Millions of dollars pour into security compliance startups amid pressure on business

Government agencies and industry groups are putting increasing pressure on enterprises to ensure their systems, and the vast amounts of data they are holding, are protected against the growing threat of ransomware and others cyber-attacks.

The European Union's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) were initiated to protect the personal data being collected by companies and punish those organizations that are breached due to sloppy security. HIPAA (for healthcare) and SOC 2 were similarly enacted to protect patient and customer information.

Furthermore, threat actors are showing – through such high-profile attacks as those on SolarWinds and Kaseya – that a security weakness in one company can have a ripple effect up and down the supply chain.

Given that, it's no surprise that the security and compliance space is seeing the rise of startups offering platforms and services that leverage artificial intelligence and automation to help organizations ensure they are – and remain – in compliance with the various regulations and standards.

And the investment money is following. Standards compliance startup Secureframe, launched in 2020, this week announced a $56m in Series B funding, led by Accomplice Ventures and coming less than a year after the company raised $18m.

Shrav Mehta, founder and CEO of the New York City-based company, wrote in a blog post that the latest funding round "is a major milestone for our fast-growing company and a signal to the market that automation is the future of security and compliance. This new financing underscores the tremendous demand for solutions that streamline the compliance process and help organizations achieve best-in-class security."

The startup claims hundreds of companies using its technology. Initially Secureframe's offering addressed the SOC 2 security, but it has since expanded its reach to also cover ISO 27001, HIPAA and PCI DSS regulations. Mehta said the company has seen 10-fold revenue growth and seven-times increase in customers.

He plans to put the money toward R&D and growing the company's workforce.

New regulations, emerging security frameworks, and rising customer expectations put significant strain on growing companies

"New regulations, emerging security frameworks, and rising customer expectations put significant strain on growing companies, and too many organizations are trying to keep up using disconnected security tools and manual compliance reviews," Mehta wrote. "With our security compliance automation platform, a SOC 2 audit that typically takes more than a year of tedious manual work and stressful documentation prep can be done in a matter of days."

The announcement of Secureframe's financing came the same day Anecdotes, which created a compliance operating system platform, said it had raised $25m in Series A money and three months after Drata raised $100m in Series B funding, a round led by ICONIQ Growth and one that pushed the valuation of the company past $1bn. Drata, which came out of stealth in January 2021, earlier in the year raised $25m. It offers frameworks for the same four standards that Secureframe addresses.

In a blog post in November announcing the funding, Drata CEO Adam Markowitz wrote that he and the other co-founders "knew if we could leverage automation, we could empower companies with insights and intelligence on their security posture in real time and save them hundreds of hours a year in proving that security posture before, during, and in between compliance audits – essentially putting security and compliance on autopilot."

Kevin Dunne, president of cybersecurity firm Pathlock, told The Register that security compliance is a growing concern for businesses.

"Many data breaches originate from compromised services, as was seen with the SolarWinds attack," Dunne said. "In response, many companies are increasing the scrutiny and security compliance requirements for the solutions they leverage, especially those in the cloud. This is pushing many software vendors to undergo more rigorous and frequent audits for security standards like SOC 1 and 2."

Given that, vendors are entering the space with plans to leverage automation to ensure compliance with the various standards and reduce the associated costs and complexities. They automate the workflow of collecting control evidence and reporting on the effectiveness of the control.

"Additionally, customers can have an 'always on' view of compliance, which allows them to understand their compliance posture throughout the year, reducing the likelihood of a surprise audit come year end," he said.

• Americans far more willing to hand over personal data
• EU Data Protection Board probes public sector use of cloud
• Privacy Shield: EU citizens might get right to challenge US access to their data
• Lawmakers propose TLDR Act because no one reads Terms of Service agreements

Tyler Shields, chief market officer at security company JupiterOne, said that compliance isn't a valuable standalone technology. Rather, "technologies that turn a point-in-time compliance checkbox into a true continuous security model are drastically changing how security is performed. Additionally, the shift to cloud-based systems and API driven technologies are creating an environment where automation can be used to build a truly impressive cyber security program."

We are in the middle of a radical transformation into how cybersecurity is done

Connecting these "seismic shifts in the landscape" highlights the rapid changes in how cybersecurity is executed throughout the enterprise," Shields told The Register.

"We are in the middle of a radical transformation into how cybersecurity is done," he said.

Shaun Gordon, co-founder and CEO at security vendor BreachQuest, said companies like Secureframe and Drata are among the latest hot companies in the cybersecurity compliance space.

"The reality is that cybersecurity remains top of mind for investors and compliance is yet one more area for investors to express their interest in the industry," Gordon told The Register. "Specifically, investors love recurring revenue and cybersecurity compliance is at the bullseye."

It offers high retention rates and is a critical need that is likely to grow. Such "sticky, high-margin software delivering on a large growing market makes for high valuations and happy investors when the products have traction,' he said. ®