TrustCloud raises $15M to accelerate GRC Transformation for enterprise CISOs

When I speak to enterprise CISOs and GRC leaders, they often talk to me about 2 problems:

1. “Every GRC product we have purchased makes us feel like servants to the product. We are stuck spending countless manual hours working for the product:”
   – Solution: We want a product that works for us.
2. “Enterprise GRC is complex. Nobody has created automation that solves this complexity, and as a result, we revert to manual work that is very ‘check-the-box’.  We don’t trust the results.”
   – Solution: I need a solution that gives me automated assurance that I trust.

Today we unlocked a huge milestone for TrustCloud that will help us scale operations to solve these 2 problems for enterprise CISOs and GRC leaders.  We’ve raised $15M in strategic funding led by ServiceNow Ventures, with participation from Cisco Investments, Presidio Ventures, OpenView Venture Partners, Tola Capital, and other existing investors. (Read official press release)

The funding comes on the heels of a banner year of growth with new enterprise and mid-market customers, and will be used to further accelerate enterprise go-to-market and channel operations, while enhancing our AI capabilities to provide enterprise CISOs with a unified view of security risk across the IT landscape.

The enterprise challenge with legacy GRC vendors and Trust Management startups

Legacy GRC vendors, and new compliance automation and ‘Trust Management’ startups struggle to solve four areas of enterprise complexity – which are fundamental requirements to move enterprises from manual check-the-box to delivering ‘accurate assurance’ for CISOs and GRC leaders.

1. Automation fails when enterprises have custom controls, risks, compliance standard requirements:  Automation is easy for simple controls, risks, and standards. Automation, especially accurate automation, is VERY difficult when every enterprise has built their own custom program. I have heard feedback from hundreds of enterprises and mid-market companies that their current vendor landscape fails when solutions are custom, forcing compliance automation back into manual mode due to complexity.
2. Inability to handle inconsistent security maturity levels across BUs:  An enterprise is made up of many products, BUs (business units), and geographies. Every segment of the enterprise has a different security and privacy maturity level. A one-size-fits-all approach, that current GRC vendors take, doesn’t work. Most modern compliance automation and Trust management startups are very opinionated because they architected their products to meet the needs of cloud-native businesses that can all achieve a uniform and standardized security and compliance posture. This design strategy doesn’t work with complex enterprises because enterprises need a significant amount of flexibility to dictate different security postures and standards for different BUs. This results in a Trust Management startup vendor’s solution failing enterprise practitioners — forcing CISOs and GRC leaders to revert to using spreadsheets.
3. Lack of support for fragmented and hybrid IT environments:  Legacy GRC vendors often can’t integrate and analyze data from IT, business, and security tools. Compliance automation and Trust Management startups can often only implement simple integrations and data collection from cloud-native tools. The moment an enterprise is hybrid and/or an enterprise has legacy security and IT tools with complex data and business rules that need to be extracted and analyzed, all bets are off. Enterprise practitioners are stuck with taking screen shots and performing risk assessments manually again.
4. Can’t automate the work in complex security and GRC workflows:  Enterprises have built complex workflows over time.  Legacy GRC vendors are fantastic at creating and supporting these workflows manually.  But, they cannot automate the work in these workflows. What is an enterprise to do?