Venture Everywhere Podcast: Richa Kaul with Scott Hartley
Richa Kaul, CEO and co-founder of Complyance, chats with Scott Hartley, Managing Partner of Everywhere Ventures.
In episode 64 of Venture Everywhere, Scott Hartley, Managing Partner of Everywhere Ventures, chats with Richa Kaul, CEO and founder of Complyance, a GRC (Governance, Risk, and Compliance) platform designed for mid-market enterprises. Richa shares how Complyance helps businesses strengthen their security compliance through customized automation, enabling a proactive approach to cybersecurity. Scott and Richa also explore the evolving compliance landscape, shifting from a check-the-box mentality to building adaptive, strategic, and trust-driven security frameworks.
In this episode, you will hear:
Balancing automation with customization in security policies.
Federal regulations vs. trust-based compliance standards.
Need for incident response planning, as well as prevention.
Using AI for additional custom checks with varying threshold levels.
TRANSCRIPT
00:00:00 VO: Everywhere Podcast Network.
00:00:14 Jenny Fielding: Hi and welcome to the Everywhere Podcast. We're a global community of founders and operators who've come together to support the next generation of builders. So the premise of the podcast is just that, founders interviewing other founders about the trials and tribulations of building a company. Hope you enjoy the episode.
00:00:34 Scott: Hi, everybody. Welcome to the Venture Everywhere podcast. I'm Scott Hartley, one of the co-founders of Everywhere Ventures here today with our friend and portfolio CEO, Richa Kaul. Richa is based in London. She's the founder of Complyance, which is a GRC platform really focused on the mid-market for enterprise.
00:00:54 Scott: Prior to founding Complyance, Richa was in a number of different roles doing things around controls management, risk management, vendor management. She was the Chief Revenue Officer at ContractPod. And before that, spent a number of years at McKinsey & Company. Richa, welcome to the podcast. And it's so fun to have you here.
00:01:13 Richa: Thanks so much, Scott. Always a pleasure to talk.
00:01:16 Scott: I know that I owe you another trip to London and I'm always talking about getting back on that side of the pond. Unfortunately, today, we're just over Zoom across the world, but we'll fix that soon enough.
00:01:27 Richa: Next time, for sure.
00:01:28 Scott: To kick us off, walk us through a little bit about what Complyance does and how you got to this point in your life.
00:01:34 Richa: I think that when it comes to what Complyance does, in short, it provides tailored automations to compliance teams and information security teams to help them manage their compliance standards, their risk, their third party risk policies and trust. And so we really focus on bringing responsible AI and tailored automation to those clients.
00:01:56 Richa: As everyone probably knows, the amount of data breaches in our world, it's all around us. The amount of cyber threats are just ever increasing. The amount of compliance standards and privacy standards are ever increasing. And a lot of these teams, their resources are not increasing to match the increase in what they need to manage.
00:02:15 Richa: And the Complyance platform allows them to tailor automation to essentially manage all of that ever increasing workload with the same resources and be more efficient while maintaining a grasp and real control over their GRC.
00:02:30 Scott: It's so interesting. I mean, one of the things that we talk a lot about in the way we invest in some of the areas of interest for Everywhere Ventures is looking at the A side of the record and the B side of the record and looking at what some of the heavy trends are, where people are really focused on speed of creation, speed of ability to do things with the genesis of AI and the productive side, not the counterproductive side.
00:02:53 Scott: And one of the areas that we've developed a strong interest in is on the cybersecurity, the compliance, the flip side of that coin, if you will. And I think that what you guys are really building, thinking about this intersection of you've got this genesis of AI, but then you have the ways that it creates, the ways that it optimizes, and then the ways that you have to play defense.
00:03:13 Scott: And I think that Complyance is on that defensive side versus the offensive. And how would you define that? How would you think about where you sit within this ecosystem and the broad base set of trends around what's happening with AI?
00:03:25 Richa: It's interesting because with a lot of different companies and startups, AI is an enabler. And on our side, it's an enabler for our product and it's also a fear for our clients because they're the information security folks who are trying to make sure that their company is being protected against newfangled AI that they don't necessarily trust yet.
00:03:46 Richa: It's such an interesting position that we're in. I think it's great actually, because we get to learn exactly what type of AI our clients trust, and that is the gold standard. So we've built with privacy and security in mind for our own AI features.
00:04:01 Richa: But sometimes even us, we try to think about how much should we invest in the furthest reach of what AI can provide our part of the market when our clients are not actually ready to jump all the way forward.
00:04:14 Richa: So when we think about AI and thinking about being more defensive, we really focus on preventative and proactive. I think that we use AI embedded in workflows where security teams and compliance teams are basically overstretched and they wish that they could get more control and visibility.
00:04:34 Richa: And where that's true, AI is more of a welcome addition than in places where they see it as maybe some additional oversight or next level support. Sometimes they're a little more skeptical of that.
00:04:48 Scott: Walk us through a little bit from a 60,000 foot view for those listeners that aren't familiar with the regulatory compliance space writ large. I guess for every large industry, there's a consumer protection government regulatory framework, let's say, that provides some guidance slash a compliance stick that says to the company, hey, you better protect this individual's personal information or financial information or healthcare data.
00:05:16 Scott: So people may be broadly familiar with HIPAA compliance or what the term SOC 2. But could you walk us through just a high level view of what are some of these buckets and who's the one holding the stick and what are these companies reacting to?
00:05:29 Scott: And it's ultimately for consumer protection and the fact that we've all gotten that email that says, hey, your compromised passwords are out there on the internet, the dark web, whatever. You need to update these 5,000 passwords that you have that are all probably about the same. And so it'd be great to get that 60,000 foot landscape.
00:05:47 Richa: Honestly, I feel like people don't realize how close information security and privacy are to their daily lives. When people think about compliance and governance, risks and compliance tech, they think it is so unsexy and so boring.
00:06:01 Richa: But actually it is what helps to enable companies to protect consumer data every single day and what helps you get less of those emails that say that your data has been compromised. That's actually why I got into this in the first place at all.
00:06:14 Richa: But to answer your question and give the overview landscape, there's a number of different types of compliance. So there's things like food and safety compliance. There's financial compliance. Where we really focus is information security and privacy.
00:06:26 Richa: And the way that you can think of it at the 60,000 foot view is that there's both federal regulations that support these types of compliance. And there's almost a more bottoms up trust component that comes from almost a sales motion. So on one hand, you have a more federally regulated approach.
00:06:45 Richa: And actually in the U.S., this is not very overreaching. It's quite minimal, whereas in the EU it's a lot more. So, of course, in the EU, you have your GDPR and newly you have something called NIST2, which is coming out, which is more security focus to have your privacy and your security.
00:07:00 Richa: There's a number of other sector specific regulations like financial regulations and so on related to data security, which the EU imposes into its countries and its companies. In the U.S., you have a little bit more of a lighter version of this.
00:07:15 Richa: So from the privacy side, you have state level requirements rather than one federal approach. There's a lot to be said on that, but we won't go into it. On the pure data security side, you don't actually have a federal regulation that requires certain cybersecurity practices unless you're in certain sectors or you're at a certain level of providing software to the federal government.
00:07:35 Richa: In which case you have FedRAMP, you have CMMC. Of course, you have HIPAA for certain sectors themselves. That's the quick lay of the land. What I think is much more interesting is the fact that information security is not actually driven solely or primarily by federal regulation. It's driven wonderfully by trust and almost bottoms up.
00:07:54 Richa: Companies, especially enterprise companies, want to trust that their vendors are doing the right security practices to keep their data safe. And so what we've built up is this organization led. So, for example, ISO, International Standards Organization, or AICPA that runs SOC 2, NIST is one more example.
00:08:14 Richa: They're putting up these standards and folks voluntarily follow them. I use the word voluntary because obviously if you want to sell to enterprises, you need to follow them. I don't know how voluntary that is, but it's not federal.
00:08:25 Richa: And I think especially with some of the federal deregulation happening today, some of the more trust-based and trust-supported information security standards are completely unaffected, which is an interesting dynamic to watch play out in the market.
00:08:38 Scott: It's fascinating because I'd love to go into the state by state aspect of the U.S. and the complexity around that and the opportunity around that for a business to be able to help optimize for these variability layers.
00:08:50 Scott: Another company in the portfolio that you may know, k-ID, which is out of Singapore, which is helping provide an SDK and a way for game developers to launch and deploy games globally where consumers are, but then be compliant with all of the protection of minors, protection of school children in one country versus another country where the regulatory environments are vastly different. But to be able to do that from a seamless standpoint as a game developer.
00:09:16 Scott: So these asymmetries in regulatory landscape provide an interesting opportunity as a business to provide a one-stop plug-in for companies that operate across many modalities and need to be compliant in many locations.
00:09:31 Scott: But the one area that made me think as you were talking about this is you've got the federal stick on one side and you've got the consumer trust issue on the other side. And as it goes to market motion, it has to be challenging as a CEO.
00:09:44 Scott: If you think of Geoff Moore in his book, Crossing the Chasm, which is a 20, 30 year old book, but he used to be a venture partner, sat next to me at my old firm, so I know Geoff well. But Geoff always talks about how you sell to the early adopters first, and then you have the early majority, and then you have this middle ground, the late majority and the laggards.
00:10:02 Scott: And it strikes me a little bit when you're talking about compliance and just the stick, in some ways, those are the laggards. Those are the people that are like, ah, I guess I have to do this, so I'll buy this software.
00:10:12 Scott: And those that are on the front end of the tip of the spear are the ones maybe going after like, well, for the sales motion, we need to have the most trust. Therefore let's get ahead of this.
00:10:22 Scott: And so as you go to market motion, are you selling the two sides of the funnel at the same time? And what is that like? Because you have these very slow moving sclerotic, we have to do this laggards, maybe that are some of your early buyers.
00:10:35 Scott: And you also have some of these almost two sides of the funnel. But how do you think about that? Cause it seems like almost two different demographics that you'd have to pitch to.
00:10:44 Richa: I know. And it's something where at the beginning of the company, we tried to go after both and we did some self discovery, I would say just in the last year that we realized our clients, our real ICP are the folks at the tip of the spear.
00:11:00 Richa: They're the folks who really see compliance not just as a check the box exercise, but they see it as there's a reason behind it. And our company name is literally compliance with a Y, which is a play on words, compliance with the WHY, compliance for a reason.
00:11:17 Richa: And when folks are only looking at compliance as a check the box exercise, those are not the folks for us. But when they know their whys behind compliance to prevent risk or to reduce risk, to help manage risk, to reduce the potential for a data breach, when they're out for the whys behind compliance and compliance is just a happy byproduct of that, we're a perfect fit.
00:11:40 Scott: Going into that why, going back to your background and your bio, what was it in your experiences at ContractPod or at McKinsey or working with the government of Virginia, what were the points in your life that led you to have such a passion around this space?
00:11:57 Richa: It's so funny how it develops and how you look back and can paint a picture and connect dots that you don't realize in the moment that you have. When I was working at McKinsey, I did a lot of public sector work specifically around economic development and helping different regions in the U.S. and around the world to develop policies that basically supported the creation of tech jobs.
00:12:17 Richa: And I moved from there to Commonwealth of Virginia, to be precise, where I led the economic development for the tech sector. And as part of that job, I was on committees where I was essentially supposed to be the voice of the tech industry or the voice of economic development for the tech industry when folks were discussing privacy regulations and anything from consumer privacy to drone privacy to autonomous vehicle privacy.
00:12:42 Richa: And I started to see things from this lens of, okay, does this make it harder for a company to decide to move to Virginia because we have extra state level regulation that other states don't have? And does that mean that they're going to make a decision not to create jobs here?
00:12:59 Richa: And that made me start thinking about what does it actually take for these companies to become compliant with these regulations? At the same time, on a personal note, one of my best friends was affected by a huge data breach and it took him literally months to recover from it.
00:13:13 Richa: His data was shared. He was getting false bank alerts. It was a disaster. And so those two things happening at the same time. Then I moved to ContractPod and I was Chief Strategy Officer there. I oversaw compliance and information security.
00:13:27 Richa: And in that little window of watching us have to manage things in Excel and spend thousands of dollars on consultants, it felt like this isn't the best way.
00:13:38 Richa: I genuinely think cybersecurity should be a public good, be more accessible and be more tailored to every single company. And looking at the market right now is like a tale of two softwares.
00:13:48 Richa: On one side, you had cookie cutter automation. On the other side, you had manual customization. And it just felt like, why can't we have the best of both worlds? Why can't we have configurable automation and bringing that together so that people can make sure that compliance is just a byproduct of good security posture?
00:14:06 Richa: And certifications are just what happens when they're actually taking care of their controls. That's what we built. And that's why I care about it. We help mid-market and enterprise companies protect consumer data. That's what it's all about.
00:14:19 Scott: That's so fascinating. I mean, the graduation speech of my college graduation was the Steve Jobs speech where he said exactly those words that you said at the beginning.
00:14:27 Scott: The dots only make sense in the rear view mirror connecting them. You don't know what they are going forward, only looking backwards. That really resonates with me in my career, I suppose.
00:14:37 Scott: Moving at the speed of software on the offensive side. In some ways, regulatory and compliance is always lagging the bleeding edge of what nefarious actors can and will do on the attack side.
00:14:51 Scott: And I think what you're doing is so important because it's trying to speed along the defensive side to match pound for pound what some of these nefarious actors are coming to bat with against these mid-market companies that maybe have slightly fewer resources or need the automation.
00:15:08 Scott: They don't have the armies of people that can go after, not that armies of people can even compete with machines, but maybe talk a little bit about that and what it is in the tech or how the automation helps these companies level up or take certain human inputs that they have and make that 10x, 100x more effective.
00:15:25 Richa: You brought up two really important points there. One is just around the fact that regulation doesn't keep up with nefarious actors. And I think that that's a really interesting point. And then two is how does the tech actually help to keep up in short?
00:15:37 Richa: On the first point, I think that's why we're so lucky actually to have that more trust-based bottoms up approach where I was talking about most companies are not waiting for regulation. Some are, those are the laggards, as you rightly said. But many companies are not.
00:15:51 Richa: They're taking a more proactive stance and they're going even beyond some of the standards we discussed that are coming from a more trust-based way. And they're going to custom controls and custom controls that are tailored to their organization, which is a perfect lead into the second part of your question. How do we actually help that?
00:16:07 Richa: In our platform, you're able to set up fully custom controls based on what security means for your organization. So just as an example, a regulation may have a very broad brush statement that says the company must do X, Y, Z.
00:16:22 Richa: But that X, Y, Z can be interpreted in a million and one ways based on your actual organization, your setup, your tool set. Our platform says, hey, you can log the fact that your control meets that regulation, but let's make the control tailored to you. Then let's integrate with your source of truth system to test that control continuously.
00:16:44 Richa: Then let's add additional custom checks via AI that you can layer on and say, please fail this control if it doesn't meet the bare minimum standard. Please flag a finding if it doesn't meet my elevated standard. Please flag a consideration if it doesn't meet this way higher standard.
00:17:00 Richa: So now you're able to automatically get a review of your custom control set with your custom thresholds and risk profile built in that says, hey, we have some high alert things we got to go and deal with right now.
00:17:14 Richa: And it's proactively telling you so you don't have to wait for someone to take advantage of a potential hole in your security posture. You can be told every 12 hours, you get a little ping if there's an issue and you can be told, hey, go deal with this problem before someone exploits it.
00:17:29 Scott: Is there a corporate education piece in the sense that I think some maybe relatively naive company builders might think, well, there's a regulatory standard. I went to the website, I checked all the boxes, I became SOC 2 compliant, and then this happened. And woe is me because I did all the things right.
00:17:46 Scott: And I was compliant and not realizing that, okay, yes, government regulation will always lag the tip of the spear of what nefarious actors can do. It's always built for least common denominator, broadest bucket to put everyone into it. So therefore, it is the most muted potential low barrier to entry.
00:18:05 Scott: And so you can compliance shame the government and be like, well, they should have had a higher standard. But really, it's the company that is the one that needs to understand, probably, that this is a low barrier to entry. This is a low bar.
00:18:18 Scott: And it's up to them to understand their own toggles and understand how to dial up the things that make their business and the PII that they store, whatever the information is that they store, secure. And it's not blame the government, so to speak, because the standard wasn't good enough that they checked the box.
00:18:35 Scott: But how do you think about those dynamics of ultimately the consumer loses if the information is shared to the internet and blasted about? But the shaming that goes on between company blaming, we did the standard, we did the check the box and this still happened to us. And where do you guys sit in the middle of that conversation?
00:18:53 Richa: You're right. I believe it's the responsibility of the company. I believe it's the responsibility of the CEO, CISO, when in smaller companies, CEO and the CTO. It's the responsibility of those folks to really ask themselves, we could invest a little bit in this to check the box or we could invest a little bit more and see a lot of ROI from that additional investment so that we feel peace of mind.
00:19:17 Richa: And if you look around the companies that get data breaches, it's not like they're not compliant with SOC 2. They are compliant with SOC 2. They have those SOC 2 certifications every year, but things still happen.
00:19:30 Richa: That's why I don't like to breach shame, as we say in our industry, because it's not possible to fully avoid breaches. If someone's out to get you, they can find ways in and that's scary and that's real. And I think the fact is that a number of controls are not just about preventing it.
00:19:45 Richa: They're saying, how do you immediately react when it happens? So there was a big breach of a casino in Las Vegas. And one of the biggest things that happened was that they didn't have good protocols in place to stop the bleeding. And those are also compliance controls.
00:20:01 Richa: You have your compliance controls in place, many of them are about preventative and monitoring and preventing the issue. And then you have a number of controls that are about incident response and management of these issues and what do you do from there?
00:20:13 Richa: And do you have enough backups to be able to restore immediately? And all of those things matter, too. And all of those things need to be tailored to your organization, too. We see clients who say, we've checked the box and that's enough. We say, are you going to feel that way if something happens?
00:20:27 Richa: Are you going to feel like that's enough? You can define what enough is for you, but don't define it with the lowest common denominator. It's your risk threshold. You define it as you wish, but go to a place where you're going to not feel any regret if something happens along the way.
00:20:41 Scott: As you think about this environment, is there a mismatch in some sense or a regulatory overhang where new, faster moving businesses are part of standards that are older standards?
00:20:53 Scott: I know we were in a conversation with Mark Heynen from Knap.AI talking about the dynamics of what may be sufficient for a SaaS business is maybe not sufficient for a deeply embedded financial business that has way levels of deeper PII information about somebody.
00:21:10 Scott: Is there a need for greater granularity, let's say, on the compliance side of the house from the government? Is that something that can be led from the private sector with collaborations and partnerships in ways that companies like Complyance can push the envelope forward to make the world actually a safer place?
00:21:27 Richa: I love what you said there, the greater granularity that's needed 100%. Let's take SOC 2 as an example. SOC 2, the amount of difference, even just between a SOC 2 audit, you wouldn't believe.
00:21:39 Richa: To get the same SOC 2 certification, one auditor is requesting 15 pieces of sample evidence and one auditor is looking at a policy and a green check on a platform and saying, you're good to go.
00:21:50 Richa: And so even just with that, there's so much difference, but 100% right that certain sectors, certain data that's being held and the companies that hold it, they should be regulated in different ways. I don't want to use the word regulated.
00:22:03 Richa: I actually think that it helps our information security space, that it's not reliant only on regulations, which as you rightly said earlier, usually are lagging. And it's more based on these, again, more bottoms up independent organizations, which folks are adopting to support consumer trust and customer trust.
00:22:22 Richa: And I think that those ones still need to be held to account to provide more granularity in their standards. So even SOC 2 is run not by the government, but by an organization called AICPA. And I think the AICPA could do more.
00:22:34 Richa: I think that companies themselves, though, could do more. And I think lastly, compliance tech could do more. And I think what we're proud about with our product is that we allow for that tailored automation. We allow for custom control sets.
00:22:46 Richa: We don't just give you SOC 2 controls off the shelf and say, here's the bare minimum, have a good day. We actively encourage you to tailor those controls directly to your business and the entire platform is built for that. We're here to support that exact vision.
00:22:58 Scott: When you think about your role as CEO and founder, and you think about, okay, here we are in 2025, in 2030 or 2035, where do you see Complyance going? And what is the dream state that the problem that you wake up in middle of the night seeking to solve and where you see taking the business and its ultimate successful end state? Where would you like to take Complyance?
00:23:22 Richa: I'm going to give you my real, and state my real honest answer, which I've never shared publicly before. I want to get the company to a place where we can actually offer our platform for free to startups, because I believe that tailored cybersecurity, tailored information security compliance should be a public good.
00:23:43 Richa: And if we're able to build in the mid-market enterprise as we wish, being able to offer tailored automation to startups would really level up the way that they currently think about information security.
00:23:54 Richa: And to do that, we need to really succeed at the mid-market enterprise level. But those folks are already convinced about tailored compliance. You don't need to convince a mid-market or enterprise company for the most part that they need to look at things in a tailored way.
00:24:06 Richa: Some, of course, yes, but many of them are bought in and increasingly bought in. But the startups who really are at the cutting edge and have the worst security while being adopted by some of these big enterprises, they need a boost towards tailored compliance and doing more than checking the box, but they don't want to spend money on it.
00:24:23 Richa: That's understandable. I really get that as a founder. So how can you make that real for them without the cost burden? That's the real end goal, Scott, to be honest, but we have a ways to go.
00:24:33 Scott: I love that. How do you define these trade-offs or between the transition from startup to mid-market to enterprise? Where are these lines roughly for you?
00:24:42 Richa: Roughly, I would say at 100 million is where you start to get from scale up to mid market. I don't want to say startup, but scale up to mid market. And maybe it's better measure at that time to honestly look at employee count a little bit more as well.
00:24:57 Richa: Because maybe 200, 300 employees, you're starting to move up a little bit, even if your revenue is not at that point yet. And then when it comes to mid-market to enterprise, I think it's about 1 billion to 2 billion mark starts to move you into the enterprise space.
00:25:10 Richa: And I think where we really meet the moment is for those mid-market enterprise teams, mid-market and smaller enterprise GRC teams who need to do a lot with not a lot of resources. And we are able to come in with tailored automation to help them really succeed.
00:25:29 Scott: As we get to the end of the episode toward the speed round, thinking a little bit about where you get your information, when you think forward to next 5, 10 years and where you're taking the business and obviously playing on the defensive side to some degree, how do you think about the trends and offense and how do you ingest information?
00:25:47 Scott: How do you learn about the evolving risk set to obviously have product development timelines, probably 12 months or 6 months behind. So you have to really be thinking as a CEO, ahead of the curve to set these product timelines to meet the market where the market is.
00:26:03 Scott: So how do you think about the future? And where is the information gathering? Is that mostly conversations with clients or are there other podcasts or things that you look to that are good resources?
00:26:14 Richa: It's definitely a lot of different components. I think one is conversations with our clients. One of my favorite sources of long term planning is those types of conversations. Two is conversations with just experts in the space. Luckily, we have a number of advisors to Complyance who help us think about the next level.
00:26:33 Richa: And three is actually just really keeping up with information security news. Things that are really publicly available. What type of breaches are happening? Usually within a month or few months of a breach, they'll post a little bit more information about why it happened.
00:26:47 Richa: And you'll start to realize it was an access control issue or it was encryption issue, or it was an issue that was easy to fix, but then couldn’t stop the bleeding because of incident response.
00:26:55 Richa: And so there's so many signals in that for how do you then help the next company to firm up and be a little bit more protected. So that's a little bit of a smattering of where I get some of the information.
00:27:08 Scott: To zoom in on that last thing that you said, what are those risk points? If you had to name the top five risk points of access control, encryption, what are some of those? What do those mean and how do people play a little bit of defense on those issues?
00:27:21 Richa: First of all, access control is a really big one. The one that is the hardest to protect against that I just would want to call out specifically is actually phishing. Phishing and its really sophisticated sense of social engineering and folks reaching out. And you think that they're somebody on your team.
00:27:38 Richa: You think that they have an email that looks like one of your vendors' emails and they're asking for something that doesn't seem like a big deal to give to your vendor, or they target someone in the organization that's separate from the person who would have interfacing with that vendor. They seem so credible.
00:27:51 Richa: They know just enough about you and the organization to get you to give them one piece of information that they've then triangulated with someone else. And now the world was open to them.
00:28:01 Richa: And as maybe mundane as it sounds, training your employees on those things is maybe the biggest needle mover in terms of what folks can do to just, low-hanging fruit, stay protected.
00:28:15 Richa: And the second thing is create a good incident response plan. Create one that's not cookie cutter off the shelf, needs to be tailored to your organization. Make sure you can backup, make sure you can restore, make sure those backups are protected. In those moments when it matters, it matters more than folks can ever imagine.
00:28:33 Scott: Such good advice and truly scary, the level of sophistication around some of these phishing endeavors with spoofing and things that look very real. One of our newest investments in the portfolio, somebody that you'll chat with soon, Toby Rush is the founder of a company called Ideem, which is building an alternative to two-factor authentication or one-time password where there's all these probabilities determined.
00:28:59 Scott: If we're doing peer-to-peer payments between me and you thinking about where money leaves my wallet and goes to your wallet, if you are who you say you are. But all these things are probabilistic based on IP, based on two-factor authentication and all the new and evolved ways that we can, like what Complyance is doing, play defense at the speed of how some of these nefarious actors are playing offense.
00:29:21 Scott: So shifting gears here at the very end of the episode, we'd love to know if you weren't living in London, where else in the world would you choose to live?
00:29:30 Richa: Easy answer, Switzerland.
00:29:32 Scott: Switzerland. I'm with you.
00:29:33 Richa: It's too beautiful. I love the mountains, love the clear water. Just love it. Love it, love it.
00:29:40 Scott: Amazing. What book are you currently reading or podcasts do you enjoy other than the Venture Everywhere podcast?
00:29:47 Richa: I recently read Shoe Dog, loved it so much. What a great book. Phil Knight, about the story of Nike. Highly recommend. Highly, highly recommend. One of my just favorite books that I read on a recurring basis is The Hard Thing About Hard Things, which is my favorite founder go-to, “when I need a moment of inspiration” book. It's always nearby.
00:30:06 Scott: And that's the Ben Horowitz book, right?
00:30:08 Richa: Yes. Ben Horowitz's book.
00:30:10 Scott: Amazing. I have not read Shoe Dog, but it's on my shelf. It's on my list.
00:30:14 Richa: Read it. You'll love it.
00:30:16 Scott: Get the audiobook out on one of my next long drives.
00:30:19 Richa: Exactly.
00:30:20 Scott: What's your favorite productivity hack? Do you have any go-tos as far as how you manage your calendar or how you navigate your day? You mentioned long-term planning and sort of how you think about these conversations.
00:30:31 Scott: And I thought to myself, gosh, how many of us actually set aside one day a month or one day every quarter to just think about long-term planning? We certainly don't necessarily block off a day doing that, but what are some of the ways that you think about running the company and running your calendar?
00:30:48 Richa: I'm going to give you a different answer to this. I genuinely think at this point in my career, the best productivity hack is to hire amazing people who you can trust and then do trust fully which then gives you the mind space to actually think and plan for the future and invest in hiring, invest in recruiting, invest in figuring out if that's the right person and trust your gut if it's not.
00:31:12 Richa: And when it is, trust them. And weirdly, that is the productivity hack that I think is the most sustainable for me since starting the company and before.
00:31:20 Scott: I think that's an extremely wise answer and an answer that not everybody gets to eventually is that the biggest productivity hack is probably creating culture, creating an ability to hire and then an ability to trust. And I love the phrase that culture is what happens when you leave the room.
00:31:39 Scott: And what happens when you're not managing somebody, when you're not talking to them, when you're not micromanaging them, that's culture, right? The extent to which you can create that and that trusted environment gives you massive leverage, which I think is amazing. And finally, where can listeners find you?
00:31:56 Richa: On LinkedIn. I'm actually starting a video series interviewing experts, consultants, and our clients about compliance and Complyance with a Why.
00:32:06 Scott: I love it.
00:32:07 Richa: Everything you're seeing. So find me on LinkedIn and we will continue the conversation.
00:32:12 Scott: Well, maybe we can get people to be guests on your show coming up.
00:32:16 Richa: Sounds great.
00:32:17 Scott: It sounds great. Well, Richa, thank you so much for joining us today. It's been a pleasure. We're super excited about what you're building at Complyance. Super fans of you as a CEO and founder and just very bullish on all the things that you've been creating over the last couple of years. So thanks for spending the time with us.
00:32:35 Richa: Thanks, Scott. Appreciate it.
00:32:38 Scott Hartley: Thanks for joining us and hope you enjoyed today's episode. For those of you listening, you might also be interested to learn more about Everywhere. We're a first check pre-seed fund that does exactly that: invests everywhere. We're a community of 500 founders and operators and we've invested in over 250 companies around the globe. Find us at our website, everywhere.vc, on LinkedIn, and through our regular founder spotlights on Substack. Be sure to subscribe, and we'll catch you on the next episode.