Hello everyone. Welcome to theCUBE's special presentation of the AWS startup showcase. This episode's on cybersecurity. This is season three, episode three of the ongoing series featuring exciting hot startups from the ecosystem of AWS. I'm your host, John Furrier with theCUBE. And today we are excited to be joined by Aman Bhatia who is the VP of customer experience at Thoropass. Good to see you. Thanks for coming on today. Appreciate you coming on and talking about complex projects and compliance and innovation.

Sounds good. Thanks for having me, John.

So, you know, the startup scene right now with cloud is going next gen. You've seen a lot of AI conversations. It's come compliance legal now. We're seeing a lot of that conversations around copyrights and the law and all that stuff. So you got innovation going on at a level that no one's seen before. And now you got the compliance and other aspects being in the same conversation. So people want to turn compliance into an enabler and an innovator driver, not a blocker. And this is something that you guys do at your company. And again, data's in the conversation. More apps are thrown up, more data than ever before. And the security risks are higher. Budgets aren't doubling, but data is. So, you know, the compliance conversation is front and center right now. What are you guys seeing right now from a business standpoint? What is the compliance conversations going like right now for you guys?

Yeah, that's a great question. And it definitely is front and center, compliance is right. And the reason is because in many ways, proving your compliance with important security frameworks is now the currency for doing business. It's the only way as a SaaS company, as a company managing customer data, you can win enterprise business deals. That's number one. Number two, it's the only way for you to build and maintain your reputation. Look, any company, whether you're a startup or not, it takes a long time to build your reputation.
And the last thing you want to do is have a security incident, which impacts your end customer and it impacts their reputation. It certainly will impact your reputation. So, those are definitely two elements we're seeing in the marketplace. It is the currency of doing business.

So, when you're talking to customers and prospects, they all know they have to get on top of this, right? And it's not, it's complex. A lot of little nuances involved, platform discussions, tied to business investments. It's not a bolt on anymore. It really is built in from day one. A lot of people have to do that. Otherwise, it bites them in the butt later down the road. How do you guys have that conversation? How do you help people understand and onboard the operational mindset into getting compliance as that smart move to get in the front of this and not make it, you know, chasing their tail, if you will.

Definitely, it's no longer a bolt on in any way at all. So, when we speak with prospects, it's often a conversation on our part to explain to them why they should start and focus on security and compliance from day one. It's very easy to delay this till the day an enterprise customer asks you for a specific audit or a report, right? It's very easy to make that decision early on. However, it's a little bit like sort of, you know, working on your fitness or going, exercising or going to the gym. It's something which takes time. It takes effort. It takes training. It takes training your staff. It takes establishing your systems and processes in the right place. And that's really where a company like Thoropass and a lot of the other compliance automation providers come in as well to help you prepare from day one. So you don't have to do it all at the very end and have mixed results.

It's interesting.
I was having a conversation with the CISO the other day and we were talking about how they, how they keep in shape because they call them a tech athlete because security, the pace of play is very high. Innovation right now is seen from startups to large companies. So people are leaning into the innovation opportunities with AI and cloud. So, you know, they have to be in shape, if you will, on not managing these seams that are developing, right? Whether it's security seams or data to be stored. So the compliance departments tend to be like the ones that are saying, slow down, you know, don't go so fast. And the innovators want to go faster. So there's always been that balance between, you know, innovation and compliance and legal or saying, hey, you know, slow down, can't go too fast. So this is where innovation has to be the pace car, if you will. So love to get your thoughts on how compliance has been a blocker and how people remove that blocker or balance innovation and compliance. 'Cause this is the tricky art and science of it.

It definitely is a tricky art and science aspect to this, this thing, right? So what we see with a lot of customers is, I think when they don't start on day one with compliance and security, it makes the job a lot harder down the line, right? Because again, there's the people element, there's a system element, there's a process element which all needs to be in sync together for compliance and security to work. The other big thing that we noticed is that the industry in general is very, there's a lot of canned controls out there which customers can adopt, but they might not be the best solution for the customer. So I think really taking a tailored and custom approach to developing the right security program for your company is really critical because it should match your business needs, it should match the industry verticals you're in, it should match the geographies or regulatory environments you're working in.
And so unless you have a very customized tailored program from day one, it's going to be a struggle.

I'm going to talk about Thoropass's business. Obviously it's a differentiator, if you do it right, it could be problematic, if you don't get it right. This is a key area again to fuel the innovation aspect of it. What's the value proposition that you guys are offering? When you go into a customer, where are you guys winning? What are the benefits? And for prospects watching, what are signs that they do need you? What are some of the pain points? What do you guys see? What do they feel and how does that come? Take us through the business value proposition.

Absolutely. I think the value proposition always starts with business value, right? And so typically prospects come to us when they're pursuing enterprise deals or other B2B deals where they have to prove trust in them as a company, right? And their security and compliance programs, it's typically accomplished through something like a SOC2 audit report, right? But it can also certainly be other frameworks such as ISO 27001, HIPAA, GDPR, so on and so forth. So it always starts with a value proposition of an end customer or an end user asking for this report so that, you know, our prospects see value in it. But I think the second most important piece is, I think we all know that in general, the cybersecurity industry has lots of different players. I mean, I don't remember the exact numbers. It's thousands of players out there, right? And so it's very easy to have lots of different vendors which where the systems don't talk to each other, they're not fully integrated. So what Thoropass offers is at least for compliance and security purposes an end-to-end platform.
So from the day you come in, you establish your controls, you work with a team of auditors, you implement these controls, you go through audit, you produce the right kind of documentation and reports you need to prove trust to your customers and then continuously then use the software to maintain these programs over a period of time. All of that in one place. Again, you can accomplish this through many, many pieces or many different vendors, but we try to offer it all in one.

Talk about the enablement because, you know, this is a platform versus tool kind of conversation. End-to-end, I feel like that's the kind of thing where it's going to enable value. What are some of the proof points that people will see when they see the benefits of this? They take the end-to-end journey. Obviously it's a business differentiator to get it right. What are some of the things that comes out of it? Give some examples of, you know, situations where you've had customers see the benefits. What's that look like? And what would be the alternative if they had a patchwork, you know, compliance strategy?

Yeah, that's a great question. So I'll start with the alternative first, actually. So typically when a customer buys a compliance automation software, they're really just buying software with a canned list of controls. It's all very templated. It's not customized to them. It's really just sort of jargon, right? Which they can go implement. Our differentiator there is the people, right? So we offer people support in addition to our software. So from day one that you come in and you're trying to establish which frameworks apply to you, which controls you want to implement, how you want to implement them for your business needs, for the geographies you're working in, for the industry verticals you're working in. From day one, you have the support of our team. So you're working directly with our auditors.
You're directly working with a team of compliance experts as well as like a dedicated customer success manager who's gonna be your shepherd through the journey. Because this journey is hard, right? It's not easy for sure, right? There's lots of different pathways here. And so typically that's the big differentiator which our prospects see from Thoropass. I mean, when I think of examples, we've had plenty of prospects come from other compliance automation providers where typically they have the software, they try to work through the software where they get a bunch of green check marks, but ultimately when they go to audit or they're trying to prove trust with other companies, there's a lot of other questions that pop up. So we're trying to differentiate ourselves by proving that we want to show the green check marks that actually mean something.

It's interesting you brought up audit and trust proof. This is huge. So you got the, I would say two categories, startups, they're always running as fast as they can. They're building value. You got the big companies who also are in that other bucket and they're doing new progressive things and they're doing, they're innovating, right? They're doing what they got to do to reinvent themselves and refactor for the next gen cloud. The issue is they want to do a business deal. They want app sec review or they want to do some sort of business relationship or frankly, you know, prove that they're secure to get the check box to do the next thing, whether it's a deal or government approval. A lot of these things go on all the time. And I hear more horror stories than ever and from companies saying I lost that deal because I didn't have a SOC2 report or I lost that deal, I needed a pen test. I need app sec review, but we do DevOps. We update the code every day. How do I keep track of, I got web services. I mean, this is a huge complicated problem. Am I getting that right?
You're hearing the same thing and is this what you guys solve?

100% and exactly more reason why to start working on this from day one. Because like you said, there's the app sec review piece. There's change management piece. It's documentation. It's having the right policies, procedures and all of the right controls implemented and not to mention, while there are many different kinds of IT audits that you can pursue to prove trust to your customers. There's also other things such as pen test, which we also offer in-house as well. But it's a complicated journey and you don't want to go through it alone. And this is where having the right software solution certainly matters, but also having the right experts so they can help customize the program for you matters a lot as well.

One big, one thing that comes up a lot in theCUBE conversation we're out there around this kind of area is ease of use and customer experience. For instance, is it like getting root canal on some level? Oh my God, I want to go get that done. Compliance, like this is like, I got to get all this work I got to do. Where's the benefit? There's a lot of work involved in IT related compliance. How do you guys make that easier and how do you answer that question of, if I go down this journey, I want it to be as easy as possible. I'll make the investment, but I got to see some benefit. I don't want to be up to my eyeballs in busy work and hassles and all those forms I got to fill out. That's kind of, I mean, over simplifying that, but you get the idea. How do you guys make it easier?

Exactly, and I think this is where our software and our expertise combined make a difference, right? Because for instance, with a lot of the compliance frameworks, there are a large number of overlaps. And so what our software tries to do is to really simplify that overlap to make your life easier. So you don't have to do repeat work. So you don't have to do things all over again, right?
At different points when you're pursuing different frameworks, that's where we try to make a difference. A great example of this is, imagine you're a healthcare tech startup, right? And so you certainly need to pursue SOC2 because that's a very common currency of doing enterprise business, but you might also want to prove that you're HIPAA compliant or that you're pursuing other certifications like HITRUST. There are a large number of overlaps amongst these frameworks. And what our software is able to do is to present those to you. So you're able to do all of the work at once. It's going to feel like sort of one audit to you, even though you're ultimately achieving multiple achievements here at the very end, you're achieving multiple reports at the end.

I mean, I think it's a no brainer for a startup to get the foundation in right out of the gate, make it part of the fabric, table stakes for the company. That's a great market. You guys probably doing really well there. I can see great value there. On the other side, more mature companies might have legacy enterprise. You know enterprises are, they solve complexity by adding more complexity and they don't want to do that with the cloud. So they want to solve with easier solutions. You guys are one of them. How do you advise those mature companies that already have some compliance but want to grow, they want to refactor, then jump in on the cloud. How do they leverage you guys for growth, for their further growth if they got existing controls in place?

Yeah, that's a common scenario which we run into as well. Some more mature businesses, they've pursued a variety of different compliance frameworks over a period of time. Now they're essentially in maintenance and evolution mode.
And so there again, the software and the expertise pieces combined make tremendous amounts of difference because think of it this way, as a mature company, you're typically thinking about your growth in terms of expanding into new geographic areas, probably maybe new industry or new verticals. And each of those come with their own set of requirements. So as your company grows, you want to definitely evolve your controls and that's where our software and expertise can make a difference, right? But it doesn't stop there. The size of your company matters as well. So the way you implement your controls when you are a 50-person company or a 100-person company is very different than when you have 1,500 employees and maybe even contractors geographically. How do you ensure that all of the endpoints where customer data or sensitive data is located is secure and safe? That's where the software and the expertise make a huge difference. It's a task you don't want to do alone.

I got to ask you about the current economic headwinds. You know, there's kind of two markets around this, the AI market which is very frothy. But generally we're seeing some headwinds. People think that's going to turn around. Always puts pressure on companies spend. How do you guys convince companies, hey, don't leave compliance on the side of the road. You got to keep doubling down or making that as a smart business investment. What's the pitch or what's the strategy you guys do to make sure that they're set up for this on the security side and make sure that that compliance is in there?

Yeah, I think first and foremost, everything that we've been talking about so far that having a right security program in place is now the currency of doing business. There is no other way to do business. This is just a must-have. So I think that's a very important element of the conversation. But the other secondary piece is, I think just in general, the industry is full of providers who are very manual in nature.
It's not software-based work. They're doing IT audits the old way. They're doing things using spreadsheets and SharePoints and documentation, passed on through emails and so on and so forth. And that's where the software piece makes a difference. We think that our software makes it easy enough and efficient enough for us to provide you service. And then we certainly try to pass along a lot of those savings as well so that it can be both a cost-effective thing. But while still allowing you to pursue this must-have that you need to have.

Why are companies hesitant on this? Is it because they don't want to look at it? They think their perception might be it's too much work. They ignore it or they're too busy on other things. What are some of the reasons why people aren't saying, hey, this is an obvious tier one feature of our business?

I think it's a little bit of all of the above, definitely there's an element of effort and time that companies have to put in which can be a detractor or a blocker for them pursuing this path, right? And making sure they're secure from day one. But what we typically notice as well is that it does, especially when you're trying to secure your application and the customer data in your IT infrastructure, it requires some time and effort from your engineering team. And as we all know, engineering time is extremely valuable, right? And they are working on obviously sort of money-making features hopefully, right? And so I think that's where we see the biggest blocker people are very hesitant to use their engineering time on anything other than value added or business value. But I would argue that this is a business value because again, for any company, whether startup or not, it takes years for you to build your reputation and it only takes one security incident for your end customer to lose trust in you and to move their business somewhere else.
And the other things to deals, any kind of checks you need trust, there's going to be a huge badge of value and I think, I mean, I think if a company's got product market fit on a product, they got to get compliance up and running, you can't wait. I mean, the downside is pretty massive. Give some color commentary to downside to what would happen, examples where you're seeing the customers that didn't make the right investments. What are some of the downsides? Because the business logic is simple. Product market fit, get compliance check settled because you're going to have reviews, you're going to have deals. What are some of the downsides? I want to share some color.

Yeah, the downsides are definitely a critical security incident which puts your end customers' data at risk and possibly puts you even at legal or regulatory risk as well, right? I think what's very interesting in the cybersecurity industry in general is what we observe is that there's typically three end points which are the weakest from a company's security perspective, right? I think number one, often tends to be people, right? And so it's very important part of what Thoropass offers is security awareness training and modules built in for employees to get the right training whether it's on securing customer data, whether it's with securing AI models, so on and so forth, right? So it's very important you secure your people in that way, right? And make sure they're doing all of the right things because one mistake from one employee can lead to a massive security incident which can hurt you reputationally. The second big piece that we notice is obviously from an application perspective, you wanna make sure that your application is secure. There are no end points where the threat actors are able to get in and do damage to customer data that obviously I think we've all read lots of news stories about data breaches, companies getting hacked and so on and so forth, right?
And the third piece is definitely there's also an element of physical security depending on whether you're a remotely based company or not, right? You wanna secure your office location. You wanna make sure there's no confidential data. I mean, this might be slightly less so now in post COVID world, but threats still exist. There's a lot of customer data that gets printed out or is sort of laying next to somebody's desk or anything like that. And those can all lead to security incidents which are going to hurt your reputation.

I mean, they got to assume the security is going to happen. I was talking again to another CSO and someone from AWS for instance around their shared responsibility model which I'm a big fan of. I think people generally think that the shared security model is awesome. I mean, you have interoperability of multiple vendors working together. It's security is a team sport. Everyone kind of agrees that. But that creates seams, right? These seams can be exploited by the bad actors. So, you got to assume something's going to happen and if you can't get the audit done if you can't actually get the data, this is huge. I mean, it's not even like why even conversation? I just don't understand why people don't do this. I mean, is it because just mind share? They need to be reminded of it? What's the big reason? Do you think it's not as fast? Is this just too complicated for them to get out of their way as operations? What's the core problem?

Time and effort. Like I mentioned earlier, I think just the amount of effort and our industry is very rife with lots of solutions which are still very, I would call it old school in nature, right? They require a lot of work in spreadsheets or Notion projects or different large seams of data that you're storing on a Google Drive and then you're sharing it with somebody else and it makes the management of a security program really, really difficult and onerous and sometimes it makes it a check the box activity.
And that's really where a company like Thoropass is trying to make a difference through software and expertise. We're trying to make it as easy as possible for you to manage it all in one place in a centralized format so that that time and effort element is a lot lessened for you.

Aman, congratulations for being selected for the startup showcase with AWS ecosystem, Thoropass being recognized as a great business. You guys got good traction and you're growing. But as VP of customer experience, let's kind of wind down the segment in getting into some of the customer stories. Why do they buy from you guys? What are some of their experiences? Most companies want partners, not vendors. Take us through the customer journey and experience that you guys provide. But take a minute to explain what goes on and the reason why you guys are successful.

Yeah, thanks for that opportunity to talk about this. Look, ultimately Thoropass is a company which really cares about our customers and we have over 200 G2 reviews with four to five star ratings to prove it. Ultimately, what we want to help our customers with is pursuing the right compliance and security posture because like I mentioned earlier in the interview, it's a currency of doing business. It's the only way to do business that we wanna help our customers be successful, innovating and building their business and reputation. And then secondly and most importantly, our software plus expertise model really allows customers to build a custom and tailored approach to pursuing compliance and security. It's very easy out there to take a very canned or templated approach, but building a custom program for your company is ultimately the true differentiator which you can prove to your end customers.

That's awesome. Congratulations on your success.
It's really hard for companies driving these complex projects, integrating the customer experience and compliance of their applications and using you guys and I know you have a great, great client roster of this and congratulations and thanks for taking the time and joining us on the program.

Thanks for having me.

Okay, this is theCUBE Special Presentation of AWS Startup Showcase Cybersecurity, season three, episode three of the ongoing series covering the hot startups from the AWS ecosystem. I'm your host, John Furrier. Thanks for watching.