Intro Music
Tyler Finn
What if the way that we regulate breaches is is all but somewhat wrong? What if the legal system puniashes the victim and in the process, makes it harder to attract top security and privacy leaders to take on this sort of increased personal risk associated with these roles. Today, on the abstract, I am joined by Andy Lunsford, co-founder and CEO of breach RX, a company pioneering the automation of incident response for enterprises. Andy's story is interesting. It spans law compliance and entrepreneurship, which is kind of fitting given that the platform he's building today is sitting at the intersection of legal risk, operational chaos and executive accountability. We'll dive in to what inspired him to build breach RX, how the legal system may be in some ways failing both companies and their security leaders. And what he sees is the future of incident response. And Andy was actually a referral, which I love on the podcast from Joe Sullivan, a recent podcast guest. So yeah, Andy, thanks so much for joining me today for this episode of the abstract.
Andy Lundsford
Thanks for having me. Tyler, it's great to be here.
Tyler Finn
Okay, so you started your career trained to be a lawyer. You know, did the clerkship thing take us back to sort of the moment in time when, when you were getting started in the law and thinking about, hey, what do I want to do with this? What direction do I want to take it? And ultimately, ended up becoming more of a more of a consultant, like a litigation consultant,
Andy Lundsford
yeah, yeah. So, yes, it's crazy how fast the years go by, like, like a blanket, and you've gone through so many different parts of your career? Yeah, I think early days, I guess, for me, kind of my interest in law started in undergrad. I was a philosophy major, and I got exposed to a class called philosophy of law, and we talked about the right privacy. And I really got hooked into that idea. And that was like an early Foundation, and it actually kind of connects with, like in high school, some of my favorite books were 1984 and brave new world is just getting, you know, kind of in these ideas. But what is a surveillance society like and all these different things that are all around what is your personal privacy? And so I got so into it in that class that I ended up writing my honors thesis in college on right privacy. And then I going into law school, was like, hey, I want to do law in this space. I just like, love this intersection for technology, privacy, cybersecurity, the law, policy, it's all intersecting, and it's just incredibly intellectually stimulating for me to think. Stimulating for me to think about it. There's just so many trade offs and good things, so many bad things. And I feel like, as I've gone along in this career, all these things just continue to surface. And are, you know, it's, it's, yeah, it's just been super invigorating. But, yeah, that was my early foundation, but I jumped in law school. I actually thought about politics and try to get involved in the policy side of this stuff. For a bit, my family some ties to Arkansas politics, and so I actually did some interning on Capitol Hill office.
Tyler Finn
Cool.
Andy Lundsford
Very quickly saw what I felt like was very toxic environment developing for some game. It's all about winning and losing, alternative discussion here today. But decided, no, I just don't think I have the stomach for that business, even though my family had a lot of involvement there. And so then I said, let's let me think about the private side, like, how do I get involved with, you know, law firms that are in this space, in the early 2000s there really wasn't anybody doing what has become this privacy law, cybersecurity practice, this biggest growing practices of every major law firm. You know, when I went around, like, literally going to every law firm I could find online like nobody was doing privacy law. And then I found one firm that had a very boutique firm where the partner had actually for the privacy OGS out there. He worked with Alan Weston back in the day, and he was the FTC, and was getting work on some of these very earliest data breaches that went before the Federal Trade Commission. And so this awesome learning opportunity for me to be in privacy law, feel some of the what's the ramifications of, you know, when a company has a breach, and all those early, early, early things around litigation, yeah, and then I worked in house in Walmart's General Counsel's Office for a bit. Then had this opportunity where my brother was leaving a big consulting firm. He'd been doing litigation consulting, he introduced more of an engineering background and a few partners he worked with that we were going to come together and decided to build what became being group where we had a whole stable of experts that could testify on different topics. And my litigation legal background was a nice bridge between technical experts and legal teams. And yeah, did that for quite a while. Got more they've reached litigation experience along the way. And yeah, that's kind of the early part of the story.
Tyler Finn
Okay, that's pretty cool. So you got to actually work on or observe or watch some of the early data breaches. I don't know. I mean, here's a question, like, Did it feel like a little bit of a bigger deal then, or did it feel like the reputational sort of harm for a company was huge. I mean, on the one hand, you're kind of making it up, but also it hasn't happened a lot like maybe it was like front page news at the time, as opposed to today. In some ways, it feels like a data breaches. I get an email once a month from a company that my day. I think I got one from my insurance, my health insurance provider, like two weeks ago.
Andy Lundsford
Yeah, they're serious. What people don't reach fatigue, yeah, think about it, yeah. I think early days is certainly thought of as a black swan event, like, oh man, terrible thing. But it was there also, at that point, was very, it was the very early days where we had, not every state had a data breach law. It was like it was one of the ones that was out in front, and that was one of the issues. But basically, early litigation was around this article, five separate trade practices where there are issues around, what are you saying about your privacy and security on your website? That's always kind of been a piece of it, but it was also the fact that companies were making the choice to notify California residents, but maybe not all of the residents across the country that their data was impacted because there wasn't a legal requirement to do it, and it was just in these handful of states, the FTC is like, hey, Wait a minute, like everybody should be getting notified about this, and so that was what a lot of the early debates were about. And we quickly turned into a place where every state had its own law. We've moved now to where, internationally, we've got over 200 different data breach privacy.
Tyler Finn
Wow, nice. I didn't know that that's a big number.
Andy Lundsford
It's quite the maze. And it gets more complex. I think what's, you know, as a brief lawyer can appreciate, it's like, it's not just that you have these individual laws in all these places, but they get amended all the time and get changed. You have a new, you know, California classic example, where you had California data breach law, then you have CCPA, then you have CPRA, and then you've got more things that happen administratively for each of those laws. So it's really a lot to keep up with when you think about the multiplication of that, so it's like 200 base laws, but when you think about how many times they've been amended, you're talking about keeping up with, like, different things a lot to track down and stay on top of.
Tyler Finn
What was it in your experience? I mean, I guess you had this sort of privacy background. You're helping run the beacon group, you know, doing the sort of litigation consulting work. What starts to nudge you towards the idea that maybe there should be a sort of like tech solution in the data breach space? What was the sort of early thing that maybe led to breach RX?
Andy Lundsford
Yeah, I'd say there were, like, you know, a few different key pieces. I think one as just a we talked in a black swan event, or I could really see, and like anybody that was experienced in the cybersecurity and privacy space would start to say, it's not if, but when, like, it's like, everybody's gonna experience this. And then I think, and that was even in my mind at that time, underplaying the frequency, because it's not just everybody's gonna have one day to reach. It's like, right? Everybody has incidents. They're happening all the time. So that's a change in this dynamic. And then and on top of that, we've got more and more now. We've got 200 plus. We were starting a tipping point on the regulatory 2016 when it affected 2018 this was the first time we had a really short timeline on notification with what felt like very significant teeth on the penalty. So to be able to have to notify in 72 hours pace up to 4% of revenue as a penalty. Okay, this is the next wave. It's not just that we've got a duty to notify it's like, okay, you're gonna have to do this very fast. And when you've got this complex web of laws, how are you going to sort through that in a matter of hours? And then I think also so that that was probably factor that was factor two, and the third was just seeing in litigation, all this, all these times, all these cases of just how kind of footfalls in different ways about how a company would respond to an incident and didn't have a good enough record about it, or they were not transparent enough about it, and we had a real mentality across legal profession. It's like our best advice to clients on breaches and incidents was, don't write anything down. Minimize communication like, let's, let's contain this as small as possible, because every word about this is additional liability. And so in the reality was that part of why these breaches would go so badly was because companies had viewed them as a security technical issue and not bigger business problem, that it really becomes that over the long tail. And so felt like, okay, let's rethink the way we handle incidents. And one think about it's actually an area, an area of transparency. And so like, need to have a record. I need to show that I took responsible action, because these do happen all the time. It's not something that's black swan, unexpected and finally, didn't know you're doing. There's an expectation you take a systematic approach. And how can you end with 200 plus different obligations, regulatory wise, plus contracts, plus cyber insurance, plus controls, all these other things that dictate what you have to do with an incident. Sorting through that in seconds is not a good task for a human being. It really should apply some automation to and so you think about the way that we've used like Turbo Tax in the tax code. It's like,
Tyler Finn
Sure,
Andy Lundsford
You don't know, but nobody's memorizing every bit of tax code. Yeah, apply some automation here. And this was a space to me that made sense. It's like, let's apply automation around a lot of these obligations. Let's have a place where you can build a factual record work and really coordinate across the team in a meaningful way, so that it's clear who's doing what when, and making it very easy to have that record after the fact. And so that was part of my vision. And I think I also just said, Look, I've seen all I've seen, and lived all these worst case consequences with clients. Yeah, this is where it all fouls up. And how would I look at this problem? A lot of people look at problems head on, of like, okay, I come across this problem. What do I do next? What do I do next? Let's look at it actually, from backwards to forwards, and say, Okay, these are all the worst things that can happen. How do I engineer a process so that as many of these as possible are taken off the table. And so that was a real focus for my co founder and I, Matt, on how do we build a platform that really minimizes the impact? And we turn this from what every person, every always talks about is chaos to should be a routine business process, because it is an expected thing to happen.
Tyler Finn
When did you feel like you wanted to go all in? I mean, because, like, you know, beacon group was doing very well, right? Sort of successful business on the one hand, I suppose that gives you the confidence that you can do the entrepreneurship thing, right? You didn't just think of yourself as a lawyer, right? But, yeah, when did you decide that it was, it was time or that, like you wanted to go all in?
Andy Lundsford
Yeah, I think, you know, going into So, I guess being a risk averse lawyer, had these ideas about, about pre char X. I didn't have the name for the company at that point, but I like thought, you know, platform needs to exist here to do this. And I had the opportunity to do the executive MBAs program at Wharton, so I actually decided, hey, I'm going to go do this program, and I'm going to take my idea and I'm going to use all of their great entrepreneurship coursework. I had been a philosophy major and then a lawyer, and I hadn't had formal business. Like, I mean, I built a business. So I like, what I learned once I got to school was like, Oh, actually, I know a lot of this stuff. Like, I have experienced a number of these things, but it was awesome background, the network, all the long great reasons to go to warden. Very happy I did. But, yeah, I took, took it through that. And then it was right around that time, 2016 when GDPR was coming down, and was kind of like, okay, this is this is real. And for me as a lawyer, I'm like, okay, that's real penalty. Everybody's got to start getting in line with
Tyler Finn
Yeah.
Andy Lundsford
And this is where the vision of where things are going. What I did learn hard way was just because a law gets passed, doesn't mean everybody goes and changes their behavior. Propensity of let's wait and see some people get burned first, and then we might change the way we do things. And I think, as a CEO of a company, it's not that people do that because they don't want to do right by the law. There's just a reality of hardcore compliance with every single thing is a cost, and everybody's making risk-based decisions all the time. And what ends up happening in legal field, a lot of ways, is that you've got to start to see the shape of like, what do the regulators actually care about? What are they actually going to penalize people for? And then let's adjust our behavior to that. So that's just the common approach that has absolutely yeah. So it was, although it made sense to me in 2018 when I quit beacon group to do this full time. It was very early to market, and it took grinding through some early days. But now, like the vision of where I thought everything was going is really playing out and we’re you know really seeing the company take off which has been awesome.
Tyler Finn
We'll come back, I think, you know, towards the end of our conversation to talk a little bit more about the product and maybe your experiences as a founder, I am really curious in the substance of this, right? And like maybe talking for a minute about how data breach laws work, whether they work. I mean, you know, I mean, one idea, maybe something to start us off with, is it makes sense, if companies are not investing heavily in data security, that you would structure sort of incentive right, or a disincentive to not invest right, double negative, but like a disincentive to not invest right, if you don't invest in this and then this bad thing happens, and consumers are harmed. We're gonna find you, but the companies are victims here too, and the world has also evolved from that place. So I don't know what's your perspective on that and the way that most of these laws are structured?
Andy Lundsford
Yeah, yeah. I think that it’s to your point like the meaning, the reason they they're structured that way, is to incentivize people to be good with data. Is okay if you're going to take on good steward of it, you need to protect it, take it seriously. It gets out there. It can harm, harm people in different ways. But the reality is that I think that was the starting point with less education and understanding of what it actually means to the challenge, the evolving challenge it is to defend the digital economy. And that is, you know, there are we think, especially about what we have now today, between automation and AI around the amount of attacks that a business is under every single day, and they only have to win once, and you've got to defend them every time. And so it's like, I always, you know this idea that the law is set up in the cybersecurity world to punish victims is what really kind of burns at me. And that was like, also another piece of like, starting a company that really made this a very passionate endeavor for me is, but I, yes, I believe businesses need to be responsible with data, but I don't think it's fair when people are doing the right thing, doing the best they can, with smart people, that you should be coming and taking a hammer to them. So, you know, example I give is, like, say, your it's not a perfect analogy, but if your house gets broken into, and thief comes in and steals a bunch of your stuff, and so you had, like, good industry standard locks in the doors, but they found a way to get into your home if, after the fact, the police took you to jail or fined you. Everybody would say that is fundamentally not fair. That doesn't make any sense. Like that, you you lost you lost goods, you went through the trauma of getting attacked. But that's not the way we do it in cybersecurity. World. It's okay this has happened to you. You better do this with surgical precision and how you respond. You better tell people on this date, this date and this date, and you better have a record to show that you did everything perfectly after you got attacked. And I think there's so much focus on like in the cybersecurity world, on the defense side of this, and it's definitely important. You don't want to leave the doors wide open, but you're actually your company, the security team, the legal team, everybody is judged more on how they handle an incident than they are whether they defended because it is expensive and accidents happen. Stuff mistakenly gets shared in different directions. I fundamentally don't think that it's fair. If a company has a really good systematic approach, they take this seriously, responsible about it, that you should be having slice hammer come down on you for it. I think there's better, better ways to incentivize that behavior.
Tyler Finn
Yeah. I mean, I think the other thing that folks sometimes don't appreciate is some of these actors, nation state actors are backed by nation state actors. And I think we're going to see even more more of that. And, you know, I mean, even the largest corporate and most sophisticated sort of security teams in the world, the company like Microsoft or a meta or is going to struggle against a, you know, a team, a hacking team, that is funded by North Korea, or funded by China or funded by Russia, even if it's not an actual arm of the government, right? I don't know. So I think that this problem is not going away. In other words, and like, even the most sort of sophisticated corporations in the world are going to continue to get hacked. That just seems like a reality of doing business,
Andy Lundsford
yeah, well, and like, you know, unlike a physical theft where somebody's got to, like, break into your physical facility, like, you can be anywhere in the world and be sending out malicious code, doing all kinds of things because of our interconnected the way everything's connected to the web. And so in those countries, yes, jurisdiction over people to come after them. In some of these countries, and those countries, maybe, whether they sponsored them or not, don't have incentive to help us go after them. And so that's part of where, like the true wrongdoer, many years to bring that first adjustment, you've got to get lucky in a number of directions for that to happen. And so, yes, it's a real challenge.
Tyler Finn
I mean, the other thing that you layer, we see being layered on top of this, I guess, is calls for more executive level accountability, which I don't think, in a broad sense, is necessarily a bad thing, right? Like the idea that CEOs or others who are making decisions about where to allocate resources in businesses that have real world consequences or have consequences for consumers, right? Ordinary people, right? I mean, there should be accountability in corporate America. We started to see is a few cases, not a ton, but a few cases where CISOs, Chief Privacy officers are targeted for civil or sort of criminal enforcement actions based on how they've handled incidents like this, and no what I mean. What do you think about that and the potential sort of think chilling effect that some folks are worried about not trying to say no one should ever be held personally accountable for criminal activity or really bad decision making, right? But it seems like that could, could keep, keep good people from wanting to take on sort of the top job in these in these functions.
Andy Lundsford
yeah, I think we've seen that. We've seen especially the CISO community and and then some of the cybersecurity legal community, of people saying, hey, it's just not worth the personal risk to continue doing this. Because I think you think about other again, other areas of law, there's other things like, normally, if you're gonna hold executive personally accountable for something that, for criminal fraud, all these things they've done something truly nefarious, like they're stealing their state to shareholders, or, you know, there's things that they're doing that are truly bad, wherein, when you look at the cybersecurity workforce, and this like a bigger issue is, I think this space is unique in that we can't rely on, you know, our federal government to defend all these companies, like, have sort of teams within all of corporate America, and they're really ultimately the front line in defending Our economy. Like, you think about the impact if, if there's no good cybersecurity at all, these companies, like the whole the whole world's vulnerable to turmoil, really important that those people that are mission driven, that want to fight that fight kind of similar to you actually see a lot of people come from the military, that border security, because they love that mission aspect of it. We really need to incentivize them to want to do this job and feel that it's rewarding. And it's not just like, Oh, if I go there and I am doing my best, that I might actually end up in jail. It's obviously if you let, if you hack the company or insider, and you facilitate, that's something completely different than we got attacked and the business didn't respond well enough. You know, I think there's also so many business decisions get made in that incident response process and how you how much resources you dedicate towards cybersecurity. There's all of the these risk based decisions that go into having as good of a cybersecurity program as you can under the surface that yeah, it just really feels unfair to say, like, Hey, let's go after these people personally. And you know, that's where we kind of have a mission in our company about defend the defenders. You know that we want part of the solution that keeps those people feeling like they're covered. They like we're easing that liability for them, so they just need to go do their job and do what they're really good at. And I think, I think that is going to be a change over time. How long it takes us to get there, I don't know, but I think, yeah, it's, there's different. There's like, negligent acts and like, just saying, Hey, we're not gonna invest in cybersecurity. We're just gonna offer we're not gonna care about how we handle data. Like, that's one thing, but it's totally different. When you look at the people that have been, that have been, you know, charged personally in these cases, these high-profile cases, that it's, it hasn't been that type of situation.
Tyler Finn
Folks who are listening are mostly sort of in House lawyers, as you know, GCS, suppose they can advocate, but they're probably not going to change 50 different state data breach laws and the structures. They're not going to convince the SEC or US Attorney in a particular area not to go after their CISO. Something they can definitely control is as these incidents happen and will happen to their businesses. They can control the sort of response you've seen. I don't know how many, many hundreds, 1000s, probably, of breaches. I mean, what should companies do in these situations? How do they document in the right way? How has that changed, as we've sort of touched on over time. How is the approach? Very different today, sort of around transparency and showing your showing you're trying to do the right thing all the way through. Yeah. What can companies do? What can GCS who are listening do to protect their businesses? Yeah.
Andy Lundsford
I think it's starting with that fundamental understanding that, because you know, this is a real possibility, real risk is sick, how are we going to proactively prepare for it, so that when it happens, we're not running around trying to figure out what to do at the time? I think part of the older legacy mentality had been like, well, I'll just have really great experts on call, like, I'll have my outside counsel runner, I'll have forensic firm that I've got a retainer with my cyber insurance or whatever, and I'm just gonna dial them up. They'll come take care of it. But and, and there are super talented people that do great work in those spaces, but it's still a it's a business problem, and it actually requires being well coordinated across the business so, like, it doesn't matter if you have the best, the best professionals coming in after something happened, they can't fix your business coordination problem, and they're not going to have the record keeping in place for you to show that you really thoughtfully prepared for these type of incidents, and so that was having a real systematic approach. It's not just, I think this is a changing mentality too. Is it used to be like, Oh, I've got a paper incident response plan that we've written down, that the reality is a template that was given to them, or somebody else wrote it, or one person writes it, most people don't read it. It's really just an escalation. Document doesn't actually tell people what to do, but having that and running an annual tabletop, we've been proactively prepared, but that's really not sufficient today. Now it's like, no you, you need to have a cross functional team that practices together on a regular basis, and you need to have a system of record to show when an incident happens, who dealt with it, who escalated it, what time did they escalate it? And as that workflow spreads across the organization, that it's well coordinated. People are on the same page. There's a system of record that single source of truth and be very intentional about how you handle attorney client privilege that unfortunately, historically, it was like, Fine, just do this stuff in email or messaging apps like Slack. We're seeing that, you know, by not really intentionally separating out the factual record you have to build from your privilege communications, all of that's coming into evidence. And I've worked with the Sedona conference on some commentary in that space, and that's what we've seen when we look at all the different court cases we've had on privilege in cybersecurity context, but the mixing of that, those factual and using business systems that aren't specifically designed for the use case, all those things weigh against you, and all this evidence smoking guns come in that are
Tyler Finn
Interesting.
Andy Lundsford
yeah, should have passed this, you know, Two years ago, and a lot of the stuff that people think is going to be like internally protected, it all ends up coming into evidence which is is really unfortunate.
Tyler Finn
Interesting. So how it's, how do you solve for that? Like, how do you keep those sorts of communication streams separate or segregated in the right way?
Andy Lundsford
It's it's this intentional choice of doing it in, in you have a it's part of your policy, and it's, and it's actually the policy you follow that is, here is where we build the factual record, and this is the end of that, and this is the out of band place that we do, the communicating separated from that record, and they're not, they're not intertwined. That's the that's the real key from a technology perspective.
Tyler Finn
So I would imagine your role now, or your you know, as the founder, as the CEO, is an interesting kind of mix of advising clients on how the landscape is evolving, while also having to build a tech solution, implement, do tech implementation, etc. How do you draw on the different experiences you've had to do, to do both of those things? And do you like that sort of context switching? Talk to us a little bit about that.
Andy Lundsford
Yeah, I think that was, you know, one of the reasons why I love this job, I think that it taps so many different skill sets for me, where I think sometimes, you know, as a litigator, you know, it's been a lot of time on strategy and all the different aspects of what go into litigation, but there was an amount of where I felt like I felt like I wasn't really learning as much anymore, whereas, yeah, now I, you know, I have a board that I, you know, accountable to, and I have brilliant employee base that, you know, has all kinds of challenges as you're growing a company very fast. And, yeah, it's very different to sell an enterprise product, a software product, than it is to sell your services, like, as a service provider, consulting litigation lawyer, you're there's a lot you get a lot of like, I do really good work for this person, and then they refer me to others, and you're also getting paid for things immediately. In this type of business, you know, you spend a lot of effort building up this product, invest a lot in that, and then, and then you sell it. And obviously the business model is much more scalable once you get there with that early investment. It's just mentality. But, you know, back to your question, I love all the different problem solving you do in the different directions. And I think it's also you're more interacting with people, various types all the time, whether that's a partner, investor or customer, employee, all that stuff in the course of my day, versus kind of being in my like silo of like, I'm in the law, I'm in my case. I've got a couple people that I'm working on this case with. Maybe it's a broader team, but it's, it's not as diverse, and I feel very invigorated by all the different things I guess do every day.
Tyler Finn
Do you feel like you're because you were a leader and sort of like one of the execs who helped grow the beacon group. But do you feel like your leadership style or the way that you approach your work has had to evolve in any meaningful ways now that you're in more of the venture backspace, and probably have it more diverse sort of team than you used to working with software engineers, etc?
Andy Lundsford
Yeah. Yeah, I think that it's been certainly as very different, different types of business to build, whereas before, it's like I was selling my relationships, and I was finding ways to leverage to our team, like our services, my opportunities to like, grow, okay, we start with this level of service for a client, and what are the like, what's the next level, the next level? And then they bring us on this, you know, I've really built around me at reach RX, amazing leaders and different functions of the business, whereas, like, I feel like at Beacon, it was kind of like I was capable of doing everything. And it was like finding people that I could give pieces of it to, part of like, my role as CEO X is like one of the things gaps I have. Like, you know, I need a chief revenue officer. I need a head of marketing. I need my co founders, Chief Product Officer, Chief Technical, technology officer. He's, you know, everything tech, and he's got a team of engineers. And, like, I really enjoy, like, bringing on experts in their piece and having them have, like carte blanche, to run with that aspect of the business, and you know, we just work together on things that our issues overlap.
Tyler Finn
I've got a couple more substantive questions for you before we get to the sort of fun closing questions. You mentioned earlier that you felt like you were somewhat early to market with, with pre char X. I'm really curious about that, and how you sort of cross that chasm or chasm, or however you say that word, it's escaping me at the moment, you know, because that's, that's a hard thing, right? I mean, a lot of companies sort of die because they're five years too early or 10 years too early. And might be a really great idea, but they just can't get the sort of like product market fit or the traction that they need, the revenue that they need to keep going and raise another round and make it to sort of the next stage. Yeah. How was, how was that experience for you? How did you do that?
Andy Lundsford
Yeah. I mean, it was, yeah, one of the absolutely hardest part of the journey. I mean, it's been you believe in a vision. And I that I believed in and I kind of talked about all these motivations I had for, like, wanting to do it and really lean into that. When you're hitting the wall on things. You're like, okay, it gets so frustrating when you like, you have all these conversations with, you know, prospective customers, early days, like, yeah, that's a great idea. Like, everybody should be doing this. Why isn't everybody doing this? And then you're like, but then actually getting somebody to invest and pay the money into it was real challenge at first, because you don't have enough. Like, you haven't this product hasn't existed before. And like, why would we change from this existing way? Even though we know the existing way sucks for all these problems with it, so you have to, you know, you really you've got to find those early adopters that like that, like, share your vision, are excited about it, and then they, they really help you start to evangelize it beyond them. And then you start to build enough critical mass where that really helps, like, referenceable, like, oh yeah, we've already done this work for this, you know, and this other, and it starts that starts to build. I think it also for us was just like the fever pitch of what I knew was happening. And it's like, you know, we went GDP, I was in 2018 but you have these new SEC rules that came down new more and more of the global expansion of these laws, York DFS and financial services like much, much more hardcore on these issues. And so you start to see people say, okay, yeah, the status quo likes the approach isn't good enough. Then we really got to do got to do better. And so, but, yeah, it was, it was tough. And you have a lot of conversations at times with your family, like, okay, hey, how, how long are you gonna keep pushing on this, you know? And you've got to be a little crazy, like, a little bit, I believe in this So, badly that I'm, I'm gonna run this through to the last dog guys, like, we'll just continue to punch through brick wall after brick wall. And that's sort of, I think every entrepreneur you talk to has to do some of that. Like, I think that we, you know, if you read the story in the news, that sounds like, oh, this company just like, launched and just, you know, took off like a rocket ship. If you actually spend time with pretty much any entrepreneur they've it's a roller coaster. You have days where you're like, am I gonna be able to pay my payroll? Like people can face these things that, I think in, you know, bigger corporate America. They are just not things you face. But it's, it's, it's really fun, though it's so gratifying because you go through that it's like all the more when you start, start having success.
Tyler Finn
Last sort of substantive question for you, Andy, it's, where do you see it in response and breach RX going over the next few years, where do you where do you want to take not just your company, but sort of maybe, if you have an ability to shape this ecosystem way, you know, where do you want to take it?
Andy Lundsford
Yeah, I think it's setting the standard for the industry and saying, Look, this is that we're changing the bar as to what it means to be to do instant response, what, what is, what's, what it's not instant response. Isn't this technical, cybersecurity problem, business problem, and it means you need a holistic solution that is going to work across the business from the very beginning days, starting of an event, all the way through to the end. And you know that that it that level is just the expectation, and I think that that, I think hopefully, will also impact some of these bigger picture things that we're talking about before us. Before. It's like, okay, if that becomes a standard of how businesses are dealing with it, then this personal liability and massive fines for facing things that are outside of your control, it seems to be make more sense to say, okay, as long as you have a really good system in place and you dealt with this responsible responsibly, then no big deal. Like let’s …
And so I think if that narrative, we're able to change that narrative and set this new standard that is incredibly satisfying to me, and kind of where I think we're going
Tyler Finn
Some fun questions for you as as we start to wrap up that I like to ask all my guests. The first is, if you have a favorite part of your day to day,
Andy Lundsford
I would say getting back to just like the diversity of things that I'm doing. Yeah, I have, you know, click one on one with my co-founder, and I've got all these different people on the team that I interact with, but, yeah, to go through the course of a day and talk to my internal team, have meetings with customers, have meetings with partners, investors and and I think as time goes and you get more and more people on the journey with you, it's just really fun. And that's like, more and more people that, like, kind of celebrate with you when things are good, you know, things are going that are there to help you when things are not going so well. And it's like, but I think that broad expanding people on the boat with you is kind of fun to continue to interact with and grow with every day.
Tyler Finn
I think this is kind of a fun question. It's if you have a professional pet peeve, yeah,
Andy Lundsford
I'm generally, like, an easygoing guy in a number of ways. Obviously, I'm type a in a number of ways. But I think the biggest deal for me is I've got no patience for ***. It's just to waste energy on being sure to somebody like, you can disagree with people, you can have a heated argument, but there's just a baseline that, like, I just don't have tolerance for ***, and I don't want to, no matter how smart and whatever you are, if you're an asshole, I don't want to work with you.
Tyler Finn
That's a good rule. I agree with that rule. I think most businesses should have a no *** rule. Okay, I often ask my guests about a book they'd recommend, but I know you're a big podcast guy, so I'll take the opportunity to ask you if there's a podcast or two that you would recommend for our audience, things, something you think would be interesting for them to listen to?
Andy Lundsford
Yeah, I think for me, I get really into some of the more entrepreneurial enter type of podcast. And so like, when, like one that I bring up to people a lot that especially if you're someone that's listening, that's either on entrepreneurial journey or you're thinking about it when I was going through the hardest times, and this is also didn't even talk about it like middle of COVID, you know, and everything that was that was the same time we were going through the hardest parts of the business. But there's a podcast called the reboot that Jerry colonna started and and he was a former VC turned executive coach, but he basically has on entrepreneurs talking about their journey and talking about challenges they face. It kind of borders into like, therapy sessions, sort of like, but as an entrepreneur and a CEO founder, like, there's so many things that you deal with day to day where you kind of feel like you're on an island thinking about and figuring out it's like a way to everybody's got different things, but you're like, oh, yeah, I can understand that. You kind of just get into that person's shoes in a way that normalizes. I think some of this stuff, and I think that one was awesome. There's this StartUp podcast. I think it's called the startup you want media that one was fun. One, and I used to always enjoy the guy, Roz, like how we built this.
Tyler Finn
Oh, yeah, those are fun. I haven't listened to that in years. Oh, that's a good idea. I like that. All right. Andy, last question for you, my traditional closing question for my guests, it's if you could look back on your days as a young lawyer, just getting started something that you know now, that you wish that you'd known back then.
Andy Lundsford
I think the biggest thing is that there you can do so many things with a law degree. I think, going into law school, and the way that everything is so structured, the Socratic method, all the different things that you do, they're just like, Okay, this is the way we've always done it. This is the path. And I think, you know, a lot of the Career Services opportunities tend to be around like, Okay, well, this is, do, you know, check this box, and you can do the next thing, jump to this soup and this hoop, and it's like, there's just this one path in the legal world. And that was kind of like, permeates the mentality, I think, during law school, or did at the time. Hopefully it's evolving. But when you come out of law school and you realize, like, there are million different things you can do and you don't have to do the exact, you know, path that everybody else has done. And I think fully being ready for that, I think, is a piece too, is like, because I went, I was one of those that went straight undergrad to law school, and you just kind of get used to, like, okay, school always puts the next do it, and you get out working. It's like you've got to decide what's the hoop you want to jump through next. And I think also just don't, also don't lose, you know, faith. Sometimes you can get frustrated and not like what you're doing, but like when you look back at your life and your career path, a lot of these things you go through, they're meant to be, and they like, inform you for the next job you do, and like, there's things that you do at one point that really help you do something later in your life you don't realize at the time. And I think that's definitely true for me.
Tyler Finn
That's a great answer, and very fitting with the sort of thematic thread through all of these podcast episodes. Andy, thanks so much for joining me for this episode. This has been a lot of fun, my pleasure. Thanks for having me on and to all of our listeners. Thank you so much for tuning in, and we hope to see you next time you.
.webp){kind=small}
.svg)
.svg)
.avif)
.avif)
.avif)
.avif)
