When I started Eden Data in 2021, my goal was to change the way high-growth organizations think about compliance. Our approach has won us back-to-back Drata Partner-of-the-Year awards and secured our position as the top firm from SOC 2 to IPO for 200+ brands like Zendesk, Kindbody, and Bitly.
Our team of 40+ ex-Big 4 cybersecurity and compliance experts manage hundreds of Drata accounts for clients, which has given us a frontrow seat to industry trends. We get insight into both the GRC landscape and the fast-paced and fluctuating demands of corporate buyers for which many startups are prioritizing their compliance programs.
Given that, here are the predictions I shared at Drataverse ‘24 about what will happen in the compliance industry over the next 5 years:
1. Cybersecurity is going mainstream
On a personal level, cybersecurity and data privacy are in the news on a daily basis, whether it’s a publicized breach or congressional hearing. We give our data to Facebook, then we're mad when Facebook uses our data in the wrong way. Then we start not caring again for all these AI tools coming out, and then we get mad that they are collecting all of our data to improve their models.
So there is this element of people starting to care more and more about cybersecurity as individuals, which is also carrying into the workspace. From both our B2B and B2C clients, we’re hearing frequently that Trust Centers are the often the first point of contact with buyers. Before contacting sales or starting a free trial, buyers are checking help centers for audits, compliance policies, and sub-processors.
The reason behind this trend of cybersecurity awareness is that it's becoming easier than ever to manage it. I think a lot of people believe security is just purely threat modeling and vulnerability management in the cloud and all of these deeply technical terms. But, in reality, a lot of security is documentation. It's process building. It's tying things back to compliance so that we can actually validate that we're meeting the standards. And what we are seeing on our side is that, with platforms like Drata it is easier than ever for you to be able to tie the work that you are doing to something tangible that you can showcase to not just your auditors but also your customers and prospects.
By that process becoming easier than ever combined with the aforementioned trends, we're seeing a huge uptake in awareness.
2. Loss of trust will drive business decisions
Compliance isn’t an abstract concept anymore. Virtually every large enterprise has suffered a breach, either directly or via a vendor. For established brands, breaches of any significance can be devastating. That trauma is directly driving buying behaviors, with infosec and procurement processes designed to treat every prospective vendor by default as unnecessary additional surface area until proven otherwise.
Historically, senior business leaders could make final decisions, and brute force onboard new vendors. Now, we’re routinely seeing that when customers say “this is the perfect solution for me,” that is only an early step in the buying process. It’s followed by extensive infosec reviews which are indifferent to the value proposition and instead singularly focused on compliance and security risks.
Even if your solution is the most innovative in the market, you’ll lose out on enterprise deals to inferior solutions with better security postures.
3. Compliance will become table stakes
When I first started Eden Data, getting SOC 2 compliant, even with just the minimally required controls, was a differentiator for a technology startup. Now it’s increasingly becoming table stakes. It’s expected if you’re doing business of any sort with even midsized business customers.
We’re seeing enterprise buyers begin to ask for a lot more than the minimalist SOC 2 Type 2 report. They want to see actual application pentest results, not vague network scans. They want multiple Trust Service Criteria, not just Security. They also want to see GDPR compliance, hefty cybersecurity insurance, bug bounty programs, and a diligent subprocessor and vendor management program.
My expectation is that expectations will continue rising.
4. Your choice of auditor, pen tester, cybersecurity partner, and policies will matter
Building on my last prediction, I predict that buyers will overwhelmingly stop treating SOC 2 reports as a check-the-box exercise. They will actually diligence audit firms, pentesters, and even review policies.
One of the biggest things I can stress is that the vendors that you do business with, and you associate yourself with regarding security and compliance is absolutely going to matter.
We’ve seen an increasing number of audit reports get rejected by prospective buyers. If you’re deciding upon auditors based on costs, you may be throwing your money down the drain altogether in the near future. And the same thing applies for pen testing. Pen testing is just a service that has exploded in value, but it's also exploded in sketchiness, for lack of a better term. There's just a ton of vendors out there that are not doing quality pen tests. They're selling vulnerability assessments as pen tests and unfortunately, it's hurting the industry. We are getting to a point where people are actually reviewing these when they are going through the procurement process and pushing back on them heavily.
Moreover, boilerplate policies are not going to cut it. Policies are being scrutinized and buyers can tell when you are using generic documents found online that aren’t tailored to your business, technology, and systems. When buyers go to your Trust Center and download your policies, they are looking for actual tangible content in there related to the risks that they are tying to your business.
This industry is going to soon see a massive race to quality.
5. We'll see the rise of cybersecurity-native startups
My last prediction, which I’m the most excited about, is that we will see the emergence of pre-launch startups that are building their companies with an emphasis on cybersecurity and compliance. Instead of viewing compliance as a cost, they see the ROI in a strong security posture out of the gate and realize how much easier it is to remain compliant over time rather than become compliant later.
One of our fastest growing customer segments is pre-seed startups with 1-10 employees. They’re getting SOC 2 compliant before writing any code so that they can configure their environments in a compliant way before adopting processes and trying to retrofit them later.
From the conversations I’ve had with them, it’s working. They’re able to work with F500 buyers much earlier in their journeys than the typical startup. I expect to see this become the norm and likely a key piece of any smart seed investor’s diligence process.
If you want to chat with me about your predictions on the future of our industry drop me a word on LinkedIn!
