InFront’s CEO, Melissa Koch, talks with TAG Cyber Law Journal about why she founded InFront Compliance
By: Justin Kern
Melissa Koch has spent more than two decades in the legal field, carefully building her career. And that approach has presented welcome opportunities. But she has also demonstrated an appetite for making things happen, even when there were risks involved. Now she’s balancing risks and opportunities as the founder and CEO of a tech startup—one that happened to launch at the start of a pandemic. And she’s guiding her new company while continuing to practice law at Akerman, in Orlando. But somehow she doesn’t sound overwhelmed or daunted. It helps that her company, InFront Compliance, is a legal platform she’s completely comfortable with. And that her co-founder, Alia Luria, is also a lawyer—and the company’s chief technology officer. And that Koch has worked at big firms and big companies. And prepared further by earning an MBA (while working, of course). But she did allow that the experience so far has included both “high highs and low lows.” Yet, she doesn’t exhibit a shred of regret. In fact, she insists that the timing couldn’t have been more fortuitous. The tool InFront offers is particularly valuable now, she says, when compliance can’t be done the old way. And never should be again, she adds.
TAG Cyber Law Journal: You are of counsel at Akerman, and the co-founder and CEO of your own business. How does that work?
Melissa Koch: Akerman has been wonderful and supportive. I have a unique skill set as far as lawyers go, in terms of the depth of my technology background. I’ve been a technology lawyer for over 20 years. And my skill set comes in handy on everything from M&A to complex licensing deals. When InFront Compliance was born, my goal there was to be extremely transparent. I didn’t want it to conflict with my legal work. So for now, the day-to-day work at InFront is my primary responsibility. And I manage that against the legal work and obligations that I have at Akerman. It’s not unlike a lot of company founders, who do what they need to do to make sure that all the obligations get met.
TCLJ: When did the idea of starting your own company start percolating, and how did it begin?
MK: InFront was born out of a lot of frustration with what I’ll characterize as compliance processes. If you’re in the compliance space, doing compliance by spreadsheet or by checklist is the norm, and it’s a very manual process. My co-founder and I were really struggling with our clients on this. These are struggles that I experienced in-house as well. Compliance runs the gamut from regulatory to operational and covers everything from cybersecurity to health and safety. When you’re dealing with it in-house, and then you change your channel into law firms, you see how widespread the problems of doing compliance in this manner can be. Because it’s so manual, it’s error-laden. The people asked to respond aren’t necessarily the ones qualified to answer the assessment questions. People modify the spreadsheets. It can be a very risky proposition. And so my co-founder and I said, “OK, we’re both struggling with this—with large clients, with small clients, on the vendor side, on the enterprise side. We think that this is a problem that technology can solve.”
TCLJ: What did you and Alia decide you needed to do to solve the problem?
MK: We started asking our colleagues: “Is this something that you’re seeing? Are these the types of features that you think would be useful?” About a year later we got into Techstars, the accelerator program, which was very validating. We took the summer and went through the whole accelerator program, which is designed for startups to pressure-test what they’re doing. After we graduated, we came home and started developing pretty heavily. We developed a platform in late 2019, did a soft launch and then did a formal launch in March. We’ve spent a lot of time and care on usability. And we translate very complex regulatory and operational compliance frameworks into plain-language Q&A assessments. Those assessments are used by highly regulated industries to manage compliance in a way that we think mitigates the risks.
TCLJ: What does InFront do for companies that distinguishes you from your competitors? There are companies like OneTrust that offer technological solutions and are pretty well established. What do you offer that distinguishes you?
MK: First is the expertise that’s built into the system. We’re not aware of any competing platforms that provide expertise in the way that ours does—in plain language and accessible across all kinds of different frameworks. You mentioned OneTrust. They’re known for privacy. We have privacy in ours as well. We have a very broad and deep library, including in financial services and cybersecurity as well as privacy. We built the platform to be super flexible in the types of assessments and compliance management functions you can use it for. Having that ease of use, that expertise built in, and that industry flexibility and variability is very different than what the platforms that exist are doing. It saves companies time and money and reduces risk. It also allows them to use one tool instead of 10. And allows them to rely on us to keep everything up to date, so they don’t have to use resources for that.
TCLJ: How did this step—deciding that you’re not only going to co-found a company, but are going to be the CEO of that company—compare to the previous experiences you’d had changing directions and deciding to do something you hadn’t done before?
MK: Given my interest in entrepreneurship and in business, in many respects it feels like a very natural progression. The fact that I can balance it and still have one foot in the legal world—that makes it very complementary. From the compliance perspective, it’s changing very fast. To be able to point the platform in areas that we know are really important, that we know organizations are struggling with, that we know organizations might be under-resourced for, that’s what really drives us. For me, it checked a lot of boxes in terms of doing something we feel really good about, doing something that we know is helping organizations and making it easier for organizations to do the right thing. All of these are principles that we hold dear, and things that, as a team, we get a lot of satisfaction from.
TCLJ: Is it scary having responsibility not just for the business but for your employees? If a company’s not doing well and you’re the general counsel, you’re along for the ride. You may be concerned about your own livelihood, but you’re not responsible for anybody else’s. This is different. Is it daunting?
MK: Yeah. You don’t sign up for startup life if that’s not for you. And you’re exactly right. It’s a huge trade-off if you value the comfort that comes with working with more established organizations. But you get to have a front-row seat on building something, and growing something, and having a lot of skin in the game. And for the team that I’m privileged enough to have at InFront, these are all well-informed decisions. Everybody knows what they got into when it comes to startup life.
TCLJ: Fair enough. But nobody anticipated that your hard launch would come at the beginning of a pandemic. And right now, you’re in Florida. We’re in New York. We were the country’s epicenter for a long time. And now it seems to have landed there. Hell of a time to start a business, in retrospect.
MK: You can’t plan for that. And you’re exactly right. When March happened and we in the U.S. started to understand the severity of what we were looking at, you take a step back and you try to figure out how you’re going to manage. Luckily for us—and we couldn’t have planned it, but it worked out great—we had already started diversifying. I mentioned that we’re in financial services. We had already started diversifying into cybersecurity and were already getting traction in that space. And we found for the organizations that we’re working with, one of the serendipitous things was that there is a new standard that has been launched by the Department of Defense called the CMMC, the cybersecurity maturity model certification standard. And we had already built tools for that. Unlike a lot of companies and startups that are struggling, that’s allowed us to accelerate into the current working environment that we’re operating in.
Also, we’re a platform and we’re accessible from anywhere. And I think for organizations that have really struggled with resiliency, they’re now taking a look at where they can make themselves more secure. Our platform fits perfectly. Not only is it used for internal compliance, it’s used for third-party vendor compliance across several different categories, including cybersecurity. When I talked about some of the manual processes that have historically been used for compliance, one of them is everybody getting into a conference room and marching through the requirements. You can’t really do that [now with Covid]. And who knows if that’s going to be the case going forward. So having a platform like ours—in addition to the functionality that I mentioned earlier, we have a lot of collaboration tools built in—makes it super easy to work with all of your different compliance stakeholders. And you can do it in a way that will give you much more confidence not only in the responses that you get, but in the consistency that you can drive. So for us, it has actually been fortuitous to launch when we did. For other startups, this may have been a tough call. But what works well for us is making sure we have the flexibility in the platform, and making sure we have our eyes on what the market is doing and what the market needs, so that we are well-positioned to take advantage. And even though we’re all in Florida, we’re a remote team. We’re very comfortable that way. So we didn’t experience any disruption. And we work with people all over the country. It really doesn’t matter geographically where you are. So now, when it’s important for everybody to stay safe and there’s still multitudes of people working from home, we give them a tool that they can use to do their jobs. And it will help make their vendors better, and help manage their entire internal compliance better, without falling victim to some of the pitfalls that we talked about earlier. 
For us, this has been a great way to validate what we’re doing.
TCLJ: What are some of the big differences you’ve found in being a CEO? Are there ways in which your previous work and preparation did not fully prepare you for this role?
MK: There’s a lot to being a startup CEO that corporate life just can’t prepare you for. When you talk to other founders, they talk about the emotionality of the job—the super high highs and the super low lows. And you might think you know what that means, but from my personal experience, until you’re doing the job, you really don’t. It’s everything from what you had indicated earlier about the hiring responsibility for our team, to making sure that we’re operating in a culture that supports the kind of work that we want to do, to making sure that the finances are in order. So you’re really the quarterback. In my experience with corporate life, I’ve had responsibilities for teams. I’ve had responsibilities for quarterbacking projects and being part of a larger organization. But it is really different when you’re birthing a technology, and you’re bringing on your first customers, and you’re doing your customer service calls. You’re doing everything that you need to do to get your business where you want it to be, because it becomes its own thing. When you work for a company, the company already is a thing. Coming from a corporate background doesn’t prepare you for the startup life. It really is its own experience. And for me, that’s something I’ve always wanted to have.
TCLJ: Was your legal background essential to what you do now? Could a non-lawyer do the job?
MK: For InFront, being a lawyer is absolutely essential. One of the reasons we’ve been able to build the system that we’ve built is because of my legal background, and because of Alia’s legal background. There’s no substitution for that type of experience. That’s one of the reasons why we stand out among competitive platforms. We sat in the chair, and we know what it looks like to do compliance in other ways. We came up with a way that we think is the best way to do it, which is a totally new way. In terms of running an organization and having those types of hard skills, we’re a team. While Alia and I have legal backgrounds, she also brings her technical expertise as our CTO. Mark Kuivilla, another member of our team, is also a lawyer, and he’s in charge of our expert content. Justin Kern doesn’t have a legal background. He’s our chief revenue officer. So it’s a mix of the different skills that you need. But for InFront, and to build this particular platform, I do think that my legal expertise was critical.
TCLJ: How much contact do you have with lawyers through InFront? Do they get involved in sales, or do they ever question you when they’re vetting the software?
MK: It depends on the organization that we’re dealing with. For banks and credit unions that we work with, we will typically work with compliance teams. But sometimes compliance falls under legal, and in those cases we will work with lawyers. But we’re seeing that more on the banking and credit union side than we are on cybersecurity, where we tend to work more with IT professionals. That said, I’m hoping that we’re going to see more lawyers on cybersecurity. This is something that lawyers could really benefit from. They could use a tool that helps them understand the requirements, and helps them manage cybersecurity compliance better than the existing processes or tools that we see. And we also recognize that sometimes there’s a pretty big gap, especially in the legal community, around technology and cybersecurity. So if you’re asking where we currently are, we don’t have a whole lot of exposure to legal teams on a regular basis. But I really hope that we have more. I think this is something that could be very useful for them and their teams.
TCLJ: How are spreadsheets and other manual processes introducing compliance risks that are particularly dangerous in a remote-only work world?
MK: I can’t underscore enough why this is such an important point. So many organizations use spreadsheets and checklists as a way to feel like they’re checking the box and doing what they need to do, instead of using them as an information-gathering, assessment and decision-making tool. When you’re working remotely and you are trying to be compliant by checklists or spreadsheets, or using a tool that doesn’t really work for you in this space, what ends up happening is you have requirements fail because they don’t get updated as frequently as they should. We see that often. We’ve seen requirements that were over a decade old. You can’t do that and feel like you have a good compliance program. You see a lot of manual error from not getting responses that are true, complete or accurate because you’re not asking the right person the right question. And when you get responses back, there’s no log saying who responded and when. You have email, and all of the errors that can happen when you’re trying to manage a process through email. You lose control of documents. Things fall through the cracks. It’s hard to know if you’ve gotten a complete response. And it’s also hard to know, when you get the responses back, where everything shakes out. You don’t get the big picture, from a compliance perspective, on where you stand or on where your third-party vendor stands. When you move to a platform like ours, it reduces the opportunity for those types of errors by an order of magnitude. You have the sight lines that you need. You have the transparency that you need. And you have the information that you need to make informed risk decisions.
TCLJ: A European Union court just threw the U.S. privacy world into turmoil by ruling that the Privacy Shield doesn’t sufficiently protect the privacy of European citizens when their data enters computers in the United States. Does this have you scrambling to change or modify your platform?
MK: We currently have GDPR assessments in our library as well as CCPA. When GDPR was issued, we focused our energies to make sure we had an assessment that could walk companies through what the requirements are—not only internally but for their third parties. So our library is current to GDPR. What the Privacy Shield decision highlights is the need for better processes for organizations to understand and assess the sufficiency of the technology measures, and whether the companies that they’re engaging with can actually meet the standard contractual clauses that are still recognized in the ruling as being valid. I understand and feel for a lot of organizations that were relying on Privacy Shield and only Privacy Shield. For those that now need to assess and adapt, our goal is to offer the tools that they need to do so.
TCLJ: How can businesses foster a culture of collaborative compliance?
MK: For businesses to establish a culture of collaborative compliance requires them to understand that compliance, in and of itself, is a culture. One of the ways that I like to analogize is when you’re working individual to individual, you talk about trust. You want to be able to establish that rapport and feel very confident when you’re working one on one. When you’re working organization to organization, compliance is the proxy for trust. It’s a way for you as an organization to have insight into the character of the organizations that you’re working with. Because if they take their compliance obligations seriously, you can have more confidence that they will treat your information more seriously, that they will meet their regulatory requirements—which could impact you—and that it’s part of their organizational DNA. Because we view compliance in this fashion, we recognize that the number of compliance stakeholders has proliferated greatly. It used to be just the compliance team, or just the legal team. It’s now your IT team. It’s your HR team. It’s your finance team. The touch points of compliance are all over organizations. When you view the compliance ecosystem in that way, you start to understand that you need a different tool for the job that supports a culture of compliance. We built InFront to do just that.
Original TAG Cyber Law Journal article: https://www.cyberinsecuritynews.com/tech-startup