Fall in Love With the Pain Point: Sam Li on the Evolving World of Compliance and How to Meet Customers’ Complex Needs
2x founder talks about how his current business, Thoropass, streamlines the audit process for business owners, the path to finding product-market-fit, and how they’re tackling compliance in the age of AI to safeguard user data.
Having started two b2b SaaS companies, CEO of Thoropass, Sam Li, understands the deep research required to validate an idea and identify early signals of product market fit. Thoropass is an information security compliance and audit solution that helps customers streamline audit processes and manage compliance posture to ultimately unlock new markets or customer segments.
I sat down with Sam about how a pain point encountered in the process of building his previous company became the inspiration for Thoropass, their process in navigating to product-market fit, and how the introduction of AI is increasing the complexity of navigating a properly compliant posture.
I would love to start with the backstory on how you landed on this problem and what ultimately inspired you to start Thoropass.
Before Thoropass, I was running a company called Zinc Platform that specialized in InsureTech. Everything was going great until one of the first enterprise partners we started talking to asked, “Can I see your information security policy? I’m sure you have done a SOC 2 audit, can I check out your reports?” That was probably my first exposure to this problem of compliance. We realized there was an urgent need to invest in a SOC 2 audit. I Googled and found the cheapest auditor out there. I thought it would be a four week process; but six months later, I still didn’t have the report in hand.
I wasted a lot of time going back and forth with the auditor, sending Excel trackers, and attaching screenshots to their SharePoint. Most importantly, I had to pull my team of engineers away from writing what I call “revenue-generating code”, to hack together an information security policy. I didn't get a lot of guidance from the auditing team I had hired, and overall it was a very bad experience for my early stage startup. This was 2017 and 2018, and back then everything was done manually. After Zinc, I spent a year at Bain Capital Ventures as an EIR. I was thinking a lot about different startup ideas, and this compliance bit just kept coming up. I wished there was a solution that turned a traditionally manual, very service-heavy process into a software-driven subscription experience.
Having a compliance program in place is a challenge that every B2B, FinTech, HealthTech, and SaaS company faces because their customers demand them, but there hadn’t been a very good modern solution for this. Identifying this gap really paved the way for Thoropass. I teamed up with my co-founders and together we thought, why don’t we build the Carta for information security compliance? The rest is history. We started the company in 2019. Four years later now, with four rounds of financing and a team of almost 200, we continue to help startups and established tech companies with their compliance needs in information security and privacy.
This problem feels pretty universal to pretty much any enterprise software company and the status quo you outlined is such a painful experience. Why do you think it hadn’t been solved yet?
We were one of the first, but eventually other entrepreneurs did figure it out. And now today I think we have good competition, which to me is a great indication that we found a problem worth solving.
Back in the day, though, there were two camps. On one side, you had GRC software. This was, and still is, an established category built with multinational or large enterprise in mind. This calls to mind the early days of Salesforce, where you need experienced users and a team of experts to manage those systems. However, this option is clearly not a good fit for an early stage startup. The other potential camp was working with consultants. You would hire a guy who has done HIPAA before, and someone else who knows about GDPR. This approach obviously has a lot of problems too. You don't have a very consistent experience, there are a lot of offline Excel trackers, emails going back and forth, etc. In that case, it was back to the manual processes we were seeking to solve.
But above all else, IT compliance is very important, and companies deserve a better experience than they were getting because their businesses literally depend on it in many cases. Compliance, afterall, is something that every company will face at some point in their journey. At Thoropass, we want to help take away all of the busy work so that customers can focus on the more important piece of security and strategy, not getting bogged down by taking screenshots. As a result, we realized that we needed to create a better, third camp to service modern companies.
Okay so it sounds like at the outset you’d landed on a problem that you’d personally encountered. As you started thinking about building a business here, how did you go about figuring out how universal this problem is?
One big lesson I learned with my two companies, especially in the early stages, is that product market fit is the prerequisite to any startup success. I'm lucky to match the persona I'm selling to, so that gave us a lot of confidence in this idea. Also worth noting, I have two awesome cofounders, Austin and Eva. Austin came from a similar background to me, so we worked together to hone in on this startup tech founder persona. Eva is very different; she spent 20 years at Citigroup before starting her own consulting practice. Her persona more represents executives at a larger company, or mature organizations where dedicated teams exist to ensure their adherence to any law and regulations. So, that creates an additional lens of expertise we can rely on.
Obviously, we also spend a lot of time with our customers and prospects. There’s no such thing as a static ICP, so talking to our customers is super important as we continue to evolve.
Was there an “ah ha” moment when you knew you’d found product market fit? How did the experience compare to your previous company?
My last company didn't hit product market fit, which we were not very honest about at the time, and eventually ran out of money, so I learned a lot and reflected from that experience. As I said, we're lucky that for Thoropass, previously known as Laika, we were the personae we're selling to. I think that's very important because we obviously also did surveys and expert calls, but the understanding was from somewhere deeper from day one. So if you're a founder starting from an industry where you are not the expert or practitioner, I strongly recommend either spending a lot of time with people who are, or have someone on your founding team with that expertise. I can't stress enough the importance of that because it doesn't matter how cool your software is— if it doesn't dramatically eliminate the pain point for your target customer, then it's not very useful.
In terms of actual discovery, I like using the book The Mom Test as an example. The high level idea of the book is, if you ask people questions like, "I built this product. Would you buy it or use it?" sometimes you get the answer that you want to hear, rather than the truth. Instead, it’s really about observing and understanding what your buyer persona is actually doing on a day-to-day basis and extracting the pain point through observation. Simply jumping to solutioning in the product market fit exploration phase is a recipe for disaster.
Lastly, after the first year or so, revenue becomes the validator for everything. If people are willing to pay for it, chances are you have something.
How have your customer’s needs changed given all the buzz around gen AI?
Great question. Maybe five years ago, it felt like SOC 2 and IT compliance was a series B problem. It was a matter to address once your company achieved a certain scale, and you set up your compliance program. More recently, the demand has materially shifted early - once you start your company, you get your insurance, register a company in Delaware, and then set up your compliance program. I think this wave of LLM applications will push us further in that direction, and open up many new interesting areas for infosec compliance.
As an example, a lot of the new Gen AI projects are largely building applications on top of foundational models, like PaLM 2 and GPT. So, what’s the expectation for compliance for the application layer (which often doesn’t go far beyond prompt tuning), when most of the heavy lifting is done by the cloud providers? How do companies, again at the application layer, add safeguards to make sure AI doesn't (mis)use your user data?
Another example is on the people management side. You probably want AI to help with your team’s productivity but don’t want your employees to leak customer data or business metrics to GPT. What’s a reasonable set of policies and procedures on protecting that data? Are the compliance standard makers going to set limitations on using AI in a productivity context?
So, I think the industry is still figuring out what the rules are here. The regulations and the authorities usually come last, but that doesn't stop the industry from starting to form the view on self-regulation, and Thoropass is active in those discussions and debates. At the same time, we're keeping a very close eye on how the team uses AI. We have a set of best practices we're actively sharing with our customers as well.
Tell me about the experience of starting and building a venture backed company in New York. How do you think that has impacted the trajectory of the company?
I love New York. Before starting my last company, I was at Goldman Sachs and Google in New York. I’m very much someone who grew up in this ecosystem. The industry has changed a lot though since 2011 when I graduated college. Back then, the developers all worked for big banks, and going to Google was a “risky” move. It’s a completely different scene now. The NYC community is a very close-knit community, and within that there’s equally good access to investors and different financial services. Also, giants like JP Morgan, who led our series B, represent some of the more traditional players fully embracing technology. I think that creates a unique support network within the ecosystem here.
I recently read that Manhattan has had more new early stage startups than San Francisco this year or so—so this is the place to be. I think what’s available now that was missing in 2017 when I started my last company is a much larger startup and venture community, which means more person-to-person conversation, people you can grab drinks with and have breakfast with for advice on a text message notice. I think that's very important, and more prevalent compared to five years ago.
Any other advice for other early stage other founders that haven’t yet reached product-market fit?
I think the economy has gone through a rollercoaster the past couple of years. We raised our series A during the height of COVID, and everybody was in panic. Now it's sort of normalized. The examples of COVID and rate hikes gave my generation our first real-life economics lession there are cycles in business, but there are no shortcuts in terms of building a great company. If you completely ride the momentum of founding a company without thinking deeply on the substance, you are set up to fail. Success requires intellectual honesty—first is honing in on product market fit, and after that it’s assessing your team’s capability, or figuring out how well your go-to-market flywheel is working. Hard business operation discipline is crucial in the good times and the bad.
So again, as a founder I think you want to be super honest about product market fit in the early stage. And once you scale, your role quickly transforms into managing the team, making sure the right people are in the seat, holding them accountable for business results. These two roles require very different skill sets, but I've seen many people transition smoothly—as long as you’re mentally aware that transition will happen and try to block as much noise as possible from the outside.