Check out all the on-demand sessions from the Intelligent Security Summit here.
As its very the name’s definition suggests, compliance isn’t just a “nice to have.”
It’s a requirement, and it must be prioritized as early as possible.
But because compliance efforts have traditionally been done manually, organizations can struggle with time, resources and funds to establish, manage and maintain it.
“With a sea of paperwork, repetitive and laborious tasks like collecting evidence, compliance has turned into something companies avoid for as long as they can, or something they neglect to maintain over time,” said Adam Markowitz, cofounder and CEO of compliance automation platform Drata.
Intelligent Security Summit On-Demand
Learn the critical role of AI & ML in cybersecurity and industry specific case studies. Watch on-demand sessions today.
This has driven great demand for governance, risk and compliance software (GRC): IDC predicts that the global GRC market will grow from $11.3 billion in 2020 to nearly $15.2 billion in 2025.
To address this demand, Drata emerged with its offering just less than two years ago, and has gained significant momentum in that short period of time. As evidence of this, the company today announced a $200 million series C round. This brings the company’s valuation to $2 billion, doubling its $1 billion valuation from its 2021 series B round.
“At a time when data threats and regulation enforcement is on the rise, companies need to show tangible proof of their security standards through compliance to build and maintain trust with their customers and stakeholders,” said Markowitz.
Expanding regulations, market demands
The GRC market will only continue to grow, as per IDC; the firm predicts the business continuity and ESG/CSR categories to grow the fastest, followed by compliance and risk management. Evolving categories include privacy, third-party risk management (TPRM), and environmental, health, and safety (EHS).
Among other factors, according to the firm, market acceleration is being driven by evolving compliance regulations, rises in data threats and increased demand for environmental and social responsibility.
One IDC survey found that nearly two-thirds of organizations use multiple GRC tools, with some deploying five or more. Also, most companies plan to increase their GRC spending over the next three years, and roughly half expect the use of cloud-based tools to increase over the next three years.
But at the same time, those organizations with higher numbers of platforms see a lower rate of integration between them, according to IDC.
“The GRC market is positioned for significant growth as companies seek ways to automate and manage the complexities of expanding governance, risk and compliance mandates,” said Amy Cravens, research manager of governance, risk and compliance at IDC.
She adds that, “understanding how businesses are consuming these solutions and their preferences for packaging and deploying services will help solution providers tailor offerings to meet market demand.”
Drata’s security and compliance automation platform monitors and collects evidence of a company’s security controls and helps to streamline compliance workflows to ensure audit readiness, said Markowitz.
The platform integrates with more than 75 applications and services, including AWS, Azure, Github and Okta, and enables cross-mapping of controls with various compliance frameworks. Dashboards allow organizations to visualize their real-time compliance posture, and notifications alert them to gaps so that they can remain compliant, said Markowitz.
With 22 months out of stealth, Drata has launched more than 14 frameworks, including General Data Protection Regulation (GDPR), the California Consumer Protection Act (CCPA), the Payment Card Industry Data Security Standard (PCI DSS) and NIST 800-153 for WLAN connections. The company also launched a Trust Center and a Risk Management offering last year.
Shortening time to compliance with GRC
Drata customer, Lemonade, for instance, was able to cut down the 200-plus hours they typically spent going back and forth with an auditor by one-tenth. Thnks, meanwhile, was able to pursue both SOC 2 and ISO 27001 at the same time, said Markowitz, and an insurance tech startup estimated that using Drata’s GRC platform helped them save six months of time in the SOC 2 auditing process.
As Markowitz noted, leveraging automation allows Drata to bring “compliance to the masses.”
Previously, organizations would have to go into multiple platforms — such as AWS for infrastructure or Jira for ticketing — to take screenshots and show that it was configured correctly.
“This took hundreds to thousands of engineering and operations hours annually, just so the team would have to do it all over again next time,” he said.
Instead, “we help companies change the way they view compliance and transform it into an integrated piece of their organization.”
Beyond GRC tools
Still, Markowitz emphasized, a successful compliance program thrives only when an organization adopts a “cybersecurity-first” mindset.
“It’s important for everyone at the company to understand, acknowledge, and be accountable for their compliance program,” he said.
This means having leadership buy-in when pursuing compliance, factoring it into budgeting and providing the resources needed to achieve and maintain it. They should also be involved in the audit preparation process. Establishing this kind of accountability can foster transparency throughout the company, said Markowitz, “which in turn further streamlines the compliance journey.”
Companies should also implement key, foundational processes that can educate employees and keep internal and external data protected. These include the following:
Conducting employee background screening and security training
Companies need to conduct formal background screenings of both employees and contractors, as well as annual security training to ensure each employee is up to date with the latest security information and ways to avoid common attack vectors, like phishing.
“Employees are a company’s first line of defense when it comes to securing data against outside threats,” said Markowitz.
Using password managers and MFAs
By using password managers and multifactor authentication (MFA), employees can better create, store, share and manage passwords and other authentication information.
“Good password hygiene and MFA ensure that malicious actors can’t access your network through the ‘front door,’” said Markowitz.
Tracking vendors and conducting vendor reviews
Track all third-party applications, SaaS subscriptions and browser extensions. Understand the data being shared with them and, based on the criticality of the vendor, begin asking for security documentation, including their latest SOC 2 report.
Conduct external application penetration testing
Annual penetration tests by third parties is an effective way to evaluate system security and determine specific measures to help defend against a real attack in the future.
Today’s funding round is co-led by GGV Capital and ICONIQ Growth, who respectively led Drata’s series A and B rounds. Alkeon Capital also made significant investment, as did Salesforce Ventures, Cowboy Ventures, S Ventures (SentinelOne), Silicon Valley CISO Investments (SVCI), and FOG Ventures (Operators’ Guild).
Drata will use the funds to continue investing in R&D, while also investing in features for startups and auditors, said Markowitz.
As he noted, “From the very beginning, we invested heavily in product and engineering to ensure we had the product that could serve the market, and so that we could continue to build differentiated experiences.”
VentureBeat's mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact. Discover our Briefings.