IT Compliance & Security Automation Landscape

Measuring and Communicating Security for SMBs and Large Enterprises

The glut of data breaches over the past few years has called for stricter rules and regulations that implement the right frameworks to protect data access and ensure privacy and confidentiality. For enterprises, large and small, the consequence of a data breach not only amounts to the cost of a lost or compromised asset, but often comes at the expense of losing customers. With the recent implementation of the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR), many companies are forced to revisit their security posture and ensure that they adhere to the proper security and compliance guidance.

The stakes and business implications increase exponentially for organizations as they scale and partner with a wider number of third-party vendors. As the amount of data under your purview increases, so does your ownership and legal commitment to protect that data from unauthorized access. From a compliance standpoint, in order for a large enterprise to safeguard its assets and demonstrate proof of GDPR compliance, it needs to be able to prove its commitment in protecting user-centric data, and evaluate each of its vendors that also have access to its data to ensure that they are also compliant.

For many, this means getting a SOC 2 certification to assert the operational effectiveness of their current infrastructure and IT systems detailing the policies that they have established to ensure data security, availability, confidentiality, and privacy. Of note, the SOC 2 certification is mandatory for businesses that provide SaaS and other cloud services and store information on the cloud.

The SOC 2 audit is a multi-stage process, meaning that vendors would either need to hire an external engineering consultant or dedicate bandwidth from an engineering team for the purpose of evaluating the current state of its IT infrastructure, assessing and fixing existing security gaps and submitting clear documentation to the auditors. Alas, SOC 2 is not a one and done process and organizations constantly have to re-evaluate their security postures and prove that they remain compliant throughout the business’ lifecycle. Depending on the scale and complexity of the company’s infrastructure, this process can be tedious, time-consuming and expensive. Vendors selling into Fortune 500 banks and into other highly regulated markets face a similar challenge as they are subject to even stringent infosec requirements and have to navigate a far more complex process to ensure that they have the right processes in place and comply with the rules and regulations that apply to those industries.

In a time when security and engineering talent need to be heads down focused on building and scaling a business, it is almost counter-intuitive to have them spend a considerable amount of their time doing the grunt work of filling out security questionnaires. We are beginning to see an emergence of tools that:

  1. Automatically scan the company’s security policies and process security workflows, enabling faster audits and certification
  2. Implement compliance right into the developer workflows, empowering DevSecOps teams to adhere to the best software practices
  3. Programmatically scan the organization’s IT infrastructure to discover, manage and secure all assets, controlling who has access to what data, software and hardware entity
  4. Provide larger enterprises with a unified view of all their vendors, and the risks they pose to the business, improving vendor management

These tools broadly fit into the following seven categories:

Governance, Risk and Compliance (GRC)

Governance, risk and compliance is responsible for ensuring that organizations have the appropriate IT controls and policies in place to effectively manage risk and comply with regulatory requirements. Today, the tools that have emerged out of this category, and that are being widely adopted both by the Fortune 500 companies and SMBs, provide a comprehensive way for companies to establish that their internal processes are well aligned with the business’ goals, manage identified risks and audit processes to ensure that they adhere to the laws impacting the organization.

Vendor Risk Management

New age, third-party risk assessment and containment tools are used by the enterprise customers to automate the process of evaluating, documenting and emailing sensitive security questionnaires to third party vendors. These tools connect the buyer to the vendors on a two-way platform which enables the buyer to collect vendor responses, compare the risk profiles of each of the different vendors and select the lowest risk business partner.

Compliance Management

Process-driven tools serving SMBs are focused on helping the individual vendor pass its compliance audit at a much faster rate. These tools build an actionable guidance that helps the company secure its assets and automates security questionnaires.

Security Questionnaire Management

The purpose of security questionnaire management tools is to help customers fill out their security forms and documentation with ease and accuracy. These tools digitize security questionnaires as well as technical content and security policies onto a platform that provides stakeholders with all the tools and resources they need in order to complete popular assessments such as the SOC 2 and ISO 27001. Security automation tools also offer smart integrations to export existing workflows from sources such as Word, Excel, Powerpoint and Outlook and offer smart dashboard, reporting, answer intelligence and knowledge management capabilities to help the users get through audits and achieve certifications at a much faster rate.

Data Compliance

In the wake of high-profile data privacy issues such as the Cambridge Analytica scandal in 2018 and the Equifax data breach in 2017, more and more companies realized that they needed to rethink their approach to data privacy. Specifically, companies were concerned with the ways they were collecting and storing data from customers to ensure that they adhere to the new privacy regulations such as the GDPR and the CCPA that were enacted to protect user data. This in turn led to a growing demand for tools that can safeguard customer-centric data by delivering accountability and transparency, and maintaining compliance.

Audit Management

Audit management tools are used for the purpose of helping companies execute their audit processes in a quick and effective way by providing assurance that risks are being correctly evaluated and that the existing risk management processes comply with the organization’s internal control framework.

SaaS Management

The rapid rise of SaaS applications has transformed businesses, but at the same time made it harder for IT admins to have complete visibility into the SaaS stack. SaaS operations tools make it easy for teams to oversee and manage the consumption of SaaS applications scattered across the organization and uncover security blind spots created by the clutter of tools.

If you’re a startup or corporate executive working through IT compliance and security automation issues, please reach out or sign up for our next enterprise playbook lunch on the topic. And stay tuned for more content on SOC 2 — Work-Bench is in the midst of creating a tactical SOC 2 playbook (see our other playbooks here).


Work-Bench is an enterprise technology VC fund in NYC.


Work-Bench is an enterprise technology VC fund in NYC. We support early go-to-market enterprise startups with community, workspace, and corporate engagement. Sign up to get our digest of top content & industry news weekly:

Priyanka Somrah 🦋

Written by

VC Analyst @Work-Bench, investing in #nextgenterprise


Work-Bench is an enterprise technology VC fund in NYC. We support early go-to-market enterprise startups with community, workspace, and corporate engagement. Sign up to get our digest of top content & industry news weekly: