This is Part 2 of my interview with Nick White, head of marketing at Osano. In today’s episode Nick explains what Osano is, the state of privacy management and regulation today, and how he is growing the company to become the leading global privacy management platform.
Edward Nevraumont: This is part two of my interview with Nick White. Today, we're going to dive into his experiences as head of marketing at Osano. First, Nick, can you describe what Osano is and what it is the company does?
Nick White: Osano is a data privacy platform. We're a piece of software that helps companies comply with data privacy laws. Over the past several years, more and more people have been asking for stronger protections around their privacy online. Meanwhile, politicians can't agree on anything, but this is one area where they see that they can do something, where Democrats and Republicans can agree and they could do something for their constituents. That's true within the US and that's true all over the world.
Governments have been passing these laws and there's a big law in the EU. There's a big law in California. There's a big law in Brazil and South Africa. If you're a business, you're supposed to follow these, but it's a pain in the butt to understand what they are. They're all different. It's a pain in the butt to understand what you actually need to do to follow the law and make sure that you aren't breaking the law.
Rather than have your attorneys and your engineers figure that stuff out and then instrument solutions, you can just pay Osano a small amount of money, significantly less than what it would cost for you to do all that stuff yourself. We're a software-as-a-service platform. We help companies follow all of these laws all over the world, regardless of where you are, regardless of where your customers are and regardless of what language they speak and read.
EN: What's the alternative, Nick? If you're a large company, do you just go and redo all that work yourself internally? If you're a small company, just break the law?
NW: You could. You can always break the law.
EN: What do companies actually do? If they don't use Osano, are those the two paths?
NW: Yes, generally. Either you can build this yourself, or you can pay for a platform, like Osano. There's different ways that you can build it yourself. There are tools that can help you along the way. We have competitors and there are different options for solving this. It's the most straightforward way. We are the most popular way and it's very simple and affordable.
EN: Most of the time when you're acquiring customers, are you trying to steal them from a competitor or a different solution, or you're just trying to get them to comply with the law, period, and join Osano? What percentage of companies’ websites right now do you think are following the law?
NW: Between 10% and 20%.
EN: 10% and 20% are following the law?
NW: 10% and 20% of companies, of websites that have proper businesses are following the law. I’m not counting blogs and things like that. I think that your previous question about is the government actually going to come after me? Probably not, if you just are running a small blog or something like that. It is a green field and people are behind. There's just this perception that this is akin to a speeding ticket that you can get away with this and you might get a slap on the wrist.
What we're seeing is that the fines can be very, very substantial. Again, these are all different across different regulations. For the European Union's law, it's 4% of your revenue. For Brazil's law, it starts at over 100 million dollars. That's the minimum. The consequences can be massive. The much bigger challenge is in people saying, “We'll risk it.” They just don't know. It's just an education problem.
EN: Osano has a few different products. Can you explain your product set, or your feature set?
NW: Yeah, absolutely. We help companies comply with all of these laws. These laws can be complicated in some sense, but they can also be really simple. If you don't get data privacy, you can think of it like all the lessons that you learned in kindergarten. If you want something from somebody, you should ask for it first. If you want something back from somebody, you should be able to ask for it and have them give it to you. If you want to know if somebody has something, you should be able to ask them and they should tell you the truth. That's all that our products are doing.
When it comes to asking people for permission for something, we see that whenever we go to a website and a banner pops up and says, “Hey, do you accept cookies?” That's one element of our platform. It's what we call consent management. Another element is subjects rights management. That's the idea of if somebody wants their information back, you need to tell them what it is. We set up workflows and automations that allow them to gather information and then give it to people and deliver that information. Then if they want it to be edited, say you change your name, you can do that. If you want it deleted, then that's one element.
Then the last major pillar of the platform is what's called vendor monitoring. You don't just need to make sure that your operations, your company is doing a good job and data privacy-wise, but you also want to make sure that all the companies you work with do privacy well. If you work with other companies, you're passing them your data and your customer’s personal data, so you want to make sure that they are good actors.
That was actually the impetus for this company. The founders wanted to know, are the companies that we work with doing privacy well? It turns out that problem is really complicated and it takes a lot of lawyers to figure that out. What they did is they just built an objective way of evaluating privacy. We created privacy scores. Created this ontology of over a 100 different ways of evaluating a company's privacy practices and then distilling all that qualitative information into one score. It's on a scale of 300 to 850, just like your personal credit score.
We invested in a lot of this and a lot of this work. We have a team of two dozen attorneys, spending tens of thousands of hours rating well over 10,000 different companies. It would probably behoove us to keep this information and sell it. We do offer that as a component of the platform, but if you're curious about the privacy practices of your favorite website, we also give that information away for free.
Osano.com is our main website, but we also have a consumer version of our website called privacymonitor.com. If you go there, you can type in Reddit and you can look at what Reddit's privacy score is and how it's trended over time, or any other website. So that's an overview of the platform.
I guess, one last thing to share about Osano is that we're a B corporation, which means that we've been certified as providing a public benefit to folks. We aren't just focused on producing profits, but we're also providing something good for the entire world. We're very committed to creating a diverse workforce here. We're very committed to creating a more transparent Internet. We're very dedicated to having a very wide reach. That doesn't just mean serving a lot of different companies and we do serve Fortune 500 companies and tiny little one-person businesses, but we also have a set of open source tools. You can just take a lot of Osano's product. It's stripped down. It's not all the same. You can take that and build your own tool, if that's what you'd like to do.
EN: Nick, who buys your product? It's almost like an insurance product. It's not going to help you necessarily grow your revenue, it's going to protect the downside. Who's your buyer?
NW: There isn't one answer for you. Privacy is a new category and that means that there tends not to be a privacy person at most companies. At big companies, the largest companies, yes.
EN: I would imagine the largest companies start doing this in-house. If you have a chief privacy officer, you're probably doing a lot of this stuff in-house.
NW: A lot of times. Your website and your data systems are more complex. Yeah, the Microsofts of the world, they're probably going to build their own and it makes sense for them to build their own. For the vast majority of companies, it doesn't make sense. The math just doesn't work. Within any given companies, we really see three different buckets of buyers for us. One is product managers. Typically, the product manager for the website that say, “Oh, I’m responsible for this thing. Other websites have this and we don't.” That's one.
Two is marketing. The thinking there can be a little bit underhanded. Marketing tends to not like privacy, because it makes it more difficult for them to do their jobs. If they set the tone of the privacy conversation internally, they can pick and choose what data, or how data is handled. It turns out that Osano's products are very marketing-friendly. Marketers really like to use us. The third bucket is compliance folks, just people who are in charge of making sure that companies aren't breaking the law. Then the fourth are what we call board members, like either VCs and investors, or the CEOs, COO type of folks who are most liable should something like this go wrong.
Some people can be criminally liable at businesses for breaking the law. Those are the folks that would be most likely to be on the hook. They're also the ones who are very highly invested in making sure that companies follow the law to its letter.
EN: How is it divided? Is it one quarter for each of the four groups, or is one group just over-represented on or buys or stuff?
NW: Product managers are the most common. It's still the minority though.
EN: Then once someone's looking to buy this thing, is it bought, or is it sold? Are you pushing it on these people to make them aware of it, or are they coming to you and looking for a solution?
NW: It depends. There really are two different types of customers in that sense. Sometimes they know about the laws, they know they need to buy something, they know that they need to find a solution. Then that conversation is very different. The conversation is about here's why we're unique and better than our competitors and why you should choose Osano over different folks.
Then other times they're passive and then the conversation is, “Hey, here's what data privacy is. Here's what these laws are. Here's why they're so important and here's what you need to do.” It's much more of an educational conversation.
EN: How are your sales divided between the buyers and the sellers, being sold to versus being purchased?
NW: When it comes to count of customers, it's around 80% inbound versus 20% outbound. When it comes to revenue, it's roughly reversed. We have a sales team that's hunting and they're going to hunt the biggest deals, the biggest brands, the companies that have the most traffic and generally, that's how we charge for usage. That's how it works.
EN: Most of those sales people when they reach out and they find a customer, were those customers sitting back and not really worrying about this until the sales people ping them, or were they in the process of looking and you just got them at the right time?
NW: Most commonly, they were sitting back. It goes back to that statistic that we discussed earlier. 10%, 20% of people have a solution. Yeah, maybe a small percentage above that are thinking about a solution, but this is mostly green space. This is mostly not being dealt with. It's so crazy to me. This is a marketing problem. It's an education problem. It's a really interesting one, because my call to action is obey the law, which is most companies don't have such a strong call to action as that.
EN: Reminds me of those companies that help you manage your sales tax problems across the US. Every state has different rules and doing it all is difficult and you have to do it. Every state has different privacy rules and you comply with these different models and having someone manage that for you makes sense. How do you monetize it? Is it a SaaS product?
NW: Yeah, it's a SaaS product. We're a freemium product. If you have a very small amount of website traffic, you can use us pretty much forever for free. If you have more traffic, you can kick the tires on us and we offer free trials, but we charge monthly or annually for this.
EN: I assume there's tiers of products that you said offering more and more services for higher and higher monthly fees?
NW: Yeah, that's right. It's traffic-based and it's also based on the number of other companies that you want to monitor. If you want to get alerts from five different companies, that's very different than if you want to get alerts and monitoring for a thousand different companies. On average, companies share data with 730 different companies, many more than they think. Yeah, it just all depends on what those two numbers are: traffic and vendors.
EN: The vendors is people that you work with. You're not monitoring competitors. You're monitoring vendors.
NW: You're monitoring – yes. You can do that. Generally, the first vendor that people monitor is themselves. If their privacy practices fall off a cliff, they want to know. The intent is to watch the people that you have a contract in place with.
EN: How do you acquire your customers? You have a sales team that goes and gets 20% and the 80% inbound. How are you getting those leads?
NW: Search has been very valuable for us. This is a space that people are trying to figure out. As a marketer, you want to get the right person at the right time. The nice thing about this space is people are asking Google about what they should do and what data privacy is. SEM or paid search is very important for us. SEO is very important for us as well. A nice thing about this business is we provide widgets to other websites and surprise, we can link back to ourselves through those widgets. We have a very nice backlink profile. By writing content that's relevant to our customers and our product, we can rank for it quite quickly, thanks to all that nice backlink juice.
EN: What is your split between paid and organic search, roughly?
NW: It's heavily weighted towards organic today. I would expect that that changes over time, but it's heavily weighted towards organic. That's thanks to us having just this inbuilt organic search engine.
EN: The reason why you're not doing more paid, is it – you're a SaaS business obviously, so you pay upfront and you get a revenue stream. Are you just constrained by capital in your growth, or is it constrained by ROI?
NW: It's a combination of both. We're investing pretty heavily, but also, I would say the biggest thing is we're constrained by capacity right now. We don't have enough marketing people here to really focus on ramping up SEM. We're hiring, but we don't have a dedicated paid search person today. It's just something that I do for my 5% or 10% time. If we had somebody to do a better job of matching up queries to copy to landing pages, all the basic stuff that you know and talk about, we would be ramping it up faster. It's growing, but it could be growing faster. That's one piece. The other is for the terms that we're already ranking one for, we generally don't also buy ads against. We don't want to compete with ourselves, so that's another piece.
EN: What other marketing activities are you guys doing to drive growth beyond search?
NW: Content in general is really big for us. I came from finance prior, as a financial technology company. I see a lot of parallels with content. If you look at most of the information that you'll find out there about data privacy, it's not interesting. It's not good. It's acronyms and it's jargon and it's wall-to-wall legalese. It's just really hard to read. When I came here, I wanted – I was very motivated to educate myself. It was hard, because the content all sucks so much. I think there's a huge opportunity for us to actually write stuff that's engaging and interesting, while also being needy and teaching people stuff.
EN: What's the value of that? You create that content. Is the value SEO? Is the value public relations? Is the value conversion? Is the value something to do with the enterprise business?
NW: It's all that stuff, plus social, e-mail, onboarding, retention. It powers a lot of different steps. We share it in a bunch of different ways. I guess, a more specific component of content is our data-driven stuff. We have these vendor monitoring scores, which is a lot of proprietary data that no one else has access to, which is really remarkable and really interesting. Something that I found is these scores tend to correlate a lot with people's security outcomes.
When I got here, I ranked all of our privacy scores. When I looked at the worst actors, or the people that had the poor scores, there a lot of them have been in the news lately for getting hacked, or some other type of data breach.
EN: Data breaches themselves don't factor into the score. Security and privacy, they're separate.
NW: Are separate. That's right. Turns out, these two things go together.
EN: Companies that are sloppy on privacy tend to be sloppy on security.
NW: That's right. I saw that via anecdote, then did the analysis to see that overall. Saw exactly what the correlation was. Turns out, yeah, not just that those moved together, but the severity of the breach moves together and we segmented that information by different industries and things like that, and produced a ton of content that's powered, yes, our blog, but also social and a ton of press. It's powered us syndicating that content to other websites. It's powered us doing a bunch of webinars and gathering folks that way. This is out and out marketing, where people don't ever interact with us and just use our self-serve platform. Also, it's lead gen for our sales team.
EN: How do you value that? You go and you put a bunch of effort into this analysis and a bunch of your time. Presumably, that's time that's going away from not spending more than 5% of your time on paid search. How do you know what the ROI is on all that effort?
NW: It's a good question. We do several things. First of all, we track all of the things for PR. We look at the hits that we get and the traffic that we get from that. When we get promoted on newsletters, we look at the traffic for that. There's a direct element. There's also an SEO element. If you put together content today and you get a certain number of backlinks today, you're going to get not just leads tomorrow, but leads tomorrow and the next day in perpetuity. There's some separate math there.
EN: Do you quantify that math?
NW: Yeah. The nice thing about being a startup is that people don't expect a ton of rigor. I come from larger companies that have a ton of rigor. It's pretty easy to do this stuff. People's buying journeys aren't that complicated, because there aren't that many marketing channels today. Also, the ones that we run tend to be the easiest to track. If we did TV and billboards, life would be harder.
Also, we aren't working with giant data. We get tens and hundreds of thousands of visits, but we aren't getting hundreds of thousands of customers every day. That can complicate things. The math is pretty straightforward and given that there's no framework around this stuff, there's a high tolerance for moving relatively quickly. I’m still very adamant that we measure all the things and rationalize everywhere that we focus. As a startup, you have to move quickly and where we focus is everything.
EN: Well, thank you so much for being on the show today, Nick. Before we go, can you talk a little bit about your Quake book?
NW: Sure. My Quake book would have to be something called Stumbling on Happiness by Dan Gilbert. Dan Gilbert is a psychologist at Harvard and he's written some textbooks, but he's really just written one popular psychology book and it's called Stumbling on Happiness and it's extremely good. It's a very entertaining read. He's a funny guy. The substance was very earth-shattering for me.
The main idea is our imaginations aren't that great. We don't know who we're going to become. We are good at imagining ourselves, our future selves. As a result, we don't know what that person will want. That means that today, we're sacrificing for that future person, but we're focused on the wrong things, and so we're delaying gratification and it might be entirely wasted. I woke up this morning and I got to work and I’m working, because I’m saving money and I’m developing a skill set. I think I want to retire at some point. I made all these decisions for what I think my future self will want.
The vast majority of the time, we don't really sit and very thoughtfully think about what that person does want. We just use our imaginations from time to time in an indeliberate way and using your imagination is not the right thing, because it's flawed. Dan Gilbert breaks all this down. He explains why we're all doing it wrong and he explains how to do it right, which is just find direction through analogy. Find people who are living that life that you want that are further along in their career, that are further along in their personal life and then work backwards to determine what you should do next.
EN: Thank you, Nick. Appreciate your time today.
NW: Thanks, Ed.