IT and Security Compliance Just Got Easier

Sarah Marion
Inovia Conversations
4 min read
May 27, 2020

Over the past few years, we’ve witnessed a significant shift in the sales processes at our portfolio companies. Making a sale as a startup requires buyers to take a bit of a leap of faith. The technology that startups offer is new and represents the most recent thinking; it also comes with challenges as companies scale quickly. Additionally, startups are almost never cash-flow positive, and so there’s no guarantee of their longevity. The most successful startups have developed tried and true strategies to alleviate these concerns — they boast strong cash balances with marquee investors, they land large reference customers and they hustle a little harder than the established, sometimes complacent, incumbents.

Historically, startups had not invested heavily in compliance as a sales accelerant. Enterprise buyers and/or those handling sensitive customer data did care about a startup’s security posture, but generally these concerns arose later in a buying cycle. Across our portfolio, in years past we’ve seen that a prospective buyer, once emotionally locked in, would have made allowances for a vendor without SOC 2 or an equivalent compliance status. Compliance mattered, but it had not been a sales blocker for a startup.

We have seen the compliance-optional mantra change dramatically in the last few years. It is now clear to startups that while they may have landed a large client, they are likely not going to move beyond the pilot phase to full deployment unless they align with their customer’s compliance and privacy requirements. Compliance has become critical to a technology vendor’s sales process and is often an initial gating question before advancing to a feature comparison stage. We attribute this shift to the rapid increase in the requirements placed on software vendors under emerging regulations, notably the California Consumer Privacy Act (CCPA — June 2018), and the General Data Protection Regulation (GDPR — May 2018). As privacy and data protection have moved into the spotlight, enterprises without in-house expertise or experience are increasingly required to adhere to these new regulations alongside historical compliance standards, such as SOC 2 and ISO 27001.

We’re simultaneously seeing a large shift in the philosophy of security architecture, shared by our colleague, Todd Simpson, in his thesis on the evolution of security. Todd has mapped approaches in security against four main Eras: Castles, Knights, Satchels and Writs. Todd posits that we are at a fundamental tipping point to an era where data starts controlling itself — the era of Satchels. The thesis itself is well worth a read, but in short, the trust relationship in a Satchel era creates an opportunity for automated compliance, where buyers trust vendors and partners through continuous verification as a result of ongoing audit processes, logs and data usage stats.

The evolution of compliance’s importance to SMB technology vendors highlighted above creates a more robust and secure system, tying controls to the data itself, rather than to the knight that carries that data. However, it also introduces a large burden on small software vendors without adequate knowledge, resources and time to fully absorb the compliance requirements and implement the necessary policy and procedure changes. In evaluating value-creation among API-first companies, I noted that transferring critical infrastructure that enables key business operations but is not core to a company’s ethos, from an internal workflow to third-party vendors, is nothing new — see AWS, Twilio, Stripe, and numerous other multi-billion dollar companies.

In response to these trends, today we are announcing that we’ve led the Series A in Tugboat Logic, the Security Assurance Platform that automates and simplifies InfoSec policy creation, audit readiness, and security questionnaire response. We’ve seen rapid adoption of Tugboat Logic within our portfolio, and have witnessed firsthand how Tugboat Logic enables its customers to build trust with their buyers and ultimately sell more. Founder and CEO Ray Kruck, alongside Chief Product Officer Patrick Murray and Chief Information Security Officer Jose Costa, have a unique perspective on the market given their decades of experience building software in the security industry; in Jose’s case, spending 10 years leading audit and advisory teams at PwC. The Security Assurance industry is undergoing a rapid shift away from a convenience-driven business posture where value is primarily captured by consulting firms. Tugboat Logic is leading the shift towards an inherently secure and self-directed technology approach realized through an enterprise software stack. We’re inspired by their vision to build an iconic technology company and excited to join them in their mission to simplify and automate information security management for every enterprise.


Startup Partnerships @CommitDev. Ex-VC @iNovia, @SmithBusiness, @BalsillieSIA, @YDCanada alumna. I like startups, policy and running.