In the first episode of SaaScast, we were joined by Meiran Galis, a strategic and tactical leader in the realm of security compliance.
He’s worked with hundreds of SaaS companies, including small startups and Fortune 500s, and built compliance programs for rapidly growing organizations. He’s passionate about implementing security controls that leverage automation, reduce the cost of compliance, and mitigate business risks.
Meiran spoke about the importance of security compliance, especially for SaaS startups.
New startups, which should aim to become profitable as soon as possible, need to think about how to cut unnecessary costs and use their budget wisely.
A key component of loyalty is trust. Nothing builds trust better than a customer being sure that their data is safe with your org. But don’t just take it from us, take it from a security compliance expert! Meiran goes into all of this and more in the full unedited talk. But we’ve put together the highlights below. Enjoy!
- Meiran’s background
- The importance of security compliance
- Avoiding early hurdles as a startup
- Finding the right talent
- The future of security compliance
Meiran’s background and role at Scytale
Welcome, Meiran. To start, can you tell us a little bit about yourself, your background, and your role at Scytale?
Of course. So, as you said, I’m an expert in the domain of security compliance for SaaS companies. I began a while ago when I was a manager in a technology risk department.
Back in the day, I was doing audits for hundreds of companies in the domains of cybersecurity, recruitment, HR, healthcare, payroll, etc.
Being there and performing so many audits, I fell in love with the experience of meeting people, understanding architecture, and learning about the successes and struggles that each organization experiences on the journey of implementing compliance controls.
It's a very impressive niche you found. Why did you choose to become an entrepreneur?
You could say, in a way, that it found me. Since my first college degree, I always had a passion for exploration, building business models, and finding solutions to problems. I loved it, and I still love it, and this is why I got into it.
I always tried to deliver more when I was working at EY, and I guess passion was the way for me to learn more, deep dive, and think about how to do better. Leveraging all this information, knowledge, and experience helped me a lot when I decided to leave EY and create Scytale AI.
The importance of security compliance
Can you tell us a little bit about security compliance as a whole and why Scytale exists?
Yes, of course. In the general perspective, security compliance is basically an arm of the policies, procedures, governance, and risk that a company needs to manage. Managing all of the security efforts is vast and complex. You have application security, frameworks, regulations, standards, guidelines, and controls.
Once a company wants to build a robust security program, it will need to choose one framework or standard that works for them. It can be the ISO 27001, SOC 2, NIST, or one of many other frameworks.
Most companies, especially startups, don't have the time to do it just because they want to do it, but it’s a requirement from customers and prospects.
And because this is a requirement, they know that they must go through this process, and they need to do it in a manner that is fast, smart, and saves them time. That way, they can invest their time and skills in development, hiring talent, funding the company, and, most importantly, making sales.
It's tough because they have so much stuff to do, and many times they don't have the knowledge or the experience around security compliance, and they also don't have the time or the will.
In other words, they don't care at this particular moment about the security of the company. They care more about the speed and features of the product and bringing those customers in.
For many companies, security compliance is just something that needs to get done. All the same, my approach is that if you're doing it, don't just follow a ‘check box’ mentality. You're already investing your time in it, so at least get some value out of the process in order to boost, sell, and propel the company to full scale.
In brief, security compliance is about the need to design and implement controls within a company as a countermeasure for certain risks. The aim is to reduce these risks to an acceptable level.
These controls can come as part of the software development lifecycle, as part of the access control, as part of the risk assessment, vendor management, etc.
As you see, I'm very passionate about it. This is why I created Scytale – because I wanted to take my experience and knowledge and save time for startups.
In the same breath, help them build trust in the company for prospects, investors, customers, and any partners that will be working and collaborating with the company.
Avoiding early hurdles as a startup
What have been the main hurdles you've come across as a startup, and how would you recommend that people avoid them?
To begin, I will say that the most important thing is to understand what you want to do. It might sound easy, and maybe you think you already know, but there is still research that you will need to do to support this.
When I say research, I mean speaking with potential customers, doing customer reviews, and understanding how to do customer reviews, because eventually you want to compare apples to apples, so it needs to make sense and support your decision afterwards.
Also, get some benchmarks to see what's going on outside. You are not living in a vacuum. You need to know how people work right now, what they’re interested in, and what types of solutions they have.
Another key thing is intuition. You have to have some intuition, something you bring from yourself and your experience. Combining everything you have learned will be the most critical part in the beginning.
Also, finding people that believe in your vision is crucial. If you find a nine-to-five guy, I don't think that's the type of person you would want at this stage in the company. You want someone that is committed. You want someone driven, motivated, and passionate.
That's what I was looking for. More than experience, I was looking for passion and potential in the initial team. I would look deep into their eyes, and I could see that we had a good match and these people are really committed. I think that's what makes the difference.
So start by knowing what you want, documenting stuff, putting it to the test before you write even one line of code, and finding great people. Those were the key parts at the beginning of my journey.
Finding the right talent
Talent is crucial in startups. Have you got any tips for finding and hiring the right talent?
You know, that’s the million-dollar question. I would say first, try to test for potential. That’s a key part. Also, look at their passion. I know I'm repeating myself, but if someone doesn't love what they do, it's only a matter of time until they leave the company, and that’s gonna cost you much more; that’s why I'm insisting on it.
I remember when I was interviewing someone for an engineering role, I asked him a question and he said, “Look, it's not possible.” Later, I was interviewing someone else, and I asked him, “Is it possible?” He said, “Everything is possible. You just need to find out how.” I really liked this kind of approach, and I connected with it.
In some other cases, you also need to test achievements. Achievements are critical because, especially when it comes to marketing, they result in sales.
Also, you need to find some good chemistry. You can feel it in the room when you meet someone that you would go and have a beer with. You’ll be sitting in a room all day every day for months with this person – would you rather have fun or be miserable? I think that's really important to consider.
Last but not least, Jeff Bezos said in one of his annual letters to shareholders that he’s always looking to see if this person is going to increase the average quality of the people that work for the company or decrease it. If he feels they will increase the quality, he hires the person. I think that’s a good rule of thumb.
The future of security compliance
In terms of the future of security compliance, what are some trends you have your eye on?
In the past, we used to see security certification standards, frameworks, and regulations based on regions or countries.
Then we started to see them being based on industry – the payments industry and the healthcare industry, for example. After that, we saw FedRAMP, for example, for companies that want to collaborate with federal agencies in the United States.
Now, we’re starting to see security compliance audits based on technology, like blockchain, AI, and automated vehicles that can make autonomous decisions that directly impact people's lives.
So I think we're gonna see compliance lagging behind but still managing to build in frameworks and audits around the technology. I think we’ll also be utilizing this technology. For example, we’ll see compliance on blockchain and compliance through blockchain technology.
Also, today, companies go through an audit once a year – even though it might be carried out over a period of time, it’s still a once-a-year approach.
What we’re gonna see is this shifting to a daily approach. We're gonna see a daily audit and a daily collection of stuff. Everything's gonna become fast and on time, and we're going to see this evolve in the upcoming years.
If you enjoyed this post, check out the Scytale ebook on SOC 2 compliance right here.