Show Notes
For B2B SaaS companies, keeping data safe and secure has become increasingly important. However, meeting
compliances for privacy and security can be problematic and time-consuming. Fortunately, young startup
Sprinto is bringing some much-needed relief to this pain point.
Sprinto co-founder and CEO Girish Redekar was a guest on this week’s episode of the Midstage Startup
Momentum Podcast with Roland Siebelink. The two talked about Sprinto’s early success and a slew of other
topics related to the startup world.
- How and why Sprinto created an end-to-end solution to the problem it solves.
- Why focusing on a specific niche was key to Sprinto’s early success.
- Why Sprinto’s value to its customers is in part due to its end-to-end approach.
- The business benefits of Sprinto using a functional programming paradigm.
- The two macro trends Girish sees happening in the SaaS space.
- Why founders should always take advice from other founders with a grain of salt.
Transcript
Roland Siebelink: Hello and welcome to the Midstage Startup Momentum
Podcast. My name is Roland Siebelink and I'm an ally and coach and advisor to
many of the fastest growing startups around the world, one of which is with us
in our studio once again today, and it is Sprinto. And we have with us the
co-founder and CEO Girish Redekar. Hello, Girish. Thank you for joining.
Girish Redekar: Hi, Roland. Thanks for having me.
Roland Siebelink: Absolutely. The first question is always the same. What
does your company do? What makes you different? And who do you impact with what
difference in the world?
Girish Redekar: Sprinto helps other B2B SaaS companies obtain security and
privacy compliances at one-tenth the effort. In turn, this helps our customers
actually accelerate revenue, close high ticket deals, and pass vendor security
assessments with ease. Updating these compliances conventionally took months,
but we do this by automating all the busy work involved, and that's how you get
the benefit that you get.
By nature, our customers are cloud-hosted B2B software companies.
Conventionally, this used to be happening manually. There are a few other ways
to do this, including some software-based tools. Where Sprinto is different is
that we take a very end-to-end approach to this entire thing. We automate not
just the implementation and the operation of the security program, but even the
audits, which are the most dreaded part of this entire equation. I know this
sounds like a gobbledygook of acronyms, but I'm sure that SaaS sales people have
heard of these and perhaps dread these. And it usually means that the deal is
going to take a while to close and Sprinto just helps you get these compliances
out of the way so that you can focus on things that help you close some of these
high-ticket deals. That's at a very high level what we do.
Roland Siebelink: Okay. I love it. That's a very good summary. Much better
than sometimes what I hear from CEOs when I really have no idea what they're
talking about, but this is awesome.
You already mentioned your core customers are B2B cloud-hosted software
companies. The core buyer there seems to be a chief security officer, similar
profiles. Some maybe are not quite an officer yet at that stage. How big would
you say the typical client is? At what stage do they become worried about
security compliance, passing audits, and things like that?
Girish Redekar: That's a great question. This honestly varies a lot. The
person on the other side is sometimes the chief security officer or somebody in
the information security seat. But often these are very young companies where
this falls into the laps of the CTO in the company. These are companies of
smaller sizes. Honestly, we've worked with companies that are really small -
five employees or fewer, and they just need these compliances for their first
pilot because they are an enterprise-first company and they just have to look
into this, even for the first customers - right up to companies that are
thousands of employees. We see quite a range.
Roland Siebelink: Can you tell us a little bit about the history of Sprinto?
How did you come about? What gave you the idea? Who did you found it with? I
want to hear everything.
Girish Redekar: This was a big incident. This is not my first SaaS company.
My co-founder at Sprinto and I ran a B2B SaaS company before this called
Recruiterbox. We're both engineers, so we're both developers. We wrote a whole
bunch of code at both Recruiterbox and Sprinto. But one of the things that
happened in my previous bootstrapped company was that we were a largely SMB
business. No matter what you do, you're always going to get a few whales down
your pipeline. You don't want to lose them; you want to convert.
Roland Siebelink: I was going to say, "Oh no, there's a whale coming." No
company ever said that.
Girish Redekar: Exactly. It's extremely hard to let them go, even though
they may not be part of your strategy overall. And specifically, at
Recruiterbox, we were also trying to go a little bit more up market. And that's
when we were coming across a bunch of these security questions and we were asked
to become software compliant and so on and so forth. And we always kicked the
can a little further down the road because this whole thing looked fairly
opaque. We had no idea how to go about these things.
At one point, we decided to bite the bullet and get this done. We went through
this process where we hired a consultant and they would sit in our office and
spend hours trying to understand the security posture, trying to get us to a
point where we could actually get ready for an audit. Long story short, I
wouldn't say it was a very pleasant experience. We ended up pushing a bunch of
other engineering things down further along so that we could make space for
this. And it turned out to be a lot of manual busywork at the end of the day.
Fast forward, we exited the company. We took a year's break. And then we were
thinking about ideas of what to do next. This was one of the half a dozen ideas
that we were looking at fairly closely. And it helped to have some personal
context to it about why this was painful. And we were researching that a little
bit further to see if we were alone in this problem. And it turned out, when we
spoke with a bunch of other fellow founders that this wasn't the case.
The long story short is it came out of a personal pain point. We did some
research to figure out whether this was a wide enough problem, and it turned out
it was. I've been constantly surprised ever since by how widespread the problem
really is. In that way, it turned out to be good.
Roland Siebelink: Excellent. Okay. Very good. And that's how Sprinto got
started. I think it's usually a pattern of some of the best startups when they
are built around the problem that the founders personally have experienced and
when you can essentially hack around to find a better solution.
It sounds like the traditional process is really manual, is essentially a
consulting job where people sell you their expertise and help you check boxes
essentially. How do you replace that with software?
Girish Redekar: That's a great question. I think the first good decision
that we made in that process is we focused on a very specific niche. We only
work with cloud-hosted companies. The way these compliance programs work, their
implications or the way you meet the requirements are very different depending
on the kind of setup you have. If you're a company which for whatever reason
hosts data on its own premises or runs its own data centers - those are
increasingly rare - if you're doing that sort of thing, the requirements of this
program are very different. It's a very different thing if you're not a product
company but a software services company, the requirements are different and so
on.
I think the first thing we figured is you narrow down on the problem, and then
you can start looking at this in a very specific manner. The second thing that
Sprinto does is we integrate with a bunch of tools and services that a modern
technology company would use. Like a cloud-storage company would typically be
hosted on AWS or Azure or Google cloud. We integrate with the services and help
you maintain a security posture on these services. We'll integrate with your
version control system that you will be using. Platforms like GitHub or GitLab
or Bitbucket or any of those. We integrate with those as well. We'll integrate
with your HRMS systems or whatever you use to maintain an identity system,
whether that's Okta or any other HRMS system. The broad idea is that we
integrate with a bunch of systems that you already use as a company.
Roland Siebelink: The standard stack for a B2B SaaS company, in a way?
Girish Redekar: Yes. And we have a very broad range of such integrations.
And what we do with each of these is we've translated the auditor's
requirements, which will be complex jargon and audit speak, and converted it to
simple-to-understand business or technical requirements, which we implement via
these integrations.
Roland Siebelink: Okay. You mentioned that one point of differentiation - a
strong differentiation I would say - is that you also take care of that audit.
Does that mean you interact directly with the auditors? And what does that mean
for your business model? Does that mean you have a sizable services component
next to just purely the software model?
Girish Redekar: That's a great question. We don't have a sizable services
component. But this was one of the things that we looked very closely at from the
beginning of the business; we realized that auditors are first-class
stakeholders in this entire equation. And we actually worked very closely with
auditors in our early days. Our favorite pastime in the early days was to get
ourselves audited. I think we got audited more than a dozen times. And the idea
was to learn the ropes and understand what auditors really care about.
The way Sprinto is actually built is that with each auditor that we work with,
we understand the requirements and the requirements are actually embodied in our
software. And the entire software is built on top of those requirements. What
really happens as a result is each auditor can be a little bit specific about
how they want to conduct their audit, how they want to receive the evidence, or
how they want to catalog the evidence and format and so forth. And those are
deeply intertwined with their internal processes.
And Sprinto is unique in a manner that we have actually mapped out those exact
requirements and these processes within our software. What that really means is
while on the other side, the customers are doing very simple things, the
auditors still get what they want, and it's nobody's manual job to do all the
work around collecting all of this evidence, cataloging it, grouping it
correctly, formatting it, and then showing it to the auditor and then figuring
out that everything is okay or not. That's happening in software. We spent a ton
of time and effort to make sure that this happens in an end-to-end manner. And
that's really what gives the value.
Roland Siebelink: Okay. It's almost like a loose coupling architecture that
you set up where the client can build their side of the report and then you can
produce it in whatever kind of format the auditor wants to see it?
Girish Redekar: Yeah. Somewhat like that. And that's really the powerful
thing about the software. You could change your auditor tomorrow and voila.
Roland Siebelink: That was going to be my next question. Great minds think
alike here. That's awesome. Talk to me a little bit about what does this mean
for the business model. On what basis do you price? What is most attractive to
your customers? Is it a subscription versus a one-time fee? How do you typically
go about that?
Girish Redekar: Great question again. The thing to understand is that the
inherent nature of these compliances is itself recurring. So this is not a
Sprinto construct. Whether you want to be SOC2, ISO, or any of these things that
are compliant, you need to run this program on a continuous basis and you need
to give yourself an audit at least on an annual basis. As a result, Sprinto is
inherently a subscription product. We typically do annual subscriptions for all
our customers. That's quite simply the way the business model works.
Roland Siebelink: Very good. Okay. And how did you find the pricing level
that was most attractive? You don't have to mention exactly what it costs here.
But I'm more looking at what you do to experiment with pricing levels? Have you
found variation among customers? A lot of the founders listening to this podcast
want to hear more about prices, so that's where I'm digging in a little bit.
Girish Redekar: It's a great question. I honestly think that we are in the
process of still understanding how to price this correctly. We have something
that works right now. And the way Sprinto is priced today depends on the complexity
of the compliance program that you are building. It turns out that most of
these compliances are fairly holistic, which means that they have implications
on pretty much all your employees. The employee size of the company is usually a
rough indicator of the complexity of your compliance program. We use that as a
typical proxy of how large or complex your compliance program is going to be. The
size of the company is the rough indicator. It doesn't change
linearly, but it changes with the size of the company.
Roland Siebelink: Let's talk a little bit about the traction so far. When
did you get to market? Whatever number you're comfortable sharing, of course.
But where do you see your customers? How fast is it growing? Whatever you can
share.
Girish Redekar: A bit of history. Like I said, we spent a ton of time in the
beginning working this out with the auditors, trying to understand how exactly
this process works. And we launched - I won't say launch, we actually put out a
website - I think about eight months ago. In a short period, we have actually
started acquiring customers. We've grown very rapidly. We are already at
hundreds of customers. We've raised a Series A from Elevation Capital and Accel.
Okay. Happy about getting a bunch of really good SaaS investors on the board as
well. That's where we are.
Roland Siebelink: Hundreds of customers, that's very impressive, Girish.
Where do you find these customers or how did they find you?
Girish Redekar: Today, we have customers all across the world. In the US, and we
have a few in Europe, Israel, Australia, India, a bunch of places. Most of our
customers are just inbound. We just put out a website and we've just been trying
to keep up with the demand since. That's roughly how it is. We have a growth
team in place now to start actually building out the engines to do this in a
very specific manner.
Roland Siebelink: Where are you investing most of your new resourcing? Is it
mostly still products and engineering or are you really focused on building up
your go-to market? People always want to hear a percentage.
Girish Redekar: I think it will be about 50-50 today. We're basically firing
on all cylinders there. I think we have a really exciting product roadmap ahead.
We are investing a lot in our product and R&D and our engineering function. And
at the same time, we are very ambitious about our growth plan. We are also
investing in our growth as well.
Roland Siebelink: Okay. And for the CTOs listening to this podcast, I always
want to ask, can you talk a little bit about your stack? What's the typical
technologies that you're looking for engineers for?
Girish Redekar: I think the most distinguishing thing for any engineers or
CTOs out there who are listening to us, the unique thing about the architecture at
least - and the way we are doing it differently this time compared to what
we did last time - is that we are a very functional code base. What I mean by that is
in contrast to an object-oriented code base. This was a bit of a learning curve,
honestly, for me as well when I was writing code early on. But we are really
reaping the benefits of writing it in that manner. Functional programming is
really cool. I would encourage those who haven't really looked at it yet to have
a look at it. It's really good.
Roland Siebelink: And for those like me who aren't engineers but have heard
of functional programming, what would you say is the key business benefit of
moving to a functional programming paradigm over object-oriented programming?
Girish Redekar: I think the most important thing about business software is
really to be able to fit the scenarios of your customers. Business software
tends to get very complex and you don't know upfront what scenarios you're going
to come across as you grow as a business. You have some hypothesis, but you
don't know everything upfront. What really happens with a bunch of business
software is that you end up doing a lot more changes to it than you originally
anticipated. All your first ideas are shit. Everything you'll begin with, those
things will almost automatically change.
And what functional programming really forces you to do is to build these very,
very simple machines that you can put together to do complex things. And as you
learn more things, moving these things around or composing them in different
ways is a lot simpler when you use functional programming than when you use
object-oriented programming. What that really means as a business benefit is
that it allows you to stay nimble and to actually react to your market and their
needs when they come.
It's not going to be a scenario where you learn something new, there's a new
feature you want to build, and you're staring at this big refactor that's
telling you that it's going to take weeks. It doesn't work like that with
functional programming if you've done it well. I think that's the biggest
advantage to me, both as a programmer and as a business owner of this way of
programming.
Roland Siebelink: That's an excellent explanation. I've been delving into
functional programming and trying to get a little bit of an insight like that.
And this is the best way I've heard it explained so far, especially since we
know that fast growing SaaS companies often do land in this analysis-paralysis
territory where nothing can be changed anymore for fear of breaking the house of
cards. That's probably some experience you may have had in one of your previous
startups as well. With this functional programming base and all your
architecture being wonderful, and a great team, how big can this grow, Girish?
Where do you see your big ambitions 10 years down the road?
Girish Redekar: Some background to that in the sense that I am really,
really excited about the space, in general. I think there are two very large
trends that are going on in the world. And these are irrespective of Sprinto or
anybody else. I think that the first thing to recognize is that - I think it was
Marc Andreessen who said that software is eating the world. I think we all
acknowledge it now and we agree to it. I think what's really also happening is
that SaaS is eating software. I was reading a report recently and SaaS is
growing at 18% CAGR. Something that's growing that fast, that's doubling every
four years, that's not something you can ignore.
The second macro trend that's really happening is that SaaS fundamentally means
that my data is on your servers. I increasingly want some assurance that you're
keeping this data safe and secure. And this used to be something that the
Fortune 1000s used to worry about a lot more if you were looking at this a
decade ago. But those demands are percolating downstream. This is no longer
something that the people in the ivory towers worry about. This is something
that's happening. It's constantly becoming more and more downstream.
Today, if you're doing five-figure SaaS deals, you are likely going to get
asked - in one way or the other - something about, "Hey, show me something to tell me
that you're going to keep my data safe and secure." This takes various forms.
Whether that's security questionnaires or some of these compliances or various
other ways of doing that. I honestly feel that - in one way or the other - it's
going to be important for SaaS companies to be able to demonstrate that they are
going to keep their customers' data safe. And compliances are the way to do that
today. And it's increasingly important for SaaS companies to do this
proactively.
Just to take a step back again, there are two major trends that are happening in
the world - macro trends. The amount of SaaS is increasing and the fraction of
SaaS companies who need to become compliant with one of these security
compliances or have a security program, that fraction is also increasing. What
that really means is we are at a point where there's a great inflection point in
the amount of security compliances that are being sought. And we see this with
anybody in the space, whether we speak with auditors, we speak with other
players like testing providers and other places in the security space, it's very
palpable.
On that background, I think we are at the right place at the right time. It's
about execution right now. The ambitions are pretty large. We believe this is a
massive, massive opportunity and it's just about executing it right.
Honestly, the way we look at it internally - our internal vision and our goal is
to increase the GDP of B2B SaaS. That's really how we look at it. That sounds
lofty, but that's where we want to be. If we would have gotten B2B SaaS to a
point where we've actually increased the amount of B2B SaaS, we would love to be
there.
Roland Siebelink: That's awesome. I really love that as a vision of the
purpose behind the company. The stuff that gets you out of bed every morning -
or every evening in your case - to run the company with so much passion and
energy.
Very good. Girish, this is not your first company you mentioned, so you must
have had a lot of entrepreneurial learnings over the years. If you're talking to
founders that are a little bit behind you, maybe on their first project, may
just be at the stage of finding product-market fit, what would be your key
advice? One key learning you would convey to them?
Girish Redekar: I honestly don't believe in entrepreneur advice. I feel that
a lot of these learnings are highly contextual. I could say a few things that
are personal learnings for me. But without the context in which they actually
happened, they don't mean much. This will be a great bite-sized quote and it'll
sound great but it's not really useful. I'm sorry to disappoint on that.
Roland Siebelink: No, I think this is a great insight in itself. All
advice is contextual and you may just pick up something from a founder that is
totally not applicable to you, right?
Girish Redekar: Yeah, I honestly don't know how to give a good answer to
that.
Roland Siebelink: Okay. Fair enough. Girish, when people are listening to
this podcast and they want to find out more, where should they go? What should
they download? And how can they help Sprinto most?
Girish Redekar: Do give us a visit. We are at sprinto.com. Check us out, let
us know if we can help you with any of your security compliances. I'm personally
at [email protected], feel free to drop me a line, happy to chat about anything
related to growing your business, especially if you're in a B2B SaaS space. I'm
happy to share my notes, and have done a couple of these things. For what it's
worth, happy to share my experiences and help you out if I can.
Roland Siebelink: That's awesome. For those investors that are excited and
want to talk to Girish, I'm happy to provide an introduction as well, of course.
Thank you so much, Girish Redekar, the co-founder and CEO of sprinto.com. It was
an honor to have you on our show.
Girish Redekar: And thanks for having me, Roland. I really enjoyed this.
Roland Siebelink: Thank you so much. Thank you everyone for listening. And
we'll have the next founder with us on the Midstage Startup Momentum Podcast
next week. Thank you, everyone.
Roland Siebelink talks all things tech startup and brings you interviews with tech cofounders across the
world.