Meeting compliance standards like HIPAA and SOC 2 can be a critical — and often mandatory — part of the matrix of boxes that need to be ticked when securing an organization, but it’s also one of the more thorny to see through, since it involves not only assessing systems as they currently appear, but also making sure that they continue to adhere to standards as they grow and shrink and work with other parties.
A startup called Secureframe believes that it has come on a solution with a system to automate this process for organizations, and today, it’s announcing $56 million in funding to fuel its growth.
Accomplice — the Boston VC — led the round, with participation from a mix of financial and strategic investors. They include Kleiner Perkins, Optum Ventures (United Health), Kaiser Permanente, Alphabet’s Gradient Ventures, Soma Capital, Gaingels and Flexport; as well as a number of individual investors such as Jon Oberheide (Duo Security CTO), Ash Devata (VP/GM for Zero Trust and Duo at Cisco) and Leore Avidar (Alt CEO). Michael Viscuso, who is a partner at Accomplice and in a previous life was the founder of another cybersecurity company, Carbon Black, is joining the board with this round. Secureframe is not disclosing valuation, but says annual recurring revenues have grown tenfold in 2021 (but also does not disclose what that number is). Customers also grew 7x in that period, with the list including companies like Stream, Dooly, Lob, Instabase, Slab and Doodle.
Secureframe currently covers some of the most well-used and well-known security and privacy compliance standards — HIPAA for health data, SOC 2 and ISO 27001 for information security, and PCI DSS for financial information. Shrav Mehta, Secureframe’s founder and CEO, said that the plan will be to use the funding in part to continue expanding that list to a much wider set of standards, including those specific to certain regions and use cases. It integrates with around 100 commonly-used tools in the enterprise to scan for compliance-related issues, and says that processes that might take as long as six to eight weeks can be compressed to days or even shorter with its tools.
Compliance with security standards has — unsurprisingly, given the growth of security breaches globally — become a more pressing issue within organizations, but as Mehta describes it, the imperative has also spread into how organizations interface with the wider world: third parties now also require their would-be partners to meet security compliance as part of their own diligence before engaging in any business activity. (Indeed, just earlier today I wrote about another cybersecurity company, BlueVoyant, whose customers in part rely on it to continuously audit, identify and potentially repair potential breach scenarios in their supply chains, another sign of how organizations’ security strategy has spilled out beyond their own firewalls.)
“The reality is that no one wants to end up as the focus of the next big data breach or big leak of business data,” he said. “Everyone expects companies now to go through security reviews. That is the main thing that is driving security standards compliance.”
But saying your organization needs this, and actually following through on that, are two different stories.
“Security compliance is not just about internal processes but also risk management,” he said in an interview. “It’s become a boardroom issue. But getting security compliance is harder than it looks. A lot don’t complete certifications, or don’t update and stay compliant.”
The implication is that overall, this is creating more of a market for companies like Secureframe to come in and provide tools to meet that need.
Mehta said that he first came across the challenges of this while working across different organizations in previous roles, where he found himself working not just with companies but their partners to help put together checklists to make the process of meeting security compliance standards easier. He calls this effectively the “first version” of Secureframe.
Eventually, he started a company to productize this process, and over time he and the team have incorporated an increasing amount of automation into the mix, although it still focuses on providing human teams to help implement processes and troubleshoot, and it still produces best-practice lists and provides training for customers, just as Mehta would have done before starting Secureframe.
The opportunity here is not just addressing localized and international standards for data protection, security and privacy, but also the fact that these are likely to become even more ubiquitous, and codified around specific use cases over time, to meet the sheer reality of how everything we do now is typically carried out on digital platforms.
“I do think we will see more security and privacy regulations,” Mehta said.
This in turn, becomes a big business opportunity, if not also a very competitive area. Companies today also helping organizations with their security standards compliance include Vanta, Drata and SolarWinds, as well as anecdotes, which today also announced funding (not to mention companies like BlueVoyant that are netting in solutions and also addressing how the wider ecosystem is managing its security).
“Secureframe is onto something big,” said Viscuso in a statement. “They have the vision, the talent, and the technology to drive major transformation in continuous compliance certification. What’s most exciting to me is they’ve already become the go-to solution for startups and high-growth companies who want to automate their entire compliance portfolio. It’s clear why Accomplice is leading Secureframe’s Series B, and I’m thrilled to serve on the board of directors to help play a role in the company’s continued growth.”