Jan-Erik Asplund
Background
Shrav Mehta is the co-founder and CEO of Secureframe. We talked to Shrav to learn more about the upmarket sales motion that SOC 2 and other kinds of compliance can enable, the "base minimum features" needed to sell into the enterprise, and what makes compliance a challenging but worthwhile problem space.
Questions
- Can you start us off by talking a little about Secureframe and the problem you’re solving, customer profile and the core use cases that drive adoption? Why is it so valuable for startups to start selling into the enterprise?
- Can you share some signs of early product-market fit that you have?
- What makes compliance so hard? What does that burden of getting certified and re-certified look like in terms of time and money investment?
- Can you talk about Secureframe’s pricing strategy and business model? If usage-based pricing, what is the unit of usage? If SaaS, what is the recurring value folks are getting?
- What are the base minimum features that are needed for a SaaS company to start selling into the ‘enterprise’? To what extent does selling into the enterprise require a sales team and to what degree has even enterprise buying behavior shifted towards more off-the-shelf software?
- If you're a start-up trying to sell into the enterprise, at what point does getting certifications like SOC 2 become important?
- Compliance is a pure cost for companies and like all costs, companies want to reduce it over time. Do they see price as a criteria for competition? Do their existing customers expect price reduction over the years? How do they prevent a customer from churning to a lower cost competitor?
- How much of this process can be automated and how much has to be manually handled? How does that affect your margins?
- Generally, companies have seen compliance primarily as a cost of doing business. How do you avoid being in a race to the bottom on price in this market?
- How do you think about Secureframe’s positioning relative to companies like Drata, Osano, Strike Graph, Laika, and Vanta? How does Secureframe differentiate itself in a market where many of the players have an offering that’s similar on the surface?
- There’s a lot of companies raising a lot of money in the space and a lot of noise. How do you think about this land grab and winning in the short term versus long-term building a sustainable business?
Interview
Can you start us off by talking a little about Secureframe and the problem you’re solving, customer profile and the core use cases that drive adoption? Why is it so valuable for startups to start selling into the enterprise?
The rise of cyber threats has created urgency around security compliance like never before. Increasingly, companies are requiring their vendors to meet security standards like SOC 2 and ISO 2700 before even considering their software or services. This forces many startups, especially SaaS startups, to complete SOC 2 certification at an earlier stage of growth in order to sell to enterprise or even mid-sized companies.
The problem is navigating security and privacy compliance is a major headache. Today, getting compliant is a very long, manual process. It’s a process that startups don’t have the luxury of time or resources to learn and perform.
Secureframe provides a true end-to-end security compliance automation solution. Secureframe makes it quick and easy for companies to get rigorous compliance reports and certifications like SOC 2, ISO 27001, HIPAA, and PCI DSS by connecting to your AWS or Google Cloud.
We guide you through the process, and you get expert guidance from our team if need be. The analogy I like to use is that we're building the TurboTax for security compliance.
Can you share some signs of early product-market fit that you have?
When Secureframe first started, I was just exploring the idea and I had all these Excel sheets and guides and recommendations for auditors I would send people. A couple of people started coming to me every month saying, "Hey, which auditor would you recommend?" I started asking them a couple of questions back, saying, "Hey, if I built a product to automate a lot of this, would you use it?" A bunch of these folks were like, “Oh, totally.”
By the time we had launched and had an MVP ready, we already had 30 to 40 people ready to use us. I think it would be naive to call that product-market fit, but it was interesting that people needed it.
When we actually built the product and launched it, we had a lot of great feedback. There was a very clear path to making the product better just based on what our customers were telling us.
What makes compliance so hard? What does that burden of getting certified and re-certified look like in terms of time and money investment?
One of the things that we discovered early on with Secureframe was that people didn't understand what SOC 2 was.
My simple analogy was that all of these frameworks are just giant lists of things you have to do in order to secure your business. SOC 2 is one list. ISO is another list. HIPAA is a list we form from interpreting the laws over time. The same thing with PCI—it's just another giant list.
A lot of these listicle items are things “Hey, for SOC 2, you need a background check. All of your employees need to make sure that in AWS, you have Cloud Trail enabled for audit login, and that all your EC2 instances are encrypted. Your data has to be encrypted at rest and in transit.” There are hundreds of these items and a lot of these frameworks like SOC 2 and ISO are pretty similar. PCI has overlapping requirements, and so does HIPAA.
In some ways, by offering more certifications, we're able to knock out the classic two birds with one stone. This background check requirement applies to SOC 2 and ISO and probably dozens of other frameworks. What Secureframe does is automate as many of these items as we can.
The traditional way of getting some of this stuff done might be “Hey, let's put a calendar event on the office manager's calendar or the HR person's calendar.” They're going to run background checks for all the new employees that have just started this month. Then, when the auditor comes, we will take it from this Google Drive folder to this folder and show it to them. Then you realize you’ve forgotten one.
That's where these things fall apart, especially when you're a large company. At Secureframe, we'll integrate with a vendor like Checkr or Vetty, and we'll say, “We have background checks for all these employees that have started. You're missing one. Let's remind the employee to fill out their background check, and let's get this done, so nothing slips.” It's all automated. There's no HR manager who has to check all this in. Then, when your auditor comes for the audit, they basically take a quick look inside Secureframe. They’ll say, “Great, you have everything. This is perfect.”
Not all these items are super automatable. There is one for SOC 2 that's pretty common, which is that all your employees have to sign a confidentiality agreement. We could build an integration with DocuSign, but there's all sorts of stuff in there. In that case, we guide you to uploading the right pieces of evidence and documents for these employees.
Then you actually have to show up for your audit. One of the things that our customers are really scared about—especially folks who haven't been through a SOC 2 audit or any of these things—is the audit.
They're like, “Oh my God, we have the big, scary auditor coming in. What is going to happen to us?”
It's really not that bad. It's not that scary. We have a lot of ex-auditors on our customer success staff that walk people through this. All an auditor does is review the evidence and the controls that you've created and make sure that you are actually doing the things that you say you're doing, similar to an auditor doing an audit of your financials and bank statements.
Once they go through everything, they create a doc that ends up being your report. They have their own processes on the backend, but as far as what your customer sees, they're just reviewing evidence and then writing a report on it.
Can you talk about Secureframe’s pricing strategy and business model? If usage-based pricing, what is the unit of usage? If SaaS, what is the recurring value folks are getting?
We charge a yearly rate based on the size of the company and per framework. This is on a recurring basis, which makes sense as companies need to recertify every year.
What are the base minimum features that are needed for a SaaS company to start selling into the ‘enterprise’? To what extent does selling into the enterprise require a sales team and to what degree has even enterprise buying behavior shifted towards more off-the-shelf software?
I think the “base minimum features” needed to start selling into the enterprise is actually the same as selling to a startup. The “land and expand” strategy can really work if you target a small team within an enterprise business and then drive adoption across the organization by proving your value. You still need a strong sales team to pitch and help the buyer convince their managers to provide the budget, but the features stay about the same.
Now if you’re talking about closing the entire company and onboarding thousands of people onto your app, then you’re going to need a longer selling cycle and larger sales team and the features required will be different. If we’re talking about Secureframe, enterprise businesses will be very interested in our reports and dashboards to quickly understand their security posture. Our platform also scales to match the needs of an organization with a complex infrastructure. For example we can monitor multiple CSP’s at the same time and scale up to hundreds of instances.
I don’t think enterprise buying behavior has shifted a ton. There might be instances of some types of software moving to move off-the-shelf, but others are moving the other way. Atlassian, which owns Jira, famously built their business on the self-serve mode. But even they have recently moved to a more sophisticated selling motion and they had a large amount of resellers that sold their product to enterprise customers.
Most companies eventually hire a sales team. Even Slack staffed up their enterprise sales team and that drives a majority of their growth today.
If you're a start-up trying to sell into the enterprise, at what point does getting certifications like SOC 2 become important?
In the past, it would typically be around the hundred employee mark where a lot of start-ups and companies would start to invest in getting these certifications so that they could unlock the ability to sell to these enterprise customers.
Now, I would say that's entirely changed. Platforms like Secureframe have made this a lot more accessible, easier to implement, and get these certifications, allowing people to sell to these larger companies much earlier.
What I'll also say that's shifted is it's not just large companies or enterprises requesting this: it's SMBs, other start-ups, and mid-market companies. I would say the average company these days is right around 10 to 20 employees. If you're in fintech, healthcare, or any space where you're dealing with sensitive data and information, it starts to become a day-one cost of doing business.
That was not the case several years ago. Part of the reason why that is, is there's this kind of network effect where if you have SOC 2, then you think all of your sensitive vendors have to have SOC 2 as well.
Compliance is a pure cost for companies and like all costs, companies want to reduce it over time. Do they see price as a criteria for competition? Do their existing customers expect price reduction over the years? How do they prevent a customer from churning to a lower cost competitor?
I would argue that it’s too simplistic to say it’s a pure cost for companies. Getting compliant unlocks revenue as it’s a requirement for many companies to actually do business with you, so you can tie revenue to being compliant.
Second, getting compliant also means you’re following modern security best practices, which actually protects you from costly data breaches. A 2020 study showed every PCI compliance-related breach could have been prevented by following PCI DSS standards.
Lastly, regarding cost, you get what you pay for. Not all automation platforms are the same in terms of how dedicated they are to making the audit process as seamless as possible. And if you use an automation platform without expert guidance, you’re going to really feel the difference when auditors start asking questions you can’t answer. Instead of cost, you should look at value. If you factor in the time saved in audit readiness and low stress of the actual audit, we have the highest return.
How much of this process can be automated and how much has to be manually handled? How does that affect your margins?
You can't 100% automate everything, but we do provide in app guidance where we can’t. We can take a process that traditionally took a lot of companies a year or longer and help them get it done in just a couple of weeks, or even less.
Generally, companies have seen compliance primarily as a cost of doing business. How do you avoid being in a race to the bottom on price in this market?
For one, I’d say that security is one of the most important things you can do for your company. If your company is breached, if someone hacks you, that might be it.
The other thing is that getting these certifications can really be thought of as a revenue generator. By getting your SOC 2 or ISO 27001, you’re essentially unlocking a whole other sector of companies that you can now sell to because you can go through their security review processes, and that's revenue that you can't get without actually getting these certifications. It's ultimately less of a cost center and oftentimes more of a revenue generator.
We're also creating stronger, faster, more streamlined audits. If you can save six months in getting your certification, that's six months you can close deals earlier. That's six months your company is more secure, and that's probably worth way more than what you're paying for Secureframe.
How do you think about Secureframe’s positioning relative to companies like Drata, Osano, Strike Graph, Laika, and Vanta? How does Secureframe differentiate itself in a market where many of the players have an offering that’s similar on the surface?
The key phrase here is that we’re “similar on the surface”. One of the biggest misconceptions companies have is that the process can be entirely automated. Yes, you can automate much of the evidence collection and pre-audit readiness, which our market-leading platform does with the most integrations in the space, but there’s still a large portion of the audit process that our software guides you through.
There’s a lot of companies raising a lot of money in the space and a lot of noise. How do you think about this land grab and winning in the short term versus long-term building a sustainable business?
I cut through the noise by focusing on building the business based on our vision and focusing on our customers. At the end of the day we are building the best product for our customers based on the idea that it should be simple for companies of any size to have the right security and compliance practices without being security experts.
We have been super focused about the products and features we launch, which has helped us win in the short-term, but many of the longer term initiatives we are executing on will position us to become the security compliance platform of choice for every business, from startup to enterprise.
Disclaimers
This transcript is for information purposes only and does not constitute advice of any type or trade recommendation and should not form the basis of any investment decision. Sacra accepts no liability for the transcript or for any errors, omissions or inaccuracies in respect of it. The views of the experts expressed in the transcript are those of the experts and they are not endorsed by, nor do they represent the opinion of Sacra. Sacra reserves all copyright, intellectual property rights in the transcript. Any modification, copying, displaying, distributing, transmitting, publishing, licensing, creating derivative works from, or selling any transcript is strictly prohibited.
