Secureframe Automates Security Compliance – Techstrong TV

Shrav Mehta, CEO and Founder of Secureframe, talks about Secureframe’s platform for security compliance automation. They automate the compliance process for certifications like SOC 2, ISO 27001, HIPAA, and PCI DSS. The video is below, followed by a transcript of the conversation.

Alan Shimel: Hey, everyone. Welcome to another Techstrong TV episode. I’ve got a new company and a new person to introduce you to in this episode. Let me introduce you to Shrav Mehta. Hey, Shrav, welcome to Techstrong TV, man.

Shrav Mehta: Hey, Alan. Thanks for having me.

Shimel: Pleasure. So, Shrav, y’know what? I’m gonna let you kinda introduce you and your company yourself a little bit. Why don’t we start a little bit with your background, and then we’ll get to the company?

Mehta: Yeah, yeah. So, y’know, I started out building Android apps when I was around 12 years old. I grew that business significantly, but I had the day-to-days of, y’know, going to middle school and high school, so I wasn’t [laughter] really able to spend a lot of time on that business. And eventually I decided, “Hey, I wanna work with like the best start-up founders I can.” I was fascinated with the rise of developer tools and security, which led me to working with some of the best founders in Silicon Valley. 

  And really, while I was at these companies, security compliance was a big, painful problem that we dealt with at each one of these. And at one start-up I had worked at, we’d spent over $100,000.00 on lawyers and security consultants to help us, and we really ended up nowhere, after a long time. So it got me really, really interested in the space. Yeah.

Shimel: Excellent. And then, tell us about your company.

Mehta: Yeah, so a little bit about Secureframe. We make it super easy for companies to streamline their security compliance and get certifications like SOC 2, ISO 27001, HIPAA, PCI, and a long tail of other certifications that pretty much every business these days needs. 

Shimel: Sure. Sure. And so you’re a co-founder, yeah? Everyone out here wants to be an entrepreneur, or believes they could start a company. So you had this background, starting when you were 12, right? You finish school, you work in some Silicon Valley companies. How did you and your co-founders decide, “Hey, man, we’re gonna start a company”? What made you wanna start the, I mean, as you said, compliance, you recognized, was a bear for many companies, right? But like how did you go about it and put this company together?

Mehta: Yeah, I think for me, it’s really about getting to work with like my best friends at work like every day on something really meaningful, and making like significant progress and impact on the industry and, hopefully, the world. So I knew that I really wanted to start a company of my own, and I was just waiting for the right thing to come to me. And I had explored a bunch of different ideas, but nothing I was super passionate or excited about, until I landed on Secureframe. 

  So I had worked with a lot of really amazing founders, and I think some of the biggest things I’ve learned is, you have to just have a lot of passion, a lot of commitment. You can never give up on what you’re working on. So if you’re not super excited about what you’re working on, it’s gonna be really hard to go down a seven-to-ten-year journey. And pretty much every entrepreneur, every founder, every CEO I’ve worked for or worked with, just has an amazing amount of grit, a lot of passion for what they’re working on. 

  And they are folks that will never give up, and I think that is one of the most important attributes of any founder. I think you just have to be incredibly passionate about what you’re working on. And for me, I was just fascinated with developer tools and security, and this just seemed like the perfect kind of thing for me to spend a decade on, and I got really excited. And when I started talking to some of my friends about it, they were like, “Hey, this sounds really interesting. I’ve dealt with some of these pain points.” 

  And once we started kind of working on an MVP, talking to some customers that we’d just kind of advised and helped for free while we were working our other full-time jobs, we realized that, “Hey, we’re kind of onto something.” There is a whole new world of security and compliance that is out of date, that needs to be brought into the future. Especially with the increase in cyberattacks and increase in data breaches, it just became a top issue for a lot of companies.

Shimel: Yep, absolutely. And, y’know, we’ve been running through stuff, but I wanna make sure we make clear to the audience the name of the company and the website.

Mehta: It’s just Secureframe, and you can go to secureframe.com or you can go to soc2.com, and you’ll find us.

Shimel: Yep. SOC 2, S-O-C 2, number 2, or secureframe.com, great. So it’s funny, actually. I recorded yesterday, and we have this video show we do called DevOps Unbound. And the topic of yesterday’s show was devops and compliance. Does devops help compliance, reality or myth? Because part of the promise of devops is that we could somehow automate compliance into the software development life cycle. 

  That we could somehow make non-security folks, developers and devops engineers, care enough to make sure that we’re documenting, for compliance’s sake, our CI/CD processes and what’s in there, and building compliance in without slowing down the development process. So I’m wondering, is that kinda what you guys are doing at Secureframe? Or is it still on the right side of the ledger, if you will, looking at post-deployment compliance?

Mehta: Mm-hmm. Yeah, so great question. The way I’ll put it is that compliance has a lot of different elements to it. And the way I typically explain it to people is like SOC 2, ISO 27001, HIPAA, PCI, all of these kind of frameworks are just giant lists of things that you have to do in order to secure your business, and not necessarily all of them are technical. For a lot of these certifications or frameworks for security standards – HIPAA’s like a law, technically; SOC 2 is like a framework that AICPA created, just to be extra clear here. 

  But all these frameworks are really just giant lists of things that you have to do, and some of these items can be more nontechnical, like making sure that all your employees go through background checks; that you have proper employee onboarding and offboarding processes. But there is a technical component to pretty much all these security standards. So for SOC 2, you have to often go into your cloud infrastructure, like in AWS, and make sure that everything’s encrypted in transit and at rest. 

  You wanna make sure that you have CloudTrail enabled through audit logging in AWS. And these items are a lot more technical, and in the past what you’d do is you might have like a giant checklist you’d have to kind of interpret the rules and the guidelines that the AICPA sets, and look at the controls that you guys might have set at the company. And then you’d go through it kind of like a checklist, and you’d say, “Hey, is every server that we have encrypted? Are all our S3 buckets encrypted? Is this EBS volume encrypted?” 

  And there’s just so many resources in the average AWS account. There’s over 20 regions; I think there’s over 200 products, and new ones being launched all the time. So you can imagine that this is just a really slow process, and it’s very error-prone to have a human go through all this, especially if you have like a very large company, a very large AWS account – it’s just not very feasible. So you end up doing these checks like once a quarter, and that’s just not very safe or secure. 

  When you’re not doing those checks is when you’re most vulnerable. So with Secureframe, for example, the way we solve this is, we integrate into your AWS environment. We have a simple CloudFormation template or Terraform template that you could set up. We take read-only access, using like AWS’s security audit permissions profile, and we take a look at all your resources. And we scan them daily, or you can change the frequency to whatever you want, and we’re gonna tell you –

  “Hey, these new resources you added in aren’t compliant. They aren’t encrypted,” or, “Hey, you didn’t enable CloudTrail or GuardDuty,” or whatever the right settings or configurations are for your business, and we will help make sure that you continuously stay on top of any changes in your environment. So that’s kind of how Secureframe helps automate these processes, versus the old ways of really kind of manually checking all this stuff. 

  And when you hear this, you’re like, “Oh, my god, why didn’t we always do this? This seems so obvious.” But it’s really that the APIs to automate a lot of these processes just weren’t available till very recently. 

Shimel: We brought that up in the discussion yesterday, which is, y’know, you can’t make wine before its time, right? These APIs, a lot of what the automation kinda hooks, if you will – they weren’t there. 

Mehta: Yeah.

Shimel: So you can’t blame people for not – Y’know, it just wasn’t there. So –

Mehta: Yeah.

Shimel: – now we have the opportunity, certainly, to do this.

Mehta: Yeah.

Shimel: Without diving too deep into the technology right now, you guys also recently announced, though, some fundraising and go-to-market stuff. Why don’t you share with our audience a little bit, Shrav?

Mehta: Yeah, so we raised $56 million from Accomplice Ventures, and Mike Viscuso, who’s a partner at Accomplice and the former CEO of Carbon Black, is joining our board of directors. And we had a lot of our other investors – like Kleiner Perkins, Optum Ventures, Kaiser, Gradient, Soma Capital, and tons of other investors who’ve been supporting us for a long time – participate in this round. And we’re really excited about it. Over the last year, just some quick highlights. We’ve increased our ARR by 10x in 2021. 

Shimel: Wow.

Mehta: We’ve increased our customer base by 7x. We’ve grown our team to over 80 people, and we’re planning on doubling in 2022. And we’ve brought on a lot of amazing customers, like InstaFace, Doodle, TopHuddle, Slab, Coda, Lobb, AngelList, Ramp, and so many others.

Shimel: Wow.

Mehta: And we’re incredibly excited by the progress we made in the last year, and all the things that are coming in 2022.

Shimel: Absolutely. And I have a long history with compliance. I’ve been in security for 20-plus years. I think people get confused. It’s not like there’s a single law of the land, right? As you said, there’s SOC, there’s ISO, there’s HIPAA, there’s PCI, there’s GDPR – there’s all different ones. And for many folks, in their line of business, they have to deal with more than one. One of the things when I was consulting, or when I was in that business, was to say, “Look. There’s only one truth. 

  “There’s only one sort of best practices. If you follow basic hygiene in cyber, right, in security – basic best practices, documenting stuff, doing the right thing – generally speaking, I don’t care how many guidelines, frameworks, security, compliance regulations you fall under, doing the right thing here will often check the boxes in all of them, or nearly all of them. Right? There might be, as you mentioned, non-technical things that are specific to an individual regulation. But the bulk of it, I mean, they’re all based on best practices.

Mehta: Mm-hmm. 

Shimel: So doing that, I mean, really helps you get to, y’know – it makes it a lot less confusing, and a lot less sorta – ‘Cause I think some people look at it and say, “Oh, my god, look at all this stuff.” Right? “How’m I gonna do it all?” And I think that helps a lot.

Mehta: Mm-hmm.

Shimel: So we’ll see. So, Shrav, now you’ve raised the money. Eighty people and growing, 10x revenue. What do you think is on the horizon for 2022 here? What’s the big story for you guys over the next year?

Mehta: Yeah, yeah. We have a whole lot of different things in the works. I think you’re gonna see a lot of major changes to our platform over the next year. We’ve talked to a lot of our customers, got a lot of feedback on some of the problems that they’re having, some of the things that they need help with as they grow and scale their organizations. One of the big things is, when we started Secureframe, we just launched with SOC 2 and ISO 27001. Y’know, ISO 27001 is more or less like the SOC 2 equivalent internationally.

Shimel: Right.

Mehta: So if you’re talking to companies in Europe or Asia, that’s typically where you’re gonna get asked about that a lot more. And one of the big things that companies came to us with is, “Hey, SOC 2 is already like a lot of stuff to do.” And then when they actually got to using Secureframe, they’re like, “Wow. This is way easier. We’re automating so much more that we couldn’t in the past. And it’s just made everything a lot more accessible. It’s kind of made everything a lot more secure.” 

  And so customers started to say, “Hey, with kind of the rise of remote work, we’re selling to a lot of companies internationally, so we started patching SOC 2 and ISO 27001 together in a lot more deals.” And the way our platform works, and you kind of alluded to this a little bit earlier, is that a lot of these controls between different frameworks are shared. A lot of different frameworks have controls for background checks, or making sure everything’s encrypted at rest and in transit. 

  And so when you kind of complete one of these controls, and we automate it in Secureframe, you’re kind of knocking out two birds, or multiple birds, with one stone. So you’re not actually doing the same thing over and over again, uploading the same evidence, managing the same processes. You do it once for kind of everything, every framework that has like a relevant security control, which makes it a lot easier to comply with more and more frameworks. 

  So one of the big focuses for Secureframe over the next year is expanding to support larger companies, more traditional GRC automation workflows, and helping companies cater to the infosec programs that they already have set up. Before 2014, 2015, I would argue that SOC 2 was not really the de facto standard by any means. Y’know, it was definitely around; people were talking about it.

Shimel: Right.

Mehta: You sell to a Fortune 100, you’re gonna have to get that SOC 2. But for the most part, people had their own custom infosec programs that more or less reflected a lot of what these frameworks have today. Kinda like you’re saying, they have all the best practices, and they took them, formed the frameworks. And now we’re working with companies to support their custom infosec programs that often go above and beyond just the requirements of compliance. 

  I have kind of a saying: you can never be less secure. There’s always more and more things that you could do, especially with the rise in cyberattacks and threats. So there’s always gonna be tons for Secureframe to build with our customers. And we’ve just gotten so much feedback on different problems our customers are having, so you’ll see a lot of new products in that regard.

Shimel: I like that. Again, as an old security guy, one of the things about compliance that I always worry about is a false sense of security. That people say, “Oh, I’m SOC 2 compliant. I’m good.” Well, no, you’re not good; you’re compliant. But it doesn’t mean you’re impenetrable or you’re über-secured or anything like that. I always used to like to say compliance is the beginning, not the end of security, right? It represents sort of that minimum bar, but there’s much more to do. 

  So hearing that Secureframe is looking to take people from here to there is good stuff. Hey, just for people who didn’t catch it, give us that website again.

Mehta: Secureframe.com, or you can also just go to soc2 – just like the number 2 – .com, and you’ll find us. 

Shimel: Perfect. Hey, Shrav, thanks for coming up on Techstrong TV. Congratulations on the money raise. Keep doing great things at Secureframe, and come back and keep us posted, okay?

Mehta: Sounds great. Thanks for having me, Alan. I really appreciate it. Talk soon.

Shimel: Not a problem. Shrav Mehta, Secureframe, here on Techstrong TV. We’re gonna take a break. We’ll be right back.

Alan Shimel

Throughout his career spanning over 25 years in the IT industry, Alan Shimel has been at the forefront of leading technology change. From hosting and infrastructure, to security and now DevOps, Shimel is an industry leader whose opinions and views are widely sought after.

Alan’s entrepreneurial ventures have seen him found or co-found several technology related companies including TriStar Web, StillSecure, The CISO Group, MediaOps, Inc., DevOps.com and the DevOps Institute. He has also helped several companies grow from startup to public entities and beyond. He has held a variety of executive roles around Business and Corporate Development, Sales, Marketing, Product and Strategy.

Alan is also the founder of the Security Bloggers Network, the Security Bloggers Meetups and awards which run at various Security conferences and Security Boulevard.

Most recently Shimel saw the impact that DevOps and related technologies were going to have on the Software Development Lifecycle and the entire IT stack. He founded DevOps.com and then the DevOps Institute. DevOps.com is the leading destination for all things DevOps, as well as the producers of multiple DevOps events called DevOps Connect. DevOps Connect produces DevSecOps and Rugged DevOps tracks and events at leading security conferences such as RSA Conference, InfoSec Europe and InfoSec World. The DevOps Institute is the leading provider of DevOps education, training and certification.

Alan has a BA in Government and Politics from St Johns University, a JD from New York Law School and a lifetime of business experience. His legal education, long experience in the field, and New York street smarts combine to form a unique personality that is always in demand to appear at conferences and events.