In the latest episode of our What’s New series, Founder and CEO at Secureframe, Shrav Mehta, sits down with SaaStr CEO and Founder Jason Lemkin to share what’s new at Secureframe, a rising SOC-2 and compliance software company breaking out in SaaS.
In this episode, they’ll discuss:
- When and why you need SOC-2 and ISO 27001 compliance as a SaaS company
- The Intersection of AI and Security
- Compliance in Year Two and Beyond in SaaS
- Differences in Servicing SMBs and Enterprises
- Re-bundling of Software Services
When Compliance Becomes Table Stakes
Jason opened the interview by sharing that, in his experience, compliance is Year One table stakes for all B2B SaaS companies.
“I was just catching up with a second-time founder who had taken his company public (and it was worth billions) and was doing another company,” Jason shared. “He was doing a freemium product and I was like, ‘Why don’t you just walk into an Adobe or a Cisco and just close a six-figure deal? Even if your product’s not there, they’ll buy from you.’ And he was like, ‘Yeah, but we’re not, like, SOC 2 compliant.’”
It may seem easy to shrug off compliance, or to wait before adopting a tool to help with compliance and security, but the moral of the story is that you will hit a wall fairly fast if you haven’t put a compliance program and tooling in place by the end of Year One. Especially as you move into the mid-market and upper market, security becomes table stakes for the buying committee.
Shrav added that if you want to close bigger deals, not just Enterprise but mid-market and SMB as well, you need to become compliant the moment you’re ready to go to market.
“SOC-2 is often seen as that, like, critical standard for SaaS software,” Shrav explained. “If you have customers in your pipeline that you’re trying to close, eventually procurement or someone is going to hold you up at some point if you don’t have a SOC-2 or ISO 27001, or one of these similar certifications.”
So you need to become compliant (or update your security) … what now?
Well, with an app like Secureframe, you can automate about 80-90% of the evidence collection SOC-2 requires via integrations and APIs, i.e. hooking it up to your existing platforms and tools and letting it pull the data from them. So the time to compliance is much shorter than it used to be. However, Shrav explained that automation alone stops being enough at a certain size. “If you’re expanding and scaling and you’re closing more deals, it may justify a full-time hire to take the load off the team. We usually see this happen around 50 to 100 employees. Now, if you’re in FinTech or another highly regulated industry, you’re probably going to be doing these things and have a dedicated hire earlier.”
Plan around the 50-100 employee mark to hire an IT Manager or CISO (Chief Information Security Officer) to own your compliance and security. Then, as you scale into Year Two and beyond, your compliance checklist should look a bit like this:
- In years 2-3, maintaining and enhancing your compliance should become part of your operational rhythm
- Maintain ISO 27001 certification and compliance (and keep renewing your SOC-2 report, which covers a fixed period and is typically reissued every year)
- Continuous monitoring is critical: a control that passed at the audit can drift out of compliance the next week, so checks have to run on a schedule, not once a year
- While year one is typically a full certification audit, years 2-3+ become surveillance audits to maintain your ISO 27001 certification
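What “continuous monitoring” looks like in practice is a scheduled job that pulls an inventory from your providers, evaluates each control against it, and keeps every timestamped run as audit evidence. The following is an added example, not Secureframe’s code or any vendor’s API: it evaluates five technical controls (MFA, access-key rotation, public storage, encryption at rest, branch protection) against a constructed inventory and reports which resources regressed or were remediated between two runs. The control ids, the 90-day key-rotation policy and the inventory contents are assumptions for illustration; in a real collector the inventory would come from the IAM, object-storage and source-control APIs.

```python
"""Continuous control monitoring over a constructed asset inventory.

Added example, not Secureframe's code: a minimal evidence collector that
evaluates a few technical controls against a point-in-time inventory and
reports drift between two runs. A real collector would build the inventory
on a schedule from provider APIs and store each report as audit evidence.
"""
from __future__ import annotations

import copy
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample inventory: names, keys and values are illustrative only.
INVENTORY = {
    "iam_users": [
        {"name": "alice", "mfa_enabled": True,
         "access_keys": [{"id": "key-1", "age_days": 30, "active": True}]},
        {"name": "bob", "mfa_enabled": False,
         "access_keys": [{"id": "key-2", "age_days": 120, "active": True}]},
        {"name": "svc-deploy", "mfa_enabled": True,
         "access_keys": [{"id": "key-3", "age_days": 400, "active": False}]},
    ],
    "storage_buckets": [
        {"name": "prod-logs", "public": False, "encrypted": True},
        {"name": "marketing-assets", "public": True, "encrypted": True},
        {"name": "backups", "public": False, "encrypted": False},
    ],
    "repos": [
        {"name": "api", "branch_protection": True, "required_reviews": 2},
        {"name": "infra", "branch_protection": False, "required_reviews": 0},
    ],
}

MAX_KEY_AGE_DAYS = 90  # assumed rotation policy for this example


@dataclass(frozen=True)
class Finding:
    control: str   # hypothetical control id; map it to SOC 2 / ISO 27001 yourself
    resource: str
    passed: bool
    detail: str


def check_mfa(inv: dict) -> list[Finding]:
    return [Finding("access.mfa", u["name"], u["mfa_enabled"],
                    "MFA enabled" if u["mfa_enabled"] else "MFA not enabled")
            for u in inv["iam_users"]]


def check_key_rotation(inv: dict) -> list[Finding]:
    out = []
    for u in inv["iam_users"]:
        # Only active keys matter; a disabled key cannot be used.
        stale = [k["id"] for k in u["access_keys"]
                 if k["active"] and k["age_days"] > MAX_KEY_AGE_DAYS]
        out.append(Finding("access.key_rotation", u["name"], not stale,
                           f"active keys older than {MAX_KEY_AGE_DAYS}d: {stale}"))
    return out


def check_bucket_public(inv: dict) -> list[Finding]:
    return [Finding("storage.no_public", b["name"], not b["public"],
                    "publicly readable" if b["public"] else "private")
            for b in inv["storage_buckets"]]


def check_bucket_encryption(inv: dict) -> list[Finding]:
    return [Finding("storage.encrypted", b["name"], b["encrypted"],
                    "encrypted at rest" if b["encrypted"] else "not encrypted at rest")
            for b in inv["storage_buckets"]]


def check_branch_protection(inv: dict) -> list[Finding]:
    return [Finding("change.branch_protection", r["name"],
                    r["branch_protection"] and r["required_reviews"] >= 1,
                    f"protected={r['branch_protection']}, reviews={r['required_reviews']}")
            for r in inv["repos"]]


CONTROLS = [check_mfa, check_key_rotation, check_bucket_public,
            check_bucket_encryption, check_branch_protection]


def run_controls(inv: dict) -> dict:
    """One monitoring run: every control against the whole inventory, timestamped."""
    findings = [f for check in CONTROLS for f in check(inv)]
    return {
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "findings": findings,
        "passed": sum(f.passed for f in findings),
        "failed": sum(not f.passed for f in findings),
    }


def failing(report: dict) -> set[tuple[str, str]]:
    return {(f.control, f.resource) for f in report["findings"] if not f.passed}


def drift(previous: dict, current: dict) -> dict:
    """What regressed and what was remediated between two runs."""
    before, after = failing(previous), failing(current)
    return {"regressed": sorted(after - before), "remediated": sorted(before - after)}


def example_drift() -> dict:
    """Second run on a changed inventory: bob enables MFA, the api repo loses protection."""
    later = copy.deepcopy(INVENTORY)
    later["iam_users"][1]["mfa_enabled"] = True
    later["repos"][0]["branch_protection"] = False
    return drift(run_controls(INVENTORY), run_controls(later))


if __name__ == "__main__":
    report = run_controls(INVENTORY)
    for f in report["findings"]:
        print(f"{'PASS' if f.passed else 'FAIL'} {f.control:26} {f.resource:18} {f.detail}")
    print(report["failed"], "failing,", report["passed"], "passing")
    print(example_drift())
```

The point of keeping every run rather than only the latest is that the auditor wants to see the control operated over the whole period, and the drift view is what turns a yearly audit finding into a same-day ticket.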
Ultimately, which one is better, SOC-2 or ISO 27001? It depends, but most SaaS companies nowadays will want both, and ideally pursued at the same time, since there is about 70% overlap between the controls behind a SOC-2 report and an ISO 27001 certificate.
“Oftentimes, if you know you need to get both done, we tell people to get it done at the same time and just kill two birds with one stone,” Shrav explained. “Now, the way you determine whether you need SOC-2 or ISO, they’re very similar. SOC-2 is a lot more common in the U.S., whereas ISO 27001 is a lot more common if you have customers in Europe, Australia, and other territories. And a lot of those customers, so this is also where your customers are based, not necessarily where the company is based, which is a common misconception.”
The Intersection of AI and Security
It’s going to get a bit harder for CEOs and CTOs to maintain security and compliance going into 2024.
“You’re seeing data breaches happen all the time,” Shrav said. “These are having real-world impacts. So I think we’re just going to continue to see this, more and more and there’s just going to be more things to comply with. There’s just going to be a continued increased scrutiny on security and privacy.”
The bar is only going to get higher as buyers increase scrutiny and AI becomes more integrated in SaaS and technology.
Shrav sees security and AI as the two biggest spaces in software for the next decade.
“I think security is one of the largest spaces, behind AI, because there are always going to be more and more attackers and more and more breaches and more and more reasons to have a heightened security program,” Shrav explained. “Gartner’s newest I.T. spending forecast said that I.T. services is projected to be one of the fastest growing categories of 2024. It’s growing 10 percent, you know, from last year. And 80 percent of these CISOs said that they plan to boost their spending on cyber and information security.”
Part of that may be due to the growing intersection of AI and security. Companies are collecting far more customer data than before, and AI-enabled attacks add new threats on top of the old ones, both of which point to more growth in an already fast-growing space. So look for security and compliance to gain momentum this year.
SMB vs Enterprise Security
We recently chatted with ZoomInfo CEO Henry Schuck on what it’s like to sell and service customers that are both startups and enterprise. So, now let’s look at that from a security and compliance standpoint. How is Secureframe servicing both startups and enterprise customers?
On the SMB side, Secureframe sees a lot more inbound when a startup receives a security questionnaire from a potential new customer and needs to become SOC-2 compliant very quickly to close the deal. They have a very specific problem that needs solving, fast. On the Enterprise side, customers are often already SOC-2 compliant and have an existing process, so what they’re looking for is saving time (and money) by making their security program more efficient at scale.
So how do you market to these two radically different segments that still need the same product?
“A lot of the messaging on the SMB side is around, ‘Hey, let’s get you SOC-2 compliant. Let’s help you do it quickly.’” Shrav continued, “On the enterprise side, they don’t really care about getting it done quickly. They already have a SOC-2. They want to get more efficient with how they do it. They want to automate a lot of their enterprise workflows. Saying something like, ‘Hey, let’s help you get SOC-2 compliant in weeks, not months,’ is not that appealing to them at that level.”
The sales teams at Secureframe are completely segmented into SMB, Mid-Market and Enterprise for this reason. Shrav still sees a ton of value in SMB, whereas many others have dropped serving SMBs due to budgets. Secureframe still wants the fast-growing SMB companies because many of those customers grow with them: switching compliance vendors is much harder than switching, say, a sales or marketing tool.
Revenge of the Suite
You might not have noticed, but SOC-2 compliance software is actually an extremely competitive and crowded category within SaaS.
“If you’re winning every deal, you’re not enough, it’s straight from the SaaStr blog,” Shrav joked. “Our thesis with Secureframe is really that the last 10 years have been about the unbundling of software, and it’s pretty much about offering a point solution or microservice for everything.
And we believe that the next 10 years is going to be about the re-bundling of software. And with other companies in our space, you have to go to a different vendor for your readiness, your security awareness training, your security questionnaires, your trust center, etc. And that’s a lot of vendors to manage and integrate. And it never integrates nicely. Never a lot of it. At Secureframe, we keep this all under one roof and we still integrate with a lot of these other partners.”
The goal for them has been to become the most comprehensive vendor.
“It’s interesting how it’s the revenge of the suite today, right?” Jason asked. “Vendr just had a report saying that last year, 80 percent of their spend went to existing vendors and renewals. It’s 80 percent in one year, so yeah, the cloud budgets are growing 10 percent or more per Gartner, but your existing vendors are absorbing all of it. So the more you can offer, it’s the winning play. It’s pretty crazy.”