In today’s episode of the Brains Byte Back podcast, we speak with Mike DeKock, the founder and CEO of MJD Compliance, a boutique, tech-forward CPA firm specializing in providing SOC 2 examinations for technology companies worldwide.
Mike starts the interview by explaining that MJD Advisors is not your traditional CPA firm that focuses on financial audits but instead assists in information security compliance. He then describes how he discovered a passion for certain aspects of his career as a financial statement auditor.
He goes on to add that internal control-focused auditing for SOC 2 was beginning to grow in an industry that isn’t known for being tech-savvy, and that he identified an underserved area requiring specialized support for growing tech businesses.
Mike explains that he witnessed early on a community of small companies with big ideas looking to specialize in the world of tech. Now, the tools exist for them to scale those opportunities with stronger security practices. He gives an example of how he guides his clients by shifting attention to growing the company to where they want to be in a world where compliance can sometimes be seen as a burden.
Following this, Mike explains how he helps his clients with the cybersecurity measures they have in place, and how compliance requirements are relatively simple but written in a way that can be difficult to understand.
Finally, he shares a unique question he likes to ask new members of his team as an icebreaker that helps identify and support their strengths early on.
You can listen to the episode below, or on Spotify, Anchor, Apple Podcasts, Breaker, Google Podcasts, Stitcher, Overcast, Listen Notes, PodBean, and Radio Public.
Alternatively, you can find the transcript below:
Erick Espinosa: Mike, I want to start off by thanking you for joining us on this week’s episode of Brains Byte Back. I’m just going to jump right into it. I wanted to ask you if you’re to meet somebody, and you’re describing what your company does, MJD, what are you guys doing exactly? Are you helping people in the startup and tech world?
Mike DeKock: Ah, yeah, one, thank you for having me on. I’m excited to have the conversation and talk to you. So MJD, we’re a CPA firm. And I mean, we’re an audit and compliance company. We help clients with a service called SOC 2, which is kind of our primary product, which is providing an audit of their security practices, for lack of a better term.
Erick Espinosa: Okay, and you guys are not a typical CPA firm. You guys focus more on that side compared… because typically a CPA firm, most people would relate that to accounting. But you guys do things a little bit differently, right?
Mike DeKock: We don’t do any taxes. We don’t do any accounting work. We don’t do any financial statement work. We’re specific to IT audits. Really, cloud SaaS is who we work with. But to provide that service, to provide the ultimate report, you have to be a CPA firm. And that was my background. So that’s how we had to operate. But certainly not your traditional CPA, that’s for sure.
Erick Espinosa: How did you start the company? What gave you the idea? I imagine you realized there was a niche in the market for this.
Mike DeKock: So I’ve been a career CPA and actually started as a traditional CPA as a financial statement auditor. But really, what I always enjoyed was process improvement and working on teams so I can help my clients. The financial aspects and the accounting were never all that exciting to me. So when this opportunity I started to see around SOC 2, where there’s this internal control audit. It immediately spoke to me in terms of like, one, this is very technology-focused engagement, which CPAs aren’t exactly known for their technological prowess. Which was something I was always really good at. And then, obviously, there just weren’t very many people doing it. And so it kind of small pond, sort of opportunity. And then also like to really get the magic and be able to help these clients in a very complex technical role, you needed to specialize. You needed to be boutique. And so that was kind of the idea behind the firm was basically the products and the technology that they obsess over. We want to do that the same way with the audit side.
Erick Espinosa: I’m sure you’d agree in the last few years, there’s obviously been this big boom, when it comes to emerging tech. We’re seeing AI and spatial computing; these are terms that are becoming mainstream and the products themselves are becoming mainstream. Because we’re finding them in people’s homes and at work. As a result, we’re seeing these people step into the market, like startups and entrepreneurs. How are you guiding these entrepreneurs that are looking to find some success in this market?
Mike DeKock: Well, it was one of the things that my eyes were really opened to. As I started to get interested and get involved in the service about six years ago, where it felt like there was this community of all these small companies with one big idea to do one very, very specific thing really, really well. And now the technology is able to scale those sorts of opportunities in a way that it wasn’t. And so, to be able to unlock the service, the greatness that that kind of like specific problem solving, enables, you need to have good security practices. You need to be able to prove that what you’re doing on a day-to-day basis meets the needs of a much larger company. And so the opportunity to get to interact with that growing community has been really exciting. It’s one of the things we really enjoy the most.
Erick Espinosa: What’s the reaction been? With most of the clients that you’re working with. They reach out to you, right? And they need this kind of help.
Mike DeKock: So what usually happens is you have a start-up with an opportunity with a larger enterprise. Probably the biggest opportunity they’ve ever had. And it’s ready to close, but they’ve said we need you to get your SOC 2 report. So they’re engaged, they’re motivated, they’ve already made this decision before they’ve come to talk to me. I don’t need to sell them on SOC 2. But what they’re also expecting is this compliance burden. This bureaucracy that’s going to slow them down. That it’s going to mess up their operations. It’s going to change all the things that they do to meet these audit requirements. And so the bar is really low for me. One, which is nice. But also, if you can craft it in a way where I mean, most of these clients we work with, they all care very deeply about security. It’s really helping them write down what it is they’re doing, and formalize all those best intents into actual best practices. And so when you kind of frame it in that way of where it’s like, we want to help you become the company you want to be. As opposed to slow you down with, you know, bureaucracy and controls that don’t make sense. That gets exciting. People tend to get on board and embrace that. And I spend most of my time convincing people that it’s possible.
Erick Espinosa: I noticed that you guys mentioned that you also work towards mitigating risks. Adding that extra security measure and looking at compliance measures is part of the process. What makes it kind of different in comparison to, let’s say, if somebody reaches out to an insurance company and refers to themselves as a risk specialist? What do you guys do differently?
Mike DeKock: So a component of SOC 2 is you have to conduct a risk assessment. And often I’ll talk to clients, they’ll say, We’ve never done that before. And they talk about what you’re describing. Like that big formal written go down through NIST controls, quality, and criteria. It’s like, okay, so you haven’t done that before. And that probably doesn’t make sense for a ten-person company that has all their tech and a world-leading cloud provider. And it’s using all these incredible tools and hires very highly experienced engineers. You don’t need to go soup to nuts on that. But you’re smart people, you’re engaged, you have different processes and systems to evaluate the decisions you’re making. And so let’s understand how you’re doing that. And you start to have conversations about, okay, why did you pick AWS for your cloud? And you get into in-depth types of things. They thought about the decisions they’ve made, it’s like, okay, you just did a risk assessment. Write that down. It’s helping enable, like, you’ve actually done all of these big things you read about at larger companies. It’s like helping you channel those things that you worry about, and that you think about, write some things down that you want to work on other decisions. We don’t need to think about that right now. We’re not at a company that size, at that scale. And then just being able to make decisions and be proactive about those things that keep you up at night, as the phrase goes.
Erick Espinosa: I’m sure you hear a lot about cybersecurity being a big concern going into 2024. There’s a lot more discussion about it because there are numbers related to last year in terms of how many organizations have suffered a cybersecurity attack. Smaller companies tend to be more vulnerable. Do you see a lot more people reaching out to you with that in mind? That’s the main thing that they want to focus on. You know, cybersecurity measures?
Mike DeKock: We help companies prove that they have implemented those cybersecurity measures, and helping them design those controls and protocols, and then prove them up upstream. And I think the risks that you’re talking about in terms of like risks to the company, often end up being the sorts of I mean… your people is your biggest risk. How do you enable those individuals, right? You get insecure. It’s through your education. Understanding what these things mean. Why you’re allowed to do certain things and not allowed to do other things. It’s how to help and empowering them so you don’t feel helpless. You don’t feel like you can’t do anything because you’re operating under this control regime. But also understanding how to make good decisions, like where you need approvals for things and acting as a unit tends to be our biggest focus.
Erick Espinosa: And what do you think is the future of MJD down the line? How do you picture yourself growing your company?
Mike DeKock: Where we’ve been most successful is being boutique. Being focused. Being niche. The problems we’re solving are very specific to a population of people that need that solution. We’re going to branch out. We’re going to broaden into other services, but that’s always going to be at the heart of the firm. We’re not going to get into taxes. We’re not going to get into financial reporting. It’s going to be what’s complementary. But that also we can be celebrated for and it’s not something we’re just trying to pick up on the fly. So right now, something I’m looking at is AI audits. And being able to demonstrate that your AI models are unbiased and how those are processing information. I mean audits have been around since commerce. So being able to operate on the front end and use the tech to make us great to end up being able to consult around the service is where I want to be. That is where I want us to be.
Erick Espinosa: That’s a very creative, forward-thinking approach, obviously, to something that’s a little bit older. I guess it’s like a new style of doing something, right?
Mike DeKock: It has been just an interesting last few years as to embracing that. Almost from previous audit roles and what I see from the traditional auditor, the software has got the amazing ability to do all these awesome things, and nobody noticed. And that, like many of the processes I used to have and operate with, it was all just digitizing the paper. It wasn’t actually using the technology in your role. And that’s what we’ve really unlocked. When you build yourself around the technology, not rely on the technology and focus on, ok this is green, I’m done, this is red, I’m done. Like a manufacturing line approach, but where you’re able to enable you to kind of conduct, keep the simple things simple and not have to worry about all the paper pushing that comes along with it, and then provide value and guidance, kind of wrapped around an audit has been really successful.
Erick Espinosa: I imagine the people on your team play big roles in the direction of the company. When I came across your website, I saw something pretty interesting in terms of a blog referencing Marvel characters and their superpowers. What would you say is your key superpower in the way that you guide your team and your company?
Mike DeKock: It’s a really good question. Superheroes are big. We do a thing when someone’s on their first day, we go around Zoom, and everybody has to share: What’s your superpower? What makes you special? It’s like a really cool kind of fun way we’ve had to introduce the team. And what I will always share is... I have a fresh perspective on everything, including my own ideas. And so I’m often insulting of my own ideas a month later. Where it’s like, yeah, I thought you’d like that, like, Yeah, I know, I don’t anymore. But it’s really allowed me to take that fresh look, that fresh lens at what we’re doing practical pragmatic for solving the end solution in the end objective and understanding being able to digest… the compliance requirements, and even like the legal aspects are all relatively simple. But they’re written in a way that’s very, very complex and hard to break down. And it’s just a ton of information to be able to process. And so that’s what I’ve always been really good at is also taking that and simplifying it in a way where again, people understand this can be very approachable. When it’s given to you in pieces instead of here’s 100 pages to go read.
Erick Espinosa: I would argue that for some companies, it would be hard to keep up with compliance and regulations that are constantly being updated and changed right now, as well as government policy regarding the privacy of your data. These are things that are still kind of developing, but we’re still trying to learn how to navigate through, right?
Mike DeKock: It’s absolutely and you don’t know, you don’t know where to start, you don’t know where to end. And sometimes it’s just who is the right person to answer this question, to confirm what I’m thinking. And often, I’ll say the most value I can be to my clients; sometimes, it’s just thumbs up, thumbs down. That way, they’re not thinking about what is the auditor going to say? Or is this what this means and just having someone else there to validate? Yeah, it can be very overwhelming really easily if you don’t have those resources.
Erick Espinosa: Exactly. Mike, if somebody out there is interested in getting in touch with you to learn more, how could they reach you?
Mike DeKock: Well, they can certainly connect with me through LinkedIn. Our website, www.mjd.cpa, has all the contact information and details there. And I do look for my LinkedIn DM. So, if anybody wants to reach out, I’m happy to talk. Amazing credit.
Erick Espinosa: Congratulations, Mike. Thanks for joining us today. It’s great to see companies like yours guiding these entrepreneurs of the future who are creating the products of tomorrow.
Mike DeKock: It’s been a fun couple of years, that’s for sure. It was great to talk. I appreciate the time. Absolutely.
Disclosure: This article mentions a client of an Espacio portfolio company.