Episode 405 | Minimum Viable Security, Moving on from AuditShark, and More Listener Questions

Show Notes

In this episode of Startups For The Rest Of Us, Rob and Mike answer a number of listener questions on topics including Mike’s thoughts on moving on from AuditShark, minimum viable security, and more.

Items mentioned in this episode:

Transcript

Rob: In this episode of Startups For The Rest Of Us, Mike and I talk about minimum viable security, moving on from AuditShark and answering more of our listener questions. This is Startups For The Rest Of Us episode 405.

Welcome to Startups For The Rest Of Us, the podcast that helps developers, designers, and entrepreneurs be awesome at building, launching, and growing software products, whether you’ve built your first product or you’re just thinking about it. I’m Rob.

Mike: And I’m officially the answer to the ultimate question of life, the universe, and everything.

Rob: 42.

Mike: Yes.

Rob: Did you just turn 42?

Mike: Yup.

Rob: Congratulations man. Happy birthday!

Mike: Yeah, I finally made it. It’s like my kids. I keep telling them, “Oh if only you make it to 10, or 11, or 12.”

Rob: You finally made it to the end. I can’t believe I didn’t even think about that when I was 42. Ooh, people get to guess now how old I am. It’s fun.

Mike: I know. Oh you’re screwing up the intro.

Rob: And we’re here to share our experiences to help you avoid the same mistakes that we’ve made. Where are we this week sir aside from happy birthday wishes to you?

Mike: Well, I was in The Indie Hackers podcast, I think about a week and a half ago. That was with Courtland Allen. I was also on the Release Notes podcast with Charles Perry. There are actually two episodes to that. They split it up into part one and part two. I think that part two will be live by the time this episode goes out. Both were a lot of fun. I’ve got a lot of feedback from both The Indie Hackers podcast through The Indie Hackers forum and then over Twitter. It was nice to see the stuff I was talking about was resonating with people in terms of my journey, and path, and things with Bluetick and how that was validated, and how AuditShark went off the rails and everything else.

Rob: That’s cool. I heard the Release Notes episode. It actually came up in a Google alert. I have a Google alert on maybe Founder Cafe or maybe Startups For The Rest Of Us or something, and so it came up because it was in the show notes, and I so I picked up the episode. I actually enjoy hearing you on other podcasts because they ask you questions that we never cover on this show, and so I learn something, “Oh I didn’t know he did that.” You talked about your past and then even just hearing your retelling of the story of AuditShark, and Bluetick and stuff was kind of fun. I enjoyed it. We’re going to link up both of those episodes in this week’s show notes, episode 405.

Mike: Aside from that, I’ve started working on public API for Bluetick. I knew that I wanted to do it, at some point but the entire application itself is a single page application, so everything’s driven with an API. But in the process of building the app and creating that API, I found all these things that are just, I’ll say, are not probably done in the best of ways. It’s nice to have version 2–is the API that will be public versus 1, which is for internal use only.

Rob: Yeah, I was going to say that. But obviously, be sure to have a /V1 or /V2 when you publish it because you’re going to need to update it at some point and you don’t want to break retroactively. The other thing is, have rate limiting in from the start because, by the time you get to the point where you need it. It’s not good to have somebody take your API down.

I would also, this is all just from experience, if possible, put the API on a separate server or separate banks of servers because if someone takes your API down, you don’t want your main app to go down. What else? I bet there’s like four of these totally off the top of my head. I had not pre-planned these, but yeah, there’s really good ways to do APIs at this point.

I remember, again, dating my years back 10 or 12 years ago, all the APIs were different, REST was not a thing, it was all post-APIs. It was really jenky, and I guess, they were what, it was like web service, it was like XML. Remember, it was all XML?

Mike: Yeah, Microsoft came up with this thing as WSDL.

Rob: It was WSDL, SOAP, all that crap. It was terrible. You’ll still see some old APIs use that, but REST APIs now are so clean. A lot of them are stateless. There’s these best practices that people use. I would really try to implement because they definitely makes a cleaner experience for everyone.

Mike: I use Swagger to document the API, kind of hooked it, so if I make any changes to the API, I’ve got to document that basically says how it works. That’s an easy enough thing to incorporate into the public API but the other nice thing that I found is that there are utilities out there that you can use to query your Swagger documentation, and then it will build libraries for you in various languages so, Python, C#, and various other things. It’ll just create a library for you, and then you can make it available to people so that if they want to hook it directly into their application, they’ve got the code to do it, and they don’t have to write all of the wrapper stuff that goes with it which is awesome.

Rob: Assuming that it works well, that is awesome. Really, really cool. I know that with Drip early on, obviously, we released a Ruby wrapper because Drip was written in Ruby, and then someone built an open source. Python was one, I believe, and then someone built a .NET one. I think they kind of just open sourced it, and we linked out to it which was cool especially in the early days. It did kind of stink as we got further on because they weren’t actively maintaining it because they have built it for themselves and implemented it.

We added more to the API later on, a bunch of more methods, they didn’t implement them, so people would email us and be like, “Hey you need to add this.” It’s like, “We don’t even know anything on the code base.” and we didn’t have any .NET developers on staff. There’s different things. Everybody wants a wrapper in every language, and you just can’t do it, and it’s just not feasible. But if you are able to roll up the top two or three most common ones and then be able to maintain them, that would be a big deal.

Mike: I don’t know how many people are going to hooking into it, but I have talked to other people who run apps like SaaS apps, and they are interested in hooking into Bluetick. Question is, “How do I make it available for them? How do I make it available as a public API for customers? Do I have separate endpoints for each of them?” I’m not entirely sure on it yet but I suspect it’d probably be easier to maintain if I just have one public API, and that was it, regardless of whether you’re integrating directly or not.

Rob: I would tend to do that although—we had the public API and anyone could consume it. If we wanted like, when Leadpages wanted to integrate with us or if it was an official integration that we were both going to promote, and it was going to be on our integrations page, we typically fork off a separate endpoint so that we could handle that differently. Because sometimes, with that one, we wanted to give it a higher rate limit or we wanted to route the traffic slightly differently based on what it was, and if it was coming to the public API we didn’t know–that is one thing to think about. In the end, we had 35-40 integrations. We did not have a full, 40 different endpoints but I do think we had a handful for especially the most popular ones.

Mike: I could see having a third party integration API, like a dedicated endpoint for that, and then for certain ones, you say, “Okay, we’re going to fork this code and give it additional functionality or put it on a different server.” Because it justifies having higher rate limits just because of the data going back and you trust them to send you things in a normal fashion versus if you just have that public endpoint, who knows what they could be doing or sending. Most of those are going to be for regular customers versus somebody who is sending stuff over on behalf of a lot of customers.

Rob: Yeah, totally. Here is something to think about as well. For some reason, segment.com—at least last I heard when I still at Drip—they don’t honor rate limits, they just never implemented it. They said that they were working on it but they would DDoS us about every two months or three months. They would take the API pretty much down, and we would be frantically emailing them because we would return a 403 I believe which is, “You’re over your rate limit. Please stop sending.” and there’s a bunch of stuff in the response code. You say, “You have to wait 57 minutes before you can send another whatever.”

Zapier is an example, has a rate limit, and when we would go out and webhook into Zapier, we would read that response, and then we’d throw it into a queue for 57 minutes later. It would say, “You can have up to 1000 per hour.” You can just read the response, and it will allow us to rate limit stuff out. Segment never bothered to build that, and so someone would come in with half a million uniques a day, and they would be pumping everything into the segment, and they just click the check the box of like, “Yes, stuff everything into Drip.” All of a sudden it will be just, boom. Beware of that.

Again, we talked with Segment quite a bit about it, and they were like, “We’re working on this. It’s a problem for other folks too.” But at one point, we, for a couple of hours, we had to block all of Segment’s IPs. It was crazy. We’re at the firewall, and then they would get it turned off. Just beware. It’s not going to happen day one, but it will happen eventually.

Mike: I don’t know. It may happen day one.

Rob: Yeah, that’s the thing, right? You never know.

Mike: I’ve seen, just because of the volume of data that Bluetick handles on the backend because it’s a mailbox. When I split things off onto two servers. Part of the reason I ended up having to do two servers was because when I got a new sign-up, if they had a large mailbox, the first thing it does is it indexes everything. Right there, just adding a new customer will basically DDoS the entire application, it depends on how large they were, so I added a bunch of code to back things off a little bit and do internal rate limiting on how much calculations and stuff it does, and how quickly it does stuff.

I even added code that would monitor the process that was currently running, and then throttle it up and down in terms of the CPU usage which was kind of crazy because it works across the entire process, you can’t do that on a […] basis in Windows. I don’t know. I considered moving it off into its own separate process, but that one involved a different service. I was just like, “I’ll put it on a different server, and I then I won’t have to worry about it.” that was the solution I ended up with.

Rob: Yeah, that makes sense. Something else to consider, in the early days, reset the rate limit pretty low knowing you can always increase it but decreasing it later is not going to go well. We set it low and when people come in and say, “I need to import 100,000, and your rate limit is going to take me two days to do it.” So we’d said, “Okay, we’re going to build a bulk endpoint for you.” so then we build a public endpoint that was, instead of add subscriber, it was bulk add subscriber, and you could I think it was 1000 per payload, 1000 subscribers. It was still the same amount of submissions, it was still rate limited at that, but you could then send 1000 instead of just one. We built several bulk endpoints both in, and I believe out as the troubleshooting.

This is one of those things where customers say, “No. I need a higher rate limit.” It’s like, “What do you actually need?” “What I actually need to do is import 100,000 people.” “Oh well, there’s a better solution than increasing the rate limit across the board for all 30,000 people or whatever who use this app because that could be catastrophic for the thing.” so we did do that. It’s just something to think about. It’s product decisions. But there’s often more elegant ways to do things than just what the customer is asking for.

Mike: Yeah. I like to have early conversations with pretty much every customer that comes on to Bluetick just because I want to know what it is that you’re actually trying to do. Like yesterday, I had a call with somebody who had signed up, and I was trying to figure out what it was they were trying to do. They’re in the fashion industry, and they have all these samples and stuff of people, like manufacturers and vendors, that they have to follow up with, and they ask for samples, and if they don’t get them or they don’t hear back, they have to follow-up with them.

It was very interesting hearing the conversation about exactly the specifics of the problem that they were trying to solve. Ultimately, we concluded that the volume isn’t high enough right now to justify using Bluetick, but once it starts scaling up, which they expect that to happen, then Bluetick is going to be really helpful for them.

Rob: On my end, as you know, I recently moved. We were in California for two weeks, and then we flew in and landed at midnight on a Wednesday, and we closed on the house on Friday. When we were in California, I really wasn’t thinking much about the house closing. All of the stuff was in-flight, and there wasn’t much work to do on it. When we got back, I’m like, “I need to start changing our address.” Thursday and Friday, as we’re about to get the keys, I start changing the address, I start moving utilities, I start doing all that. I forget that for internet access, a: how critical it is—it is perhaps more important than a lot of other things.

Mike: […]?

Rob: Yeah, I was going to say electricity, but it’s really not because you need both. It is as important to me as having electricity. It was crazy to not have it. What I forget is that cable, internet, and DSL—they can turn it on same day or they overnight you the equipment, and you get it the next day. That’s what I was thinking. But of course, we have fiber here. We’re at the luxury of having fiber gigabit fiber.

There’s two companies that offer it in the neighborhood, really cool. I call up, and they’re like, “Yeah, we can get to you in 11 days.” Then the other one said, “We have to trench…” not trench but put pipe under the ground, so it’s going to take 30 days. I was like, “No, this is catastrophic,” because we’ve been spoiled by having this fiber at the other house, so I set up the appointment. The 30-day fiber is a local company called US Internet, and super fast, and it’s $70 per gig, up and down. They are at the street, but it’ll take them about a month to get in.

But I signed up for cable. I’m going to basically have it for a month. I had them overnight the equipment, so within 36-48 hours of moving in we had real internet but it is cable which is crazy. It used to be blazing fast, but now it feels–I think if Sherri and I if we’re both on video calls, and the kids are streaming, you start to have issues. It’s funny how quickly you get spoiled by having gigabit which you never, I will say, we never maxed it out.

Mike: Yup.

Rob: The moral of the story is a couple of things; if you’re moving, and you’d only need DSL or cable, you can probably just give them a few days’ notice assuming it’s already wired in but if you’re going to do something like fiber, this is a reminder to myself be like, “Yeah, you wanna give somebody a few weeks because it may not actually be wired to all the houses.”

Do we want to answer some listener questions today?

Mike: Let’s get to it.

Rob: Alright. Our first question comes from Nick Malcolm, and he recorded an audio question, and so he went straight to the top of the pile—as they always do—so voicemail to us or emailing us with an MP3 or M4A gets you to the top of the stacks. Let’s listen to that audio here.

Hello, Mike and Rob. I’m a long time listener from New Zealand. I’ve been involved in startups in the past, in technical roles but now I’m working as a consultant helping companies to better at security. I work alongside development teams doing things like threat modeling and teaching about common risks like […] and also at an organizational level with processes and policy and risk management. I’d be really interested to hear your thoughts on what minimum viable security should look like for startups and how this might change as the company grows. Thank you for everything you both give to the startup community, that’s much appreciated. Thanks.”

Mike: I think the trouble with security or trying to address the problem of minimum viable security in a startup is it competes with the aims of the business especially when you’re first starting out. There’re pre-profitability and then post-profitability. If you’re talking about pre-profitability, you need to do at least the varied minimum basics such as making sure that the code that you’re writing is, if it’s proprietary code, you’re not going to be releasing it, just make sure that it’s in a secret repository someplace, it’s not like a public repo. But obviously, if it’s open source, that kind of stuff doesn’t matter.

In terms of the server and infrastructure, for a startup, it so depends on what the startup is doing, how their infrastructure is configured, and the, I’ll say, knowledge of security that the people who are building it have. If you’re the type of person who is like, “Oh let me handle all these edge cases and make sure that I’m doing the right things,” then that’s fine. But if you’re not, then you just have to be aware that those things are probably going to need to be dealt with at some point down the road. Maybe not today but you have to do a good job of being diligent about marking where your code could potentially be exploited or places where things could go sideways. Whether it’s cross-site scripting attacks or things going into the query string and the API being used for things that it really shouldn’t be. Beyond that, you can go so far into the weeds that it’s just not even funny.

Security companies make their living basically, sort of being ambulance chasers to start with. If somebody has a security breach, they suddenly come up with all these articles about, “Hey, you have to be careful of these two, and this just happened to this person.” because it’s scare tactics. That’s really what they’re trying to sell on. But in terms of the basics, if you’re using password, make sure they’re one-way encrypted, make sure that anything that is sensitive is being encrypted inside of the database.

Those are the types of things that you want to at least pay minimum attention to. If you’re running Windows, obviously, you’d probably want to be running antivirus software of some kind on each of the machines in the environment. But as I’ve said, you can go so far into the weeds like putting data loss prevention things on your phones or laptops or all these other stuff. You don’t need to go that far, in most cases, I don’t think. Unless you are a security company selling security software, in which case, being hacked would obviously, be the worst thing in the world for you.

Beyond that, just do what you need to do in order to protect the customer’s data. Making sure information does not bleed from one customer over to another. That’s a pretty basic thing, but sometimes it can go wrong if you’re not careful about how you’re doing database queries or packeting data between customers.

Rob: I agree with you. This is the kind of stuff that you have to worry about just enough, and not any more than that because it will slow your business down, it’ll slow building features down, but you have to pay attention to it as you go. These days, when I think of minimum viable security for startups, I think of starting with a language that has that built-in or a framework that does. I know that Rails has a bunch of stuff that validates the incoming request streams, and it’ll pull out cross-site scripting sequence injection, and all of the stuff. That‘s a good place to start.

If you use Azure or if you use EC2 or Google cloud, there’s a lot of security best practices built into there. Nick, who sent the question, included what looks like three blog posts that we will link up in the show notes as well as a SaaS CTO security checklist. Again, this is stuff that you do it just enough to where you feel comfortable. It’s like GDPR. Do you implement a full-blown thing and pay $10,000 to hire a lawyer or do you pay someone $500 and the be mostly compliant?

The TLDR that Nick sent over is like, “Use version control, have logging and monitoring, and continuous integration.” so that you’re constantly running unit tests. I think you should have some unit tests that are testing security, and making sure that things are not going to be easily hacked or whatever. Hopefully, those thoughts are helpful. I realized that it’s kind of an “it depends”, and it’s definitely always a “there’s a continuum” when you’re doing these things but it’s also similar to a question of, “How much should I worry about the legal stuff surrounding getting my LLC set-up and getting every trademarked.” and getting all that. It’s like, “Well, I should worry about it just enough.” It depends on your risk tolerance in all honesty. Thanks for the question, Nick. That was a good one.

Next, we have a comment about moving on from AuditShark. He says, “Hey, guys. I’ve been listening for a while now. Over two years ago, I started an app part-time. Finally, after all these time and all the money I’ve sunk into it, I’ve decided to let it go. There were a number of reasons it failed. Most important being that I’ve never launched my own product before and didn’t fully understand what it took. Listening to Mike’s decision to move from AuditShark…” we have an episode called Moving On from AuditShark. It’s probably 150, 200 episodes ago. He said, “It’s given me the confidence to know this is the right decision. I felt his pain in the episode because it’s the same pain I’m going through now. I’ve decided to do this stair-step approach and practice learning simpler products like an e-book or audio course. Hopefully, this will both give me the confidence and an audience when I’m ready to launch another product. It still hurts and I still think what if all the time but I know I’m making the right decision. Love the show and congrats on 400.”

Thanks for writing in, Greg. It’s always good to hear from folks who experienced things. We talked about trying to help people avoid the same mistakes we’ve made. Sometimes you’re going to make the same mistakes we’ve made but maybe knowing that we made them, there’s some solidarity in knowing, “Oh, other people make them too,” and kind of we’ve all been there so. I think this thing will go away over time. Mike, from your perspective, you went through it, and now you’re in the middle of AuditShark building something that’s obviously starting to get some traction. What are your thoughts on this?

Mike: I’m not in the middle of audit shark anymore. What are you saying?

Rob: Freudian slip, that’s funny. What do you think?

Mike: Well, I definitely get how you can think what if all the time. I really don’t. AuditShark would not have been a good fit for me long-term. I didn’t realize that when I started out. I didn’t realize it ‘til I was probably very close to the end but it didn’t fit me as founder, and it wasn’t the type of business that I probably would have wanted to own long-term. I looked at it from more of a financial perspective of, “Oh I really want to be able to sell this and make a lot of money from it.” I enjoyed the problem space itself, but I did not enjoy trying to sell that type of a product versus Bluetick where I actually do it because I feel it’s legitimately helping people that need that help, and with AuditShark it was more about meeting the checkbox requirement for people, and nobody actually cared about it. It was just like, “Oh, our company says we have to do this so we’ll do it.”

Rob: Yup, that makes sense. I think early on you probably thought what if a bit, and then you moved past it. That’s the healing process of letting something like this go.

Mike: Yup, definitely.

Rob: Cool. Our next question/comment is a comment on episode 403, so go to startupsfortherestofus.com if you ever want to leave a comment, read all your comments. Doug said, “First of all where do you find the time to play D&D?” which I think is funny. From my perspective, I am trying to think, I got back into it, what is it, my kid is 12, and I think I taught him when he was maybe eight, and so it’s been about four years so yeah, Drip was going on. Frankly, we don’t play D&D very much. I mean, we do more now that I’m not working on Drop anymore, but when I was growing Drip, we would maybe play every few months. It really was not an on-going campaign thing, but it’s definitely gotten easier for me to carve out the time.

I think if we have a recurring campaign that was with other people, you just kind of find the time. If it’s every week or twice a month on a Thursday at seven, and you know that you’re going to let people down if you don’t show up, that would be something. The other thing for me is we keep our sessions short. They’re typically 60-90 minutes. They’re not these four-hour campaigns, and we enjoy it that way. How about you, Mike? How do you find the time?

Mike: I have two different ones. […] morning is with a friend of mine and our kids, kind of collectively, that we’ve run very sporadically. We might need once in a month or once every two or three months. That’s been going on for probably close to two years at this point. The other one that I just started up, I think we’ve had three sessions so far, but it’s every Tuesday night. We meet up at 7:30 PM. Two nights ago we’ve had a rather lengthy one. It went until 12:30 AM. It was almost 1:00 in the morning by the time I got home. It was 7:30 PM to 12:30 AM, that was kind of the ballpark thing.

We’re shooting for 2-3 hours, three hours is kind of the minimum that we want, and then after that, it’s kind of wherever is a decent stopping point. That session just happened to be longer. But I agree with you that having a set time of the day each week or every couple of weeks that you’re shooting for, that’s the best way to go just because you’re making a commitment to other people to be there and show up. I think that’s really helpful.

Rob: Here’s the thing, when I was doing startups on nights and weekends and had a day job, I didn’t play any of this. There were years where I didn’t go to happy hours with friends when they would go. I didn’t play any type of tabletop games because I work all day, and then I work all night. My kids were either not born yet, or they were really young, so they would go to sleep at seven, and then I would just work ‘till 1:00 in the morning, and I was tired, but that was the slog.

You and I both moved into the position. Once I’m working on it full-time during the day, and I’m putting the seven-nine hours a day of startup work, then in the evenings I actually like to not continue to do that, and so it depends on the phase you’re in. If you are still working nights and weekends, I would say don’t get involved, like don’t have a hobby. It’s crazy advice, but I really put all my hobbies on hold while I was getting that initial traction. It was definitely a couple of years, it was even more than that, actually. It was probably over the span of about five or six years, but it wasn’t constantly I would tackle a project, work on it for six months, and I wasn’t doing anything nights and weekends, and yeah, it sucked, but I had that goal. I wanted to get that financial freedom. I wanted to get out of my day job. It would crash and burn, and then I’d be all dejected and disappointed. I would go back to having a hobby for a while until I got motivated enough to do the next effort.

Mike: I find that setting aside the time is a nice distraction as well because it’s very easy to get stuck into the pattern of working on the same thing all day every day and let it bleed into other parts of your life which ultimately is probably not good for you. I think that they’re just making sure that there’s a set commitment that I have that is external to work in any way, shape or form. I find that that’s helpful.

Rob: I agree. I fully agree. I think of this podcast a little bit like that. Every week, no matter how bad things were, how hard they were, how stressed I was, you and I would have this one hour blocked off to sit and talk about this stuff, and that’s something that we’ve done for a long time. Even though it’s talking about work, in essence, it did help the days. I think you have to have some variety to them.

Doug has another question, he says, “Rob, you say wanting financial freedom was motivating. Is that another way of saying I hated my day job? How far can not liking the cubicle and office get you on a startup journey? Comfortable paycheck is the enemy of great startup ideas. I am proof of that.”

It’s an interesting question. In all honesty, I hear this from people time to time, and they’re like, “Well, my day job’s good enough. I’m kind of motivated to do. It sounds like it’s fun to do a startup.” In my opinion, if you’re not all in on it, you’re just not going to put in the time to do it. If it really is a major pain point, like for me, yes, I hated my day job. I hated all of the day jobs I did. Hate is a strong word, but I was never happy for very long. Maybe it was 12-18 months, and then it was like, “No, I have to move onto the next thing.”

The further I got along, not only would I burn out on a job within, let’s say, 12-24 months. But I also realized I wanted to make money more as a salaried or even as a contractor. I wanted mobility. I wanted to be able to travel, and not have to worry about being in one place or living in the same city or being concerned that I was going to get laid off, so I wanted the confidence that I was in control of my own destiny. Frankly, I did want more control of my time.

I hated having to be in an office at 8:30 AM or needing to be available at these hours, so I just wanted that. Especially as I got older, when I’ve gotten to my early 30s, I realized, “This was not going to work for me.” It was a real, true pain point in my life and I was willing to put it all on the table. I was willing to sacrifice nights and weekends for years to do this. If that’s not you and you don’t have the burning desire, that’s okay. I’ve some good friends who I envy because they’ve been happy.

Mien, a really good friend of mine in Sacramento, started the day job the same week back in 2000. He still works at that company. It’s 18 years later. He’s a developer, and he works at a consulting firm. I’ve had 20 jobs since then. I bounced to different jobs, different products if you count it all, maybe even more than that. We’re just cut from a different cloth. I would be so hopelessly unhappy and depressed if I had his life but I don’t judge him and say, “Oh you could do better if you’ve done startups.” because I don’t think he really had the desire. I don’t know if his personality is cut out for it. He really didn’t want the stress. He’s just more conventional than I am.

We each have different priorities, and we have different personalities. I think you really have to look in the mirror and ask yourself, “Am I willing to do what it takes?” because this startups stuff is not easy. I hope that’s something we’ve communicated in the past 405 episodes both through just talking about stuff theoretically and also the agony of episodes like moving on from AuditShark and the agony of some of the stuff that I’ve talked about here. That was a good rant for me. What do you think, Mike? You have other thoughts?

Mike: The summary of what you just said is like, it’s a personal decision for each person. I can relate to your friend out of Seattle. I was up in Rochester within the past couple of years, and one of the reasons I had left Wagman’s was there was a guy who’d recently got promoted to a position that I had wanted, not that I was going to get promoted to it, it’s just that it was one that I aspired to. He got promoted to it after being at the company for 18 years. I was like, “I’m not waiting 18 years to get promoted to that level.”

I ran into him a couple of years ago, and he’s still there working at the same company that he’s been at for 30 years. That would not have worked for me. I don’t have the personality to have been working in that business for that long and not transition around. I’m sure that he works on different things, but it would not be a good fit for me.

Rob: Thanks for the questions, Doug. I enjoyed them so much. I didn’t answer them on the blog. I wanted to talk about them on the show. Our final listener question for the day is from Ricardo Feliciano, and he says, “Hey Mike and Rob. I love the podcast. I find it very valuable. My question is, what is the best way to charge for an online and real-life community? The two best examples I’ve seen are Founder Cafe from the two of you and Nomad List, nomadlist.com. I ask because I’m starting a community for Marvel and DC fans called Comics and Coffee, that’s comicsncoffer.com. I don’t know if I should pay wallet or try to monetize it through merchandise. Perhaps through a premium program such as what Reddit does with Reddit Gold or Discord with Nitro. Thanks for your time. PS for comics and coffee background: We started up with a podcast, and we’re adding a form, and in-person meetups for movie nights soon.” What do you think?

Mike: I think if you’re going to have a community, there has to be some compelling reason for people to join and stick with their membership is, really what it comes down to. When you look at something like Nomad List, that’s aimed at people who are traveling around the world—and they’re probably constantly traveling—they’re more likely to become and remain a member for longer periods of time. Because even though they may be in Thailand for three months or six months or even a year or two, then they go over to Belarus or Spain or Africa or wherever, and then they’re going to need to be able to connect to other people either locally or online or potentially both, that’s one of those communities where it’s an ongoing thing, that they don’t just need the service once versus something like, trying to meet up with other people locally and those people are not moving around.

Everybody lives in the same community. For example, I live here in Massachusetts. If I wanted to get together with people and wanted to form a group or an organization or something like that, I might use meetup.com for that. The benefit of that is finding other people but if you’ve already got an established location, and a group of people that are coming, chances are good that they associate with other people outside of that who are also involved in comics. They’re going to invite their friends.

Now, the advantage of your platform or your community is that you are going to be able to attract more people to it and that’s the value proposition you have which is, “Hey, find other people and stick with a local community.” The problem is that once they have found your community and are coming to whatever meeting’s there are on a regular basis or semi-regular basis, what additional value are you offering? I’m not clear on what that would be.

With Founder Cafe, it’s a little different because everybody’s remote. Because it’s all remote like, if you join the community and then you leave, you no longer have access to it versus if it’s a local, in-person meet up and there’s a regular meeting every Tuesday at 7:00 o’clock, everybody comes at 7:00 and once you’ve found it, you kind of no longer need the platform anymore, so what value is it that you offer?

I think that’s what you need to focus in on in terms of trying to figure out how to monetize it. You might be able to pay wallet and have some sort of merchandise behind it, I’m not sure how would that go though. I don’t know is charging on ongoing basis is for would be terribly lucrative, I’ll say.

Rob: Yeah. B2B is easier than B2C. In this case, Founder Cafe or the Dynamite Circle or Nomad List, they tend to surround people who run businesses, who are making money through something, who the network they know can help them make more money, help them to have a more successful business whereas going to gamers, I mean gamers are notoriously cheap. They’ll spend money on games but trying to ask consumer to do a subscription tends to be a harder thing to do. I’m not saying that you shouldn’t do it but know that when I think about the $99 every quarter that we charge for Founder Cafe, most business owners see that and think, “Yeah, that’s not very much money compared to what I’m paying for all the other services I’m using.” But if you were to try to charge that in your case, it will be very hard.

Basically, no one would sign-up. I bet people would be like, “Are you kidding me? $33 a month to have access to this list?” You’re going to be more down in the, I’ll say, the Netflix zone where you’re probably looking at $5-$10 a month, I would think. I would probably either charge it quarterly or charge it annually. It’s such a small dollar amount. You don’t want to have these $5 charges all over the place. Maybe it’s $50 a year, $80 a year, $100 a year, somewhere in that range is what I initially think about.

I don’t think it’s a bad experiment. I mean depending on how many people you already have on the list, merch is fun, but merch is going to take time, the margins are low, and you really need a lot of people on your list in order to sell enough merch to get any type of revenue, you’re only getting, what’s the net margin on merch? Is it 10%, 20%? It’s going to be very small. I think that could be an interesting revenue stream to explore, but I would do that later. Having a premium membership, I think could be very interesting.

You could also consider doing a Patreon but again, you need quite a few people to do that, then you can have that insider’s group pretty easily, and all the mechanics are handled for it. People already know, it’s becoming pretty popular to hear this word Patreon and to know what that means. It’s not like reinvent the wheel and introduce everybody to, “Yeah, this premium membership,” blah blah blah. It’s just like, “Go to your Patreon account. You already potentially support some other podcast creators, support it, and if you support it at the $5 a month level,” and then Patreon handles all that for you—all the billing and all that—then you get this extra perk of getting this log in, or getting this episode earlier, getting these episodes that are only published on the Patreon feeds.”

Those are my initial thoughts on it. I love the idea of Chris. I’d love to do something like this, but it is going to be hard to pull the viable business out of it. You’re going to need a lot of people listening to you. B2C is the volume play. You need a lot more people selling something for $5 a month versus $50 or $100 a month.

Mike: The other thing that occurs to me is something like this seems similar to there’s a website called Roll20 which is mainly aimed at roleplaying games but obviously, there’s a lot of Dungeons and Dragons players on there, but playing various editions, and Pathfinder, and various other roleplaying games and they have a mechanism where they’re charging, I think it’s either $5 or $10 a month and it’s an annual fee.

I agree with Rob but I think going the annual route is probably the best way to go to get some of that initial revenue and then down the road, you could look at that and say, “Okay, now that I’ve got 500, 1000, or 10,000 who have paid that much money.” Again, with 1000 people paying $50 for a year, that’s $50,000, it’s not enough to support one person for the most part full-time.

One thing you could do is start offering like an escrow service for people who want to buy or sell comic books. Yes, you can do it on eBay, but then you have to deal with PayPal, and all these other stuff, for higher-end, and Rob maybe you could speak into this because I know you’re in the comic books but would you pay for an escrow service for something like a high-value comic book? Because we’ve talked about, in episode 403, about analyzing another type of business but I think part of that is looking at the type of customer that you want. People who are buying and selling extremely valuable comic books, they want to make sure that what they’re getting is good quality, and that they’re actually going to get it and not going to get ripped off. By offering an escrow service as an add-on later, that might be an option.

Rob: Yeah, I think that could get traction. I don’t know if that exists today, to be honest. I wish there was a text box, we could type search terms into, and it could potentially tell us if that exists today.

Mike: I know. That’d be fantastic.

Rob: It’s crazy. Anyway, enough daydreaming. But yeah, I think that’s a good point. Again, then do you have to build a large enough community that the small percentage who use whatever service offshoot making enough money to be viable. But I do think that’s a cool thought experiment or an interesting way to think about it. It’s a creative way to think about, I’ll say. I think adding offshoot businesses rather than just charging directly is another way you could potentially monetize it.

Mike: Thanks for the question, Ricardo. I think that about wraps us up for the day.

If you have a question for us, you can call it into our voicemail number at 1-888-801-9690 or you can email it to us at questions@startupsfortherestofus.com.

Our theme music is an excerpt from We’re Out of Control by MoOt, used under Creative Commons. Subscribe to us on iTunes by searching for Startups and visit startupsfortherestofus.com for a full transcript of each episode. Thanks for listening. We’ll see you next time.

Twitter Digg Delicious Stumbleupon Technorati Facebook Email

Comments are closed.