Scott Orn, CFA
Posted on: 06/14/2022
Adam Markowitz of Drata - Podcast Summary
Adam Markowitz, CEO and Founder of Drata, discusses how Drata can streamline data audits and help companies protect their data, continuously monitor their data security, and produce reports for SOC 2 and other compliance programs.
Adam Markowitz of Drata - Podcast Transcript
Scott: | Hey, it’s Scott Orn of Kruze Consulting, and thanks for joining us on Founders and Friends for another awesome podcast. Let’s give a quick shout out to the Kruze consulting accounting team. We’re very fortunate. We have a ton of people at Kruze who work on the monthly books for our clients and get them all set up, due diligence-ready, rocking every month, answering all the clients’ questions, making all those adjustments. And there’s no better moment for a founder and for us, really, when a founder says, “Hey, I think I’m going to get a term sheet. Are my books ready for diligence?” And we get to say, “Yes, they are. Fire away, send them over, give them access.” That is a great feeling. It’s the feeling that lets us know we’ve done a job very well done. And nothing is better than watching that cash hit the bank account. |
Scott: | So, if you are a venture-backed startup, you’re going out to fundraise, maybe check us out. Check us out at kruzeconsulting.com. We love what we do. Taping here, I think we have 575 clients. Clients raised over a billion dollars this year, so we know what we’re doing. And hopefully we can help you be successful in your fundraise. All right, let’s get to the podcast. Thanks. |
Singer: | It’s Kruze Consulting. It’s Founders and Friends with your host, Scotty Orn. |
Scott: | Welcome to Founders and Friends podcast with Scott Orn and Kruze Consulting. And today my very special guest is Adam Markowitz of Drata. Welcome, Adam. |
Adam: | Thank you for having me. |
Scott: | My pleasure. So, we are Drata’s accounting firm. But more importantly, for this podcast, we actually used Drata for our SOC 2 compliance. And that’s why I wanted to have you on. I get to see Drata in action. It’s pretty freaking awesome. And we love publishing and talking about products we really love, so hence the interview here. Maybe you could start off just by telling everyone how you had the idea to start Drata. |
Adam: | Sure. No, I appreciate it, Scott. Thanks for having me on. We started Drata out of our own personal need, our own experience. So, let me walk you through a little bit of my background and career, how I got here way back when. I started my career, actually, in aerospace, believe it or not. Right after undergrad, I began working as an engineer on the space shuttle program, doing grad school at nights. And then it was after grad school, 2010-ish, when NASA retired the space shuttle program. I decided to pursue a passion project of mine I was calling Portfolium, which was basically like a LinkedIn for college students. But it was centered around an e-portfolio instead of a profile, a resume. And the whole idea was to really connect students with employers based on more than just where they went to school or their GPA. And so tangible evidence, proof of their skills and competencies. Projects, papers, presentations all went into an e-portfolio. I got the idea for Portfolium from my own personal experience. |
Adam: | I used an e-portfolio in my interviews. That’s how I landed the job at the space shuttle program. And I attributed the whole thing to basically earning trust, really, by proving I deserved it, proving it with evidence. And so, again, called it Portfolium, learned to code, brought on some incredible co-founders, investors. And it kicked off a six-and-a-half-year journey as a first-time founder in the software industry. And yeah, over a two-and-a-half-year stretch, we sold into almost 400 universities across the country and… |
Scott: | Oh, my gosh. That’s amazing. |
Adam: | … 5 million students, and then the company was acquired by Instructure, the makers of Canvas, the learning management system. Yeah. This was February 2019. About a year later, co-founders and I, same co-founders, we started Drata, where, obviously, now I’m the CEO. But it was selling Portfolium into college universities where we got the idea originally. |
Scott: | Was it because they were requiring you to be SOC 2 compliant or you saw the pain that the universities were going through? |
Adam: | I mean, the biggest irony was we were selling software to help students prove their skills to employers, and the universities said, “Great. It’s going to help our students do just that. But can you prove your security posture to us before we hand over [inaudible 00:03:56] of student data?” It’s a great question. They have every right to ask it. And so, we had to prove that we were trustworthy, doing the right things when it came to protecting the students’ data. And that meant a SOC 2 report was a great way to do that. We were able to prove that we’re doing what we say we’re doing and earn their trust. And then we had to maintain it as we grew. So, the team was already experienced in what that looked like and how to do it and how to streamline it. And so, getting that group back together on day one, with all that muscle memory of having worked together for six and a half years, obviously very passionate about earning trust by proving you deserve it. And we came out of the gates really, really fast. |
Scott: | So, for those who don’t know… I mean, maybe describe the product a little bit and then have a… |
Adam: | Yeah. Sure. So, yeah, I mean, SOC 2 is a… It’s a compliance framework. It’s a set of criteria, not necessarily requirements, but you could use the terms interchangeably. And then it’s up to you as a company to design and implement controls to satisfy or meet that criteria. And then you get audited by a licensed CPA that comes in and actually audits those controls to prove they’re effective in satisfying that criteria. And that all gets put into a SOC 2 report. It’s actually not a certification. It’s an attestation. So, it’s not a pass-fail audit. The result is always a SOC 2 report. And you want a clean report. That’s the goal, the objective, because in our case, with the universities, we showed the university the report. The first thing we do is read it. You want to make sure it looks clean and it doesn’t have a lot of findings, or any findings, for that matter. |
Adam: | And so, the tricky part, especially as a startup or really any-size company, is, one, knowing what controls to put in place… Well, what a control is, which is really any tool, any process, any policy you put in place to really prevent the bad thing from happening. And you need anywhere between 10 and 200 controls in place for a SOC 2 audit. But you need to know what controls, how to map them, how to implement them, how to prove that they’re effective. And that’s a lot. That’s a lot for any size team. |
Adam: | And so Drata really helps companies do that, stand up and then maintain their security compliance posture. And the way we do it is pretty unique. We use automation. Drata actually connects to our customer’s tech stack: their cloud infrastructure, identity provider, their code repos. And we do it all with least-privilege access, so read-only access or less. And we’re monitoring. The system is automatically monitoring all these controls every single day. So, as you’re growing and employees are coming on board, more and more assets, it usually takes more and more time, hundreds of hours, to get and then maintain these certifications and attestations. Drata is monitoring it all, alerting you when gaps form in real time, and then collecting the evidence automatically. So, again, hundreds of hours are saved. |
Scott: | It’s amazing. And a good example for folks that don’t know is GitHub/Heroku somehow got hacked or something happened last month. GitHub, I think, reset everything. And so, I went back in, and Drata prompts me to go back in and connect Drata to the Kruze Heroku, so that it can keep monitoring, right? I’m sure that one specifically caused a lot of problems or you had to send a lot of reminders out to clients, but it’s that easy. There’s actually a pre… I don’t know what you call it, but a dashboard of available integrations that most startups have. And so, we went down the list and we’re like, “Boom, boom, boom, boom.” And all of a sudden, we’re connected and the system’s monitoring. It’s actually really sleek and super easy. I’m not a super technical person. I’m just the COO guy who goes in and knows how to do all that… It’s actually amazing. |
Adam: | I appreciate it. I mean, that’s part of the beauty of SOC 2 compliance in general. It’s not the sexiest of industries or spaces, and yet we wanted to bring a very slick, easy-to-use, intuitive interface to it, the kind of SaaS that we’re all used to and spoiled by, but for this purpose. And yeah, so it’s fantastic to see companies, again, starting from scratch, as a two-person startup working out of a garage, all the way up to publicly-traded, thousands of employees being able to use Drata at different points of maturity in their programs. |
Scott: | Big time. We knew we had a lot of work to do, so for us, it wasn’t just like, “Hey, we’re ready to get the certification.” I’m just curious, do you hear this a lot? We actually use you as a roadmap, in a way. Almost like a clean hygiene list. And so we’re going down, knocking out all the things that Drata tells us to knock out, and in that process, actually building our compliance. Do you hear that? Or is it mostly people who are just already set up and they just need the monitoring and then the attestation? |
Adam: | We hear it quite a bit. Usually, earlier stage companies or smaller companies are doing it for the first time. And so, we hear the analogy a lot, TurboTax for compliance or SOC 2. And it’s not a bad analogy. I think, if TurboTax can make doing your taxes somewhat enjoyable, we can make compliance fun and intuitive. But more so, if I was doing my taxes but I didn’t even know what taxes were, I mean, that’s an extra level of product fidelity that has to be there to really guide companies who are doing this, literally, for the first time. |
Scott: | Totally. Well, I was going to ask you: when you got the band back together, did you go over your old notes of… Whoever was doing the SOC 2, or the multiple people doing the SOC 2 at your previous startup, did they have everything written out? How did you build this knowledge base? It’s pretty extensive. |
Adam: | I mean, what was probably most interesting for us, right, even at our peak at Portfolium, at the time of acquisition, there were 33 of us, employees. So, it wasn’t a very big company. And we were acquired by… It seemed a massive company to us, 2,500 employees, publicly traded. And we just assumed certain things when it came to this big company’s compliance programs or their own SOC 2 report. And within weeks after the acquisition, we were being pinged for these manual screenshots, evidence being collected of controls for the acquiring company’s SOC 2 audit. And so, we realized there was a pretty large team still manually doing all of this work. The first time we picked our heads up was- |
Scott: | It was probably from Bob or Mary in IT instead of a system. |
Adam: | Yeah. Well, it was the first bigger-company test of this idea that we already had, and we had already built solutions in-house over the years at Portfolium to do this. And so literally seeing eyes get very big at… Whoa, this could save us hundreds of hours, the opportunity, it was the first time we picked our heads up out of our myopic tunnel-vision ed-tech zone to really see this is applicable to all companies, definitely all SaaS companies, but any company that stores or processes data in the cloud. And it never goes away. So, a big common misconception is, “This is just something I can knock out real quick, check the box, and move on.” This is something that you get audited on every year. And the audit itself isn’t just point-in-time. With a SOC 2 Type 2, you’re proving you stayed compliant, so to speak, over the prior 12-month period. |
Scott: | And as you’re getting bigger, your system stack is getting more complex and you’re adding new stuff, so there’s always stuff going on. |
Adam: | Exactly. |
Scott: | It actually lends itself to a recurring revenue stream for Drata really well, because I know we’re on a subscription. But again, for us, it’s a no-brainer because it’s not only helping us satisfy… We’re not quite at the point where we’re doing the audit yet. We’re still knocking out a couple things. But we’ve made huge leaps just from the checklist, just from the hygiene list. So, in a way, our hypothesis was this: that you would actually save us a ton of money and give us that guided tour of how to get to the promised land, and that’s actually what’s happened. It’s been really nice. |
Adam: | It’s great to hear. No, it’s like it’s the GPS and the self-driving car, all- |
Scott: | Yeah, yeah, yeah, yeah. |
Adam: | The initial value prop for a lot of early-stage companies is just getting compliant or getting audit-ready. And then that shifts to the staying compliant, right? Like you said, as you grow, you have more assets, more people, more servers, more code repos, the value of the automation only gets stronger because it’s more and more hours that would’ve been spent manually monitoring and collecting evidence for audits. |
Scott: | Totally. You tell me, but it feels like there’s a marketing aspect to this, where the public is more aware of SOC 2 now, or maybe the startup public, the… And the IT consumer, so to speak. And so, it’s almost the Better Business Bureau branding or something like that that just says… Or Verisign. You know how Verisign was authenticating all the transactions and built a huge business on that? People look for this stuff now on websites. And I think there’s still a lot of opportunity for you to blow that out even more. But it’s become this really positive, self-reinforcing culture where people see their friends doing it or hear their friends doing it or the web services they’re using have done it, and so they start down this path. Are you seeing that too? |
Adam: | Oh, yeah. Yeah. It’s become almost a minimum bar, a table-stakes requirement, and definitely in SaaS. And we witnessed it ourselves, again, at Portfolium. Those first universities that started requesting it, they were doing just that, they were requesting it. If we didn’t have it, we would have to answer a really long security questionnaire instead and walk through things. It took time but it didn’t kill the deal, so to speak. I mean, but even over a two-year stretch of us selling to universities, it started to become the minimum bar. If you didn’t have it, the competitor had it. And it makes a lot of sense. Part of being compliant or maintaining your own SOC 2 report is reviewing the reports of your critical vendors. So, there’s a bit of a waterfall effect that happens organically. It’s- |
Scott: | Or even having that conversation with your vendors, because they may not even know about it. It may not be required of them. So, having that conversation’s actually really valuable too. |
Scott: | Hey, it’s Scott Orn, and we’re going to take a quick break from the podcast to give a shout out to the Kruze tax team. Gosh, it’s so nice to have an in-house tax team. I can’t even tell you. We have some really amazing professionals on the team. I think it’s 13 people now, and we do everything from your federal and state income tax returns, state franchise tax filings, R&D tax credits, those are pretty popular these days. And guess what? They’re there for you when you go through diligence. A lot of people don’t know this, but you actually go through tax diligence, not just operational financial diligence, but you do go through tax diligence. So, it’s nice to have Vanessa Kruze on the phone with your VCs and with the accounting firm they hire to diligence all your stuff, and the law firm they hire to diligence all your stuff. Vanessa knows what she’s doing. She’s done this a million times. And it’s not just Vanessa. We have a really great team of tax professionals that will do those calls too. |
Scott: | It’s sometimes the difference between getting a round closed or having it take another two weeks because something was disorganized and the tax compliance wasn’t done correctly. We hear those horror stories from clients that come to us. So, hey, if you want Kruze’s tax team on your side, we’re here for you. Check us out at kruzeconsulting.com. Thanks. |
Adam: | Oh yeah, yeah. And where we see the [inaudible 00:15:22] going, and happy to see it, is just the idea of continuous compliance, something that’s been talked about for a long time. Even these Type 2… Talking about SOC 2 again, but just even a Type 2 audit, which is basically an audit over a period of time, usually a 12-month period, it’s retro, it’s looking back. And so, if I’m doing business with the vendor and I looked at their SOC 2 report, even if it’s a very, very clean report, I know that was… I don’t know. Anywhere from six to 12 months ago. What is it today? How secure of a client are they today? And it’s a good place to be going. |
Scott: | That’s amazing. And then there’s another part of the business, or maybe there’s a perk to using Drata, for lack of a better word, which is… You touched on this, is that CPA review. And Kruze is a CPA firm too but we don’t do the IT security reviews. Because this was actually new to me. Until we signed up, I actually didn’t know there was this review process. Can you talk about that a little bit? |
Adam: | Yeah. So again, just through the lens of SOC 2, because there’s tons of frameworks out there, but for SOC 2, again, the result of a SOC 2 audit is the SOC 2 report. And the audit is conducted, and the report is generated, by a licensed CPA. So, it’s really any CPA firm that’s doing these SOC 2 audits. They come in and, basically, like I said, they’re auditing the operating effectiveness of the controls that you’ve implemented. And because it’s an independent third party, that’s what gives the SOC 2 report the weight that it carries, which is really, really important. So, we’re very clear with our customers and prospects that Drata is not an audit firm. We partner with audit firms. |
Adam: | They’re trained on how to use Drata. They love the fact that it’s saving not just their client’s time but their own in conducting the audit, and therefore, there are reduced fees for the audit itself, just a win-win for everybody. And in that way, you’re maintaining a relationship with your auditor, you know exactly how audit-ready you are, the auditor knows. And when it comes time to generate the evidence that gets reviewed in the audit, it’s right there. It comes out in a really clean, organized zip file, folder structure that the auditors love. And that just saves, again, so many hours in conducting the actual audit. |
Scott: | I’m laughing because, when we do tax returns, sometimes clients just dump all this stuff. And going through all that stuff is impossible. So, having a nicely organized SOC 2 report has got to be amazing for those folks. The other thing, you touched on this for a second, but it’s almost like you’re this marketplace, or you have these recurring relationships with the auditors. Because that’s always a tough thing if you’re just a one-off startup going out to hire a SOC 2… any kind of auditor, any kind of accountant, there’s always a risk of making a bad selection. So, I actually really like the fact that you have these recurring relationships. And you can probably grade, or you know who’s doing a good job, you know who’s maybe being a little crazy. Do you see that too? |
Adam: | Yeah. I mean we have to maintain a really high bar with all of our audit firm partners, right? We only partner with highly reputable firms. Again, the reputation of the firm conducting the audit and who signs the report matters. That’s why some companies will only go to the big four audit firms for their audit, and others don’t have the budget for that. They don’t necessarily need to. So, we partner with over 50 different firms. They range from the big four to much smaller ones that are more affordable for, traditionally, our startup customers. But it’s a win-win for all of them. |
Scott: | That’s really cool. The other nice perk… And I want to make sure I get this right, so correct me here, but I’m not sure if you have some of those auditors from a past life on staff or… I just know our team talks to a couple experts. So, it’s not a completely automated thing. The solution is automated but then you actually go talk to Drata experts. This is pre-certification, pre-attestation. And our team has actually gotten a lot of value out of the experts that are on the Drata payroll. Does that make sense? Maybe explain that process a little bit. |
Adam: | Sure. Yeah. I mean, this is part of our, I guess, product philosophy. Of course, we have dedicated customer success managers that you can always reach out to as a customer. We have technical support that can help you with issues you’re experiencing with the product, but we also have these internal compliance experts. These are former auditors, former InfoSec professionals that are on staff. They are part of our customer success org. And so right there in the product, if you’re stuck… And not stuck because you don’t understand the product. Hopefully, it’s intuitive and you know how to use the software. You have support, otherwise. |
Adam: | But usually, the questions that we get right there in the tool are about in-the-weeds policy questions for SOC 2 or ISO 27001. And those get routed directly to that compliance expert team to give the feedback. So, it’s, again, very TurboTax-like. If you’re stuck on something very, very in the weeds and you need a CPA to come in and help guide you, you have that. You’re never just abandoned to the software, although the software is very, very powerful. |
Scott: | Yeah. Our team has taken advantage of that a lot and that’s been a really nice value add. It’s a great package. I think I told Tim this… Tim’s your VP of finance or CFO. I really connected with what you’re doing emotionally because it had a lot of parallels with our business, taking these very complex processes or the desired result and then stripping it down into processes and making it easy for people to go through, and then having the experts. That’s amazing because our team is doing it internally. This is the first time they’ve ever done it. This is new for them. And so sometimes they know what questions to ask and sometimes they’ve got to do the old “what questions am I not asking or should be asking?” And that’s where the experts are actually really, really helpful. |
Adam: | No, it’s great that you said that because with prospects we say that all the time. It’s like, “If I don’t know what I don’t know, I don’t think I can even know the right questions to ask.” And so, we can help guide on even the proper questions. If you are getting introduced to an audit firm and you’ve never been audited before, you’re trying to select an audit firm, here are some good questions you might want to think about asking. Otherwise, you don’t know. |
Scott: | I love it. I love it. I’m going to be respectful of your time, so we’ll wrap up in a few minutes here, but this is all in good fun. We have some infamous clients that were just absolute train wrecks when they came to us and we cleaned them up and all this stuff, and it’s all shorthand institutional knowledge. Obviously, don’t name any client, but have you ever seen just “oh, my gosh, this is a giant hack waiting to happen, and thank God you came to us before someone got to you” kind of moments with prospective clients? |
Adam: | You’d think- |
Scott: | Don’t name any names. |
Adam: | Literally thousands now. No, it’s usually stuff that’s right in the middle of rapid growth, right? When a lot of our customers raise a new round of funding and they bring on a ton of new employees right afterwards, we have our own internal pattern matching where we go, “Okay. Because of what we know about the company, where they are, these are potential pitfalls.” And we could help, again, proactively catch those things. The software does that itself, but then our customer success team actually gets involved as well. It’s like, “Congrats on your recent round of funding. Here are three areas where we see, benchmark-wise, companies make mistakes at this stage when it comes to their compliance posture. You onboard [inaudible 00:22:41] new employees over the next 12 months. Here are all the different areas in which these gaps could form. The software’s going to alert you, but I’m giving you an extra heads-up.” That stuff, for sure. |
Scott: | Yeah. Plan ahead versus waiting for the software to alert you that you did something wrong. It’s just- |
Adam: | Yeah. [inaudible 00:22:55] the real-time alert, but still, just having that extra support and knowledge and domain expertise, it helps a lot. And then, I mean, we could have some internal dashboard, I’m sure, of just kind of the most common gaps that we see, whether it could be in your infrastructure or your personnel or your code repos. I mean, there’s… And you see them. I mean, they’re the causes of a lot of breaches out there. But luckily, if you’re monitoring it continuously, you’re going to get alerted right away. |
Scott: | Yeah. That’s amazing. Well, we’re loving it. It’s working really well for us. |
Adam: | Thanks. |
Scott: | Like I said, we knew we had a ways to go. So, if you’re a startup out there that’s thinking about this, I actually recommend it from a hygiene, “here’s the list of things you’ve got to fix” kind of way, versus waiting until you think you’re ready. I really do. It’s not a crazy “break the bank” expensive service either. You guys have made it really affordable. I’m sure your plan is to grow with companies. But it’s at a price point that allows a smaller company like us… We have 150 people and a small development team. We’re not huge, right? And so we can afford to dedicate budget to it and it works for us. The ROI is amazing, so shout out to all the people in customer success, the engineering team. You’ve assembled a really nice package and service and we just love working with you guys. |
Adam: | Thank you. Means a lot. Really appreciate it. |
Scott: | Yeah. You’re taking a bunch of first-timers through the journey, and we appreciate it. Well, maybe just to finish up here, if people are interested, maybe give them the quick pitch one more time and then just tell them exactly where they can reach out. Obviously, the website, but maybe LinkedIn or if there’s a sales team or a customer support team they should reach out to. |
Adam: | Yeah. Yeah. I mean, again, if your company stores or processes customer data in the cloud, which is just about every company these days, it’s not a matter of if, it’s a matter of when you’ll be required to prove that you’re doing the right things and protecting the privacy and security of that data. And usually, in our experience… And we empathize because we were one… I mean, this is our story. I mean, we waited too long. It’s true, I mean, you can’t start too early. |
Adam: | If anything, it’s going to be faster, cheaper, and easier to maintain. We all know what tech debt is. Security and compliance debt is no fun. And so, using automation, we’re able to bring that cost way down, like you said, and have people, from literally day one, launch compliant and stay that way as they grow. It’s just baked into the culture and DNA, and the monitoring is there. And so, if you’re not hearing about it, you will. Happy to help guide companies through that process. So yeah, just drata.com, click “get started,” and our team will reach out and get you going. |
Scott: | You can sleep soundly using it and having gone through the process. That’s the ultimate, right? Obviously, there are hackers out there that can get through anything. But knowing you put your best foot forward and did things the right way makes you feel really good. So, it’s actually one of those products or services that you have a smile on while you’re using it. It’s really nice. |
Adam: | Our product team is going to love that. Thank you. |
Scott: | Yeah. It’s true. It’s true. It just makes you feel so good. So… All right. Adam, thank you so much. Really appreciate you coming by. And- |
Adam: | Of course. |
Scott: | … catch you later. And take care, man. |
Adam: | Thanks so much for having me. Take care. |
Singer: | It’s Kruze Consulting. Founders and Friends with your host, Scott Orn. |
Kruze Consulting is a leader in Startup Tax Filings, Payroll Tax Savings from R&D Tax Credits, professional advice and more! Find out why hundreds of seed and venture funded startups trust Kruze Consulting’s tax experts, software and process to save them time and hassle.