There were plenty of important topics covered at the recent Startup Daily and AWS Unicorn Day in Melbourne from venture capital to impact startups to scaling to a billion-dollar business. One particular session on compliance demonstrated how paying attention to the small details can help founders close the biggest deals.
When Oscar Watson-Smith, sales engineer at compliance automation platform Vanta, asked the room how many startups had been through or heard of SOC 2 or ISO before, many hands were raised.
Any startup going global, working with government or heavyweight clients with tight data protocols would know that certifications like ISO and SOC 2 are essential.
But they’re not just nice-to-haves – they’re deal-breakers, according to Watson-Smith.
“Startups often come to me and say, ‘Hey, we’ve got product-market fit. We have this excellent product and a customer we’re about to sell to. We’re about to sign on the dotted line. And then they said to us, ‘Where’s your SOC 2? Where’s your ISO?’ And it prevents them from closing a deal,” he said.
“So they come to us in a bit of a tizz sometimes and they need help immediately to prove that they are compliant in order to win some sort of larger business.”
Rapid-fire summary of ISO and SOC 2
ISO stands for the International Organization for Standardization, a global federation of national standards bodies.
One of the most common standards you’ll see is ISO 27001 for information security management and customer data privacy protection. This must be verified by a third-party auditor, and often requires action across different parts of a business, from leadership to HR to IT.
SOC 2, which stands for Service Organization Control Type 2, is an information security compliance framework created by the American Institute of Certified Public Accountants (AICPA). Widely used across the US and the SaaS industry, SOC 2 helps organisations verify their security and reduce the risk of a breach.
The wheels of compliance move slowly
At least, traditionally they do. For startups used to working at speed, the compliance process can grind progress to a halt.
“It can take anywhere between six to 24 months, particularly for ISO and SOC 2, but there’s a lot more frameworks than that,” explained Watson-Smith.
“And it’s a lot of multiple steps like researching… you’re going to need guidance. You’re probably going to have to bring a consultant or an auditor or a virtual CSO to help you in getting ready for this audit.
“Then you’ve got the actual audit costs, which can be extremely expensive, especially if they have to go through a lot of manual evidence that’s in disparate locations.
“Then we have the evidence gathering, putting it all together, and in the end, you’ve spent a lot of valuable time on something that isn’t very interesting or exciting, but it’s very important for you to be able to generate revenue for your business.”
Startups need faster action
Watson-Smith explained that a lack of certifications is a “common blocker” to startup growth.
The time and expertise needed to prove you’re compliant is onerous, which is why automated compliance platforms like Vanta have seen a surge in popularity.
“We’ve reduced that timeline from 24 months to anywhere between one to six months,” he said.
Founded in the wake of high-profile data breaches back in 2018, the San Francisco-based security and compliance-based platform has rapidly attracted more than 8000 companies to use it services, including Atlassian, Quora and ZoomInfo.
In July 2024, Sequoia Capital-backed Vanta announced its $150 million Series C funding, raising it to a $2.45 billion valuation – up from its $1.6 billion valuation in 2022.
Vanta has a Sydney office of 30 staff, including Watson-Smith.
“We test, we remediate, we get you audit ready, we get you through the audit, and then we make sure that you stay compliant when you’re outside of that audit window,” he said.
“So when the next one comes around, it’s really easy for you to just bang it out very quickly.”
Security and compliance are a long game
Watson-Smith pinpointed two key factors that benefit startups playing a long game: integrations into a single platform and the process of continuous compliance.
Vanta’s API accommodates more than 360 integrations with everything from AWS to Xero.
“We run these [API checks] once an hour and that’s where that continuous compliance comes in because we can keep checking if you’re compliant,” he explained.
“If you spin up a new instance, a new database, for example, and someone forgot to put an IP range restriction on it, we’re going to notify you immediately that you’re now out of compliance.”
Startups can access Vanta’s Trust Center every day to see their security postures and controls at any given moment.
“If have a really specific security questionnaire they want answered, we can actually automate the answering of them with all the information we have about your organisation in the platform using Gen AI,” he said.
“So we plug the questionnaire in and we answer all the questions for you, and then you can just vet that the answers are correct. And we’re using your compliance documents as that source of truth.”
Watson-Smith told Startup Daily that when global sales and marketing platform ZoomInfo implemented their security questionnaire automation and Trust Center, they reduced the amount of questions they had to answer manually by around 90%.
In Oscar’s own words below:
Keep an eye out for more highlights from Unicorn Day, which included fireside chats with Zeller CEO Ben Pfisterer, Canva Head of Design Andrew Green and former Aconex founder turned Saniel Ventures CEO Leigh Jasper.
Make sure to sign up to the Startup Daily newsletter for updates on our next events.
This article is brought to you by Startup Daily, supported by Vanta.
Daily startup news and insights, delivered to your inbox.