Curve Ahead Podcast
Curve Ahead interviews founders, owners, and CXOs of small to medium-sized companies. The podcast explores how these leaders developed their business ideas, the problems they are solving, and their journey to success.
From Legal to Engineering: How Manuel Harnisch is Navigating AI's Impact on Software Compliance
Manuel Harnisch, VP of Technology Services and Support at Fossa, shares his journey from Germany to scaling US tech startups. Discover how Fossa shifted their sales strategy from legal buyers to engineers, what this says about the future of software purchasing, and why AI is both an opportunity and liability in modern development. Manuel also shares his personal transformation story, losing 100 pounds and becoming a trail runner after 2020. Whether you're navigating startup growth, managing technical teams, or trying to stay compliant in a fast-moving AI world, this episode delivers valuable insights for technical leaders.
On today's episode of Curve Ahead, I am joined by Manuel Harnisch, VP of Technology Services and Support at Fossa, a software compliance and security platform that ensures companies ship secure, license compliant code. From growing up in Germany to scaling tech startups across the US, Manuel brings a global perspective to product leadership and the startup grind. In this episode, we cover how Manuel and the Fossa team shifted their sales strategy from legal buyers to engineers, and what that says about the future of software purchasing. We also covered why AI is both an opportunity and a liability in modern software development and what Fossa is building to stay ahead of it. If you're navigating startup growth, managing technical teams, or trying to stay compliant in a fast moving AI world, this episode is full of insights. Welcome to the podcast. Do you mind introducing yourself? Yeah. Hey, Brian, Manuel Harnisch here, currently VP of Technical Services and Support over at Fossa. Can you tell me about your background and what led you to work with Fossa? Yeah, absolutely. Oh, gosh, it's a long story. So let's maybe start from sort of like the personal side. I, I grew up in Germany. I came to the US when I was 18. I was fortunate enough to be able to do that immigration path, went to college here, really loved it and kind of decided to stick around. I've always had sort of a knack and love for technology pretty early on, you know, started. I think the first computer I had was a Commodore 64, which was like 10 years old when I got it, but that was the starting point. And then, you know, got a couple other ones, you know, over the, you know, teen period, if you will, and really enjoyed that. Had a little web design and consulting business back in Germany and, you know, really enjoyed that. This is in like the very early 2000s actually, before the dot com bust and really enjoyed it and so decided to make that part of my career. Fast forward a little bit.
I ended up stumbling into my first startup in 2008, which is a great time to join a tiny little startup because, you know, a couple months after I joined there in March, things kind of went south. But we actually did okay because we were super, super scrappy and, you know, weren't really burning money and I got hooked on startups, you know, from that. I spent almost nine years there. When I started there I was in basically tech support, first real full time tech support person. This was a, you know, company specializing in appliances. A company called Sub1 would basically do network monitoring, you know, in your data center. This is before the days of cloud really. And you know, did the tech support for about a year and kind of worked my way through the various different, you know, customer facing, technical roles at that company, post sales engineer, you know, deploying, you know, the boxes, then eventually pre sales, you know, the two SEs we had at the time sort of quit within a week of each other. Totally independently. Yeah, the person that was running that team was like, do you want to like do pre sales? And I'm like, I don't know what I'm doing, but go ahead and teach me and you know, I'll do whatever. And yeah, a week later went to our first conference in actually I think it was in Las Vegas. So that was exciting and really enjoyed that. Kind of got good at it I think and you know, did that for a couple of years and then eventually the company had gotten pretty big by that point, like about three, 400 people; when I joined, it was 11. They, they're like, hey, we got this really big challenge with customers wanting to do upgrades and nobody wants them. The painful, you know, would you like to. And would you like to sort of part was like, we want you to build a team and run a team that helps us solve this problem. And I said, okay, you know, sure, I don't know what I'm doing, but I'll give it a shot.
And so that was my introduction to leadership and management in a formalized way and did that for about two more years and then eventually got recruited by another company, also a startup, spent four years there, then got recruited to yet another startup in 2020 and spent a year and a half there. And since late 2022 I've been at Fossa. So that's kind of like my career progression and a little bit of background and maybe the last thing I'll throw in there to kind of tie it all back up. One of the personal transformations I've done a couple years as part of 2020, I decided, well, I didn't really decide, but it started out like I need to do some exercise when everybody was kind of, you know, cooped up and couldn't go anywhere. And I started walking, eventually started walking with a weighted vest and did more of that and eventually became a runner. So I, you know, I, I completely transformed because I used to be about 100 pounds heavier than I am today. So that's a, a little bit of an inspirational story, hopefully. Have you done any major running races yet or still training for something or anything on the horizon? Yeah. So you may be familiar with this since it's kind of local to Denver. I did the Leadville 10K last summer, which was interesting at 10,000 ft, you know, around 10K, you're definitely slower there. Hit my first trail half marathon last April and one of the reasons I'm back in Arizona right now, the same event group is doing a 30K here in the same location, more or less just like a different course. So we'll be partaking in the 30K in a few weeks. Trail running is such a different beast than road running. Like it's night and day different. Yeah, I, I, I am always very worried about tripping and falling because I think that would be very painful. I did trip and fall last winter, January of, I think it was February. We were down in Cabo for an extended period, you know, down there, and I was road running actually into the marina area.
The sidewalks there are, yeah, a little questionable as soon as you get outside of where all the tourists are. And you know, I was going up this little hill and there was like a sandy patch and I must have gotten caught and tripped and you know, face planted effectively and I was fine. It wasn't like hurt in a major way, but it definitely had some, you know, some bloody spots and took about four weeks to fully heal up. So yeah, trail running is a different beast, definitely. So let's get back to your background a little bit. I had made a couple of notes and I'm curious if they've helped you or hindered you in your professional career. So being a migrant to the US, has that, did that help kind of spur this startup mentality, being, you know, scrappy and flexible in responsibility? Yeah, it's a good question. I hadn't thought about that. I guess I always kind of historically felt out of place in Europe and sort of the work mentality over there is quite different. Right. Like you usually choose sort of like, you know, a career path and you usually choose like one or two companies. You get in there and then you spend a good amount of time there. And I, I still have friends there and effectively none of them spend less than say 10 years at a company. I, I guess one was like at eight years. But you usually spend a lot of time there and career progression is very slow. You're, you're kind of expected to do your time and then if you spend enough time there and enough people retire, you eventually kind of move up. And so I, I always felt like that was very limiting. I'm not necessarily like a risk seeker, but I do think that there is a maybe being a little bit more risk embracing and less sort of like going the safe route. And I think that's like one of the reasons that, you know, I really enjoyed the startup sphere. I'm not like, you know, if you sort of like look at other people that have German heritage or that are over there, a lot of them are more risk averse.
Right. Whereas I think for me I'm like, okay, I'm willing to just see how this goes. What's the worst thing that can happen? And you know, if it doesn't work out, I'll just try something else. And so I guess it's kind of been helpful for me. It's been a good experience, you know, coming to the US and just having an environment where you get out what you put in and sometimes you get out more than what you put in. Whereas I think in Europe it's more like you get out a fraction of what you put in terms of effort. I think that even in the States, right. In a corporate realm. I worked for different organizations for about 15 years before starting my own thing. I feel like they're regardless, like it doesn't necessarily meet. What I'm trying to say is that there was a lot of times where I was working at an organization where I felt like I was putting in a lot but not getting out a lot. Looked over for promotion, looked over for this thing or that thing, you know, that was when I knew it was time for me to look for something else or look at a different organization. So I think that is the reason that there's so much more career movement here in the States versus maybe somewhat like in Germany. But I, I never felt like what I put in, I got out equally until I started my own thing. And it's like, well, you know, if I'm sick for a day, nothing happens or. Right. Because I started as a solo. So like if I was sick, there was nobody to come in and do the work that I needed to do for the day. Yeah, well, actually that, that made me think there for a second. Maybe originally I kind of mischaracterized it a little bit. I thought a little bit more about it. I think you're right. I spend, I spent about six months at a big US company in the mid 2000s, kind of like a sort of an internship as part of college. But it gave me an opportunity to like see big corporate life. 
I'm not gonna, I'm not gonna name them, but, you know, I felt like a number, even though it was like a pretty, like, you know, it was actually a pretty prestigious part of the company. We got to travel a lot and, you know, see a lot of different things. It was part of internal audit. I felt like the impact of the work was pretty mundane and minimalized. And so after that, I'm like, I'll again, like, I'll never work for a big company again. Now since sort of maybe softened my stance, I'd consider it, especially if it was like, by means of an acquisition. But in general, I find like, I, I like to have a big impact and I can do that more easily in a smaller company. I will say that the startup ecosystem in the US is just, you know, many more times much richer than it is in Europe. I mean, starting a company here and actually like getting some venture funding and, you know, actually structuring it, so it's rewarding for your employees. Much easier to do compared to Europe and especially Germany. I actually, I know somebody, a company, but, you know, they're located out of Munich. That's where, you know, the founder and CEO is located. But he's an American and he incorporated in the US and everything is like, based on the US because otherwise it would be very difficult for him to do things like stock options and other incentive plans. And so that's probably like one of the main things that Europe is lacking. It's just a, you know, a legal construct to really do startups well. I mean, they're catching up, but they're still pretty sclerotic and slow when it comes to, you know, adjusting to that paradigm. I've got very little experience with that. Right. I've, I've been bootstrapping my organization. There may come a day where I'm needing outside capital, but right now, like, I'm trying to do everything as much as I can with as lean of resources as I can. So. Yeah, yeah, and there's nothing wrong with that.
But even that, like, in a situation like that, the amount of planning that you have to do in Germany, actually I have a good friend that took over, like a family business that's grown significantly, has, you know, almost 100 employees now, but they're still relatively small. And the amount of, like, justification that he showed it to me, that is that he has to do if he wants to set aside a certain amount of revenue for, like, future planning and not be taxed on that, like is. Is. Is pretty ridiculous. Whereas yes. The tax code in the US is not simple, but it's actually a lot more business friendly than it is, you know, in places like Germany. I would almost argue that the US tax code is more business friendly than it is, you know, individual employee friendly. It's easier, it's not easier for me to do my taxes now, but it's easier for me to accomplish more with my taxes. Yes, yes, no, I would agree. So tell me about the work that you're doing now. Okay, what, where would you like to start? Let's start at the 15,000 foot overview of what it is that you're working on, who you're working with. Yeah, so I mean, I guess we can sort of like high level talk about Fossa and how it functions and then sort of where my role and my team sit. So Fossa, we're I guess technically still a startup, although, you know, once you're 10 years old, are you still a startup? We can argue that, but you know, we're about 50 people, B2B SaaS. That's sort of like the deployment model. You know, the main focus of the platform is compliance as well as vulnerability and security, specifically to code. A lot of software, a lot of modern software obviously relies on open source. Open source, you know, it's kind of like it was sort of the redheaded stepchild in the 2000s, then everybody kind of like embraced it and said like, hey, this is great free software, like let's incorporate it.
And then the lawyers found out about that again and they're like, well, wait a minute, like we got to make sure that, you know, we're not violating licenses. Like there are actually like, you know, enforcements happening. There was, you know, big lawsuits, you know, a couple years ago with the GNU foundation and some other, you know, some other well known organizations. I think Red Hat had some stuff going on. And so people like, yes, we still use open source, like this is good, we want to contribute back, but we got to make sure that we do this in a compliant fashion. And so that is what we at Fossa ensure effectively. You know, we scan your code, you know, you connect it in your, either your CI/CD pipelines or you know, through GitHub, you know, quick imports, if you will. We scan your code and we tell you, you know, what licenses you're exposed to either directly or transitively through third party packages which themselves may rely on other software. And so we tell you like, here's, here's the landscape and you know, here's what it looks like and here's where you have some potential risks based on how you're shipping software. So that's the compliance piece. And then we also have, you know, pretty robust ability to scan for security and vulnerability considerations. You know, there's this thing called a CVE that actually was just something the other week with Next.js that was like a big security concern. You know, are you exposed? Are you using that version of Next.js, if you will, we can tell you that. And then, you know, you make decisions based on the risk exposure, if you want to upgrade your packages proactively, if you want to patch them, things along those lines. So we ensure that some of the world's biggest companies are shipping both compliant as well as secure software. So that's the company in terms of what I focus on and my team. So I'm part of the revenue organization.
So this kind of goes back to where I like to be customer facing and also being on the side of the house that actually either brings in dollars or secures dollars. And specifically my team is sort of bifurcated between one part is pre and post sales engineering. So I have several individuals on the team that focus on the technical side of sales and then they also support the accounts that they win together with the respective account directors post sales. So lots of, you know, technical details in implementing a software like this, you know, you got to make sure it's correctly implemented. You got to make sure that, you know, all the policies are configured right and they're really like, you know, that part of the team is really consultative with their customers and with their prospects. And then there's the other part where we obviously got to do regular customer support as well. You know, break fix. We do have a fairly sizable business tier, self serve tier as well. So those are customers that don't necessarily talk to a salesperson. They just go on the website, they sign up for a free trial. If they like it, they convert to sort of a paid business tier. Some of them stay free forever. If you're a hobbyist, obviously you don't need all the features, so you can do that. But you may still have questions, you may still have concerns. You know, things may not work as you expect them to. That is, that is the part of the team that sort of manages the ticket queue. And so that is the team. And you know, obviously my role is to sort of run that on a day to day basis, be the backstop and the, you know, the, I guess the support person for the team and then also work on bigger initiatives like you know, we did a tools modernization last year, we changed ticketing systems. This year it's focusing on, you know, what our account plans look like.
I run a number of renewal conversations and things like that myself as well just to make sure that we're, we get coverage there and then really partnering with sales, marketing, engineering, product to make sure that we build things that you know, customers want and ultimately that will drive the company forward. How much effort do you or your team spend like building something for you to actually acquire the sale? Does that make sense to do like the, do a pre sales build, do like wireframe build out so the customer has a better understanding of what it is that you're going to deliver. How much time effort goes into that? Yeah, I think what you're describing we sort of loosely consider proof of concept. You know, sometimes it's, you know, it's a little bit more than that. You know, it could be bespoke work as well and really a lot of demo work, I'd say, you know, a fair amount. But, but it's not like the number one thing that the team focuses on. To be clear, we don't do proof of concepts for every prospect. We, we tend to do it for really key ones, big ones. A lot of our customers that buy an enterprise agreement actually, you know, run their own trial, right. Like they sign up for a free account, we upgrade them temporarily, just sort of like a full experience. They test things, you know, make sure that it works as they want it to and then they have some questions and then ultimately make a decision at the end of that. So quite a few people don't actually want sort of a, you know, a sales guided experience primarily because over the last two years or so we've shifted away from our original target persona, which was the legal buyer because that's kind of where we got in the compliance space. And lawyers oftentimes do want that full experience but we've shifted further towards, we call it shifting left towards the engineering team. And a lot of engineers, they just want to sign up, they want to try the thing, see if it does what they want it to do.
And actually for them it's a bug in the system if they have to talk to a person. Now some of them have come around and obviously they do see value in the consultative approach that we try to take. But generally they want to be as hands off as possible from the vendor and just discover the value themselves. And if the product does what they expect it to do then that's great and they're happy and they will buy. And if it doesn't then it doesn't make a ton of sense. So I'd say a good bit. But it's actually decreasing in terms of how much time we do for bespoke proof of concepts and bespoke demos. Tell me about that shift. What was the realization that you needed to shift from the legal perspective more left to the engineer? That was a brutal experience, I can tell you. Well one, while Fossa was sort of founded 2014, 2015, they really didn't, you know, have a big go to market effort until I'd say like 2018, 2019. Right is when you really started selling. And so you know, then you fast forward to you know, 2020, 2021. Yes there was a dip obviously but money was free. You know, a lot of companies were, would buy software just because, and you know, like oh this sounds great, this solves a problem for me. I'll worry about implementation later. You know, you know, legal persona would come and say like hey, of course we need compliance. I don't, you know, I don't have to worry about the implementation piece. Somebody else will do that. And so that's what got us to a pretty sizable customer base. But then 2022 rolled around and a lot of these companies started, you know, the year of efficiency. Right. I think that was a term for 2023. That really started at the end of 22 and the, a lot of the law departments, compliance counsel, things along those lines, a lot of them started to actually either leave or get cut.
And so with that, if your main champion was like one or two people on that side of the house and they're gone now, well, it's really tough to justify, you know, why, why they have this platform if nobody else is looking at it. Now you make the argument that you know, that's kind of foolish and you know you take on a lot of risk that way but that's what a lot of these companies did. And so it became pretty clear as a result of just what we were seeing in the buyers and the champions that we needed to adapt and, and move towards where funding was still happening, which generally was on the engineering side. And of course, you know, end of 22 AI comes around, really wasn't like a big thing until the middle of 23. But engineers are like oh you know, new toys, right? Like let's work on that. And so it was pretty clear that we needed to get into that wave and sort of lean away from the lawyer personas. But we still do have quite a number of legal teams that work with us. Some of that has come back, but I don't think you'll ever go back to the place that it was in 2020 and 2021. So you had mentioned AI. How has that complicated things for you? For about a year and a half or so, let's say end of 2022 until about the middle of last year. So that's middle of 2024. Everybody's kind of like, you know, let's wait and see. A lot of customers were pretty apathetic. They're like, yeah, we know it's probably being used, but it's not a big deal. Some were a little bit more worried about it and they're like, well, how can you tell us people are using AI to write code? And the biggest concern for a while was like, well, if they're using AI to write code, what does that AI train on? And is it just copy and pasting off of open source projects? Right. GitHub has Copilot, which they say that it doesn't, and copy from open source packages and they're actually pretty good about that.
But then there are other AI coding agents out there that kind of popped up and maybe some of them are less scrupulous and less ethical. And so that was a concern for a little bit. But the answer to that for a while was kind of like, well, it's also still, wait and see, like there's no case law for this yet. We don't know if anybody's going to say, like, well, if the AI verbatim copied a function, is that plagiarism? Right. Is that a license violation? Nobody really knew yet. And so like fast forward, you know, second half of 24, it became more apparent that, you know, that this was going to stick around. A lot of big companies were doubling down on actually like, you know, mainlining that and then also like demanding that, you know, you could identify, you know, AI written code, not necessarily for legal reasons, but to make sure it's well documented. Because sometimes, you know, these tools don't document. They're actually using AI to write that code and then just to make people more efficient and effective. It's, it's definitely shifted and it's almost like, okay, so now this is a real thing and you know, people think about that. For us, we've also gone through this transition, where it's like, initially it was okay, you know, we'll see what happens. But probably about six months ago we realized like, okay, you know, this is a thing and we need to enhance our own product to effectively significantly up level what it can deliver with the same number of your engineers on our side. So we're actively working towards things like auto fixing and auto upgrades based on LLM analysis. So take that Next.js bug that I mentioned earlier, that was a big issue last week. We're working towards something that could say like, okay, based on your entire environment, you're running this version and that has a security issue. We can tell you what the upgrade path looks like to basically get past that. And we can actually perform that upgrade for you entirely through AI.
Whether it's updating function calls, merging things along those lines. Our goal will be to do that with an extremely high degree of confidence. A senior engineer can just look at it and say like, yep, auto upgrade, AI based, we're good to go. So that's one of the things that we're actively working on right now. And we have a pretty strong hunch that this is going to significantly inflect software development this year. Yeah, I think from everything that I'm seeing, AI has in the last, you know, probably nine months or so definitely impacted software development and development positions. Whether it be eliminating positions or people needing to adapt to using AI to either supplement their code or help, you know, deliver like it seems like you're doing from the delivery perspective, but also using it to help identify vulnerabilities. So it'll be interesting to see what happens in the next six to eight months as we see more and more organizations, plus like one or two major frontrunners who are great at helping assist like non technical people create code and create programs. And it's gonna be the wild west here for the next couple of years on this. Yes, yes. You know, it'll also be interesting. So I kind of predict. So what is it like three, four weeks ago that the term vibe coding became like mainstream and everybody started talking about that. I'm like, okay, yes, I think that's a thing. I think there is going to be a dichotomy though where there will be vibe coders that aren't really developers and you know, they will build products, if we want to call that, but they'll be complete for the functionality that they instructed the AI to build and they'll actually work. But there will be some new and interesting failure points. Right. Right now, AI is only as smart as what you prompt it to give you.
And what I mean by that is you can say like, okay, build me a product that looks like this, that does these things with these constraints, but a novice doesn't necessarily think about security. Build me an API that does X, Y and Z. Well, okay, is that API going to actually enforce certain tokens? Is it going to enforce them in certain timeframes, things along those lines? I think I saw something the other day. I don't know if it was on X or Bluesky or some other place where there was a guy that basically built an app, was really proud about it, was making money. Like, two days later, it's like, oh, somebody figured out how to exploit all the API tokens and please stop. Right? And I think we're going to see more of that. And then I think there'll be this sort of equilibrium where, yes, people will build prototypes through vibe coding, but then you will still need the developers that actually know the architecture and infrastructure of modern software, and they'll be able to plug those holes or they'll be able to prompt the AI in a way that it actually is a true product. Right? It'll have CRUD and it'll have RBAC and all this other stuff, and it'll be secure and it'll actually function. It was written by humans, and maybe at some point in the future, you won't have to ask for those things anymore because they'll just be assumed and it'll be secure by default. But we're not at that point yet. Do you think that may become an emerging marketplace of. Of people who have coding backgrounds working with vibe coders just to fill in the. The architecture that doesn't necessarily exist through vibe coding? I'd like to say yes, but I also thought. Well, I think we all thought for a little while that prompt engineer was a new job, and it was for about three months. And then people like, well, actually, it's not that hard. Like, you don't need to have that much specialized knowledge.
So I think it'll be a role in a transient way, but I don't think it'll stick around much beyond, like, a year or two. Push my chips in on that. Well, it's been a great conversation. I really appreciate your time today. At the end of all of my podcasts, I give my guests 90 seconds to plug anything that they're passionate about. So without further ado, the next 90 seconds are yours. Yeah. Yeah. Thank you. So I'll talk a little bit more about Fossa and just to give the overall spiel here. Yeah, what is Fossa? Fossa is a leading application security and compliance platform. We focus on helping engineering teams deliver trusted software and therefore we enable companies to prioritize real vulnerabilities in their software and open source that they incorporate. We accomplish that by leveraging a comprehensive set of scanners, focusing on code analysis, vulnerability detection, license detection, container scanning, binary scanning, snippet scanning and of course AI detection comes with that and SBOM ingestion among many other things. So, so if you ship software, chances are you should give Fossa a look. Even, even if you're just doing it as a hobbyist, you may not know it, but you will likely be using some product that is actually covered by Fossa. So if you have one of those fancy computer on wheel things, you know, a car, chances are we actually make sure that is functioning. A modern car is basically just a giant computer running a bunch of open source software, usually an open source operating system like Linux and then various layers of manufacturing supplier software on top of that. And all of that comes with you know, obviously security concerns, as well as vulnerability and compliance considerations for the vendors. And so you probably already use a product that is incorporating Fossa to be possible. So that's just one example.
We have many other well known brands in the, you know, obviously automotive space, banking, telcos, medical devices and a lot of digital enterprises. Basically a lot of the web properties and Web 2.0 and 3.0 companies rely on Fossa to make sure that they're compliant and secure. If you fall into any of those categories, fossa.com, give it a look and we'd love to have you as a customer. Thank you so much. Thank you.