
What are the costs and challenges of compliance for cybersecurity startups like Secureframe?

Shrav Mehta

Co-founder & CEO at Secureframe

One of the things that we discovered early on with Secureframe was that people didn't understand what SOC 2 was. 

My simple analogy was that all of these frameworks are just giant lists of things you have to do in order to secure your business. SOC 2 is one list. ISO is another list. HIPAA is a list we form from interpreting the laws over time. The same thing with PCI—it's just another giant list. 

A lot of these list items are things like, “Hey, for SOC 2, you need a background check for all of your employees. You need to make sure that in AWS, you have CloudTrail enabled for audit logging, and that all your EC2 instances are encrypted. Your data has to be encrypted at rest and in transit.” There are hundreds of these items, and a lot of these frameworks like SOC 2 and ISO are pretty similar. PCI has overlapping requirements, and so does HIPAA.

In some ways, by offering more certifications, we're able to knock out the classic two birds with one stone. This background check requirement applies to SOC 2 and ISO and probably dozens of other frameworks. What Secureframe does is automate as many of these items as we can. 

The traditional way of getting some of this stuff done might be “Hey, let's put a calendar event on the office manager's calendar or the HR person's calendar.” They're going to run background checks for all the new employees that have just started this month. Then, when the auditor comes, we will take it from this Google Drive folder to this folder and show it to them. Then you realize you’ve forgotten one.

That's where these things fall apart, especially when you're a large company. At Secureframe, we'll integrate with a vendor like Checkr or Vetty, and we'll say, “We have background checks for all these employees that have started. You're missing one. Let's remind the employee to fill out their background check, and let's get this done, so nothing slips.” It's all automated. There's no HR manager who has to check all this in. Then, when your auditor comes for the audit, they basically take a quick look inside Secureframe. They’ll say, “Great, you have everything. This is perfect.”

Not all these items are super automatable. There is one for SOC 2 that's pretty common, which is that all your employees have to sign a confidentiality agreement. We could build an integration with DocuSign, but there's all sorts of stuff in there. In that case, we guide you to uploading the right pieces of evidence and documents for these employees.

Then you actually have to show up for your audit. One of the things that our customers are really scared about—especially folks who haven't been through a SOC 2 audit or any of these things—is the audit. 

They're like, “Oh my God, we have the big, scary auditor coming in. What is going to happen to us?” 

It's really not that bad. It's not that scary. We have a lot of ex-auditors on our customer success staff that walk people through this. All an auditor does is review the evidence and the controls that you've created and make sure that you are actually doing the things that you say you're doing, similar to an auditor doing an audit of your financials and bank statements. 

Once they go through everything, they create a doc that ends up being your report. They have their own processes on the backend, but as far as what your customer sees, they're just reviewing evidence and then writing a report on it.

Find this answer in Shrav Mehta, CEO of Secureframe, on building a TurboTax for security compliance