Rick Caccia was born and raised in Silicon Valley - and just stayed. He is married with 2 teenage daughters, one about to go to college. Between him and his wife, they have worked in 13 different startups - so you could say they have a startup family through and through. Outside of tech, he is a cyclist in a bike club, and enjoys spending time with his family.
After speaking with a number of security officers at companies, Rick realized the enterprise situation with AI - most companies are stuck, trying to figure out how to enable their employees to use new tooling, while still maintaining the level of security and control they have over data. Rick was asked to join a founding team to solve this problem.
This is the creation story of WitnessAI.
Sponsors: CacheFly, ClearQuery, Kiteworks
Links: https://witness.ai/ and https://www.linkedin.com/in/rcaccia/
We started this company thinking about the security of AI use in a way that most security startups also do, and we got it wrong. So we had to revisit and trade some things off. So we looked at this and said, oh, this is going to be like any other new type of security issue. You're going to have new types of attacks. AI-oriented attacks are going to be the big deal.
Let's figure out how to talk about those and prevent them. And then we went out and we talked to maybe a dozen CISOs. And the interesting thing was none of them cared. Nobody cared. They thought that was years away. And instead, they cared about much less sexy things.
My name is Rick Caccia. I'm the CEO of Witness AI.
This is CodeStory. A podcast bringing you interviews with tech visionaries. Six months moonlighting. Who share what it takes to change an industry. Who built the teams that have their back. Keeping scalability top of mind. All that infrastructure was a pain. Yes, we've been fighting it as a group. Total waste of time. The stories you don't read in the headlines. It's not an easy thing to achieve.
Took it off the shelf and dusted it off and tried it again. To ride the ups and downs of the startup life. You need to really want it. It's not just about technology. All this and more on CodeStory.
I'm your host, Noah Labhart, and today, how Rick Caccia is enabling safe and effective AI through security and governance for the enterprise.
This episode is sponsored by Kiteworks. Legacy managed file transfer tools lack proper security, putting sensitive data at risk. With Kiteworks MFT, companies can send automated or ad hoc files in a fully integrated, highly secure manner. The solution is FedRAMP moderate authorized by the Department of Defense and has been so since 2017. Step into the future of secure managed file transfer with Kiteworks. Visit Kiteworks.com to get started.
This episode is sponsored by ClearQuery. ClearQuery is the analytics for humans platform. With their full suite of features, you can go from data ingestion to automated insights seamlessly. With Ask ClearQuery, you can find valuable insights into your data using plain English. Don't miss the opportunity to simplify your data analytics with ClearQuery. Get started today at clearquery.io slash codestory.
Rick Caccia was born and raised in Silicon Valley and just stayed. He's married with two teenage daughters, one about to go to college. Between him and his wife, they have worked in 13 different startups. So you could say they have a startup family through and through.
Outside of tech, he's a cyclist in the bike club and enjoys spending time with his family. After speaking with a number of security officers at companies, Rick realized the enterprise situation with AI. Most companies are stuck trying to figure out how to enable their employees to use new tooling while still maintaining the level of security and control they have over data.
Rick was asked to join a founding team to solve this problem. This is the creation story of Witness AI.
The company is Witness AI. We enable companies to adopt AI safely and effectively. I've probably spoken with more than 100 CISOs, Chief Information Security Officers, in the past year, and I would say almost every company we've spoken with is in the same boat. The employees want to use all these cool new AI tools so they can be more effective.
And the security and privacy teams are worried about the risks. And most of these companies are stuck. They're trying to figure out how or if they should let employees use this stuff in a way that doesn't put the data at risk. Our software gives the user activity guardrails to ensure that people can use these cool new Gen AI tools in a safe way while also being productive. We're pretty early.
We're just in beta now with a bunch of Fortune 500 companies. We were incubated inside of a venture firm called Ballistic Ventures starting about a year and a half ago. I knew the Ballistic guys, known them for well over a decade. We were both acquired into a large company. We were in other startups a long time ago.
They asked me to come in and work with a CTO co-founder and figure out where this company should go, and we've done that. I guess the product, the way I would say, gives customers visibility. Where are my employees going relative to AI? What are they doing there? Should you care as a company? In my career, this is probably the first time I've never had to explain the problem to a potential buyer.
We just talk about risks around AI. They get it and they get right into how the product works and can they buy it.
Let's dive into the MVP. So tell me about that first version of Witness AI. How long did it take to build and what sort of tools were you using to bring it to life?
Once we had a clear idea of what we wanted to do, from that point to the first beta, proof of concepts, was about six months. It's built as a set of Kubernetes microservices. We stand them up as a new instance for each customer. When we talk about these guardrails that we have around user activity, they're really separate microservice-based AI policy engines.
So like one of them might look at your prompts in a chat window to detect jailbreaking. Another one might look at prompts to detect use of confidential data. We use a mix of standard technologies and we use a bunch of custom built stuff as well. All the AI engines are custom trained. We've also incorporated a lot of open source stuff.
I think AI is interesting because there's a lot of open source stuff available. There's new stuff popping up all the time. We've also been using some early stage platform technology from some other early companies and that may or may not work out for us over time. We're trying to sort that one out.
So let's stay on that MVP for a minute. Let's dive into maybe a decision or trade-off you had to make in building that first version, right? It could be around approach, feature cut or limitation, technical debt acceptance, all those things, right? Tell me about some of those you had to work through and how you coped with those decisions.
We started this company thinking about the security of AI use in a way that most security startups also do, and we got it wrong. So we had to revisit and trade some things off. So we looked at this and said, oh, this is going to be like any other new type of security issue. You're going to have new types of attacks. AI-oriented attacks are going to be the big deal.
Let's figure out how to talk about those and prevent them. And then we went out and we talked to maybe a dozen CISOs. And the interesting thing was none of them cared. Nobody cared. They thought that was years away, and instead, they cared about much less sexy things like visibility. Like, I don't care about some crazy new attack.
I care about just seeing, are my employees using some new LLM-driven chatbot that happens to be hosting data in China? How do I enforce acceptable use? We ended up having to make decisions to trade off the kind of whizzy, sexy security features for things that are much less whizzy, like visibility and policy enforcement. And when we made that trade off, the results were just crazy.
We went from not being able to get a single design partner, early customer, to getting 25 design partners in a month after we changed that decision and saying we're going to trade off the sort of sexy security stuff for the boring visibility, compliance, governance stuff. And the uptake was just amazing. It was like we flipped a switch.
This episode is sponsored by Kiteworks. Legacy managed file transfer tools are dated and lack the security that today's remote workforce demands. Companies that continue relying on outdated technology put their sensitive data at risk. And that's where Kiteworks comes in. Kiteworks MFT is absolutely the most secure MFT on the market today.
It has been FedRAMP moderate authorized by the Department of Defense since 2017. Through FedRAMP, Kiteworks' level of security compliance provides a fast route to CMMC compliance, saving customers time, effort, and money. Kiteworks MFT makes it easy for users to send automated or ad hoc files via fully integrated shared folders and email.
Administrators can manage policies in a unified console and create custom integrations using their API. Did we mention it's secure? The level of security with the Kiteworks solution is rare to find. Step into the future of secure managed file transfer with Kiteworks. Visit Kiteworks.com to get started. That's K-I-T-E-W-O-R-K-S dot com.
This episode is sponsored by CacheFly. The web is a competitive place, and if your site delivers its content pixelated, slow, or not at all, well, then you lose. But that's where CacheFly comes in. CacheFly delivers rich media content up to 159% faster than other major CDNs. Through ultra-low latency streaming, lightning-fast gaming, and optimized mobile content, the company offers a variety of benefits.
For over 20 years, CacheFly has held a track record for high-performing, ultra-reliable content delivery. While competitors call themselves fast or use cute animal names, only CacheFly holds the record of being the fastest and serves customers like Adobe, the NFL, or Roblox, where content is created by users and must be delivered in real time.
For the first time ever, CodeStory listeners can get a 5TB CDN for free. Yep, you heard that right. Free. Learn more at cachefly.com slash codestory. That's C-A-C-H-E-F-L-Y dot com slash codestory.
Okay, so then you've got your MVP, it's working, you're getting some traction. Tell me about how you have progressed and matured the product.
I know it's early, but there's still a process that you have to go through in figuring out, okay, this is the next most important thing to build or to address with Witness AI, you know, around roadmap and things like that. So tell me about how you go about it.
With enterprise products, you have this interesting combo, right? You're rolling out some sort of platform that has to run inside some large company. So first off, you have a combination of speed and scale of the platform itself. Will this thing work at a fast enough speed that they'll actually deploy it? Then you have this set of enterprise use features.
Then you have a set of features that are your actual differentiated features. And so for version one, for MVP, you have to get some level of all three of those working at once. And we're actually at that point now. And so we're maturing each of those different pieces at different rates now that the basics are there. So enterprise features might be things like, does it work with Active Directory?
Does it work with Okta or whatever single sign-on they use? And you either have that or you don't. And if you don't, no company is going to deploy this. So you have to get that there. That's part of the MVP. Then speed and scale are things like how much latency do you add? How do you get that to an acceptable level? What happens when the employee user count goes from 10 to 100 to 1,000 to 10,000?
And if the product is too slow, then they view it as being broken. You also don't get deployed. And so then when those two things are working, then you also have to have the features that are why people looked at the product in the first place. They don't buy a generic product that works fast. They buy a product that does something for them.
We've had to make sure that trio of platform speed and scale, enterprise features, and then the differentiated capabilities around AI guardrails are all there. We're at that level now, and now we're going to make sure that as we go from 100 users to 1,000 users, the latency doesn't drop.
Make sure that all the cool new things that the engineers have wanted to do around AI classification and risk analysis, all those things are coming. But first, we had to get those basic things there. I couldn't build a product that didn't have any single sign-on or way to protect user activity. That had to be there. And that's part of the MVP.
I'm curious about team, right? You know this intimately after going through so many startups in your career, how important team is, right? So how did you build that team and what are you looking for in those people to indicate they're the winning horses to join you?
You think of people, product, market, right? Do you have the right people? Things are going to change. Can the people adjust when things change? Are you in a big enough market that it's worth doing? And then are you building a product that is different enough that it's going to win?
From the people side, we really jump-started with a set of engineers that our CTO, co-founder, had worked with previously. And that's usually how it goes, right? You can't start on day one with total strangers. It never goes that way. You always start with people you know. Our software combines AI analytics, security, and kind of high-scale web services operations.
So we needed people with skills across all of those areas. So we looked at the team, we said, we need someone who has depth in AI or depth in security or depth in building sort of high volume web services. You're never going to find someone who has all three, but you're looking for someone who has depth in one and aptitude in learning the others.
The AI person may say, I'm going to build this new analytics engine, but I know it has to work at this level from the platform side or else I'll never get deployed. Second, we went remote from day one. And right now at about 25 people, it's manageable. It'll remain to be seen if that still works at 100 people, but it's working so far.
We have an amazing team in Cairo, actually in Egypt, that have worked together and worked with our CTO before. Super, super smart team. And they happen to work off cycle relative to our time zone here in the U.S. So we end up getting round the clock development as a company.
So those are the kind of things we looked for, like people with strong depth in one of three areas, aptitude and willingness to learn about the others, the other areas. And then we got lucky that it so happens that these teams are on different time zones so we can work 24 by 7.
Hello? Welcome to the Data Analytics Club. Do you know the password? No, didn't know there was one. Do you know how to code? Uh, no. Do you know how to query data? Like, ask a question? I guess not. Hmm, I see. Then you can't be in this club. Sorry. Goodbye. Don't be left out of the analytics club. ClearQuery is the analytics for humans platform.
With their full suite of features, you can go from data ingestion to automated insights seamlessly. ClearQuery provides you with the information you need without requiring you to do the heavy lifting. Their Ask ClearQuery feature allows you to ask questions in plain English, helping you find relationships and connections in your data that may have previously gone unnoticed.
You can even visualize your data with presentation mode, taking your data storytelling to the next level. Pricing is based on storage, not licenses, and that ensures that you get the most bang for your buck. Don't miss the opportunity to simplify data analytics, your data analytics, with ClearQuery. Get started today at clearquery.io slash codestory.
I'm curious about scalability. Was this built to scale from day one or with scale in mind? Or are there interesting areas where you've had to fight it as you've grown?
We put a lot of effort early into go-to-market, how we structure sales, how we're going to do pricing, all the underlying marketing operations. Because what tends to happen a lot of times with these enterprise startups is you get a bunch of early traction, you bring on a bunch of sales reps, and then the thing hits a wall somewhere around $10 or $15 million of sales and about 150 employees.
We wanted to make sure it didn't happen here. We built the pipeline of sales reps, sales engineers, marketing demand generation. We've got the marketing systems built out early. And the notion being that the engineering side probably won't hit that scale wall for a long time, but you tend to hit that scale wall in go-to-market. Let's prepare for that early.
All of the sales and marketing folks are people I've worked with before. Everyone's been through. Companies exploded, took off, and then hit a wall. So we've talked a lot about how do we put things in not to hit that here, and we think we've done a good job of it.
So as you step out on the balcony, in particular, or when it comes to Witness AI, when you step out on the balcony, look across all that you've built thus far, what are you most proud of?
If I'm being honest, it's still early enough that I'm mostly more paranoid than proud. I would say with startups, results matter. I think this is the thing that sometimes doesn't come along when you read all these stories about startups that did well. People want their work to matter. And the measure of that, like it or not, is company value.
So you don't really want to come along and grind away for one, two, three, four, five years and then have the company go nowhere. We have a message that works like 95% of the time we talk to a new prospect. It didn't respond positively. We have a team that works really hard, gets a lot done. The valuation was high on the round. The pipeline is much larger than I expected it to be.
So I feel like from a results standpoint, I could stand up in front of the company and say, the stuff you're doing, you know it matters, you care about it, but we're delivering the things that show that there's value in the company. And that's a good way to tell in the early days with a startup, does it matter or not?
If you're going to join a 20, 30, 40-year-old, $100 billion company, it's harder to see that in your day-to-day job. With a startup, you can see it month to month and quarter to quarter as you see the revenue grow and you see the customer side grow in a way that you notice. And I think that's something that I'm being paranoid about, but I'm proud of how it's gone so far.
Okay, let's flip the script a little bit, Rick. Tell me about a mistake you made and how you and your team responded to it.
For me, the biggest challenge as a new CEO, this is my first CEO role, is now I have engineering under me. And there have been a couple of times where I did not trust my gut. I went along with either a hiring or a technology decision that maybe seemed to have a little bit of hair on it. And the results down the road caused more friction for the team than those guys deserved.
And we had to dig out from them. Some of the engineers had to put in some really long hours to work around some of these decisions that didn't work out. I think for me, I feel very comfortable with sales and marketing decisions. I've got 30 years of work there. I've got a lot of time in product management, so I'm comfortable with product management decisions, much less so on the engineering side.
And so I've made some mistakes there in terms of going along with something that maybe didn't sound right and then didn't work out, and I wish I'd pushed back a little harder. I think it's a hard one because you come up through one side of your career and then you feel like you need to defer to leaders in the other areas.
I'm not sure that's any different from a technical person who's a new CEO who might make some decisions they regret around sales or marketing. You make decisions without the experience you'd like to have in that area. I've definitely made some of those. And the result, unfortunately, is some of the engineers have had to grind it out to get around those to help us dig out.
Okay, well, this will be fun.
Tell me what the future looks like for Witness AI, the product and for your team. I know it's early days. So what is the vision? Cast it out there.
So the team is easy. I'm on the tech side. We need to build out those AI platform and security groups I talked about. That's really straightforward. Like we have a bunch of roles and we'll build out under the leaders there. Go to market. We have to build out and are building out a US national set of sales reps. Then we expand internationally.
In parallel, we're building out a partner organization to get leverage. And that's both resellers, system integrators, technology partners, domestically and internationally. All that has to be done. It's part of the future. It's not super crazy and interesting. It's just what you do as you grow.
From the product, today, we're working on providing fast, effective user activity guardrails for generative AI use in companies. And we have a lot of work to make that happen, but it's after that where it also starts to get really interesting because gen AI is the new sexy stuff, but it's not the only stuff around AI.
And so after that, we have all this company organizational use of AI that is not the conversational chatbot stuff we see today. It's embedded AI in predictive applications, predictive analytics, workflow processes, all this stuff that you never see. But we need to build a way to provide guardrails around that, too.
As my co-founder, our CTO, says, once these things start getting these AI engines start to get connected to each other via APIs, they're not just going to give you answers. They're going to go take actions on their own. And from a security perspective, it's going to be robots fighting robots, as he says.
And we actually see a way to provide guardrails around robots fighting robots to the second wave of kind of the future for us and where it gets really interesting with some of the technology we're working on today.
Let's switch to you, Rick. Who influences the way that you work? Name a person or many persons or something you look up to and why.
I've worked in small companies that have grown, kind of late stage privates, and then have been acquired into some really great public companies. But I would say I've been fortunate to work for probably two of the best leaders that I've ever seen. One is a guy named Prakash. He is now the chief product officer at Freshworks. It's a publicly held company in the CRM space.
I was lucky to work for him long ago, like 20 years ago when he wasn't at the chief product officer level, worked for him at a company called Oblix, which is an identity management late-stage startup, was acquired by Oracle. I worked for him again when we got acquired by Oracle. Most productive product guy I've ever seen.
Unbelievably savvy, able to manage, getting things done with keeping the good spirit and was just unbelievable in how he could make things happen and how effective it was in getting things done. And so when I walk into a sticky situation, I think about how would Prakash do this? How did I see him do it? And I try and pick that up.
The other person I worked for that really had a huge impression on me was a gentleman named Tom Reilly. He was the CEO at ArcSight when I was there. I joined when it was private. We took it public in 2008. Tom was the CEO there. Later, he was the CEO at Cloudera, a big data Hadoop company. Tom was probably one of the best culture-oriented, high emotional quotient leaders I've ever seen.
The Valley is filled with high IQ guys. Tom also had super high EQ, just an amazing people-oriented leader and culture-oriented leader. And I struggle with that myself because I tend to be very focused on let's get the results. How do we get the results? I don't think enough about how the feelings of people, how that may be sort of absorbed.
When you're focused on results and less attuned to feelings and you suddenly have CEO authority, I've learned you have to be much more careful on how you communicate, but I'm working on that. And I loved working for both Tom and Prakash, and I've tried to absorb those strengths they have in being effective and building a great culture as we take Witness AI from small to large company.
Rick, last question. So you're getting on a plane, and you're sitting next to a young entrepreneur who's built the next big thing. They're jazzed about it, but can't wait to show it off to the world, and can't wait to show it off to you right there on the plane. What advice do you give that person, having gone down this road a bit many, many times?
Here's the interesting thing. I would say most of the time, and I've talked to a lot of young entrepreneurs, young new CEOs, and both as an advisor or potentially an exec on their team. And I would say, given that most of them seem to be engineers or have come up through a technical background, my advice would be take sales and marketing seriously.
It's pretty rare that the build it and customers will come works. So that means at some point, if you have any success, sales and marketing will be the fuel to take that success forward. And if you don't take it seriously, it doesn't mean it's going to solve itself. It means that the founder CEO, that young entrepreneur, isn't going to understand when they're being told BS or not.
They're not going to know when their sales leader is BSing them. They're not going to know when their marketing leader is BSing them. I would say learn about it, take it seriously so you can judge it, whether it's working. And Noah, before I took this CEO role here as a founder CEO at Witness AI, I got a lot of calls from headhunters for chief marketing officer roles.
other career, my main career, primary career. And for the past two years, those calls all seem to be some version of a mid-stage couple hundred employee private company that had stalled. And every time I'd talk to the entrepreneur, founder, CEO, they needed to restart marketing. They were usually technical guys who didn't really take marketing seriously.
They couldn't figure out why sales was struggling, why they didn't have pipeline, and why things had flatlined. Some signs pop up when this is happening. You get an entrepreneur CEO who thinks like the marketing people only make T-shirts or it's all about PR or the sales guys. They're just coin operated guys. They don't know anything. That's not how it works.
So I would say my advice if I were sitting on that plane would be if you've come up through the development side and you are fortunate to get funding and you have a hot technical company, take sales and marketing as seriously as you take development. And all of it can have metrics and can be managed in the same way you manage building code.
And if your sales and marketing leaders don't give you those metrics, then something's wrong and dig in there early.
That's fantastic advice. Well, Rick, thank you for being on the show today. And thank you for telling the creation story of Witness AI.
Thanks, Noah. It's a pleasure to be here.
And this concludes another chapter of Code Story. Code Story is hosted and produced by Noah Labhart. Be sure to subscribe on Apple Podcasts, Spotify, or the podcasting app of your choice.
And when you get a chance, leave us a review. Both things help us out tremendously. And thanks again for listening.