:13:52 digital music.
    0:13:55 And it was overwhelmingly suppliers refusing to accommodate it.
    0:13:56 So that was weird.
    0:13:58 So then it was like, okay, well, why is that happening?
    0:14:00 Well, then you get into the, into the pricing, right?
    0:14:04 And then as you guys all know, like the pricing had become, you know, there’s 12 album, you
    0:14:07 know, there’s 12 songs in the album, the album costs 17 bucks and I want one of the songs,
    0:14:08 right?
    0:14:12 You know, I can just pay $17 for a song with, you know, and then another 11 songs I don’t
    0:14:13 want.
    0:14:17 And so then it’s like, okay, well, that’s weird, like, you know, is that really, but
    0:14:20 the whole structure of the record industry had gotten built up around that.
    0:14:23 And then there was the thing that it actually got down to, which took a while to kind of
    0:14:27 surface, but it ultimately did finally come out, which was, it was, it was a cartel.
    0:14:31 It was like a full-on anti-competitive, monopolistic cartel with price fixing.
    0:14:34 And we now know that because there were antitrust cases from this era that finally impealed the
    0:14:35 whole thing.
    0:14:38 So this, this has all become since public record, but they, they were all colluding.
    0:14:41 And so they were, you know, four or five labels and they were all getting together and setting
    0:14:42 prices.
    0:14:45 And that’s why they were, that’s in retrospect why they were so dug in.
    0:14:47 Because it was, and it was a magical business model, right?
    0:14:50 I mean, it’s like, if you could, like, let’s imagine you could collude and then let’s imagine
    0:14:53 as a consequence of that, you could overcharge by like a factor of 10, like, wouldn’t that
    0:14:55 be great?
    0:14:59 And so that, that in retrospect was the thing that I think a lot of us out here missed because
    0:15:04 their behavior was just so illogical otherwise, you know, the problem was that lasted until
    0:15:05 it didn’t last, right?
    0:15:09 And then, you know, the way that didn’t last is first the consumers, the consumers, I think,
    0:15:14 like, the consumers were breaking the law, but however, they had, they had actually,
    0:15:15 they were breaking the law.
    0:15:17 They were doing the wrong thing, but for the right reasons, they had concluded that the
    0:15:21 industry that was servicing them was actually immoral, which was actually correct.
    0:15:22 It actually was immoral.
    0:15:24 It is immoral to price fix and collude and illegal.
    0:15:28 So, right, you had illegal customers, illegal customer behavior and illegal supplier behavior,
    0:15:32 like super healthy market.
    0:15:34 And so, you know, so what’s the moral of the story?
    0:15:35 You know, what’s the moral of the story?
    0:15:38 Well, it’s like, okay, that which can become software will become software.
    0:15:41 There was just overwhelming, you know, look, we all live this today, like, how do I want
    0:15:42 to listen to music?
    0:15:46 I pull up Spotify on my phone and listen to music, like the idea of being forced back
    0:15:49 to, you know, figuring out which box in the garage has the CDs, you know, it’s just, you
    0:15:52 know, sounds like medieval torture.
    0:15:55 And so, the thing that can become software will become software.
    0:15:58 And then, you know, prices are going to rationalize, and we could talk more about that, but there’s
    0:16:01 like, there’s a big, I think, rationalization of prices happening across the economy that’s
    0:16:04 pretty interesting as a consequence of the increased transparency.
    0:16:07 And then, you know, the suppliers, like the cartels, you know, the cartels, the cartels
    0:16:09 attached to the old technology aren’t going to survive.
    0:16:13 Like that kind of transformation is going to be a really big deal.
    0:16:16 And it took time, like it, you know, it took 15 years, maybe is the other thing, like it,
    0:16:18 you know, it was 15 years of the record labels trying to hold out.
    0:16:21 And by the way, it was 15 years of tech startups that tried to solve this problem.
    0:16:24 And so, there, you probably remember, if you’re into music, it’s like, I don’t know, there
    0:16:27 was, I forget, you know, there was Napster, which got put, you know, put out of business
    0:16:30 early on that could have been the thing, but then there was Kazaa, there was LimeWire, and
    0:16:33 there was BitTorrent, and then there were all the early streaming services.
    0:16:36 And actually, what’s interesting is they were all terrible venture investments.
    0:16:39 They were all catastrophes, right, because they were too early, like, because they couldn’t
    0:16:42 get the rights to the music, because the labels wouldn’t do the trade, they wouldn’t do the
    0:16:43 deal.
    0:16:45 And so, they could never get the rights to the music, and so, they could never actually
    0:16:48 offer a service the consumers actually wanted that was also legal.
    0:16:50 And so, they were actually all bad investments.
    0:16:53 But then finally, after 15 years, the pressure built to the point where it actually was time
    0:16:55 for fundamental change, and that’s when Spotify kind of catalyzed.
    0:16:59 Actually, a lot of, a lot of VCs like us actually did not invest in Spotify at that time, because
    0:17:03 there was this 15-year history that all the other attempts to do what Spotify was doing
    0:17:04 had failed.
    0:17:07 But the time had actually come, right, and now it’s obvious what happens, which is like
    0:17:11 music is like 10 bucks a month and it’s all you want, you listen to it, and Spotify has,
    0:17:14 I don’t know how many, but Spotify is going to end up with like a half billion or a billion
    0:17:18 subs at like 10 bucks a month, and then they’ll, they’re parceling out all the money to the
    0:17:19 artists.
    0:17:22 And everything that in music could become software has become software.
    0:17:23 It has become software.
    0:17:27 The one thing that still you have to do in person is the experiential part of going to
    0:17:29 see a musician perform.
    0:17:34 So that’s where musicians today make a lot of their money, right, in terms of going and
    0:17:35 having the in-person piece.
    0:17:38 And I think if you look at the healthcare industry, I mean, I think there’s probably
    0:17:39 some element to that.
    0:17:42 There’s still, there’s always going to be a human element, an in-person component to
    0:17:45 treating and managing disease and patients.
    0:17:48 Well, actually, there’s a related point there, which is actually, there’s this weird, Clay
    0:17:49 Christensen actually points this out.
    0:17:53 There’s this weird thing where, you often see in many industry structures, when one layer
    0:17:56 commoditizes, the next layer can become incredibly valuable.
    0:17:59 And so it’s this deceptive thing, because people are focused on the layer that’s commoditizing
    0:18:02 and kind of the shrinkage, kind of, you know, revenue in the market cap that’s happening.
    0:18:04 And they tend to think that means the whole industry is going down.
    0:18:07 But like, you know, look, the music industry contracted, right, the amount of money people
    0:18:09 spent on recorded music shrunk dramatically.
    0:18:12 It’s finally started to grow again with streaming, but like it shrunk dramatically over the course
    0:18:14 of, you know, 15, 20 years.
    0:18:17 What actually happened is super interesting is the complement expanded dramatically.
    0:18:21 So over that same time period, I think the U.S. market for live concerts over the last
    0:18:23 15 years grew 4X.
    0:18:24 Wow.
    0:18:28 And that’s in aggregate dollars, aggregate inflation-adjusted demand.
    0:18:32 And it kind of makes sense, which is like, okay, congratulations, you know, Mr. Consumer,
    0:18:33 congratulations.
    0:18:35 You now have unlimited access to all the recorded music you want.
    0:18:36 It’s now free.
    0:18:37 Everybody has it.
    0:18:38 You know, there’s no status.
    0:18:41 Like, there’s, you know, there’s no, you don’t have the, like, record labels.
    0:18:44 You know, you don’t have the, you know, the LPs lined up on your shelf, and if you’re,
    0:18:46 you know, courting a young man or young woman, and they come over and you want to show off
    0:18:49 your music, you don’t get to do, you know, it’s like, hey, look at my Spotify, right?
    0:18:50 It’s not the same.
    0:18:52 So, you know, so there’s no social effect to it.
    0:18:53 It’s not really funny.
    0:18:55 It’s good.
    0:18:58 It’s like, it’s consumer nirvana, except it’s like they’ve drained out all the fun.
    0:19:01 And so what’s fun is like going to the concert, right?
    0:19:03 And by the way, I’m not spending as much money in recording music, and therefore I have more
    0:19:05 money available to actually buy concert tickets.
    0:19:09 And so the concert business, the sort of experience side of it has exploded in revenue, and you
    0:19:14 might, you could easily hypothesize the exact same thing happening in healthcare, right?
    0:19:18 For example, if more of the actual products and services in healthcare could get commoditized,
    0:19:21 and over time you could break the cost curves and actually shrink it, you know, maybe concierge
    0:19:24 medicine would just explode, right?
    0:19:27 Maybe what people actually, maybe a lot more people actually want the kind of concierge
    0:19:28 experience today.
    0:19:29 They can’t afford it.
    0:19:30 But if you, if you, if you correct the price curve and a lot of the other stuff, maybe you
    0:19:31 could open that up.
    0:19:32 And so, yeah.
    0:19:35 So it’s basically the moral of that is just pay attention to the complements.
    0:19:36 It’s not, it’s not just a thing.
    0:19:37 It’s never a single factor.
    0:19:40 There are other implications for other areas of spending.
    0:19:41 Yeah.
    0:19:44 And so actually on that note, you know, given in the healthcare industry, we’re of course
    0:19:49 one way, shape, or form, we’re all customers of the healthcare industry over our lifetime
    0:19:50 we will be.
    0:19:55 You served on the board of the Stanford hospital for five, six years.
    0:20:00 Could you talk a little bit about what you learned about the delivery of healthcare from
    0:20:06 that, from serving on the board of a hospital and really coming in as, as a layperson to
    0:20:07 the industry?
    0:20:09 I would say the best thing about it was, you know, the mission of the place was obviously
    0:20:10 just amazing.
    0:20:13 And I’d say that the mission, both in terms of the actual healthcare, but also the mission
    0:20:18 of the translation of, of, of medical research, you know, the, the integration with the medical
    0:20:19 school, you know, the research happening.
    0:20:23 It was a nonprofit with highly motivated people, people, which was exciting to see.
    0:20:26 You know, then, yeah, there was innovation happening all over the place.
    0:20:28 And in fact, it was actually exciting because we got, we had the chance to actually design
    0:20:34 and build a new hospital, which I’m delighted to say is opening finally this fall.
    0:20:39 So we, we greenlit the project, I believe in 2005 and we’re opening it in
    0:20:40 2019.
    0:20:41 These are all 15 year cycles.
    0:20:43 These are 15, 15, 15 year, 15 year cycles.
    0:20:45 And then, you know, that, that got, you know, that we spent a lot of time on the design
    0:20:47 of the new hospital, which was super interesting.
    0:20:50 You know, the two things that were probably the biggest, I don’t know, the surprises, the
    0:20:54 things that just kind of really jumped out, it’s like 25 board members, right?
    0:20:57 So our boards, like our well functioning boards at our companies, it’s like seven people,
    0:21:00 beyond seven people, you can’t have a good discussion.
    0:21:04 And so, you know, 25 people is like a UN summit.
    0:21:07 And so I would not describe the board meetings as highly dynamic and we didn’t really get
    0:21:09 into a lot of the issues.
    0:21:12 And then the other kind of just really thing that blew me away, which I’m still kind of
    0:21:15 tracking and I’m fascinated by was the issue of quality.
    0:21:19 So I happened to join the board right after we hired our first chief quality officer,
    0:21:23 which was a guy who had come out of management consulting at Six Sigma, kind of, you know,
    0:21:24 manufacturing quality thing.
    0:21:27 You know, for those of you who kind of know the, kind of the history of these things,
    0:21:31 the U.S. auto industry, like, was a huge ascendant industry in the 50s and 60s, but had this
    0:21:35 massive quality problem, which was like literally people were dying, like there were no seatbelts
    0:21:38 in the cars, like the steering columns were like impaling people, like there were all
    0:21:40 kinds of horrific problems.
    0:21:43 And then when the Japanese and the Germans came in with safer cars, like it catalyzed
    0:21:48 a huge crisis in the U.S. auto industry, and Ralph Nader made his name originally by crusading.
    0:21:51 The book was called “Unsafe at Any Speed,” which was a reference both to the car and
    0:21:52 to the industry.
    0:21:56 And then starting in the ’70s, ’80s, ’90s, the auto industry implemented this thing,
    0:22:00 the TQM Total Quality Management, Six Sigma, which is a process to kind of get all the
    0:22:04 bugs out, you know, kind of the idea of defect-free manufacturing, which is why generally if you
    0:22:08 buy a car today, like it’s a far higher quality experience than a car 50 years ago, and usually
    0:22:12 it’s actually a much better experience even than a car 10 or 20 years ago, like they’re
    0:22:13 quite good now.
    0:22:16 You read these histories of, like, I don’t know, when they figured out cholera in the
    0:22:17 water or stuff like this.
    0:22:19 They figured out, like, what germs are and what infection is.
    0:22:22 And it’s like, you know, it was 18, whatever, 1880 or something, they figured out it’s
    0:22:25 a good idea to wash your hands before you perform surgery.
    0:22:30 And so it’s 2004, and there’s still doctors walking into rooms and getting people sick.
    0:22:34 The compliance rates for the scrubbing into the rooms is, like, I don’t know, 34 percent
    0:22:35 or something.
    0:22:36 And I’m just like, “Oh, fuck.”
    0:22:37 Like, sorry.
    0:22:41 It’s like, how can you—anyway, so that was at the front end of that.
    0:22:44 You know, it’s been fascinating to track that because, on the one hand, it’s very clear
    0:22:45 that they’ve made a lot of progress.
    0:22:48 On the other hand, there is innovation yet to be done.
    0:22:52 I mean, so—and you guys, I think you guys must know—yeah, I’m sure you guys know all
    0:22:55 this, but, like, you know, medication compliance, like, the data on medication compliance is
    0:22:56 absolutely horrifying, right?
    0:22:59 It’s like, I don’t know, something like two-thirds of all prescribed medications are
    0:23:03 not—it’s like a third of all prescribed medications are unfilled, right?
    0:23:06 Another third are not—people don’t take them on schedule, right?
    0:23:09 And then you get the details on it, and, like, a lot of people, especially older people,
    0:23:12 you give them, like, eight or ten or twelve different medications, they’re supposed to
    0:23:13 track it.
    0:23:16 They’ll just dump all their medications into, like, the candy bowl and, like, mix it all
    0:23:18 up, and every day they’ll take a handful of pills, right?
    0:23:22 Like, and actually, that’s pretty good, right?
    0:23:25 That’s better than just it’s all on a shelf somewhere or they can’t get the bottles open.
    0:23:27 And so, you know, medication compliance is a train wreck.
    0:23:31 It’s actually the—I read this thing the other day—medication compliance on—medication
    0:23:35 compliance on the medication after organ transplants is actually terrible.
    0:23:38 It’s only like—you know, like, kidney transplants, it’s only, like, 60% compliance.
    0:23:39 That’s incredible.
    0:23:40 It’s incredible, right?
    0:23:43 And, like, it’s in the other 40%, like, you’re going to die, right, and they still can’t
    0:23:44 get compliance, right?
    0:23:47 And so, and there, you know, there’s eight different reasons for that.
    0:23:48 And so, there’s that issue.
    0:23:51 Another is just, like, yeah, literally tracking the doctors.
    0:23:56 Like an idea—just an idea that we should fund, like, we’re seeing all these new—actually,
    0:23:59 we’re seeing all these new technologies now to do things like, for example, to watch in
    0:24:03 assembly line environments, to have, like, cameras that, like, watch everybody’s, you
    0:24:06 know, basically time and motion, like, in the factory, and then you can use these machine
    0:24:09 learning technologies to kind of decode, like, are people doing the right thing?
    0:24:10 Are they tightening the screws?
    0:24:11 Tightening the bolts?
    0:24:12 Are the machines running properly?
    0:24:14 You know, and maybe we should have, like, a camera outside, you know, every patient
    0:24:17 door and, like, is the—are the doctors and nurses actually, like, scrubbing their hands?
    0:24:18 Like, you know, Purell.
    0:24:20 Yeah, Purell, like, you know, Purell track.
    0:24:24 So, like, fairly basic stuff is still—I mean, I think the reality is I think there’s a lot
    0:24:26 of basic stuff that’s still not being done.
    0:24:29 And so, there’s—yeah, there’s—yeah, and the problem with this kind of thing is it’s
    0:24:35 like, okay, like, you know, what is it—what’s the—medical errors are the what most common
    0:24:36 in the hospital?
    0:24:37 Or the third?
    0:24:38 Yeah.
    0:24:39 And then, of course, and then this whole issue of infection, you know, hospital-borne infections,
    0:24:45 like, it’s, I think, an open question, how much of that is fixable or, you know, compliance
    0:24:46 issues.
    0:24:47 And it’s definitely not getting better.
    0:24:48 Yeah, right, exactly.
    0:24:49 Yeah, and so—
    0:24:52 And while you were on the board of the hospital, you know, a lot of—when folks think about
    0:24:57 software and healthcare, people just automatically assume, you know, EMR is sort of the example
    0:25:00 that a lot of people gravitate towards.
    0:25:05 Did you go through the experience of incorporating and implementing an EMR at Stanford while you
    0:25:06 were on the board?
    0:25:07 Yep.
    0:25:08 Tell us a little bit about that process.
    0:25:09 Oh, yeah, yeah, yeah, yeah, we put that out to bed.
    0:25:12 I think we got back one viable bed, I think, for the complexity of Stanford Hospital.
    0:25:13 It was EPIC.
    0:25:18 It was a $400 million project, probably—well, I don’t know, probably a hundred to EPIC or
    0:25:19 something like that.
    0:25:23 And then after 300, we went out for integration bids, and this is where I almost started crying.
    0:25:25 It was Perot Systems.
    0:25:26 Ross Perot.
    0:25:31 Ross Perot Systems, which—Perot Systems was the follow-up to EDS, Ross Perot’s company,
    0:25:33 which is now owned by Dell.
    0:25:36 And so, yes, it’s a $400 million project, Perot Systems.
    0:25:41 This was 2005, I think, when we started the Epic implementation, and they were very excited.
    0:25:42 They were very excited.
    0:25:44 I was very excited because I was like, “Wow, this is like a new hospital, it’s probably
    0:25:45 going to be mobile.”
    0:25:47 This is when smartphones are starting to take off, and it’s going to be mobile, and it’s
    0:25:49 going to be sensors, and all this stuff.
    0:25:50 It’s going to be great.
    0:25:54 And it was like they were super excited because they had just moved to the Windows 95 UI in
    0:25:55 2005.
    0:25:58 It was like the big upgrade from Windows 3.1.
    0:26:01 And I was like, “Oh, my God.”
    0:26:06 And it’s 2019, and it’s still—right, it’s obviously still the same thing.
    0:26:07 Right.
    0:26:08 Yeah.
    0:26:10 The other incredibly entertaining thing about Epic is that they are so—out here, it’s
    0:26:13 like—out here, there’s a big focus on software interoperability.
    0:26:16 And so, it’s like in one piece of software, work with another, there’s this whole concept
    0:26:19 of what I call—there’s entire companies now that are called API companies that basically
    0:26:21 software building blocks that you plug together, there’s open source.
    0:26:24 And so, out here, it’s just this constant process of everybody building and everybody
    0:26:29 else’s creativity, and the whole thing rises, except for Epic, which has an absolute prohibition
    0:26:32 on third-party integration that does not tolerate it.
    0:26:35 We’ll sue you if you attempt to integrate with it, so—
    0:26:39 So when you launched the firm, you famously said—or in the early days of the firm, you
    0:26:45 famously said that you won’t see A16Z investing in bio and healthcare, and that’s obviously
    0:26:46 changed.
    0:26:47 Yeah, that’s changed.
    0:26:50 Can you talk a little bit about the evolution of that thought process?
    0:26:51 Modern venture capital is like roughly 50 years old.
    0:26:54 It kind of started in the 1970s in kind of the modern form, and there are basically two
    0:26:57 fields within venture that actually worked.
    0:27:01 There’s sort of what you might call digital technologies, computer-based technologies,
    0:27:06 IT broadly defined, and then there’s biotech, and biotech kind of broke down traditionally
    0:27:10 into new pharma, new therapies, and then new treatments, and then new medical devices.
    0:27:14 And actually, a lot of the best venture capital firms actually had dual practices, right?
    0:27:15 And so, there are many examples of this.
    0:27:17 Kleiner Perkins being a very prominent one for a long time.
    0:27:20 They had dual practices, and so they have the digital—they call it the digital team,
    0:27:22 and then they have the healthcare team.
    0:27:25 And once upon a time, they kind of collaborated, they all worked together.
    0:27:29 And then what happened, right, is the economics of those two sectors just like fundamentally
    0:27:30 diverged.
    0:27:34 And the fundamental reason for this is, right, in the sort of digital technologies and digital
    0:27:38 venture, you’re fundamentally riding this curve called Moore’s Law, right, which is
    0:27:41 sort of the—basically the price of the underlying components for software and hardware basically
    0:27:43 falls in half every 18 months.
    0:27:46 So, you get this amazing kind of downward cost curve, and that’s why you keep coming
    0:27:50 up with new applications for computers because everything keeps getting cheaper.
    0:27:51 And really quickly, right?
    0:27:54 And then in new pharma and in new medical devices, you had the reverse of Moore’s Law
    0:27:59 literally, which is called Eroom’s Law, E-R-O-O-M, which is Moore backwards.
    0:28:06 And Eroom’s—and Eroom’s Law is the cost to bring a new drug or a new medical device
    0:28:09 to market doubles every N years, right?
    0:28:13 So the cost goes—it goes the wrong direction, right, up to—and 20 years ago or 15 years
    0:28:17 ago, what happened was the VCs that were in both basically decided that they didn’t work
    0:28:19 anymore, that the economic cycles were too different.
    0:28:23 So you could fund, you know, Facebook, you know, with whatever, $20 million, or you could
    0:28:27 fund a new pharma effort with a billion dollars, right, and still probably have to raise another
    0:28:31 $3 million by the time you’re done, right, or end up selling out to big pharma at some
    0:28:32 point.
    0:28:35 And so they just became kind of two fundamentally different domains, and then by the way, they
    0:28:38 were two fundamentally different sciences, right, because they were sort of computer
    0:28:41 science on the one side, biological science on the other side, and they didn’t really
    0:28:42 intersect.
    0:28:45 You don’t really use computers that much doing new drug discovery or new medical devices.
    0:28:49 And so that was—that was the situation we saw in 2009, was kind of—they were actually
    0:28:53 separating out, and actually the leading kind of biotech VCs now are not names that anybody
    0:28:57 in Silicon Valley would even necessarily know, because it’s just such different worlds.
    0:29:03 What we started to see starting about six years ago, starting around 2012, probably 2013,
    0:29:06 we started to see a new kind of founder show up, and we started seeing founders showing
    0:29:11 up with PhDs in biology, you know, often MDs, and then also either degrees in computer science
    0:29:15 or the equivalent of degrees in computer science, sometimes actually like dual PhDs, but also
    0:29:19 sometimes it was just, you know, I’m a PhD in bio, but I’ve actually been programming
    0:29:20 computers since I was 10.
    0:29:23 Like, I’ve got, you know, 25 years, you know, I’ve got 20 years or whatever, sort
    0:29:27 of the equivalent of like, you know, educational experience in computer science.
    0:29:31 And then these founders are showing up with these kinds of hybrid, right, technologies
    0:29:34 that were kind of half bio, half computer science.
    0:29:37 And then, honestly, they would come in and pitch us, right, and then this is why I always
    0:29:40 call the dogs watching TV, you know, phenomenon, you know, because they’d be up there and
    0:29:44 they’d be talking about the genome and this and, you know, the exome and ribonucleic this
    0:29:48 and that and the other thing, and you know, we’re all just kind of like, you know, sort
    0:29:51 of vey, you know, I’ve heard these words before, I don’t quite know what they mean.
    0:29:55 And then they would say, you know, algorithm, and we’d all go woof, right, like, you know,
    0:29:56 we get that.
    0:29:59 And then, you know, and then we didn’t know quite what to make of these, right, and so
    0:30:02 then we’d ask the founders, just feel like, well, what happened when you go pitch the
    0:30:04 bio VCs, the healthcare VCs, like, what are they doing?
    0:30:08 It’s like, you know, it’s so weird, it’s like dogs watching TV, you know, except, you
    0:30:10 know, we go on and on and on about machine learning and they just look at us puzzled
    0:30:13 and then we say, you know, ribonucleic and they get all excited.
    0:30:17 And so what happened was we basically said there’s this missing middle, right, which
    0:30:20 is basically the convergence of these, actually, it’s interesting, it’s the convergence of
    0:30:24 the scientific domains, right, and then as a consequence, it’s the converging of the
    0:30:27 technological domains and then that means the convergence of the industries.
    0:30:30 And so we just started to see this repeating pattern of these new kinds of founders and
    0:30:35 we said, well, look, we said it’s unlikely that these bio VCs, these bio VCs have gotten
    0:30:38 so detached from computer science that they’re unlikely to figure this out.
    0:30:42 A bunch of the computer science VCs just got done shutting down their healthcare practices,
    0:30:44 they’re not probably going to leap back into it.
    0:30:47 Maybe there’s this new thing in the middle and then there we got VJ, our partner VJ,
    0:30:50 who was a professor at Stanford where he was literally right in the middle of this convergence
    0:30:54 in his time at Stanford and he came over and he kind of spun us up on this whole domain
    0:30:57 and then Jorge joined us subsequently.
    0:31:00 And I think we’ve, like, I think we’ve discovered, like, there’s a real, there’s a real vein
    0:31:01 here, right.
    0:31:05 And it’s interesting because like we are seeing more of the CS focused VCs starting to edge
    0:31:09 in now and adapt, we’re also seeing more of the life sciences VCs starting to edge in
    0:31:11 but it’s still, there’s this thing in the middle.
    0:31:15 And then as you were indicating, like, with the epic question, like, you know, there’s
    0:31:18 for sure, it’s like, I mean, there’s like the pure like convergence, which is like the
    0:31:19 concept of digital therapeutics, right.
    0:31:22 So, you know, and things like, for example, diabetes and so forth.
    0:31:26 And then there’s all these potentially new kinds of diagnostic, new kinds of sensors,
    0:31:28 you know, use the sensors in the phone to do diagnostics, things like that.
    0:31:31 And then there’s a lot of work happening in like bioinformatics and, you know, the research
    0:31:35 side, you know, sort of cloud, cloud biology is a big thing that we have.
    0:31:38 And then there’s actually applying information technology to the operations of the actual
    0:31:43 healthcare industry, which gets into things like medical records and hospital management
    0:31:44 services and stuff like that.
    0:31:47 And so we basically decided we’re taking a very broad, we’re taking a very broad brush
    0:31:50 at this and we’ll basically, we’re working in all those areas.
    0:31:54 And I think we’re finding it to be a very dynamic and very fertile area.
    0:31:55 Absolutely.
    0:31:59 What advice that someone who’s been investing in has been an entrepreneur has been investing
    0:32:02 in entrepreneurs now for above a decade.
    0:32:08 What advice would you give industry leaders in terms of how to engage with innovators
    0:32:10 with entrepreneurs?
    0:32:13 And conversely, what advice should we be given to entrepreneurs to engage with folks that
    0:32:14 are leading the industry?
    0:32:15 Yeah.
    0:32:19 So the big thing to think about, the big difference between kind of how the valley works and kind
    0:32:23 of the rest of the business world works is as follows, which is like in most of the business
    0:32:26 world, like you’ve got some existing position in something and you’re trying to figure out
    0:32:27 like what to do with it.
    0:32:29 And you’re trying to figure out how to defend it, you know, defend a market or you’re trying
    0:32:31 to figure out how to advance, innovate within the market.
    0:32:34 But like you’re kind of dealing with a big existing, you know, big existing companies,
    0:32:36 big existing businesses.
    0:32:40 You know, out here, we don’t generally have that, you know, we’re generally starting from
    0:32:41 scratch.
    0:32:45 And I think the way to think about it is selling of all these startups, they’re experiments
    0:32:46 first and foremost.
    0:32:50 And they’re experiments often in technology, we’re trying to take actually much scientific
    0:32:54 experimental risk, but they are technological experiments, can we build the product?
    0:32:57 And they’re business experiments, which is like, you know, is anybody going to want
    0:32:58 this thing?
    0:32:59 Am I going to be able to make a business on it?
    0:33:01 Am I ever going to be able to turn a profit on it?
    0:33:02 They’re experiments.
    0:33:05 And like you might say, well, that’s dumb, like why would you like to, you know, risk all
    0:33:08 this money and effort and launching experiment for a product that you don’t know whether
    0:33:10 you can build and you don’t know what anybody would want.
    0:33:12 And most of the world doesn’t run those experiments.
    0:33:14 And so maybe there should be one place that does, right?
    0:33:15 And this is that place.
    0:33:18 And so the ethos of the valley is these are experiments.
    0:33:21 And that’s actually what leads to this interesting phenomenon in the valley, which is you’ll have
    0:33:25 founders that have a company that’s like just like almost in some cases like a famous train
    0:33:26 wreck.
    0:33:27 Like it just didn’t work at all.
    0:33:29 And like, you know, five years later, they’ll go start the next company and they’ll easily
    0:33:30 raise money for it.
    0:33:31 Right.
    0:33:32 And again, like a lot of the rest of the world would be like, well, why are you getting behind
    0:33:33 somebody who already failed?
    0:33:37 And the valley is like, well, if they learned along the way, right, and they’re now better
    0:33:40 at running the experiments the second time, let’s fund them to run the second experiment.
    0:33:43 And in fact, a lot of the best companies in the valley are founded by people who had one
    0:33:48 or two significant failures before they, you know, before they founded the winner.
    0:33:52 And so, so I’d view it as like it’s an incredibly fertile landscape of experiments in and there’s,
    0:33:55 you know, there’s thousands of experiments being run and, you know, these are pretty big,
    0:33:59 you know, can we build the self-driving cars like a pretty big experiment.
    0:34:01 So then it’s when kind of, you know, people, especially from established industries come
    0:34:06 here, it’s kind of like the temptation is to evaluate like each experiment one by one.
    0:34:09 So it’s like, you know, you look at a given startup and it’s like, well, I don’t know,
    0:34:11 like, you know, this thing might work, the technology might work, the business might
    0:34:13 work, you know, this, whatever, this might be the right founder.
    0:34:14 Don’t quite know.
    0:34:17 There’s all this idiosyncratic risk with this experiment.
    0:34:20 And I feel like I should make the decision whether or not to talk to the startup or work
    0:34:25 with the startup based on the characteristic of this, you know, of this particular instance.
    0:34:26 That’s one way to do it.
    0:34:29 The other way to do it is more like what we do, which is also what I think the big
    0:34:32 companies that are good at doing this also do, which is you can say, well, look, it never
    0:34:35 makes sense to just run one experiment, but it might make sense to run 10 experiments.
    0:34:40 And so it might be that the partnership model that makes sense is let’s put together a portfolio.
    0:34:43 Like let’s figure out 10 areas that we think are potentially interesting.
    0:34:45 Let’s find the 10 most interesting startups in those areas.
    0:34:49 And then let’s run, let’s, let’s try 10 partnerships and let’s, and let’s think about it very explicitly
    0:34:53 as a portfolio of part, you know, portfolio investments, a portfolio partnerships, a portfolio
    0:34:55 of new supply relationships, whatever it is.
    0:35:00 And then let’s evaluate the result of those 10 experiments as a basket, right?
    0:35:02 And just the nature of probabilities being what it is.
    0:35:03 Some of them are going to work.
    0:35:04 Some of them are not, right?
    0:35:07 But the ones that are going to work might work really, really well, right?
    0:35:11 And what I just described you as literally what we do, it’s like, it’s the venture capital
    0:35:15 mentality, but it’s also, I think the best construct for thinking through how to engage
    0:35:17 with startups as a, as a big company.
    0:35:21 By the way, the other side of it is the temptation for thinking about like, you know, a new joint
    0:35:25 venture or a new investment or something, a new product is, you know, will it succeed
    0:35:26 or not?
    0:35:29 And so it’s like, and the traditional way you report this to the board is it’s like,
    0:35:31 you know, green light, yellow light, red light, like a famous management consulting
    0:35:32 chart with like the bulbs, right?
    0:35:35 And you want all the lights to be green, and if any of the lights are yellow, people have
    0:35:36 very stern looks in their face.
    0:35:39 And if any of the lights are red, like it’s a disaster and somebody gets fired.
    0:35:40 And so, you know, it’s pass/fail, right?
    0:35:44 I actually think that the way that you want to think about this is, you know, it’s not
    0:35:45 a question of like, does it work?
    0:35:48 It’s a question of like, if it works, like how big can it get?
    0:35:50 Like if it works, how big of an impact could it have?
    0:35:53 So a new technology you might be looking at in your business that might be a new route
    0:35:56 to market or a new way to cut costs, a new way to cut costs.
    0:36:00 Like if it works, you know, if it costs good, does it cut a million dollars worth of cost
    0:36:02 or a billion dollars worth of cost, right?
    0:36:04 That might be the actual relevant question, right?
    0:36:08 So as opposed to just success, failure, and just the nature of these things is like they
    0:36:11 often, these experiments often don’t work, but when they do work, they can actually work
    0:36:12 really, really well.
    0:36:14 They can get really, really big and have a really, really big impact.
    0:36:19 And so, yeah, so that’s the general model is a portfolio approach and then an understanding
    0:36:23 and appreciation of the asymmetric nature of the wins relative to the odds that there
    0:36:24 will be some set of losses.
    0:36:25 Great.
    0:36:31 Silicon Valley has been pretty visible in movies and television, et cetera.
    0:36:36 You may have had a hand in some of that yourself in terms of advising some of these shows.
    0:36:37 No comment.
    0:36:40 Only the good ones.
    0:36:45 What do you wish that people that didn’t live here in Silicon Valley knew about Silicon
    0:36:46 Valley?
    0:36:47 It’s funny.
    0:36:48 I’ve been listening to the Elon Musk audiobook.
    0:36:51 He gives me a remember like before the Model S shipped, like everybody thought he was just
    0:36:52 completely full of it, right?
    0:36:54 And like he was going to make this car and just, there’s just like no way it’s impossible,
    0:36:55 can’t be done.
    0:36:57 And then this freaking car comes out, right?
    0:37:00 It’s like the Model S comes out and it literally wins like car of the year awards everywhere.
    0:37:02 It has like the best safety rating of any car ever made.
    0:37:04 And there were all these people who were like, oh yeah, he’s a fraud.
    0:37:07 They’re literally mouths hanging open, like cannot believe it, right?
    0:37:10 And so that actually is kind of the more common story.
    0:37:14 And so the scientific and technical substance of what happens out here does tend to be quite
    0:37:15 real.
    0:37:17 But then the other side of it is what I said.
    0:37:18 These are experiments.
    0:37:24 Like if this stuff was a slam dunk, like if it was, if it’s obvious how to apply a scientific
    0:37:28 result into a technological product and then build a business around it, like big companies
    0:37:29 are going to do all that.
    0:37:32 Like there are lots and lots of big companies in the world, you know, in healthcare, outside
    0:37:35 of healthcare in the tech industry that are good at doing the obvious stuff.
    0:37:38 And so by the nature of the Valley, we’re doing the non-obvious stuff.
    0:37:40 We’re doing the stuff that’s not yet proven.
    0:37:41 We’re doing the stuff that’s controversial.
    0:37:43 We’re doing the stuff that really might fail.
    0:37:47 And so there is risk with each and everything that we do, whether or not it will work.
    0:37:50 But, God willing, when it does work, it could get really big.
    0:37:51 Wonderful.
    0:37:52 Thank you.
    0:37:55 So let me see if there are any questions in the audience that we could field.
    0:37:59 So we’re here today in a place that’s known as a center of innovation, but many of us
    0:38:04 have to go be agents for innovation and change in industries that aren’t necessarily as open
    0:38:05 to it.
    0:38:06 What’s your advice for that?
    0:38:09 How do you think about doing something innovative that you believe in, that you think will work
    0:38:11 when others might say, “Oh, we’re more traditional.
    0:38:13 This is the way things are done.”
    0:38:17 So there’s actually a term of art in the industry in the Valley for what’s called the
    0:38:18 evangelistic sale.
    0:38:19 And it’s actually really interesting.
    0:38:23 It’s like our companies come to market with a new product, a new widget that does something.
    0:38:26 They’ll go hire sales reps out of companies that sell normal products, and those sales
    0:38:29 reps will come in and they’ll just completely whiff, because they’ll get back this reaction
    0:38:32 from every customer, being like, “Yeah, I’m used to buying whatever Oracle database is
    0:38:34 from you, but I don’t know what to do with this new thing.”
    0:38:37 And then those sales reps actually don’t know how to sell that thing, and those marketing
    0:38:39 people don’t know how to market that thing.
    0:38:40 It’s a different kind of thing.
    0:38:44 And so there’s a specific kind of seller sales rep and marketing person out here, sort
    0:38:49 of the evangelistic seller, the evangelistic marketer, and honestly, I don’t know if there’s
    0:38:50 magic in it.
    0:38:52 It has to do with painting a vision, right?
    0:38:54 It has to do with painting a vision of the future.
    0:38:55 There’s the marketing.
    0:39:00 It’s sort of the Steve Jobs used to say, “The problem with consumer research is nobody knew
    0:39:04 they wanted a Macintosh, until the Macintosh, or until nobody knew they wanted an iPhone,
    0:39:07 like until the thing showed up, people can’t visualize new products on their own.”
    0:39:11 And so you have to paint a picture, and that picture has to be vivid, right?
    0:39:14 And this is where some of these guys like Elon get criticized for kind of overselling,
    0:39:15 but like they have to paint a vivid picture.
    0:39:16 That’s an example.
    0:39:18 So Elon comes out with a Model S, or he was a great example.
    0:39:22 Elon comes out with a Model S, “Congratulations, it’s a car that you plug into, specialized
    0:39:23 charging ports.”
    0:39:26 Well, how many specialized charging ports are out there that I can plug this car into?
    0:39:27 Zero.
    0:39:28 Okay, so now I’m going to buy a model.
    0:39:29 It’s like buying the first fax machine.
    0:39:31 It’s like, “Congratulations, I now have the first fax machine.
    0:39:32 Who can I fax?”
    0:39:35 You know, I now have a very expensive doorstop, like, you know, good job.
    0:39:38 And so like, so what Elon did when he launched the Model S is he painted a picture.
    0:39:39 You know, he painted a picture.
    0:39:40 He went up and gave a big presentation.
    0:39:44 He said, “Look, we’re going to put these supercharger stations, right, in all these different locations
    0:39:45 along all these freeways.”
    0:39:46 And he mapped the whole thing out.
    0:39:49 And he’s like, “Here, you’re going to be able to drive cross country, you know, and
    0:39:50 you’re going to get, you’re going to charge for free the entire way.”
    0:39:53 And by the way, none of those charging stations existed at that point, but he did, he did
    0:39:54 lay that vision out.
    0:39:57 And then he said, “Look, here’s the thing you’ll put in your garage, you know, and it’ll hook
    0:39:58 up and here’s how much it’ll cost.”
    0:40:00 And then, you know, within a year, he had the, you know, people were putting these things
    0:40:04 in their garages and he was putting the charging stations, the superchargers were up and like
    0:40:05 it worked.
    0:40:08 And then he sold enough of the cars into that vision that he was actually able to afford
    0:40:10 to build all those charging stations.
    0:40:12 And so it’s painting the picture in a way that people can believe.
    0:40:16 It’s painting the picture, by the way, also consistent with reality, like I believe, you
    0:40:20 know, there does have to be a substantive claim that the whole thing can work.
    0:40:23 And then I think, honestly, I think the other thing is it has to attach, maybe obvious, it
    0:40:26 has to attach to human psychology and this is the other thing that evangelistic sellers
    0:40:30 are really good at, which is, so in sales speak, the evangelistic sellers are really
    0:40:34 good at qualifying, which is there are certain customers where they’re just not going to
    0:40:35 do new things.
    0:40:38 Like where they’re just focused on downside risk, they want, you know, it’s like they
    0:40:42 go to work every day, they go home with their family, like I don’t want to do anything that
    0:40:43 might cause me to look bad and get fired.
    0:40:46 And that’s a completely legitimate, you know, way to operate and a lot of people are like
    0:40:47 that.
    0:40:50 And so the evangelistic seller, one of the things they do is they just qualify those
    0:40:51 people out.
    0:40:52 I’m not going to spend any time with those people.
    0:40:55 But what they find are the minority of people who are like, okay, like I don’t want to spend
    0:40:59 my career just protecting downside, I would like to become known as within my own company
    0:41:03 as somebody who’s innovative, right, and in the future.
    0:41:07 And I would like to basically stake a career bet myself right on a new technology and the
    0:41:08 nature of that career bet.
    0:41:09 If it doesn’t work, I’m going to look bad.
    0:41:12 But if it does work, wow, I’m going to look like a hero and I’m going to get promoted
    0:41:14 and I’m going to be the next CEO of the company.
    0:41:19 And so it’s kind of like the evangelistic seller meets the early adopter buyer who’s
    0:41:21 got the right psychological mindset.
    0:41:26 And then what’s super interesting actually is those people actually become very close.
    0:41:29 You know, the salesperson then becomes what we call a consultative seller, they become
    0:41:33 actually very tightly integrated into the lives of the sponsoring executives on the other
    0:41:34 side of the table.
    0:41:37 And they’re basically fundamentally trying to make each other heroes in their respective
    0:41:38 organizations.
    0:41:41 And they often end up extremely personally close because they’re on a shared mission
    0:41:42 to do something new.
    0:41:46 And so anyway, this is kind of what we advise our companies to do, but like that’s the
    0:41:47 process.
    0:41:51 And then it’s the process of like, okay, then it’s the gut check, which is like, okay,
    0:41:53 are those early adopters actually out there, right?
    0:41:55 Do they actually exist, right?
    0:42:00 Do they have the authority to actually make those kinds of decisions, right?
    0:42:03 Or at some point, by the way, if they don’t exist, that itself is an interesting market
    0:42:04 signal.
    0:42:06 Like if the early adopters don’t exist, it may just be time to start a new company in
    0:42:07 that market.
    0:42:11 So that’s the other thing that happens is the founders are like, oh, it’s like imagine
    0:42:14 being Travis Kalanick trying to start Uber and your first idea is I’m going to build
    0:42:17 taxi dispatch software and I’m going to try to sell it to taxi cab companies.
    0:42:20 And then you spend two years trying to get taxi cab companies to buy this taxi dispatch
    0:42:23 software and they all say, no, you might as, no, that isn’t literally what happened.
    0:42:25 But you could very easily imagine that happening.
    0:42:28 And so that is the other thing that emerges out of this is people just decide to start
    0:42:29 the company.
    0:42:32 What do you believe are some of the biggest challenges to getting new technologies and
    0:42:35 solutions adopted, particularly in the healthcare space?
    0:42:39 The general thing that happens, which is really relevant to all these healthcare markets,
    0:42:42 is the product works and I can’t get paid.
    0:42:46 One form of that problem is I just can’t get paid, literally the customer is not going
    0:42:48 to pay for this product because it’s going to be reimbursed.
    0:42:52 It’s a third-party model and it doesn’t matter how many patients want X if the insurance
    0:42:53 company is not going to pay for it.
    0:42:55 And so that’s a particularly stark example of can’t get paid.
    0:42:59 There’s another example of can’t get paid, which is I just can’t get paid enough.
    0:43:02 We have a lot of companies that have a problem that I call too hungry to eat, which is basically
    0:43:06 like, imagine a starving person 10 feet away from a plate of filet mignon, but like I’m
    0:43:09 starving and I don’t have the energy to pull myself to the plate.
    0:43:12 The Silicon Valley version of that is I have a great product.
    0:43:15 My customers really want it, but I’m charging very little money for it.
    0:43:19 Usually these are naive product founders who don’t quite understand business and so they
    0:43:22 think if they charge less, they’ll sell more, but they actually charge less, they end up
    0:43:23 selling less.
    0:43:24 And the reason is because they don’t charge enough for the product, they’re not getting
    0:43:26 enough revenue back into the company.
    0:43:30 They’re not getting literally enough calories back into the company, dollars into the company.
    0:43:32 And then they can’t afford to hire the kinds of sales and marketing people to do the kind
    0:43:34 of sale that we’re talking about.
    0:43:36 And then they just get stuck, right, they get stuck.
    0:43:40 It’s like the product works in theory, the customers want it in theory, but the company
    0:43:43 doesn’t have the internal funding, they’re not making enough money on each sale to be
    0:43:45 able to justify the cost of sale.
    0:43:48 And this is actually a very funny conversation I have with the founder, because it’s literally
    0:43:52 like the conversation is so weird, it’s like, okay, tell me about your product.
    0:43:54 Oh, it’s the best product ever, and machine learning and this and that, it revolutionizes,
    0:43:58 it’s going to save our companies $10 million each in saved expenses, and it’s okay, what
    0:44:00 are you charging for it?
    0:44:01 $50,000.
    0:44:04 It’s like, well, you’re going to save them $10 million, why are you only charging $50,000?
    0:44:06 Well, it’s going to be because it’s going to be easy to sell, like it’s, you know, it’s
    0:44:09 just going to, we’re going to sell it to the next customer, it’s like, well, what do you
    0:44:12 have to do to convince the customer to buy the thing that’s going to save them $10 million?
    0:44:15 And it’s like, oh, we got to send in, you know, eight people for, you know, six months.
    0:44:16 Well, what does that cost?
    0:44:18 Well, it costs a million and a half bucks.
    0:44:19 Right.
    0:44:20 Okay, so congratulations, right?
    0:44:25 You’re now down, you know, $1.45 million, a negative cash burn on every sale you make.
    0:44:26 That’s your strategy, right?
    0:44:28 And you’re going to make it up in volume, right?
    0:44:32 That’s just like, and literally what I’m describing is like literally what we see happens.
    0:44:35 And by the way, a lot of the time it’s actually the founder themselves who’s actually on site
    0:44:36 with the customer.
    0:44:38 And right, it’s like, what’s their time worth?
    0:44:39 Right.
    0:44:40 Because their time’s getting sucked down.
    0:44:43 It’s like the entire future of the company, right, is being basically bled out.
    0:44:47 And so like a big rule we have, a big thing we always have here, like the principle is
    0:44:52 like, you have to get paid, like the customer has to pay for the thing.
    0:44:54 If it’s an indirect thing, you have to, and this is the thing with, right, all the healthcare
    0:44:57 startups, like they have to be able to decode the system, right, which is why it’s so great
    0:44:59 to have you all here.
    0:45:02 And then on top of that, like you really do in a lot of cases, like the right answer
    0:45:06 actually is raise prices, which is weird because it’s like, well, technology is supposed to
    0:45:07 drive down prices.
    0:45:08 What are you doing?
    0:45:09 Raising prices.
    0:45:10 It’s like, well, you have to make enough money per sale.
    0:45:13 The internal economics of your business have to be such that you make enough money per
    0:45:16 sale that you can afford to actually build the company, right?
    0:45:17 And then you can build the company.
    0:45:18 You can build the sales and marketing engine.
    0:45:20 You can get the thing known and get the thing adopted.
    0:45:21 You can get references.
    0:45:23 And then once you’re at scale, then you can start to drive the price down.
    0:45:24 Yeah.
    0:45:28 And I would just add in the healthcare realm, and this is an overgeneralization, but what
    0:45:35 we often see is the business model failures are often a lack of recognition that the person
    0:45:39 who will benefit from your solution is often not the buyer.
    0:45:42 So you have sort of this mismatch that often happens in the healthcare system that you’re
    0:45:45 targeting your customer, but your customer, there’s a different buyer.
    0:45:49 So that’s a very difficult thing that can usually be addressed with business model,
    0:45:50 but it has to be recognized.
    0:45:53 The second one is point solution versus complete solution.
    0:46:00 It’s very hard for a startup to big bang an A to Z solution, but often times it’s what
    0:46:02 a buyer needs because they don’t need another point solution.
    0:46:07 So it’s figuring out what the insertion point is going to be for any particular innovation.
    0:46:11 And then the third one that we always see with a lot of our startups that they have to be
    0:46:16 very thoughtful as to how they approach it is recognizing how you can introduce a new
    0:46:20 technology without disrupting existing workflows.
    0:46:24 Because the job that happens in healthcare delivery is incredibly complex.
    0:46:27 So even if you have a better mousetrap, if that better mousetrap requires you to change
    0:46:30 the way you work, it’s very hard to implement.
    0:46:34 So those are, I think, the three big challenges that all of our entrepreneurs see from business
    0:46:35 model standpoint.
    0:46:38 So if you can overcome those, I think you have a much better chance of having an innovation
    0:46:39 get adopted.
    0:46:40 Thank you for having us.
    0:46:41 Thanks very much.
    0:46:42 Thank you, Mark.
    0:46:43 Thank you.
    0:46:43 [applause]
    0:46:44 [end of transcript]

    Back in 2011, a16z cofounder Marc Andreessen first made the bold claim that software would eat the world. In this episode (originally recorded as part of an event at a16z), Andreessen and a16z general partner on the bio fund Jorge Conde (@JorgeCondeBio) take a look back at that thesis, and think about where we are now, nearly a decade later—how software has delivered on that promise… and most of all, where it is yet to come.

    In the wide-ranging conversation, the two partners discuss everything from the translatable learnings of software’s transformation of the music and automotive industries, to how software will now eat healthcare (including what exactly changed in the fields of bio and computer science to make Marc eat his own words!).

