How compliance and customer trust will grow your business
In this episode, WorkOS CEO Michael Grinich and Drata's CTO Daniel Marashlian talk about security, compliance, and startup growth.
Michael Grinich (00:02):
Welcome to Crossing the Enterprise Chasm, a podcast about software startups and their journey moving upmarket to serving enterprise customers. I'm your host, Michael Grinich. I'm the founder of WorkOS, which is a platform that helps developers quickly ship common enterprise features like single sign-on. On this podcast, you'll hear directly from founders, product leaders and early stage operators who have navigated building great products for enterprise customers. In every episode, you'll find strategies, tactics, and real world advice for ways to make your app enterprise ready and take your business to the next level.
Michael Grinich (00:39):
Today I'm joined by Daniel Marashlian, the co-founder and CTO of Drata. For those of you unfamiliar, Drata is a security and compliance platform that automatically monitors your security footprint and helps gather evidence for audits like SOC 2. Compliance is one of those key pieces in becoming enterprise ready, and Drata has seen an explosive growth since their launch. The company is today valued at over a billion dollars. I'm super excited to dig in and chat about all things compliance, startup growth, and how to cross the enterprise chasm. Daniel, welcome to the podcast.
Daniel Marashlian (01:12):
Of course. Thanks for having me.
Michael Grinich (01:13):
So, mentioned few times, Drata as a company, was hoping that you could give us a quick introduction to the company in your own words. You guys do a lot of different stuff and have grown and changed a lot as you've grown. So give us the latest summary.
Daniel Marashlian (01:26):
Sure. High level, Drata helps companies automate their compliance posture. Well, not compliance posture, we help your compliance goals. And by doing that, we automate a lot of the evidence gathering and organization of that, which eventually outputs towards the reciprocal side of a lot of the security compliance frameworks, which is you get an annual audit. And in that process, if anyone's ever gone through it, you know it's a lot of tedious back and forth because an auditor, a human, isn't sitting next to every one of your employees throughout the year understanding what you're doing. So you eventually do have to show this evidence to the auditors, how did you operate your business against your business controls and what those are, like, "Hey, this is how we're going to operate our company." And the question is, okay, prove to me that you operated that.
Daniel Marashlian (02:15):
And so in that, imagine how would I do that if an auditor isn't sitting behind my shoulder throughout the year, is a lot of times people use screenshots and tickets and emails and et cetera, et cetera. And we try to automate and gather all of that from tools like AWS or GitHub or JIRA or background check providers and et cetera, et cetera.
Michael Grinich (02:39):
And Drata is a relatively new company too. Can you quickly tell us how long it's been around, how fast you've grown? I know there's been some news.
Daniel Marashlian (02:45):
Yeah. It hasn't been too long. I think we're about 20 months in now. We started in the middle of 2020. We're heads down in stealth mode till the end of the year. We launched in beta with a couple beta customers in late November, which was fun. We were our first customer. That's always fun. And use our own tool to get our own SOC 2 report. And then we launched publicly in the middle of January in 2021. So we recently just hit the year mark. In that year, it was a crazy, amazing year, not only from growth of our team and product, but customers as well. We also secured a series A and then a series B as of last year and have grown to a unicorn status, which is always fun as a company.
Daniel Marashlian (03:29):
So we've been growing fast. And I think that that unprecedented growth rate has really helped us shape this world of our security compliance automation and showing people a better way. And not only just hitting a tool and setting it, forgetting it, but really the partnership approach that we've taken with our customers to not just say, "Here's a tool, good luck. It'll automate everything." It's some things, these processes are human interactive and everyone is nuances of it. And not everyone uses AWS as an example in the same way. And so there's a lot of times we have a lot of very in depth questions and we have a lot of expert auditors and compliance experts on staff to help our customers. It's part of the offering in there. So we really in a way hand hold people through, but at the same time use the software to automate it as it goes through. So we're here to help humanistically but have software to automate as much as possible.
Michael Grinich (04:26):
That's some tremendous growth, extremely fast. And I know that 20 months ago, there were already a few people in the space building compliance tools and it's something several folks have been working on. As you looked at starting a company here and building something, how did you think about approaching, not a greenfield market where there's nothing but where there's already some competitors potentially, potentially well-funded, how did you see entering into that kind of market and also what the opportunity was for you to do differently?
Daniel Marashlian (04:55):
Yeah, definitely. It was so funny. Just as any other entrepreneur, right, you get this idea, you think it's the best thing in the world and it's like no one's doing this. And then as you go into the product market research, you're like, "Holy cow, seven other companies are doing this." That's how it works. Honestly, when we came up with the idea, going through pains of our last business, and that's where it came from, was doing this manually and working. So I had an educational technology company in the past called Portfolium. And we went through that motion and we sold to universities. And every time the CIO or something like that would be like, "Let me see your SOC 2 report," or something along those lines, and we didn't have it early days. And so eventually we went through that motion and did it, and did the whole spreadsheet JIRA ticket thing, rip engineers off the road map. And it was an expensive process for a younger company. We had about 40 employees.
Daniel Marashlian (05:47):
And in that process of that business, we sold and merged with Instructure, the makers of Canvas, pretty large educational college company. And I was so excited as an engineer myself and the engineering leader like, "Oh man, I've never actually worked with, you know, this is a big 2000 something person company.” Like, "Let's go work with this amazing security team." And they are amazing. And they taught me a lot in the security side and compliance side, how they manage it all. But they were still doing it at my hand and it was like, "Whoa, something is majorly wrong here." I was in startup mode with Portfolium, but at this bigger multinational company, it was really shocking to see they were still doing it, JIRA ticket spreadsheets, things like that.
Daniel Marashlian (06:30):
So that's where the entrepreneurial bells I think started ringing again for me. And as we dove in after merging those companies and parting ways, it was Adam, my co-founder, we loved working with each other, and Hey, what were some problems that we faced? And this is what it was. And all roads led to this idea. And we were like, "This is unbelievable. We can help engineering and security teams. We can help the sales and go to market teams, get these certs faster to sell upmarket and grow their companies faster." And as we go do that product tour, you start finding, "Oh, okay, there's a competitor here that does something similar, something similar." And, "Oh, wow, this maybe really close to what we do." So you dive in and you understand, okay, what does this company do exactly, what are their customer bases, who are they going after? Maybe let's try to talk to some of those customers through one, two, three degree separation, what do they like, what do they not like, and understand their approaches of these competitors in the space.
Daniel Marashlian (07:22):
So that's what we did. And from there, we took our own spin and approach. I've been a long time entrepreneur in my career and from B2C companies to B2B companies. And always took that product and design-led approach on the product side first and then more so at the business, the customer-obsessed centric approach. So I would say that's what we did differently, is we really put the end user at the center of our business and said, "This buyer, this user, they need to trust us indefinitely. We're going to be holding the metadata of their security posture. Their trust needs to be at the center of this business." That is our number one value of our culture in our company, it's trust. And so how that gets communicated out through the marketing material to the onboarding process, to customer care, to product, to engineering. I even tell all of my engineers like, "Every single keystroke you make in the code, think about how this could be broken or hacked or attacked."
Daniel Marashlian (08:22):
And so from day one, when knowing we're going to be building a cybersecurity company, we went above and beyond what most do. So when starting a company, usually when you start a company, it's just like, "Go as fast as possible, don't worry about whatever." But we did it right from the start in terms of security posture and processes and getting a SOC 2 report before we even launched the business publicly, and things like that.
Michael Grinich (08:48):
I want to dive into what you said about engineering and design and the experience around that. This space around compliance is not necessarily seen as the place with the best design or typically seen as a beautiful products or elegant experiences built here. And yet Drata has been able to create an experience that's pretty delightful to go through and simple and easy. How have you structured the team around that and done that? In this new world of B2B SaaS, a lot companies aspire to bring modern principles that are designed to legacy industries. Talk about that.
Daniel Marashlian (09:20):
I think it just maybe naturally came out of my almost 20 year career here and from building tools. One of my first companies that was big, it was called TweetPhoto. And we were the ones responsible for putting media onto Twitter, love me or hate me for that. It's like you build this product where millions and millions of users use it. It's like, "Okay, we need to make it enjoyable." And that leads into the next thing and leads into the next thing. And what I realized, especially with my last company, Portfolium, was we were writing software for students in that a little younger, well, I guess older, millennials, and then into the Gen Z arena. It's like they're used to using these apps like Instagram or whatever across the internet. And holy cow, there's just hundreds or thousand person product teams on these products that look beautiful and they use it every single day for free. And it's like that's what they're used to now. The bar has been raised so high for day to day usage in our interaction with technology. It doesn't matter what industry you're in, people want better.
Daniel Marashlian (10:21):
And so I think if you can really take those patterns, those design patterns, from the Instagrams of the world or whatever, the tool is and put them into these B2B apps, people are used to it. And so those triggers in your brain are comfortable. I'm probably misquoting the biology here, but your receptors increase or whatever, and it's like, "Okay, this is enjoyable." And we've heard that time and time again. In general security, it's like, "Oh man, that's the cost center in the business. That's the thing I don't want to touch with the 10 foot pole." You have the CSO or whoever in the corner figuring it out for us. And it's usually internally this weird divide between the company.
Daniel Marashlian (11:04):
And especially in the S&B, where if you're the busy CXO individual, and this is the last thing on your mind, maybe this is the 200th thing you did of the day, it's midnight, "Ah, shoot, I got to think about our compliance or security." And so what we wanted to do was bring security and compliance ... They're definitely different, right, just because you're compliant doesn't mean you're secure, just because you're secure doesn't mean you're compliant. But by going through this compliance process, it makes you a better ran company and makes you a more secure company. So that intersection is really strong. And so by doing it from day one and getting these early adopters or these S&B leaders in, it really helped shape, I think the culture of their business and really put security in the forefront where they said, "Wow, Drata made security kind of fun. Wow, this is enjoyable." I've seen this time and time again now across our customer base.
Daniel Marashlian (11:58):
And this is what surprised me the most about starting this company, is that so many of our customers now because they've used Drata, have put security as part of their core values of their business and their culture. And where before it was always this side thing we'll do later. And so that's amazing because for people like the actual individual of myself or you, we're users of all these tools out there and I don't want my data stolen. So to be able to cultivate this culture that'll just spread throughout the S&B space, throughout the B2B space. We have customers of all kinds, of B2C and every industry and everything. So it's great to see top of mind security come through these company's culture because the importance of that's just so relevant.
Daniel Marashlian (12:42):
Holy cow, I think it was earlier this week, there was a giant state attack on some Israeli stuff. And a lot of times it relates to vendors, it relates to process, it relates to humans. Sometimes we're all lazy and we forget to patch the server or we forgot to click this one checkbox on AWS or whatever it was. So how can we have a watchdog in a way, always checking you on that business process that you're running?
Michael Grinich (13:07):
I certainly hope not only will that world of clunky old IT software go away, I think that's what you were talking about earlier. We're thankfully transitioning out of that. I think no one likes that. We're getting into better tools, but also every company having a stronger security posture and just taking it from early days more seriously, certainly what the world needs. I wanted to ask more about your growth also. So obviously the product experience leads to people sharing it through word of mouth. And I know you had a lot of earlier stage companies when you just got started, those design partners. What has led to your large explosion of growth, what really has driven it? Looking back, was there one specific thing you did or if you were talking to maybe another founder entrepreneur hoping to have such growth, what would you remember?
Daniel Marashlian (13:47):
Yeah. I think at the core of it is, it maybe sounds a little cheesy or cliche, but it's really our culture of our business and that culture which centers around trust and a competitive fire and some other items that we all, not only we interview for, but that we live and breathe every day. I think that's what helps our acceleration and growth at every level and putting the customer at the center. So with that, it multiplies out of customers are happy, they're leaving reviews, they're telling their peers, they're telling their former employees. We've actually seen it time and time again. Maybe someone that was the champion or a user of Drata leaves their company and goes to a different company, and they're like, "My first action is to bring Drata into this company." So now multiply that over 20 months that we've been around, it's definitely been a great kicker. Obviously hats off to the sales team and the marketing teams. They're doing a phenomenal job, which is amazing and obviously the engineering, the R&D org to support all that.
Daniel Marashlian (14:49):
So those are factors. And I wouldn't really say it's one thing we did. It's funny, I've told this to a lot of my peers. I've been building companies in San Diego for almost 20 years now and I'm involved in the community out here. And so I know a lot of people in the community and entrepreneurship community, and they're like, "Wow, it's very positive." And like, "Hey, congratulations, you're doing all this amazing stuff and that's great." And some of them ask me like, "What did you do differently or whatnot."
Daniel Marashlian (15:13):
And sometimes in my head I'm like, "I didn't do anything differently." We always wrote amazing code. We always wrote amazing product. We always put customers first. We have a killer marketing and sales team. But I think a little bit to credit myself and my other peers, it's like, "Well yeah, but we've also been doing this now for 20 years." So the mistakes we made 20 years ago, five years ago, it adds up and you definitely have that saying, as you try to make yourself 1% better every single day, do that over 15 plus year career. I think just naturally now I don't make those mistakes. And so I think that's a lot of paths of a lot of entrepreneurs. Yeah, maybe your first one you got lucky or you didn't and you learn lessons and where you see people find real success is like maybe 15, 20 years into their career.
Daniel Marashlian (15:59):
So I would say it's like that. It's just a combination of 15, 20 years of being in the grind and seeing every single thing you could see from a B2C company to B2B company. And it cultivated into this perfect storm of right market, in general, cybersecurity, right industry or industry, right market for compliance automation, timing of the market. Sadly, the global pandemic is horrible, but from a business side, it has moved a lot of people to work at home, therefore heightening the IT teams around the world to take security a little bit more as I can't control it now in my office. And so everything culminated into a perfect storm for us to see this type of growth.
Michael Grinich (16:40):
Well, it seems like it's all continuing too. Those trends are not going away. Let's talk a little bit more about compliance. So SOC 2, I think a lot of people are familiar with SOC 2. Tell SOC 2 people hear about it all the time. There's obviously other types of compliance and other ways that people approach this. Can you talk about how you see that industry, what Drata does and how you see the industry outside of maybe just getting that SOC 2 certificate?
Daniel Marashlian (17:04):
Yeah. The SOC 2 cert is a great validation that you're running a well oiled machine. There's definitely different levels. For those who don't know, there's like five trust service criteria. The security one's the only required one. So you can go deeper and show that you do more stuff maybe around privacy or the processing integrity. You are doing what you say you're doing even at the code level. So those are great things to do. But I think it's once you have that report in hand, it's like that trust thing. Again, it keeps coming back to trust. It's as I talk to my upstream vendors or whatnot, is that it's not so much that I have this cert or this report. It's like, "Oh wow, these guys care about me, this care about my users. And so I'm going to trust them." It's just building that trust from the start.
Daniel Marashlian (17:51):
So I think there's that, and that's an important thing and it's definitely spidered. Roll back maybe 10 years ago, you hear it all the time, "Oh, I have an RFP from Bank of America and I don't have the SOC 2 report and I can't ... I don't even know where to start." And so those bigger financial institutions, that's definitely where it got started, right, it is the AICPA, the American Institute of Certified Professional Accountants. So it was all around accountancy and finance and stuff. But there's a sector now in the SOC 2 report now versus the SOC 1 or more around compliance security. And with the rise of SaaS and with the rise of clouds, it's like, "How do I ..." Before I used to have servers in my office or I had a [colo 00:18:28] and I control everything. We don't control anything. We're talking on Zoom here using Google or Slack to communicate. My servers are in AWS, Nocodes and GitHub, et cetera. I can't control it, but I can still deploy practices in my business to ensure it's a secure thing.
Daniel Marashlian (18:43):
So I think the SOC 2 report in general, even if it's American standard, is a great methodology to show that. The ISO 27001 cert is that international sister to that. It's very popular in European markets, around the world as well. I've noticed even around the world, the people are accepting either. Because I think the SOC 2 American standard has become almost an industry standard. And those are great certs to go after, maybe where to start.
Daniel Marashlian (19:13):
I would say on one side, SOC 2 is a little bit more gray and it's a little bit more open to interpretation. Therefore, if that's your first thing to start with and you use a tool like Drata, it gets you into the shape because you can shape your company to how you want to do it and show, "Hey, I'm different than maybe someone else." It's not cookie cutter. And it lets me not break my processes too much, mold them a little and then move forward, where ISO 27001 is a little bit more rigorous. Tthey have this annex A and it's like, "You got to do this, you got to do this, you got to do this." And that's good. But what I've seen is it's better to start with SOC 2, and if you want to go more international markets and those international partners are challenging you for an ISO cert not a SOC 2 report, then okay, maybe move there.
Daniel Marashlian (19:59):
Recently, we've actually launched some privacy offerings around the GDPR space. CCPA is coming out soon. So, everyone around the corner, which is great, in the California world. And then HIPAA launched a little later. It was I think in December at the time if I'm remembering that right. So the difference between the HIPAA laws around the health privacy act and GDPR and CCPA and those laws, that's the big difference, is that those are laws and they're just compliancies that you need to adhere to, not get an industry certification.
Daniel Marashlian (20:33):
So I think where SOC 2 and ISO go, it's like, "Okay, I want to go achieve this." And so I work up and I eventually do an assessment or whatever, and I get this certificate or report, where HIPAA, if you're even a startup from day one, you're holding PHI, the personal health information. You're a bioscience company or you're helping some hospital build some SaaS tool or whatever. You need to be HIPAA compliant from day one.
Daniel Marashlian (20:58):
And so that kills companies. If you're this young company trying to build all this amazing stuff and now I got to go shift gears and make sure we're HIPAA compliant and how do I do that? So to make sure that you do that from day one, because it's not the cert you get, it's you need to be that from day one. It's, I think, tools like Drata and the way we help you automate it all and put you on your way there to really ever proving compliance in case you ever get tested down from the authorities or your clients. It just makes that world so much easier. So yeah, the law aspects around HIPAA and GDPR, I find those actually super open greenfields for us as we move forward. We've been really focusing on the industry certs like SOC 2 and ISO, but I think these privacy and health laws are really a new opportunity for us. How do we get from the youngest health startups to some of the biggest names out there?
Michael Grinich (21:49):
Daniel, I have one last question for you before we wrap up. You've been building startups and thinking about this for a couple decades now.
Daniel Marashlian (21:56):
Michael Grinich (21:56):
Almost, almost. Sorry, not to age the both of us. With this company, I'm curious, what has been new that you have learned as you've been building this one in particular and then also looking back, what advice would you give the next generation of founders and entrepreneurs? Maybe someone starting off with the first company that they're building.
Daniel Marashlian (22:14):
The tech side, obviously that's my realm, there is always a sense of like, "Go, go, go, we don't have enough time to build the product or whatever." Just make sure you're doing the fundamentals correctly from the start, like the way you're setting up your security and the way you're deploying your infrastructure. There's so much amazing software out there from Terraform to others and making sure that those security passes are just done from the start. And that's great. Hopefully, we're here for you and we can get you on the way to SOC 2 or something to start, but more important is that you just take into consideration security and at the application level infrastructure level to start. I think that'll pay dividends in the long run.
Daniel Marashlian (22:55):
On the business side, what I would say to young entrepreneurs is really not only understanding your market and whatnot, but what's the buyer journey? I think that's so critical and really understanding who the customer is, who the buyer is and how do they eventually become a customer and then how's that handoff from the sales customer perspective into customer success. And tracking that along the way. Using tools like HubSpot or whatever are a little easier and cheaper than like a Salesforce, which maybe more bigger enterprises use. So I would say get those like funnels and pipelines done right and be extremely analytical on your data. Some customers or some companies in the early is like, "We're just trying to close a deal." Then you fast forward six months or a year and you lost all of that insight you got along the way in that funnel and what worked here, what didn't and why? And so as you bring in new people that weren't there in the beginning, they could always go back and see.
Daniel Marashlian (23:47):
One other tool I would recommend, and this has been a huge help for us. It does cost money so make sure you can pay for it. But we've been using a tool called Gong, G-O-N-G. It records your calls and there are a couple others out there, but it's been instrumental. We've had it from day one, from training new people that come on and re-listening to how things happen in sales calls and whatnot. So something like that that records every single customer call or prospect call, that'd be a huge thing. So that was to a younger audience.
Daniel Marashlian (24:17):
To what I've learned about this company, what I've done differently or what I've learned this time, I would say growing this fast is a little painful. Make sure you have time to not sleep, I guess. I think as of even, I forget the timeline, five, six months ago, I was running HR, I was CTO, I was engineer, obviously founder and helping where I could there. So making sure that you start thinking, for these major positions and major department heads, I would probably try to hire, if not six months ahead of it, three months ahead of it. Because by the time it's too late, it's already too late. And then you have to bring someone on and by the time they're ramped up, it is a three to six month process. And so hire a little sooner. I wish we hired ahead people a little sooner than we have. We actually have someone starting soon, which I'm super excited about. That's been good.
Daniel Marashlian (25:11):
And I think it honestly just keeps going down to culture. That's where we learned a lot at my last company with Adam, my co-founder and others. And not only understanding what the culture is of your company and how it works and the correspondence to your customers, but then how do you cultivate that throughout your company, how do you hire for that, how do you put the ownership of the culture on the employees, not the leadership? And that to me is what's paid dividends at the last business and this business. So even in those hard times where you're up at 2:00 AM on a Saturday just doing HR stuff, it's like you have this ended sight of “This is where people can help me in this area or this is where we're going”. And I think just the culture of all of our employees now from young to old, from the earlier spots, people that started this week, man, it's infectious. It's fun.
Michael Grinich (26:03):
I 100% agree with that. I feel like startups are all about hiring culture, just growth and hiring culture. With that, we can wrap up. Daniel, thanks so much for joining us. This has been really fun, really excited to continue to see the growth of Drata. And I don't know, next time we chat, maybe you'll be a multi-billion dollar company at the corporate level.
Daniel Marashlian (26:19):
Let's do it. And for anyone listening, WorkOS is a great tool. We're customers as well.
Michael Grinich (26:24):
Thanks a lot. Thanks a lot. We'll let you get back to running Drata. Thanks everyone for showing up and attending. This has been great. Take care. See you next time.
Michael Grinich (26:36):
You just listened to Crossing the Enterprise Chasm, a podcast about software startups and their journey moving upmarket to serving enterprise customers. Want to learn more about becoming enterprise ready? The WorkOS blog is full of tons of articles and guides outlining best practices for adding features like single sign-on, SCIM provisioning and more to your app. Also, make sure to subscribe to this podcast so you're first to hear about new episodes with more founders and product leads of fast growing startups. I'm Michael Grinich, founder of WorkOS. Thanks so much for listening and see you next time.