As more and more data gets stored in the cloud, proving that you can protect your customers’ data is not just a nice-to-have – it’s essential.
There are enough stories of data breaches and cyber attacks to chill even the savviest security engineer to the core. Cyber attacks have gone up 125% from the previous year, and with companies shifting to partial or fully remote settings, it shows no sign of slowing down. In today’s data-driven SaaS scene, these can affect hundreds of millions of users and cause damage in the billions of dollars, and as compliance frameworks become requirements to do business, businesses are turning to third-party services that can help expedite and facilitate the process. And that’s where people like Adam Markowitz come in.
Adam is the co-founder and CEO of Drata, a company that helps businesses protect their customer’s data, continuously monitor their security posture, and automatically keep up with SOC 2, ISO 27001, and other compliance programs. Despite not even being two years old, Drata has already closed a $100 million Series B, propelling it to unicorn status and making it one of the fastest companies to achieve a $1 billion valuation. Cyber security and compliance, it turns out, is in demand.
An aerospace engineer turned entrepreneur, Adam learned early the best way to earn trust was proving you deserve it. After working on NASA’s Space Shuttle Main Engine, he went on to develop Portfolium, a social networking platform that allows students and graduates to showcase skills beyond the traditional resume to potential employers. But before universities would do business with them, they needed assurance on their security posture. Suddenly, the team got to know SOC 2 Reports all too well and realized just how burdensome and unscalable it could become, especially for high-growth startups. Portfolium was eventually acquired, but the team behind it never stopped thinking about a better way to do it. Less than a year later, Drata was launched.
In this episode, we sat down with Adam to learn everything about the SOC 2 framework, how to create a culture of security from scratch and how automation is key to turning a headache into a smooth operation.
Here are some of our favorite takeaways from the conversation:
1. It’s becoming the bare minimum
You can’t grow your business if your customers don’t trust you with their sensitive data. And as nice as verbal assurances and a handshake are, as you grow and try to sign with more established, enterprise-level companies, you’ll find yourself more and more having to provide proofs of compliance before closing the deal:
The shift to the cloud, more and more data breaches – it really put a magnifying glass on third-party risk. And that drove a lot of what we’re seeing here, going from this nice-to-have to a need-to-have. If I’m about to do business with your company and your software is going to access my customers’ data, it’s my responsibility to ensure you have the proper controls in place to protect it.
2. Start early
Verizon’s analysis of cyber security incidents found that phishing was behind 90% of successful attacks, which means that 9 times out of 10, they’re highly preventable. Start training your employees on compliance practices and how to spot these malicious emails from day one – the quicker they adopt a security-first mindset, the sooner it becomes part of the culture.
I was having this conversation the other day, and it might not be the best analogy, but there was an entire generation that grew up driving on cars without seat belts. And then, in the 50s, they introduced this new thing, and there was resistance. But today, having grown up myself from day one, I don’t even think about it when I get in the car. The seatbelt goes on and it’s like breathing.
3. Don’t skip on automation
Security affects every function across your company: from onboarding and offboarding to encrypting data and managing endpoints. From Adam’s experience, there are between 100 to 200 controls to keep track of going into a SOC 2 audit, so if you’re not leveraging automation, you could be spending hundreds of hours a year on compliance:
If you’re not using automation, that means teams across your company are being tasked with collecting every piece of evidence continuously, repeatedly, and then storing it for future audits. And then, if they find gaps along the way, because gaps could form any day of the year, they have to remediate. It’s a lot of people living in spreadsheets, shared folders, screenshots.
Caught your interest? We’ve gathered a list of articles, videos, and podcasts you can check out:
- Score Your Company’s SOC 2 Readiness
- SOC 2 compliance: A Beginner’s Guide
- Evernote’s CTO on Your Biggest Security Worries From 3 to 300 Employees
- The LinkedIn Incident
This is Scale, Intercom’s podcast series on driving business growth through customer relationships. If you enjoy the conversation and don’t want to miss future episodes, just hit follow on iTunes, Spotify, or grab the RSS feed in your player of choice. You can also read the full transcript of the interview, which has been lightly edited for clarity, below.
Security on auto-pilot
Liam Geraghty: Adam, thank you so much for joining us. You’re very welcome to the show.
Adam Markowitz: Thanks for having me.
Liam: First off, congratulations are in order. Drata recently raised $100 million in venture capital funding, which I believe makes it San Diego’s latest startup unicorn with an evaluation of $1 billion. How does that feel?
Adam: Thank you, it feels a bit surreal still, mainly due to just how quickly the company has gone from seed to series, all in under a 12-month span. But it feels great and super rewarding to hit the milestone and do it here in San Diego. Our prior company was founded here in San Diego almost 10 years ago, and it was a very different tech ecosystem back then. So to see it evolve and to have been a part of it this whole time is super rewarding. And also, Drata itself was born right in the middle of the pandemic. We felt fortunate to even be in a position to start the company when we did, and that appreciation has just fueled this really unprecedented year.
“No ramp period, no get to know each other period – it was just go, go, go”
Liam: What was that like?
Adam: It was, again, just being in a position where we felt comfortable to do it. That wasn’t lost on us with what was going on in the world. On day one, there were quite a few of us all coming off from that company. We had all worked together for so long that it was a kind of a nice, unfair advantage. No ramp period, no get to know each other period – it was just go, go, go.
Liam: What does Drata do?
Adam: Drata helps companies put security and compliance on autopilot, as we call it, by automating the monitoring and evidence collection of their security controls. Streamlining audits like SOC 2, ISO 27001, HIPAA, and others. It allows companies to prove their real-time security posture just about any day of the year, so it accelerates their sales cycles and security reviews. Of course, it also makes audits go faster and cost less. And then, it allows companies to be more enterprise-ready.
Liam: The whole area is a new space. What’s it like to be navigating it at the minute?
Adam: The space itself is new, but it’s one that’s been hypothesized for some time. The promise of continuous compliance has been floating around for years. And so, delivering on that promise is super exciting. And, of course, challenging – as it should be. I personally love to be early and use the opportunity to set the bar really high in the market. And just continuing to push it higher with the team.
From rocket science to compliance
Liam: You didn’t start out in security, though. Am I right in saying you’re a former rocket scientist?
Adam: Yeah, it’s funny. The curse of being called a rocket scientist is that the bar is immediately raised for anything and everything you do in life. The car won’t start immediately, fix it – “it’s not rocket science or anything.”
Liam: What was that like? How did you make the transition to compliance tech?
Adam: I started my career as an engineer on the Space Shuttle Program, specifically in the MCC team, the Main Combustion Chamber team. The last shuttle launch was over a decade ago, so some folks out there might not remember seeing a shuttle launch, but if you do, you see the rocket on the pad, you’ve got the two rocket boosters, and then there’s this giant orange tank. That’s the fuel tank feeding these three main engines, and that’s what I worked on coming out of undergrad. The best way to describe how a rocket engine works is just a controlled explosion. So it’s an engineering dream/nightmare, depending on how you look at it.
“It’s how I landed that job working on the Space Shuttle Program – I brought a portfolio into my job interviews to help me stand out and prove my skills beyond just GPA”
Liam: What does it feel like when you’re actually watching the launch? Are you tense? Are you kind of excited?
Adam: A tense excitement, that’s a good way to put it. Everybody loved what we were doing. I wanted to be an astronaut since I was a little kid and to have a real live astronaut walking through the office, thanking the engineers for helping them get home safe, especially as your first job coming out of undergrad, is absolutely incredible.
Liam: I kind of interrupted you there, but you were telling me how you kind of made this transition.
“To help students earn the trust of employers, we had to first prove our security posture to universities”
Adam: The experience came to an end in 2011 when the shuttle program was retired, and I made the jump from aerospace to entrepreneurship. I took the plunge, as they say. I learned to code and built an MVP that I was calling a Portfolium, which was a LinkedIn-like ePortfolio network for students, and the idea came. It’s how I actually landed that job working on the Space Shuttle Program – I brought a portfolio into my job interviews to help me stand out and prove my skills beyond just GPA. And so, I wanted to do that for students everywhere and help them land their dream jobs based on just their proven skills. I’m a big believer in earning trust by first proving you deserve it. In this case, it was evidence of skills in these ePortfolios, which were rich with data that we could use to match students with employers in a more meaningful way.
We grew the company and the network of millions of students, and we did it by selling a learning assessment module into college universities. And that’s when we quickly learned the importance of proving our security posture. Because before the university would sign with us and provide sensitive student information, they needed assurance of our security posture. The gold standard for proving that was, and still is, a SOC 2 Report. So, you kind of see this theme here, earning trust with proof. So, to help students earn the trust of employers, we had to first prove our security posture to universities, and the evidence was the SOC 2 Report. Portfolium was acquired in February of 2019, and our team came back together last year in 2020 to build Drata, to help companies stand up and maintain and prove their security compliance posture with an automation-first approach.
SOC 2 101
Liam: So, let’s get into SOC 2 compliance, which I know is a bit like saying “let’s talk about taxes”, or “let’s talk about invoicing”. But it’s so important. Can you give us an introduction to what SOC 2 compliance really is?
Adam: Sure, happy to! So, SOC 2 is a framework. It’s created and maintained by the AICPA, which is the American Institute of Certified Public Accountants. So, auditors from CPA firms actually conduct SOC 2 audits, and the result of any SOC 2 audit is a SOC 2 Report. SOC 2 is not a pass-fail certification, which is really important and a common misconception. That SOC 2 Report, it’s an attestation, and it’s a trusted one because it’s coming from this certified, independent third-party auditor. And basically, it’s testing the design and operating effectiveness of your company’s security controls when it comes to protecting your customers’ data. In other words, the SOC 2 Report is a report detailing how well your company protects its customers’ data. If you sell software today, there’s a 99.9% chance you’re storing or processing data in the Cloud. And because of that, it’s just a matter of time before you’re asked to provide a SOC 2 Report to your customers, or to your prospective customers as part of their security review process.
“If I’m about to do business with your company and your software is going to access my customers’ data, it’s my responsibility to ensure you have the proper controls in place to protect it”
Liam: And is it the standard for B2B companies?
Adam: In many ways, yes. Especially here in the US, partly because SOC 2 applies to any company that stores or processes data in the Cloud, and that’s every company these days, absolutely all SaaS companies. So, in a lot of ways, it’s become the gold standard now. Even more so like the minimum bar to prove your security posture. We witnessed this firsthand at Portfolium selling to universities; over a very short period, those requests for our SOC 2 Report quickly turned into demands for our SOC 2 Report. And then, it was just baked into every RFP we came across. The shift to the Cloud, more and more data breaches – it really put a magnifying glass on third-party risk. And that drove a lot of what we’re seeing here, going from this nice-to-have to a need-to-have.
Liam: Why is it so important for B2B companies to be SOC 2 compliant as they scale? And does it affect them attracting and retaining bigger customers?
“If you’re not leveraging automation, typically, companies spend hundreds of hours a year on compliance”
Adam: Yeah, definitely. If I’m about to do business with your company and your software is going to access my customers’ data, it’s my responsibility to ensure you have the proper controls in place to protect it. If you give me your word, that’s great, but the independent audit reporter is really going to carry the weight needed to assure me you have an adequate security program. My auditors are going to want to make sure I got that assurance before providing you any data. Otherwise, I’m not following my own control.
Liam: I’ve read a lot about difficulties in startups becoming SOC 2 Compliant. Why was that, and has that changed?
Adam: Yeah, absolutely. We experienced this firsthand. If you’re not leveraging automation, typically, companies spend hundreds of hours a year on compliance. To help kind of explain why, the framework itself is made up of five different trust service principles: security, availability, confidentiality, privacy, and processing integrity. Security is, by far, the largest of the five and technically the only one required for an audit and report. But each of the five has its own criteria that your company needs to meet or satisfy by designing and then implementing controls across the company. A lot of times, when I say that, people ask what I mean by control. You can think of control as a policy, a process, a tool you put in place to help prevent a bad thing from happening or ensure a good thing is happening. That’s how I always define it. And it spans every function across your company: how you onboard, train, and off-board employees, how you manage endpoints and encrypt backup data, how you provision access and authenticate into apps, review code… I can go on and on.
“That means teams across your company are being tasked with collecting every piece of evidence continuously, repeatedly, and then storing it for future audits”
Companies have between 100 and 200 controls in place going into a SOC 2 audit. And then, the audit itself can take a long time because you have to basically prove to the auditor that these controls are there, and most importantly, they remain in place over an audit period. It’s not something you could just kind of cram for every 11th month, if you’re on the 12-month period. If you’re not using automation, that means teams across your company are being tasked with collecting every piece of evidence continuously, repeatedly, and then storing it for future audits. And then, if they find gaps along the way, because gaps could form any day of the year, they have to remediate. And yeah, just a lot of people living in spreadsheets, shared folders, screenshots. It’s clearly very ripe for disruption, and that came in the form of automation. That’s really what’s changed. Drata brings this automation-first solution to save companies hundreds of hours a year and then provides them with these real-time readiness dashboards, so you get audit-ready quickly and stay audit-ready every day of the year.
Liam: That’s so important because, like you kind of mentioned earlier, it’s such an important part of the trust between a company and its customers.
Adam: Exactly. And that’s the theme across the last company as well. You could take someone’s word for it, you could read a bullet point on their resume, but we want it to help people prove their skills. And similarly, here, we want folks to be able to prove with evidence, not just during audits, but any day of the year, how their controls are operating. That could be an internal report for their own team, for their board, for their own sanity, but then externally, as well. That’s where we see the path going.
Do it early, do it often
Liam: How can companies go about creating a culture of cyber security in their organization? Because as we all know, security is no longer just a nice-to-have.
Adam: I think empowering individual employees is key. If employees understand how important they are in protecting their company, it’s something they could take pride in, rather than just feeling like a check-the-box thing. Because nothing could be more true. Phishing attacks are still the most common causes of data breaches in 2021. It’s something like 90% – I had to re-read it just to make sure it wasn’t a typo. Training your employees on how to spot these malicious emails and then testing them throughout the year is one example of how you can empower employees to take ownership of their security. And the company’s going to have a stronger security posture because of it. So I think that’s key.
“The earlier controls are put in place at your company, the sooner it becomes part of the foundation”
I think maybe most important is doing it early. If you bake it in from day one or as close to day one as possible, it just becomes second nature. It’s not something new and different later on when there’s just a lot more inertia or resistance to change. I was having this conversation the other day, and it might not be the best analogy, but there was an entire generation that grew up driving in cars without seat belts. And then in the 50s, they introduced this new thing, and there was resistance. But today, having grown up myself from day one, I don’t even think about it when I get in the car. The seatbelt goes on and it’s like breathing. I just don’t think about it. So the earlier controls are put in place at your company, the sooner it becomes part of the foundation.
Liam: What do people need to know if your business is asked for a SOC 2 Report?
Adam: I guess the first thing is to know that’s a good thing. Whoever’s asking is seriously considering doing business with your company and now needs to make sure you’re doing the right things to protect their data. Secondly, if this is the first time you’re being asked for a SOC 2 Report, it won’t be the last, nor should it. If you don’t have a SOC 2 Report, it is definitely time to get started. And again, the sooner you do it, the faster it will be, the cheaper it will be, and the easier it will be to maintain going forward. All of that, of course, to say leverage automation to do it.
Liam: And SOC 2 is not a certification. Am I right?
Adam: Right. It’s an attestation.
Liam: And there are two different types: Type 1 and 2. What’s the difference?
Adam: To make it extra confusing, there is something like SOC 1 and then SOC 2. I think you’re asking about SOC 2 Type 1 versus SOC 2 Type 2, which is a great question and one that prospects ask us all the time. They’re both the same in terms of the framework itself. The difference is that the SOC 2 Type 1 audit and report are looking at the design of your controls at a very specific point in time. Like, are you compliant today? A SOC 2 Type 2 is looking at the design of your controls, but it’s also looking at the operating effectiveness of those controls over some time, usually 12 months.
Just based on that, you could imagine the SOC 2 Type 2 is definitely a higher bar. It takes longer; it’s usually more expensive; it’s just done over a period of time. You could do a Type 1 on your way to a Type 2. We see customers doing this when they need a report as soon as possible, and Type 1 is definitely better than having no report at all. And you’re not losing any time or work because, again, they’re the same framework. You’re basically getting all of your controls implemented doing the Type 1 audit, and at the same time, starting your four to 12 month period for the Type 2. In fact, some of the audit firms we partner with even bundle their pricing for a Type 1 and Type 2, and that makes it more cost-effective in that specific scenario. But again, you can just go straight for the Type 2, since that’s the gold standard.
“It’s great training, and they do these simulated phishing attacks. So we purposely phish our own employees at random”
Liam: According to Statista, the monetary damage caused by reported cyber crime was $4.2 billion in 2020, four times as much as in 2015.
Adam: It’s crazy.
Liam: Yeah, it’s crazy. So what are the blind spots that are rampant in corporate security systems?
Adam: It’s a good question. There’s more data in the Cloud to expose today than ever. I think what might surprise folks is that so much of it is still the same old tricks, such as phishing attacks. As I said, phishing attacks are still 90% of data breaches in 2021. Most secure awareness training providers out there have modules and courses on how to spot phishing emails, what to do, and what not to do when you get them. And it’s a common control that any company going through SOC 2 would need to have in place, security awareness training. We use a great tool – Drata integrates with it – called Curricula. It’s one example. But it’s great training, and they do these simulated phishing attacks. So we purposely phish our own employees at random.
“All it takes is one email, one employee”
Liam: I bet they love that.
Adam: I’m not even aware if it’s real or not, which is part of the exercise. But it’s a way to continuously flex that muscle internally at the company because like all things, it’s never one and done. You never just snap your fingers and you’re secure. You have to practice. And so, if someone were to click on one of these links and fake emails, it immediately tells them, “Hey, you’ve just been phished, come on, remember your training”, but it’s still valuable at that moment, right?
I’ve been surprised. We had one not too long ago. It looked like an email coming from Carta. And it basically said, “Congrats on your latest stock option grant. It has just been approved by the board, sign here.” And yeah, it just taps right into that instant gratification center of the brain. You’d be surprised how many people will click that link without really checking to make sure it’s legitimate. That’s how, again, 90% of these breaches are happening. All it takes is one email, one employee. That goes back to the original point about baking it into your foundation and culture. That’s how important it is for everyone at the company to take ownership of security. It’s not any one person’s job, it’s everyone’s job.
Scaling security as a startup
Liam: I know we have a lot of listeners from startups, and I was going to ask you what advice you would give to startups in particular about becoming SOC 2 Compliant. Who should manage the SOC 2 process at smaller startups?
Adam: It’s a good question. And one that I think holds a special place in our hearts because, one, we’re still a startup ourselves, but this Drata came out of our own personal need as a startup selling into universities, in our case. So we talked to a lot of startups. The advice we give is, of course, don’t wait. Like I said earlier, start soon. The earlier you do it, the faster, cheaper, and easier to maintain. Definitely leverage automation. You will save hundreds of engineering hours, which, especially as a startup, you should spend on products and other priorities.
“As your company grows, more employees, more assets, more to track”
And I guess the other one would be to think long-term. It’s very easy to get caught in the trap of, “Okay, I got to check this box, or this big deal isn’t going to close, and this big deal is game-changing, existential for our startup.” There’s a way to do it quickly, but one that’s going to set you up for the long term. This isn’t a pass-fail thing. Remember that. So yeah, it’s a report that you get at the end of the audit, and you want it to be a clean, good report. When you hand someone that report, you want it to put you in a good light. A lot of that could just get lost, especially as a startup, in the noise and pressure to get compliant or close this deal.
Liam: And what do scaling companies need to know? I suppose there can be quite different challenges.
Adam: So, if you already have a SOC 2 Report and you’re using spreadsheets or living in spreadsheets and screenshots, you’re already feeling the pain of how unscalable that is. As your company grows, more employees, more assets, more to track. Automation actually becomes more valuable over time as you have more assets within the scope of your audit. And so, there’s even more reason to leverage automation and put continuous monitoring in place so that you’re not retroactively and manually collecting evidence. You know in real-time where gaps are forming as employees come and go, or you spin up or spin down assets automatically. So yeah, it’s a different, but very similar use case.
“This is what’s unique, to continuously monitor controls and then identify and alert when gaps form in real-time”
Liam: I’d love to hear how Drata helps to simplify and automate the SOC 2 process for people.
Adam: Yeah, absolutely. So, we built it as an end-to-end solution. It can take companies from scratch, all the way through audit-ready, the audit itself, and then just continuous maintenance going forward with automation. Drata connects to its customer’s tech stack. This is what’s unique, to continuously monitor controls and then identify and alert when gaps form in real-time. And it’s going to automatically collect evidence of all of these controls that are then pre-mapped across frameworks like SOC 2, ISO 27001, HIPAA, and more. So if you’re starting from scratch, you could leverage the common control framework within Drata, as well as security policy templates to get your foundation set up very quickly. We’ve had companies under 50 employees literally going from scratch to audit-ready in just a matter of weeks. That’s the power of automation.
Then, Drata also partners with audit firms trained to conduct the audit using Drata in a very streamlined way. That saves everyone time, and it results in lower-priced audits. It’s been an especially rewarding journey. It’s something coming from our own personal needs. And then our team, especially our Customer Success team, who works with every one of our customers. We have former auditors, security professionals, on-staff to help guide our customers through the journey. It’s not just all software, obviously, automation is key.
The future of data security
Liam: Just before we wrap up, what is the future of data security? Is it always going to be an uphill struggle?
“I think companies are going to be more transparent about sharing, not just these SOC 2 Reports, but literally in-between reports in real-time”
Adam: I’m going to get my crystal ball out. With more and more data in the Cloud, data security is only ever going to become more important with time. I think you’re going to see companies do it earlier, like we’re seeing already, being asked for compliance and attestation certifications more often. And it’s just going to be baked right into the company culture from day one. Plenty of professions and industries out there where extra security training is required and no one bats an eye because it’s just understood. There are very real risks here. And same can be said for any software company holding data in the Cloud.
I think we’re going to see more continuous monitoring, just an inside-out real-time view, and I think companies are going to be more transparent about sharing, not just these SOC 2 Reports, but literally in-between reports in real-time. The same way we boast about our uptime status – here’s our security posture status. And then, of course, I don’t think I’d be a co-founder and CEO at Drata if I didn’t think automation was going to be the standard method for companies maintaining that security compliance posture. So we’ll see.
Liam: It’s obviously a really exciting time for all of you. What’s next? Do you have any big plans or projects on the way?
Adam: Yeah, it’s amazing how fast the year went by. We launched officially on January 15th, so we’ve reached that unicorn status very quickly. But we’re still very much a startup getting started. Our team’s going to be tripling in size in 2022. So we’re hiring across the board, all departments. If folks out there listening are interested in automation and security, our core values are on our website. And if they resonate with you, we’d love for you to take a look at our careers page, and we’d love to connect with you
Liam: Brilliant. New year, new job. This series is all about hearing how companies scale their growth. Before we finish up, I’d love to know, was there a key event in your career that helped you scale professionally?
“It’s a different kind of rocket, right? Both are very intense”
Adam: We learn so much every day, and we’re just all about continuous iteration and improvement. So, early advice, it was just surrounding myself with mentors, advisors, folks who have been there that we could learn from, and being open to that. After the Space Shuttle Program ended and I was learning to code and building the first version of Portfolium, I was working in an accelerator program here in San Diego called EvoNexus. And that really kicked things into overdrive. It put those people around me immediately, and I got to learn from them. It just really helped put pieces in place to prepare for everything ahead. I don’t think anything could ever prepare you, but it definitely helps.
Liam: What is more tense and exciting? Rocket scientist or running a company?
Adam: It’s a different kind of rocket, right? Both are very intense.
Liam: And lastly, where can our listeners go to keep up with you and your work?
Adam: Yeah, please check out our site drata.com. Feel free to schedule a live demo with our team and see the product in action. We’d love to show it. On LinkedIn, it’s easy to find and follow; just search Drata. And then, on Twitter, at @DrataHQ.
Liam: Perfect. And thank you so much for joining us today.
Adam: Thank you so much for having me.