William Leonard

Hey, ladies and gentlemen. Welcome back to the Atlanta Startup Podcast. I’m William Leonard, your host and investor here at Valor Ventures, a leading seed-stage VC firm in Atlanta, Georgia. And today, I’m really excited to sit down with Nick Santora, CEO of Curricula. Nick, welcome to the podcast. 

Nick Santora

Thank you for having me. 

William Leonard

Awesome. Awesome. Before we get going here, for the benefit of our listeners, can you give us the lowdown on Curricula and what you and the team are building here in Atlanta?

Nick Santora

Our mission is to teach companies how to not get hacked. That’s kind of easier said than done. The way we do it is, a lot of companies have to go through some boring death by PowerPoint training to try to learn about all the different things they should be doing to stop hacks and we all know that boring death by PowerPoint isn’t really that effective. What we’ve done is kind of create this story world with heroes, villains, and characters to help communicate cybersecurity concepts to employees and get them to kind of have fun while learning.

William Leonard

Interesting. This is a topic that is top of mind right now for a lot of institutions. We’ll get into that a little bit later. But, Nick, what’s your background? How did you come to start Curricula? What were you seeing or not seeing in a market that really compelled you to launch this thing?

Nick Santora

I was just talking about this yesterday, actually, but I actually came from a critical infrastructure background as a regulator. I worked for an agency called NERC, which is the North American Electric Reliability Corporation. They’re kind of like the IRS, but instead of regulating the tax code, they regulate the power grid in North America. I spent about seven years of my early career helping utilities across the country defend against the bad guys from compliance rules and cybersecurity infrastructure, advisory, different things, audit, and stuff like that. That is where I saw the problem. That is where I saw that there were massive utilities that we all rely on to keep our electricity up and running. We can live in the world we live in, that we’re implementing tons of technologies and antivirus software, and things like that but when it came time to teaching employees about all the bad stuff coming their way, it was, you know, Sally from HR slapping together some PowerPoints into hoping that employees learn from that. When I saw that happen over and over and over and over again, I decided to make a business focused on how do we take all those boring PowerPoints and translate it into something fun and understandable, specifically for utilities is actually how we started.

William Leonard

Interesting. Obviously, there was a space for regulation of the power grids, but it’s just not something you hear about every single day. It’s so critical to the everyday life of Americans. That’s interesting. Kind of digging in a little bit more to Curricula here, what does the practical day-to-day look like for you? Who is the end customer that you’re helping to serve here? Are you serving enterprises, startups, or mid-market? Where are you seeking to insert yourself at?

Nick Santora

We’re in a unique position where if you use a computer, you’re vulnerable, and every business uses computers today. They have employees using those computers. It’s just gotten a lot easier to be a criminal. Because of that, every time we hire someone or introduce a Gmail account or an employee to the situation, our risk goes up. The companies that we serve are all over the place. I mean, yes, we have our niche of where we focus on which is a lot of kinds of SMB market customers but we have anyone from casinos, to healthcare to Fortune 100s, to many startups. Every type of vertical you can think of because this problem exists in every vertical, where we focus a lot of our energy is on kind of the product, lead growth model, Dropbox, Slack, and Calendly, things like that, where you can just go to our website, sign up with a credit card, get started without talking to anyone. A lot of startups are now starting to embrace security awareness and training online as part of their core business, right? With everything that happened last year, you had no choice. You had to embrace online training or some type of communication platform. We’re in a very interesting space. Let’s put it that way.

William Leonard

You think about the current environment around ransomware, cybersecurity attacks, things like that. You think about some of your customers. You mentioned you’re working with a number of startups. SOC 2 Compliance is a big step for software startups. A lot of people aren’t as knowledgeable or they just don’t know where to start. When in terms of kind of implementing this training into their business. Can you speak to what some of the startups out there need to consider for SOC Compliance? Are you also helping grow stage companies as well with this?

Nick Santora

Good thing you mentioned that because I didn’t want to bring up SOC 2 but it is a trigger event that is happening in our industry that I’ve never seen before. The only time I’ve seen it is the reason we started Curricula. It was to focus on the NERC compliance stuff because there was an event with something that people needed with a deadline and million-dollar penalties associated with it. SOC 2, if people are unfamiliar with it, is a way to build trust amongst two different companies when it comes to protecting the customer data and security controls of that customer. In order to do that, you can fill out a giant security questionnaire that has a bunch of answers that may or may not be accurate. Or you can get those same questions done in an audit over a period of time to make sure you’re not only doing the things you’re doing, but you’re also maintaining them. Not easy and most of the SOC 2 was really designed for some of the larger startups as they started growing, got to Series B, C, and above because they had money and they had resources to kind of spend on that and the trust was needed at that scale. We are starting to see companies of four employees go through SOC 2 now. We are actually going through SOC 2 by nature of just kind of this market elevating because everyone’s requiring everyone else to have it, right? If I can give any advice on SOC 2 compliance, check the box exercise. I’m not saying that to be argumentative. I’m saying that it is a compliance report to follow. It is a list of things you should be doing. You can go above and beyond those, you can do them in a way that you deem necessary because you’re going to get audited to those. But anytime compliance is in the situation, there’s a lot of heartache from a founder’s point of view. We got to do it, spend more money and do another thing. Well, the beauty is yes, all of these things are designed to be good for your startup. By the way, security awareness training, what we do is actually part of a SOC 2 audit, a core part of it.

William Leonard

Gotcha. Can you talk to us about the core of the security awareness training? What does it practically look like for your customers?

Nick Santora

Depending on the size and maturity of your organization, a lot of companies are kind of seeing this for the first time. To move from death by PowerPoint world to something like this is exciting, because it’s fun and different. The typical kind of employee or customer onboarding experience would look something like this; you sign up on the website, you put in your credit card, and get-go. Now you’re in luck, you land inside of Curricula Ville, which is our world of all these stories, you have episodes, you can pick from a kind of like Netflix that covers all the topics you want your employees to learn about. Phishing, social engineering, ransomware, passwords, confidential information, privacy, you name it. We tell those topics in a narrative format, which is actually like an episode of watching a story of characters unfold, and you’re learning what could happen, and what hackers do with that information. You can kind of build that mental marker and then not have that apply in real life. Because you’ve kind of experienced an event of your own. We make those episodes, we kind of have an in-house content creation department that builds these episodes for customers. You go in, you pick your episodes, which ones you like, you customize them, things like that, you set an audience, which could be all your employees, hopefully throughout the year, and then you launch it. What that does is it drips out different episodes throughout the year, kind of like you’re releasing a new season of your favorite series on Netflix. It gets employees kind of talking about this. That’s the whole point is that they talk about it, they laugh about the characters. We got stickers of all the characters that we send out to customers and stuff like that. But then the beauty behind all of that is training, but it’s all about the effectiveness of it. Inside of our software, we have an integrated phishing simulator. It allows you to act like a hacker. You can build a simulated phishing attack on your employees in a safe space, and then see which employees may or may not fall victim to a cyber attack. If they do, we help train them automatically for you to get them up to speed to hopefully prevent this from happening in real life.

William Leonard

I love how you’re taking, like you said this, this Netflix-like approach and releasing episodes and really engaging the employees at that particular company to really understand what’s on the line here. You mentioned this at the onset, like the incumbent solution to this is a traditional boring PowerPoint that people sit through and likely fall asleep in. I think your approach to engaging is really interesting. As you think about this entire landscape, how do you see Curricula situated differently from other competitors in this space as well?

Nick Santora

You’re right. Even the biggest one in the space with hundreds of millions in funding, and it’s boring, the worst, the worst thing and it’s kind of you know, I always look at it almost like the Salesforce equation where it’s like, if you ask anyone about Salesforce, they say it’s the worst, right? It’s one of those things where it’s an unnecessary evil. It doesn’t need to be like that in our industry. For some reason, everyone’s thinking it’s turning into that. We’re hitting the pause button on the entire industry and saying, “Stop going down this route of complexity and angry employees. Let’s rewind, and let’s talk about how people engage with any content today?” Well, they watch videos on YouTube, and they watch streaming things at home and they have fun, they talk about things. We’re just kind of doing that. I think our niche in the market is by being ourselves. It’s by being fun, it’s by being kind of charismatic about this whole issue, and not trying to be the stick approach when it comes to training. If we do it in that way, we’ve seen great results with all of our customers as we’re continuing to grow. I think that’s made a real difference for the people that have embraced a more innovative and new approach to training in general. I think where we’re gonna see ourselves go and where any company is going to go in the future is our pocket. I would say a kind of uber focusing on is the smaller and midsize companies that can’t afford an IT person to wear 19 hats that also has to build training. It’s for the small startups going through SOC 2 as they grow. It’s for the Slack and Calendly and you know, Dropbox adoption of the world. Employees should be able to enjoy their experiences with the tools we give them. If they don’t, they’re not going to use them. Why are we trying to force people into a bad experience from the get-go, when it comes down to the most important thing for our businesses, keeping it secure and protected for all of our customers and our data? Well, if we play a strong part in that and build kind of our community, we think that we’re going to build a future on hopefully others following in our footsteps of not delivering death by PowerPoint, for the rest of our lives. 

William Leonard

I think any business that tries to kind of build a moat around that is just not going to be successful going forward at all. Shifting gears here a little bit, Nick, Curricula is at the Series A stage. That’s not an easy feat to get your business there. I’m curious, do you have any advice for founders who may be at the seed level, how do they know that they’re ready to go out and raise Series A capital?

Nick Santora

We’re probably an unusual case. We bootstrapped for, what,  five and a half years? If that doesn’t tell you something that is different from anyone else. Did it take us longer to do things? Absolutely. Because we grew a real business. I think that’s the biggest piece of advice, depending on the direction you want your business to go. Do you want to grow real business with real customers and real revenue? Or do you want to shortcut that to be able to innovate on someone else’s dime? We chose the former because we wanted to kind of really hone in on the real issues and spend the time throughout these years to learn. I think that was invaluable. I think that what I see our competitors doing, they’re trying to cut corners and take shortcuts, but they don’t truly understand the problem, because it’s very rushed in making answers for it. I would say for us, that’s our only first and only round of funding. Very different, we didn’t do a seed, kind of just did it through customers. But my best advice would be it doesn’t mean one’s right or wrong, it means understanding your path forward. If the problem is very apparent, and out there, speed is probably more up your alley. If the problem is dramatically changing the industry and thinking of something totally different, you might want to take a little more time before you start coughing up equity to someone else to spend your time and money on that. Because at the end of the day, you’re going to look back and say, “Was that the right decision to go fast? Did we absolutely need to go that fast? Or could we have saved around at the beginning?”

William Leonard

Gotcha. Do you think those are some of the core factors that really led you all to bootstrap instead of going on and raising really early-stage VC?

Nick Santora

I think it would have put too much pressure on us in the wrong direction to just quickly come up with answers. I think there was still a lot of understanding of the real problems out there. Once you figure that out, then yes, pour the gas on, figure it out from there. But without knowing the actual problem, it makes no sense to keep your head down and start creating answers because our industry problems change every single day. You need to kind of be aware of what you’re building towards, and be efficient as a business owner along the way, too.

William Leonard

I think it’s interesting to think about bootstrapping a startup and you mentioned some of the positives of bootstrapping. You kind of have that autonomy to build at your pace. But you’ve obviously seen the other side of the coin. I was wondering, are there any downfalls to bootstrapping a startup as well?

Nick Santora

Stress. We could have done all this and I could have been happy as a hippo the whole time on someone else’s dime. Absolutely, number one is stress and pressure is all of it. It’s on you because if you don’t get customers you don’t get to pay it on and we took no payment. For myself, I took it for probably two years of no salary to kind of keep the boat afloat while fronting some money out of my savings to make sure that we kept the boat afloat. Yes, very stressful financially and emotionally because it’s all on you. The second one is speed, right? We could probably have done what we did in half the time to get to where we are right now. But in order to do that, we would have coughed up probably a huge chunk of equity to do that. We just decided not to go that route and just kind of go at our pace. I think ultimately, I’m happy with the way that we landed where we are. But if I had to rewind again, I still don’t think I would change it. But I think if I needed to change it, those are the things that would have changed is speed and stress.

William Leonard

Interesting. I think that’s a pretty unique insight there. Most founders I speak to have raised that pre-seed, Series A that traditional succession of funding. I think it’s interesting. I think our listeners will get a lot of insight and value out of your thoughts there. I want to get a little bit of macro here, you think about all the cybersecurity, all ransomware attacks that have happened over the last two years., it’s been a plethora of them. What is your take on the state of cybersecurity right now? Are there really any areas for innovation that need to really insert themselves to prevent ransomware and cyber-attacks?

Nick Santora

It’s a nightmare, right? Nothing’s been different. It’s been like this, just the news is now talking about it constantly. The bigger the company gets, the more focused on compliance. What we see every time there’s an event like the pipeline, immediately, regulations come out, and then compliance, and then they have to hire compliance people. Then the compliance person’s job is to meet compliance. You get bigger now you need everyone to do compliance stuff. What happens is that you start to focus on the right intentions at the beginning, but then the wrong intentions in the long pole. That is kind of where I see SOC 2 going right now, where there are all these vendors that are outbound, people, and we’re working with a lot of them to integrate with Curricula to their software. But one of the things that some of them do is just focus on just crushing compliance out of the way, without a care in the world about the actual effectiveness. I can tell those people right away. I’m not going to talk about them here. But then there are ones that are doing really well. There’s a reason behind the intention of this compliance, and we’re actually going to make your security posture better. On the smallest scale, I would see startups are starting to get a taste of compliance as early as four for employees. Because if you want to work with a big company, you have to go through these. In order to change this for the better, I think we have to start. Compliance can’t be everything. We got to stop talking about all of this stuff as the only answer was, “Oh, you have a SOC 2 report.” And then you hand it to him. He’s like, “Great, you’re fine.” That means nothing. That means you’re just doing bare minimum stuff. We were just going through this morning and I was laughing about how they asked for some specific control frameworks. Just answer, “Yes. Cool.” And then you can provide evidence for that. But does it really mean you’re more secure? Long answer to that question of how do we stop this in the long run from a macro level? Well, we got to start focusing on the things that matter. And yes, there are so many innovations that are coming out. But the attacks that we see in the news, and the majority of these attacks are not stuff that happens like from the movies, where it’s like these crazy complex things. It’s a simple phishing email that comes in and an employee clicks on it. If the majority 90% of all cyberattacks happened, because of mistakes that people will hack, that’s why Curricula’s here is that let’s focus our energy on the biggest ROI items such as employee education, to reduce the risk of these happening. If we do that and try not to drink the ocean, I think we will see the numbers go down dramatically.

William Leonard

Awesome. As we wrap up the conversation here, you obviously chose to build Curricula in the city of Atlanta in Georgia. Was there a particular reason why you chose this city to build and are you a native of the city of Atlanta as well?

Nick Santora

I actually grew up in New Jersey my whole life. Came down to Atlanta because the agency I worked for relocated us. When I relocated, I had a bunch of friends that I met down here and one of them worked at the Atlanta Tech Village. Came into the Tech Village, took a tour. I was like, “This is so cool. People are walking around in flip flops and T-shirts and things like that.” As I kind of came up with that idea, a moment I figured this is the place I want to be. I want to be connected to this community. We decided to kind of build the headquarters, the core here, but we have employees in Florida, California, Michigan, New York, New Jersey, Denver, all over the place. We’re remote but embrace the city because I just think this community is awesome. I think there are more stories to tell. We’re just kind of a very unique part of this community that I don’t think has anyone like us.

William Leonard

I think Atlanta is a very special place to build a startup, especially over the last five or so years. Looking forward, you see the companies that are going to be relocating here, you see the university talent, you see the venture funding that is flowing through this ecosystem here. I think it’s just all right for innovation and a lot of successful companies to be built here. I’m hoping Curricula is going to be in that bucket as well. Really excited to kind of watch you all progress. A lot of our listeners are founders at the early stage, how can they get in touch with Curricula to learn a little bit more about your offerings?

Nick Santora

You will go through a moment when you do need to do security stuff for SOC 2. When you hear that word, think of us. It’s www.curricula.com. You can watch episodes. It’s pretty inexpensive. It’s like $50 a month to train a staff of 25 people. I call it circus peanuts pricing because it’s literally super cheap. But yeah, it’s all at the right time. I think my best advice for any type of early-stage founder is to focus on what matters when it matters. If you want to spend time, spend it in the right place, because you cannot buy time. You can get funding, you can get money, you can get all kinds of resources and stuff, but if you want to be resourceful, and you want to focus, then you have to say no to a lot of other things.

William Leonard

Great advice, Nick. Thanks for joining the podcast today, man. I think our listeners are gonna really enjoy this episode. I appreciate your time. 

Nick Santora

Awesome. Thanks for having me. 

William Leonard

All right. Cheers. 

Lisa

Thank you for listening to the Atlanta Startup Podcast. You know, we’re not just a podcast, we’re a community, and we’d love to see you at one of our digital or physical events, go to valor.VC and sign up for an event that makes sense for you. We have events for founders and the investors who back them. Another event you might enjoy is Startup Runway. The Startup Runway Foundation is a Valor organization that provides $10,000 grants to founders who are women or people of color building next-generation software products. Applications are free and we’d love to hear from you at startuprunway.org. And as always, thank you so much to the organizations that make this podcast possible. Not only Valor Ventures, but also Write2Market, a tech marketing and PR agency in Atlanta, Georgia, and the Startup Runway Foundation and Atlanta Tech Park Valley’s headquarters, and also headquarters for over 100 local entrepreneurs, building global businesses. See you next week. Please bookmark the podcast and join us.