A few weeks ago, we had the pleasure of introducing Stas Bojoukha to members of our community at our Winter Happy Hour. As a former CISO with decades of experience in the information security space, Stas has just the credentials you would hope for in a founder looking to make waves in the notoriously crowded and complex cybersecurity space.
Compyl is a groundbreaking Governance, Risk, and Compliance (GRC) platform that enables automated, continuous monitoring of security threats through a single pane of glass. Mr. Bojoukha was kind enough to sit down with Somak for an interview about his career journey, the impetus for starting Compyl, the playful side of hacking, and the challenges of starting a company in the heat of the pandemic.
Listen to the interview here, or read an abridged version below.
Somak Chattopadhyay: To start, Stas, we'd love to learn more about your background, your life journey, and what ultimately led you to start Compyl.
Stas Bojoukha: I was born in Klaipeda, Lithuania, when it was still the USSR. My parents immigrated to Canada in 1991. I've always been tinkering with computers ever since I could get my hands on them, and I ended up going to a technical high school, which was a great thing for me in Toronto. By the time I was in grade 12, I was actually working for the school, just building up their networks. And so I was actually an employee of the Toronto District School Board while I was still in school.
SC: Growing up as an immigrant, did you come across other entrepreneurs? What specifically got you interested in starting a company yourself? Did you have any inspiration from anyone around you?
SB: My dad is a serial entrepreneur, but not in the glamorous way. My dad, when he immigrated to Toronto, drove vans, airport shuttles, ran a hot dog stand, and then wound up having a pawn shop for 21 years. And now he's a plumber, so just watching him through all of these different ventures. Me personally, I've just always had a desire to excel, and I thought there was really a need specifically in the security and compliance space, where the products that were on the market at the time (and still are) are just not good enough. They're not embracing technology, they're too difficult to use, and I, as someone that's been an operator of those platforms, who’s really struggled with them, I knew where the need was.
SC: Can you talk about what it was like taking the plunge of starting a startup in the middle of the pandemic? And what gave you the confidence to say, ‘Hey, there's something here that has real product market fit, and I'm going to invest time and resources and raise capital?’
SB: I started Compyl in 2020. And the reason for it was, as a CISO I kept running up against the same thing. We had relatively large teams in the security space. It was really hard to manage everyone's time and all their tasks, and to understand where we stood from a regulatory and compliance perspective. You were constantly being asked by the C suite, What's our risk landscape look like? What are our risk thresholds? Are we exceeding them? Are we below them? It's really hard to answer these questions, and it was always just a finger in the air. So that's where Compyl came out of: the idea of bringing all of this data together that normally isn't interconnected, connecting it, and then putting tasks and workflows and dashboards over top of it.
So I was confident that it was going to work, and the other confidence boost that I got came from one of our very first customers, one of the early adopters of the platform. I had put together something resembling Compyl while working for them years prior, which finally fell over about six years after I left. (I'm not a developer, I'm an engineer, those are two very different things.) But they did come back to me and it worked out really well in the sense that it had fallen over, they were highly regulated, they needed something similar, and nothing else on the market existed.
So we built out something for them and they're still our customer now. So it helps that I'm in this space. I know it intimately and I'm confident that Compyl is going to work because there's definitely a gap in the market for it.
SC: Building on the theme of the cybersecurity needs that you saw as a CISO yourself, can you talk about how the cybersecurity space itself has evolved in the 10-plus, 15 years or so that you've been in the space? And specifically, why is a solution like what Compyl offers so necessary in today’s age?
SB: Security was always an afterthought for most organizations, where now it's really become at the forefront of a lot of businesses, with CISOs now being included on boards. Over the past 10 years, we've seen a shift to cloud first, and I think that's enabled a lot of businesses to operate and also compete in spaces where they normally wouldn't be able to. Yet the security platforms are still very clunky, still very hard to use.
And I think what you're seeing is, although there's a lot of really fancy security technology out in the market, when you're seeing breaches on a daily basis, they're not sophisticated attacks. They're very basic, fundamental holes that people forget to maintain. Phishing, not patching servers, leaving misconfigurations on cloud environments. They're not sophisticated attacks. They're just looking for very basic vulnerabilities.
You can have all the best tools in the world, but if they're not interconnected, and if you don't make it easy for people to understand what's going on with them, we’ll continue seeing the same things over and over.
SC: Could you also talk about your process on the team-building side? Having worked in both larger and smaller teams, what have been some of the lessons learned about team-building at each stage of the business, from first starting to commercialize to finding initial PMF to fundraising?
SB: The very first hires that we made were for customer success to help us manage the customers that we did have, and we were confident in those roles because we had the skill set ourselves internally between my cofounder Simon (Shaddock) and I to actually be able to train up the employees. Conversely, one big challenge area for us was hiring in areas like sales and marketing, since we didn’t have those skillsets and didn’t know what we were looking for in terms of what ‘good’ looked like.
Hiring one really good person is equivalent to hiring five other people. So it's really important, especially at this early stage of the startup. I can honestly say that there are a handful of people whom we hired that if we hadn’t hired them at the exact time that we did, we would have been screwed.
SC: Can you talk about how you've been able to not just attract talent, but retain talent amid the layoffs and downturns affecting the tech world? How have you been able to keep a high performance culture and keep people jazzed about doing what they do and also accountable?
SB: So I'm always very open and transparent with everybody. We work in a space that should be very transparent and ethical first. So doing the same thing with our employees, I think, is important. That means telling them where we are at as an organization. Where we're going. Sharing with them the mission and the vision. Getting them to buy into it. Our employees know what we're trying to do. And they want to be a part of it.
Being more of a friend than a boss a lot of the time, especially since you're working with them so closely, I think is really important. And I think if you're genuine, and you show them that you’re listening, you’re working through the problems that arise, I think that goes a really long way. Whereas, I know a lot of other startup founders that I've talked to where everything is sugarcoated, everything's completely fine, and everyone's kept in the dark, and then all of a sudden they do layoffs, or there's a huge amount of attrition for whatever reason, or something comes out in the press. We're just trying to be above all that.
SC: Can you talk about some of the ways in which AI is transforming cybersecurity today and how you're taking advantage of some of those tailwinds?
SB: Some elements of AI have already been in this space for a long time, like pattern recognition and anomaly detection. If you look at hedge funds, this is essentially what they've been doing for decades now. But I think a huge growth area moving forward will be in speeding up processes that are generally very difficult to complete. I'll give you an example. If an incident occurs in the organization, just being able to type out roughly what the incident was, and then having AI generate out the description, possible outcomes, doing the root cause analysis, creating BCP plans, playbooks off the back of that, etc. All that is possible because the AI already knows what the organization does, what they operate, what type of data they have, and their tech stack.
Same thing with risk mitigation plans, reporting, dashboarding, trending data over time. For example, ‘Show me all of the risks that have occurred over the past couple quarters broken down by department.’ These are all really useful things that AI can help with. It’s happened multiple times when we’re showing the platform to new customers, they say ‘This is the first time we've actually seen a practical use of AI, besides the ChatGPT stuff.’
SC: Last question. Having been a systems administrator myself back in the day, I’m wondering if you were ever a prankster?
SB: For sure, yeah. We had remote control access over pretty much everyone. So just being able to control people's mice, launch webpages remotely, or do a netstat command so that it would basically prompt you every single second…annoying things like that, but nothing too egregious. But the whole reason why I got into this space is because at the time, the Internet was a thing, but it was still very slow, and we had access to computers, but we didn't have access to a lot of software, so we'd just tinker with things, trying to make things faster or better, or overclocking things, or trying to hack the software that we had, or get a leg up in video games. Things like that, and honestly, that's the best way to learn, still.