In 2013, Adam Markowitz founded Portfolium, an edtech startup that matched college students and graduates with employers.
“I remember the first time we were asked for a SOC 2 report, which quickly became the minimum bar requirement in our industry for proof of an effective security program,” he said.
The process for creating the report was time-consuming, manual and costly. It was also a drag on the sales cycle, and then there was the need for maintaining compliance.
When Markowitz departed Portfolium after selling the company to Instructure, he teamed up with Daniel Marashalin and Troy Markowitz to launch Drata in the summer of 2020. The vision was to automate security and compliance across 14 frameworks, including SOC 2, ISO 27001, HIPAA and GDPR. This is all done with continuous control monitoring and evidence collection.
Growth has definitely been robust. There are currently more than 2,000 customers.
In early December, Drata announced its Series C funding for $200 million, led by ICONIQ Growth and GGV Capital. The valuation was set at $2 billion. Among the company’s investors have been tech luminaries such as Frank Slootman, CEO of Snowflake Computing, and Microsoft CEO Satya Nadella.
“And for Drata, fundraising has always been viewed as a tactic rather than a goal or outcome,” said Markowitz. “Our funding not only validates our execution to date, but also represents our continued efforts to expand our product capabilities and help us navigate this next stage of growth.”
GRC Market Defies Downturn
There are some powerful drivers for the compliance and security automation market. First of all, cybersecurity is becoming a “must have” for businesses and governments. The threat environment has become increasingly more challenging, especially with distributed environments. The move to remote work has only worsened the problems.
Just look at the case of Rackspace. The cloud computing services company was hit by a ransomware attack in early December that disrupted the mail servers for thousands of customers. The result is that Rackspace shares plunged by about a third. Lawyers have already filed a class action lawsuit.
The growing number of data privacy regulations has raised the potential consequences of cybersecurity breaches, spurring demand for GRC (governance, risk, and compliance) software. IDC expects GRC spending to hit $15 billion by 2025.
OneTrust is another company benefiting from the booming compliance market, rocketing to a $5.3 billion valuation in less than seven years and earning a top 10 ranking in our list of the top cybersecurity companies.
What’s more, the automated compliance and security software market is likely to benefit from slow growth or even a recession, as the technology can be a way to streamline operations and lower costs.
For example, when it comes to preparing for a cybersecurity audit, the evidence required is a major pain point for companies. In the case of Lemonade – an online insurance company – it spent over 200 hours on the process. But when using Drata, it took only a tenth of the time.
Given these growth drivers, VCs have been ramping up investments in the category. Here are a few other winners.
See the Top GRC Tools & Software
Laika
One growing use for compliance tools has been to speed up M&A deals.
“Having built tech companies, it became increasingly clear that compliance shortcomings were a roadblock to closing enterprise deals,” said Austin Ogilvie, who is the cofounder and co-CEO of Laika, a security and compliance automation platform company. “There were shortcomings like cybersecurity capabilities, lack of robust controls around access, resiliency, and recovery. They were costing me millions in delays and lost deals.”
Laika is certainly comprehensive. It provides not only advanced compliance automation, but there is also integrated auditing and penetration testing.
Laika is not just software; it also includes services. The company provides hands-on guidance for customers, such as with a dedicated Compliance Architect. “It’s really the humans behind the product that sets us apart,” said Ogilvie.
In early November, Laika announced its Series C funding for $50 million, which was led by Fin Capital. Other investors included J.P. Morgan Growth Equity Partners, Canapi, and ThirdPrime.
Sprinto
Security compliance tools can also be used to make sure that applications and systems run optimally.
“Security is largely about having the right operational processes and discipline in place,” said Girish Redekar, who is the CEO and cofounder of Sprinto.
That’s why his company’s platform integrates with many systems that cloud companies use daily, like CRM and code management systems. Sprinto checks to see if they are used with the highest levels of data security and business continuity.
The system also typically provides more value over time. For example, after you set up a framework for SOC 2, it makes it much easier to be successful with other areas like ISO27001 or GDPR.
“We are focused on liberating security compliance from confusion and making it accessible, affordable, and actionable through the smart application of technology,” said Redekar.
In early 2022, Sprinto announced its $10 million Series A funding, and the lead inventor was Elevation Capital. Other backers included Accel and Blume Ventures.
Strike Graph
For more than 20 years, Justin Beals has served as a Chief Technology Officer, data scientist, VP of Product and engineer. While at his last startup, he realized that he could turn security into a sales asset.
“My cofounder, Brian Bero, and I incubated Strike Graph at Madrona Venture Labs in early 2020 and launched later that year,” he said. “We were excited about the idea of empowering other organizations to not think of security activity as a cost center but as a revenue driver.”
A challenge for compliance automation is that no two companies are alike. Each has their own unique technology architecture and business processes.
This is why Beals has positioned Strike Graph as a security orchestration and measurement solution.
“Our customers can select the right set of controls from our database of 400+ security controls, integrate with thousands of cloud provider data elements according to their unique architecture, and successfully complete common security assessments from Penetration Tests to SOC 2 audits without engaging extemporaneous vendors,” he said.
In late 2021, Strike Graph announced its Series A funding for $8 million. The lead investor was Information Venture Partners.
Read next: Top Cybersecurity Startups to Watch