🎧🍌 Why Finding Product Market Fit Never Ends with Shrav Mehta (Secureframe)
Automating the $80B compliance market, non-intuitive fundraising advice, doing effective reference checks, sending strong cold emails, and why an IPO shouldn't be a company's end goal
Shrav Mehta is the Founder and CEO of Secureframe, my favorite way to get compliant on SOC 2, ISO 27001, HIPPA, and hundreds of more frameworks.
Long-time listeners of The Peel will already be familiar with Secureframe. Shrav takes us inside how Securefame’s automating the $80B compliance market, his lessons learned recruiting and scaling teams, non-intuitive fundraising advice, and his contrarian take on finding PMF.
Timestamps to Topics Discussed:
(02:10) Automating the $80 billion compliance market
(15:49) Learning to program building Android apps
(22:25) Joining Lob, Hired, and Scale early
(27:54) Joining Pilot to learn marketing and growth
(33:31) Shrav’s secret discount furniture supplier
(35:04) Finishing three years of college in one year
(39:06) Getting 30+ customers before starting Secureframe
(44:24) Non-intuitive fundraising advice from pre-seed to IPO
(50:08) Why an IPO shouldn’t be a company’s end goal
(54:40) How Shrav approaches hiring
(58:04) Tactics for effective reference checks
(1:01:01) Why warm intros are so helpful
(1:02:32) How to send good cold emails
(1:05:31) Why you shouldn’t use LinkedIn’s “Open to Work”
(1:06:54) Lessons learned scaling teams
(1:13:45) Why finding PMF never ends
Find Shrav on Twitter and LinkedIn
Referenced:
🙏 Thanks to Zac and Xavier at Supermix for help with production and distribution.
Transcript
Find transcripts of all prior episodes here.
Turner Novak:
Shrav, how's it going?
Shrav Mehta:
Good. Good. Thanks for having me, Turner.
Turner Novak:
Yeah, a long time coming. Can you just give us just a high level on what is compliance, what SOC two, all that kind of stuff, and then we'll kind of go a little bit deeper?
Shrav Mehta:
The whole security and compliance space has existed for a long time in different forms. What Secureframe really does is we help organizations achieve and maintain compliance with standards such as NIST, ISO 27001, SOC two, really kind of any privacy or security framework out there. And today we work with almost 3000 customers and innovative companies like NASDAQ, Lyra Health, Remote to basically help them get compliant with these frameworks. Oftentimes you might have a customer that says, "Hey, we need to verify that your security has some basic things set up."
So SOC two is a very popular framework that a lot of startups and technology companies comply with. And it might say, "Hey, you need to make sure that all your servers are encrypted at rest and transit." And Secureframe will basically connect to your AWS, your Google Cloud, your Azure, to automatically check that's happening. We'll help you manage your risk, put together your InfoSec policies and a whole bunch more to help you meet the requirements of some of these frameworks. And of course, continuously monitor them.
Turner Novak:
So specifically on the SOC two AWS monitoring, maybe why is that a big deal? Just for someone who is not familiar with this.
Shrav Mehta:
Companies, when you're buying a piece of software, you're going to go through some sort of procurement process and there's going to be a security team that's involved in reviewing your vendor because oftentimes your weakest link is the vendor that maybe has the least security that you end up using and maybe sending sensitive information to. So these security processes that companies have in procurement are quite important. And historically you'd send out a security questionnaire and sometimes these are tons of pages long and they can take hours to fill out. And it's kind of like all self attested, right? If someone says, "Hey, is everything encryption at rest in transit." You just answer yes. And sometimes these folks aren't really auditing or really verifying that to a higher degree.
So SOC two, it's been around for a long time, but it's really become a lot more popular over the last few years. And essentially what happens is an IT auditor kind of comes in and verifies, are you actually doing the things to meet these security controls that your company has? And this gives your customers, your partners more confidence that your business is set up securely and is something that they feel comfortable using. And I want to be careful there. SOC two doesn't mean security. I think sometimes people equate the two. I think it is a good start to setting up your security program. A lot of these frameworks like NIST, ISO 27001 are great as well, but it's not like the end all be all of security.
Turner Novak:
So maybe a way to think about it is these are more frameworks. SOC two compliance is like you're complying with best practices of being secure, but it's not actually the security process.
Shrav Mehta:
And yeah, oftentimes the first time a company really starts thinking about their security program is when they have that first customer that's putting them through this procurement or security process. And that's where a vendor might ask them, "Hey, do you have a SOC two? Do you have an ISO 27001 certification? Do you have something that you can use to kind of prove your security to us so that we have confidence in using you as a vendor and that we won't have any security concerns?"
o that starts to become the basis of a company security program, but it's definitely not the end. And you definitely want to build upon it over time, but it's definitely a great start for a lot of companies.
Turner Novak:
It's kind of like saving them time. If I want to work with a customer, if they were not compliant, like if there's no kind of frameworks or certifications, I could basically say, okay, I'm going to spend months auditing all your stuff and make sure you're secure, or you can just give me the SOC two and say, we've already done this.
Shrav Mehta:
Exactly. I mean, oftentimes you might have to do more than just what a SOC two entails. They might want a pen test and other things, but I think that's a good simple way of putting it.
Turner Novak:
And then talking with some of these other certifications, I think you started, Secureframe started with SOC two, and then you've kind of expanded over time to, I don't know how many at this point, but there's quite a bit that you guys cover.
Shrav Mehta:
So Secureframe, we started off with SOC two and ISO 27001 because our first two or three customers needed to get, they needed to get both the SOC two report and the ISO 27001 certification. So we started with that and very quickly we had a bunch of customers that were requesting that we had HIPAA and PCI, and we had a roadmap to kind of add in all these frameworks.
But when you compare us to more traditional solutions, people weren't really thinking about this on a framework by framework basis. They were saying, "Hey, we have a set of controls or security controls that we comply with internally. They mapped to certain frameworks.
So eventually we launched what we call custom frameworks that we could support any framework out the box within Secureframe. So we have about 30 templated frameworks within Secureframe. We're always adding new ones every month, but you could very quickly add any new framework out there. If I wanted to add the Shrav framework, something I made up yesterday, I could very quickly add that into Secureframe.
Turner Novak:
So that's something a customer would add or something that Secureframe's team adds?
Shrav Mehta:
Yeah. So that's something that a customer would add.
Turner Novak:
Oh, interesting. Okay. So I actually didn't know this. I guess full disclosure, I'm an investor in Secureframe. I didn't know you had these custom templates.
So I can basically say I need to be compliant with these things. Do you guys have a template builder and like the AWS connection, all these different tools that we're verifying, you'll automatically piece in those connections into the template that I'm custom-building to show I'm compliant to whoever needs the certification or the,-
Shrav Mehta:
Exactly. So you can basically upload any controls that you have, any framework that you might want to comply with. Oftentimes enterprises will have frameworks that are variations of SOC two or NIST that they're complying with and they want to upload or import their own variation of that. So we make it super easy to do that within Secureframe and then it'll map to all these automations that we have.
So if they have a control within that custom framework that they upload that says, "Hey, you need to make sure everything is encrypted at rest in transit, and we might be testing, Hey, are all your S3 buckets in AWS encrypted at rest? Do you have public access blocked?" Things like that.
Turner Novak:
And these are all things that are normally best practices. Just people might not even know about them. They not even think about blocking public access until a vendor's like, "Hey, make sure you do this." And then it's part of the framework.
Shrav Mehta:
Yeah, exactly. Or worse, there's a security breach or an incident that they have and they wish they had some of these things in place before.
Turner Novak:
So how big is the broader compliance market? Is it part of the security market? How do you think about if you're doing a TAM analysis or you're analyzing the market, how big is it and all that kind of stuff?
Shrav Mehta:
Yeah. So I mean there's so many numbers out there. I think the number I've seen most commonly is that compliance is an $80 billion plus market, and there's different types of compliance. It's a very massive space. There's privacy compliance, there's data compliance, things like GDPR and CCPA or there's companies like BigID out there that do things that are very different from what we're doing. So it's a very large space and you can argue is that privacy, is that compliance, is that both
For Secureframe, I think we fit within the realms of both security and compliance. We also have some stuff around privacy since we do support CCPA, CCPRA, GDPR and some of the new privacy frameworks that have been coming out. But it's a very large space and it continues to grow every year. There's all sorts of new laws, new regulations coming out, and I don't think that's going away.
Turner Novak:
Yeah, the government loves to make new laws and regulations.
Shrav Mehta:
And I think sometimes people view this as like, okay, this is like the tax that you have to pay to build software. And we could debate that point, but these things are still very important. If there weren't laws or standards that companies will require people to attest to, I think the state of security for a lot of software companies or software in general would be a lot worse. And our goal here at Secureframe is not to add to the headache, but really solve the problem here. We want to make it easy to comply with all these frameworks and new laws and things that are coming out with automation.
Turner Novak:
Yeah, I remember when we first met, that was a big point that you made to me, and I was kind of confused a little bit. I was kind of like, why is it not automated? It just seems ridiculous that people have to do all this stuff manually. I think I remember it was like 2019 was when you started the company. What was it like 2018, 2019? What was the landscape like?
Shrav Mehta:
Yeah, I mean, this is kind of funny, but that wasn't the first time I tried to start Secureframe. There were kind of questions to whether a lot of this stuff could be automated. So Secureframe, we integrate with over 200 different business systems, things like your HR system, your cloud services like Azure, AWS, Google Cloud. We integrate with your version control systems like GitHub or GitLab. And a lot of these services didn't actually have APIs that we can use to pull down this evidence that you're compliant or help you continuously monitor. Or AWS maybe had a bunch of these APIs, but it wasn't developed enough where it had all the checks and things that we needed.
Gusto, Rippling, a lot of these services didn't actually have APIs at all at that time, so it was much more difficult to build something like Secureframe. And I think the why now of that moment was really okay, the APIs, the things that we can use to start automating this are now available and they're getting better and better. And this is a market that's growing. It's very painful problem. People are spending months on something that is very clearly automateable, at least in my eyes at that time.
Turner Novak:
Yeah, it's an interesting, talking about timing too. Typically, the playbook for a software startup is sell to other startups. You don't necessarily need to be that compliant. It's not the highest on the priority list I guess we'll say. But I feel like as you kind of evolved up along a time where a lot of startups were like, okay, we need to start selling to large customers, now we have to start thinking about this.
So it was almost like software was proliferating, getting more complicated, but also you needed to be compliant also, so you had multiple things going for you at the same time. That's what I always thought was interesting.
Shrav Mehta:
Oh. Oh yeah, definitely. So pre Secureframe, getting a SOC two is something that you kind of did at a later stage. Oftentimes you would be paying $50,000 just for the certification, not even talking about all the internal work and things that you'd have to do to actually get compliant. And the problem with that is most companies don't have that kind of resourcing early on. So you wait until you're bigger, more mature, until you can handle those types of customers and then you go through that process.
But nowadays, it's not just like a large enterprise or something that requires it. It's other SMB companies. Those are mid-market companies that require you to get complied with these certifications because oftentimes it's like, hey, if you have a SOC two or ISO 27001, you need to make sure that all your vendors that have sensitive data or information are also compliant. So it is just kind of cascaded and required more and more people to think about their security early on.
Turner Novak:
Yeah. And you have to do a lot of things manually. You had to work with third party kind of auditors, like the accountant version or the lawyer version of compliance stuff, and then it took months, right?
Shrav Mehta:
So in the past, this was very complicated. You'd spend six to seven months in spreadsheets doing all this work manually. There wasn't a lot of guidance. Oftentimes you would just be putting everything in a Dropbox folder and then handing it over to your auditor and then your auditor would give you a bunch of back and forth for a couple months. And you're oftentimes just taking screenshots. You're sampling what's in your AWS account, but when you're using something like Secureframe, we can quickly scan your entire AWS account for all instances where you're not compliant or where you need to fix things rather than sampling around and taking a screenshot where you can easily miss something during an audit.
Turner Novak:
It sounds like audits have become faster, easier, less friction, and maybe more affordable, roughly. Is that fair to say?
Shrav Mehta:
Yeah, definitely. I think with all the automation that we're able to utilize to complete some of these compliance certifications and continuously monitor them, it's definitely become a lot more affordable. And that's why you're seeing companies starting to do this earlier on in their life cycles.
Turner Novak:
Yeah, no, we kind of hit on it earlier, the initial thesis, how you got into it, how it all started. I actually wanted to real quick go even further back pre Secureframe. I think one of the first things you did when we first met, you told me, "Oh yeah, I used to make Android apps." And like you casually mentioned you had multiple games that were top-rated. Talk about that. I'm super curious. I think that's kind of an interesting story.
Shrav Mehta:
Yeah, definitely. So I got into programming when I was really young and it was actually pretty difficult to learn programming at the time because you would basically go to Barnes & Nobles, you'd grab a really thick book that's meant for a college student, and I'm here reading this when I was 10 years old, trying to just comprehend it, to reread it multiple times, try to actually implement the code examples.
Turner Novak:
So you were reading learning how to code, and that's how you learned, was reading the books.
Shrav Mehta:
Yeah. You had to read the books and there was no YouTube videos or things that explained this well and it wasn't as entertaining because you'd be looking at a terminal and writing a Python program that's like a five plus eight is 13. Amazing. So much fun. And I think the thing that made it just so much more interesting to me actually was when the iPhone and Android came out. I'm like, oh wow, I can actually program something for all these devices and I can see it visually. I could show it to my friends. This is way cooler than running some command line program.
So that caused me to dive in very deep into Android. Actually, the reason I didn't program for the iPhone at the time was it was very difficult to actually get approved as an Apple developer. So I remember I applied and they just immediately rejected me because I was 18. I think they've changed these terms over time, but it was a pain and it's like there was no support to kind of go back and forth and negotiate with them. And at the time, it cost $100 a year to get into that program. So I was like, oh my god, huge barrier, all my savings. So I ended up starting on Android because I think it was basically free to get started initially because they were trying to attract a lot of developers to the platform, and then they had a non-moral $25 fee.
I think it may have even been life time, I can't remember. It's been so long. So that made it very easy for me to just do Android and Objective-C was just not a very popular language at the time either. I actually didn't have a lot of experience in it, but I did have a lot of experience with Java and that made it just easier to get started on Android. The other nice thing about Android at the time was that the ecosystem was very new. Any app I published, I would instantly get 50,000 downloads, and I did not realize kind of like the edge I had at that time by being an early Android developer. I just thought I released an app and immediately I get tons and tons of visitors. So any app I published for maybe the first year, it was not very difficult to get into the top 50, top 100 apps.
Turner Novak:
Were you marketing them much or did they just get downloads from just being on the app store?
Shrav Mehta:
Yeah, so a lot of this stuff just got downloads from being on the app store because there were 50 applications. The number one game or app at the time was PAC-MAN, if I remember correctly. So it was not a very robust app store. It was not super well-built out. The games that iPhone had were not on Android yet. So it was definitely a very early ecosystem. The other problem back in the day is Android didn't even actually have a paid app store yet. So there was not a super easy way to monetize. Think about the fact that mobile ad networks hadn't really even come out. There was a bunch that were coming out. The one that I used at the time, if I remember correctly, was AdMob.
And then you'd use this thing called Ad World, which would rotate between a bunch of mobile ad networks and you'd implement that SDK and it would rotate between whatever makes you the most money. And these were not super sophisticated ad SDKs at the time, and they were always constantly being updated, but they didn't have proper click spam protections and things like that. So every time I had a button on my app, I would put the ads right above the button and people would accidentally click that and people would ask me, what's my secret? And I would be like, "Oh, that's the secret. I just put the ads super close to the button." And someone was talking to me at the time. "Well, you want to have a great user experience? You should make those buttons bigger and easier to click." And I'm like, "No, no, no. Ad revenue will go down if we make the buttons easier to click."
I didn't think about the user experience or anything like that. I didn't understand the edge I had maybe wasn't going to last forever. There's going to be other developers that figure this out and want to publish their apps very quickly and if they can immediately get 50,000 downloads from just publishing, of course a bunch more people are going to do it. But at the time I had an Android account that it would immediately start getting things ranked or in the new or featured section because I already had a bunch of popular apps.
But again, actually one of the big problems was like you could never really have paid apps on Android because once they actually launched it, there were all these very simple ways that people could just request a refund within 24 hours and still keep the app. There were just some just ridiculous loopholes that would get used almost all the time. And over time that got fixed, but I launched a paid version of some of my apps and I made $100. So I was like, okay, this isn't feasible. But the ads I could make four or $5,000 a month from the AdMob and the networks that were on Ad World.
Turner Novak:
This was per game?
Shrav Mehta:
Yeah. Per app, per game. I believe I only launched one game and we spent two years actually building this game. It was very complicated stuff. I was working on it with one or two other friends I had kind of recruited and there weren't really great graphics libraries on Android. They weren't very powerful. So we were writing open GL code and I remember we were posting on Stack Overflow and people are not nice on Stack Overflow.
And so I remember I would start posts with like, we really need help with this thing, and people would be like, you noobs, you guys don't belong here. And then I would delete the post. I'm like, I regret this. We'll just bang our head against the computer for eight hours and figure this out. And that would usually work. But it was a very tough ecosystem. But all that finagling, all that, figuring out how to build apps, how to monetize and market it, it was a big learning experience that still some of the lessons from that time I use today.
Turner Novak:
Yeah. And then I think you got your first kind of real job, if we want to call it that. You were super young, right? Were you 17 or 18 if I'm remembering?
Shrav Mehta:
I think it was 16 and it was basically contracting for a bunch of startups. Basically anyone who would let me program because to me programming was super, super fun and I would do it for free all day. I just wanted to work on something amazing and be like a real adult at the time, I guess is what was going on in my head.
I ended up meeting Leore who's the CEO of this company called Lob, and they came out of YC and I was a huge fan of YC at the time. I had read all of Paul Graham's essays and I knew at some point I wanted to create a company or startup of my own. And so Leore ended up offering me an internship at Lob at the time, and I had a blast. It really changed kind of the direction of my career.
Turner Novak:
And Lob, just so we get it on the record, is direct mail automation, like direct mail, those little things you get in the mail from the mattress company or the bank, new checking account, those kind of things. It's basically like some kind of automation tool for that, correct?
Shrav Mehta:
Exactly. So Lob makes it super easy to send direct mail. Things like postcards, letters, checks automatically via an API. And behind the scenes there's a print delivery network that is properly QA'd so that any mail piece that you have is sent from a facility near where it's going, so you can send mail faster. And this is kind of an industry that needed to be brought into the future and brought into a way where direct mail could be more personalized, more automated, and Lob became the system to do that.
Turner Novak:
Yeah, it's a pretty big market too. $40, $50 billion, just sending people ads in the mail basically. Fascinating. And then I think you were there for a year or two, and then you worked at a company called Hired. I'm not super familiar with them. What did they do again?
Shrav Mehta:
Hired made it easy to hire software developers. And as you know, hiring engineers is really, really tough. And the cool thing kind of about Hired at the time was that people would make you kind of an offer with a compensation amount before you kind of even interviewed at the company, like just based on your resume, references that you can get added into Hire that were verified, companies that you had worked at and you'd kind of go through this approval process and then you'd be kind of launched in the platform for a week or two weeks and essentially companies could kind of take a look at your resume and say, "Hey, if we decide to make an offer and move forward, here's how much we would initially pay you." And people would still negotiate and change this over time. But the problem that a lot of engineers were facing is they'd go through a whole interview process and then the compensation that they were offered was less than they were making now by a substantial amount, but they spent weeks interviewing, taking sick days from their current company before remote work existed, I guess.
And if you're interviewing at five or six places, it can be kind of difficult to manage all that. So the idea was more to set expectations upfront, and that was really compelling to a lot of engineers. And you would essentially have companies apply to you instead of the other way around. We hired on our end, we would make sure that the companies followed up with you appropriately, that you weren't ghosted because there were just so many inefficiencies in these hiring processes. So we wanted to deliver a great candidate experience, but also a great company experience. Ultimately, recruiting is a very, very difficult business to make work. It's just very inherently personal. But the founders of Hired were great. They had started Flippa, a bunch of other companies like Liveops beforehand, and I really wanted to work with incredible founders and people that I could really learn from.
Turner Novak:
And then I think you went back to Lob. I think initially it was maybe you were helping at Lob, Hired, and then you spent two years at Lob, and then you worked at Scale for a couple of years, Scale AI. This was like 2017. That was pretty early for Scale?
Shrav Mehta:
Yeah. Yeah, so I ended up going back to Lob. I had dinner with Leore probably every month and I'd tell him, this is what I'm working on, super excited. And he's like, "Shrav, you should just come back Lob and work here and you can do this project here that would also be really exciting." But I think it's like we had developed a really good relationship at that point. And so I decided to kind of go to Lob and I made a lot of really great friends at Hired too, people I still speak with to this day.
One of my close friends is this person Lennie, who's the CEO of Trusted Health, and there's been a lot of companies that have come from Hired as well. So yeah, after Lob, I ended up working at Scale and Scale was actually, I think we called it Scale API at that point. And I had known Alexandr and Lucy, they had lived in this kind of hacker house with a bunch of other Teal fellows, and I had some friends that I would kind of often visit there. I had been talking with Alex and Lucy a little bit about APIs and things that they can use to kind of grow Scale and tactics that had worked.
And over time I decided, okay, I was ready for a new challenge. And I think Alexandr and Lucy are some of the smartest people that I know and they work really hard. So I was like, okay, I really want to join this team. So I joined as one of the first few employees after Lob.
Turner Novak:
And then one of the really interesting aspects I think of your career kind of segues into Pilot. We've had with Waseem on the show in the past. I think you were at Pilot for a year or two, I'm just looking at your LinkedIn, almost two years, I guess. One of Waseem's big questions for you that he said I needed to ask you, you decided to really focus on marketing. I mean, you've kind of always done mostly engineering, but it seems like this, and you'd kind of done a little bit of marketing, but it seems like Pilot, it was, I'm really focused on the marketing side. How did that transition to Pilot come about and why did you decide marketing was so important?
Shrav Mehta:
Yeah. So and all these companies I've been at, I had kind of done a bit of both. I applied kind of systems thinking where the skills I had learned in engineering, not just to product anymore, but actually to marketing and growth and every company I was at, growth was always the challenge. You're always trying to figure out how to grow more revenue. And very quickly I started to try to take on those challenges and I'm like, oh, actually this is really fun. I think I'm actually decent at it.
And we were able to kind of grow some of the companies I was at very quickly with some of these tactics I had put in place. And when I had gone to Pilot, I think they told me, like actually, we really just need someone full-time focused on marketing. If you want to use some of these engineering skills and stuff, that's interesting and useful as well.
So at that point, I kind of made the full shift over to marketing and I had a lot of experience with it. I just didn't really maybe articulate that over time. But when I was building Android apps, I had to do a lot of my own marketing and I had a $0 budget that I worked with. So I'd post on every form, I would spam hundreds and thousands of emails that I would find on Crunchbase and I would scrape, like I yeah, I would literally,-
Turner Novak:
Download my app, like download my game.
Shrav Mehta:
Yeah, I know. Exactly. So I built a scraper to scrape as many emails as possible, and then I would use some free AWS credits or email services I found online. And then I would mass send a bunch of emails. And then I remember, I think these folks would email me saying, "Are you sending spam email at the time?" And I'm like, "Well, some people might think it's spam, but I don't think it is. And it's generating a lot of awareness."
And no one responded to that email and they were fine. Today, if I was doing that stuff in five minutes, HubSpot would be emailing us to shut down our account, but you could get away with a lot more back in the day. So I learned a lot about cold emailing, how to write really compelling emails, marketing messaging, how to work with a very small budget and still generate a lot of awareness. And I was able to apply these skills I learned from Lob and Hired and these other companies and really use them to grow other startups and Secureframe itself too.
So at Pilot, we did a lot around digital marketing. I think Waseem and I were oftentimes still the ones that were updating the marketing website and coming up with the graphics and figuring out new campaigns and things to run. And I think marketing is getting way more technical. You can get a lot out of applying systems thinking to marketing these days.
Turner Novak:
Yeah, it's an interesting parallel to what Wade Foster, founder of Zapier, he was on the show maybe two months ago, three months ago. One of his big takeaways or my big takeaway from that convo was the process of product market fit. It's not just this, we made the product and then we figured out how to market it. It was the marketing and the product is kind of one thing.
So you build, like you engineer the product, you design the product with the marketing in mind, and that just kind of leads to structurally lower CAC, faster customer acquisition, just like a better business, better margins overall just because you have the marketing so ingrained with how you actually built the product in the first place. So I wonder if you maybe had some of those skills from doing all the building to then also the marketing too, is all kind of pieced together.
Shrav Mehta:
Oh, yeah. No, definitely. When you think about building a product, I think it's important to think about growth and how does this get into the hand of users? Is the onboarding experience simple? Are people churning away from your app? If everyone's churning, it's very difficult. And what I would say is not all business models are suitable for that type of marketing.
Like in Uber, I guess it's more B2C, but same thing. They focus very heavily on that referrals page, that referral screen, getting that rider their first ride is very key metric for those types of companies. For a company like Lob, it's an API company. So we focus a lot on content marketing, a lot of the same stuff that companies like Twilio that pioneered that API space, it is something that you can sign up for right away.
So we tracked things like, hey, how long did it take to get someone to their first API request? What issues were they running into? Can we create some quick scripts or libraries or things that will make it easier to integrate something like Lob? And then there's some companies that you just have to straight sell an enterprise software subscription
If you're selling something like ServiceNow for example, you're not really going to be able to growth hack your way into that. You're selling to companies over 2000 employees and you're signing multi-year contracts. You're talking about 10, $20 million to implement the thing probably and a whole team of people to do that, right? You're not going to PLG or growth hack your way into some of those products. It really depends. But if you can and your product is more suitable for those kinds of things, then yes, you definitely want to be thinking about those kind of tactics.
Turner Novak:
So I actually have two more quick questions from Waseem at Pilot. He mentioned you have a discount Aeron supplier. What does that even mean?
Shrav Mehta:
I mean, he's talking about the Herman Miller Aeron chairs. So every company I was at, we would just buy these used and there's warehouses full of them around SF and Oakland that, hey, when startups shut down and stuff, they liquidate everything and there's tons of these.
So I thought most companies just bought Aeron's from there, but we were buying them on Amazon full price. And I was like, "Wait, we're buying these full price? We're about to buy 20 or 30 of them. Why don't we just get these from Warehouse? They're basically brand new." And we saved a ton of money doing that. And I think over time people were like, "Hey, if these only cost 200 to $300 when we're buying them in bulk, can you snag me one? I want one for my home office." And we had a bunch of people where we had a separate order for people who wanted them for their home office. They were hit when Covid hit.
Turner Novak:
Yeah, it's always good to be the guy that has the plug on discounted office chairs.
Shrav Mehta:
I'm a super thrifty person and I care about if we're buying something, like buy it for life or buy something that's good quality, and these things are assets. You can sell them later. So when I see these kind of things, I'm like, okay, if we can get the same quality for less, why not?
Turner Novak:
Yeah, save a couple thousand bucks, tens of thousands, possibly hundreds depending on the scale. Yeah.
Waseem actually had one other thing. He said you were, so you kind of didn't go to college, but I think you also kind of did college sort of on the side while you were working full-time. And he said there's a story of you trying to finish your college finals while working at Pilot.
Shrav Mehta:
Yeah, yeah. So basically I wasn't officially a college dropout. I was kind of always doing one class on the side, but at some point I said, hey, I just want to get this college degree thing over with so I can be fully focused on whatever else I want to do.
And so when I first started at Pilot, I was actually just working three days a week, and the other two days I would actually be working on my college courses and showing up on time. And I basically ended up cramming three years of college in one. And people thought it was absolutely crazy, and you're only doing it for two days a week. But I think having worked at some of these startups, my work ethic had developed to another level where I felt like, okay, this wasn't actually that difficult.
Think about it in college or like in high school, if you're in classes all day from basically, if I remember, it was like 7AM or 6AM if you had zero period all the way to 3PM and then you would basically do homework or sports right afterwards for two, three hours and then homework for the rest of the night. And then you'd rinse and repeat that for five days a week.
And then when you go to college, there's this weird thing where you don't attend the lectures that you have for a couple hours a week. And this was perplexing to me. I'm like, okay, these lectures are only for, like on Monday, Wednesday, Friday, or Tuesday and Thursday, and they take an hour each time and half the students don't even attend them unless there's an exam or a quiz. And oftentimes they're recorded and put online.
So I'm like, how did we go from this crammed grind of now what I consider high school is like a 15, 16 hour workday, or maybe not, maybe it's more like 12 hours, like a 12-hour day and go to this thing where we're doing just a couple courses at once. So I'm like, I think I can do nine of these courses at once on a quarter system. And I had a decent amount of programming knowledge and stuff before.
So I don't think the actual material or the content was particularly hard. It was just the fact that, okay, I had to do all these problem sets and just writing a lot of homework assignments and things out that actually ended up taking a lot of time. So I had to be very good about time management.
I think the joke that sometimes like with Steve and Jeff, Pilot Co would make us like, man, we get, Shrav is working at Pilot for three days a week, but he's working the weekend, he's doing all these other things. So we're getting a really great deal here. But I was just happy to be working with really great founders like them, to be honest. And I was having a blast working. They're great people. Probably one of my favorite companies to have worked at. And I would basically go to work on Monday, and then on Tuesday I would wake up at basically five or 6AM drive for two hours to Santa Cruz, and then I would basically, I had my first lecture at 8AM and it was a teacher that required you to go to them.
So those were the ones I really just had to actually go to. And then my last lecture would end up at 8PM. I'd try to finish homework, get some work from Pilot in during the day, and then I would get home by 11PM and then do the same thing on Wednesday, go to Pilot, Thursday I would go to school, Friday I'd go to Pilot, and then the weekend I would be cramming in all these homework assignments, things I needed to get done, chores. And it was a very jam packed schedule, and it was probably one of the hardest years of my life in just terms of the workload that I was taking on, but I knew I could get through it, and I was very motivated to graduate and just put this behind me.
Turner Novak:
Okay, so you got through that insane slug of college. Yeah. And then you started Secureframe, this was about four, four-ish years ago, a little over four years ago. How did you initially kind of come up with the idea? Were you super familiar with compliance? Because I know we talked quite a bit about the market. What was that moment when you're like, all right, this is what I'm going to do?
Shrav Mehta:
Yeah. So there was a bunch of different ideas that I was interested in. So most of the ideas revolve primarily around security, some around AI. And I always kind of keep a list of things I'm thinking about or problems I'm having, like maybe there's a business that can come about it. And I was kind of more entrepreneurial in that nature. And I would always kind of ask people like, "Hey, if I built a product around this, would you buy it?" And I was working on two to three different things at the time.
Recruiting is just really not best space, is the way I would put it. It's inherently very personal. It's very difficult to scale. And VCs also really don't love recruiting businesses. Not to say that's the primary reason you shouldn't start a business. If you start a great business and ultimately works, the VCs will come. And that's also not the only way to start a business. But I settled on Secureframe because was one of the ideas and security that we were interested in. And I had talked to some customers and all of a sudden people were sending me intros and referrals saying, "Hey, hey, Shrav can help you with some of this SOC two stuff or show you how to use these templates."
So I started talking to some of these folks on the phone and I would say, "Hey, if I built a product to automate this, would you use it?" And a bunch of people were kind like, "Yeah, yeah, I would use this." And this seems like they're just being nice to me because they're my friend and I don't want to be misled and then one of them calls me up a month later and they're like, "Okay, Shrav, we're waiting. Where is it? We're ready to use the software you were talking about." And I was like, "Oh, I actually didn't build it. I didn't know that you really, really wanted it."
So I immediately kind of quit my job at Pilot, and we got to the races. We built the first MVP in a couple of weeks to get started and helped with some of these people with some scripts manually while the product was getting built. And by the time we had kind of the full MVP ready, we had maybe 30 to 40 people in line who hadn't really even seen the product who were just ready to use it. And I was like, that was kind of that moment for me where I'm like, okay, I think we actually have something here. I see a viable product that we can sell for a decent amount of money that clearly a lot of people want.
One of my sayings is, if you're in a really, really, really big market, you should be able to find at least one person that's willing to buy the product before you have it even built, before you've written even a line of code. Oftentimes, I see so many startups that write a ton of code, have a really well-built, fully featured product that no one wants to use or that they didn't properly validate or they're saying things to themselves, like if I just built this one feature, someone will come and use it. And the reality is like, look, if you're building in a very large market, someone will come to you before you build that feature and maybe give you the money to validate it or build that for you.
So that's something I always kind of encourage people to do, is really validate their ideas before writing any line of code. So it was very clear with all the people that we had in line, and I think the vision was very clear for where we would expand. We would initially support all the controls and all the frameworks and things that companies need. We would launch more and more integrations to automate things, and we could very quickly expand into what Secureframe Trust is today, which is our questionnaire automation and a whole bunch of other security and compliance products that we have coming out over time.
So all the things just started to click very quickly and ended up just having casual lunches with people. And folks were like, "Well, when you're ready to start the company, we're ready to write a check." And I was like, "You don't want to see this deck or this and that." And they're like, "Hey, we did a bunch of reference calls. We talked to some of the people that are waiting in line for this, and we really like this. So yeah, when you're ready, we're down."
And just to formalize it, I did actually make a deck and put together all these materials because I wanted to take it super seriously. And the fundraise, we got a lot of no’s, but eventually once we got a couple yeses, you started to build more confidence and we figured out how to put together the seed round. And from there we got a lot better at fundraising and figuring those things out. But the reason I share this is I think it's, again, VC is not the only way to start a business. I think it was probably the right call for Secureframe, but it is not the only way to start one.
Turner Novak:
Yeah, because I think it did help you just go a little bit faster, gave you money on the balance sheet, hire more people, build the product faster. Is that fair to say?
Shrav Mehta:
Yeah. And the funny thing is when I told my VCs my plan and saying, I'm not really raising right now. I'm actually just going to put in my own money, and once we get to a million in revenue, we're going to go raise a series A and stuff like that. And I think for some VCs that was actually more compelling to them. Wow, this guy is just putting all his savings. He really believes in this. So that I think was kind of like a funny thing as well.
Turner Novak:
What do you think is a good framework then to think about fundraising? It's don't actually need money, like is that a good takeaway? Is like build it without raising anything and then that's kind of how you get investors on board. Is that a fair summary or?
Shrav Mehta:
What I would say ultimately is I have a lot of conversations with founders and the number one topic oftentimes it's like, tell me about fundraising, what fundraising advice you have. And oftentimes not about like, hey, how do you build a great product? How do you find product market fit? It's like, how do you fundraise? And ultimately, I think the answer is you have to build a really great business. If you build a really great business, the VCs will come to you. It is going to be much easier to do a pitch.
I've seen some, I won't name any names or anything, but I've seen some great businesses with great founders who maybe aren't the best, how would I put it? They're not the best at maybe pitching their company or yeah, fundraising, and VCs will still hand them giant checks because they have a fricking amazing product. That's ultimately what matters.
Turner Novak:
And then when you think about having a good business, good product, bad at fundraising, that might be trickier early on when the numbers aren't there, but later on, good at fundraising, but no business, no product, like it's a dead end. You can't keep going. So you really need to have a good business, a good product. It might be a grind, but eventually you get to a point where the numbers speak for themselves, the product and the business speaks for itself. And it's maybe not the most exciting thing to hear if you're just starting the company, but I mean, it's kind of true.
Shrav Mehta:
It's 100% true. You really do need to build a great business these days. And there's countless startups that have raised a lot of money and haven't really built a great business, and many of these will hopefully get there, but ultimately, if you're trying to raise a good round, build a great business.
The other thing I'll kind of say is not everyone has the savings or has the ability to necessarily build a company without some venture funding or without the ability to pay a salary. And that's tough. I'm not going to say that this situation works for everyone, but building a startup was something I planned on doing for a long time, so I kind of prepared to pay myself very little or nothing for a long time. I had kind of gotten everything in order so I could be 100% dedicated to working on Secureframe. And so if you have the ability to planning ahead of time before you start your company, it can make a big difference.
Turner Novak:
You've raised a little bit more since then. How should somebody approach raising a series A, kind of the first maybe big institutional round? How did that come about for you, just general process, and then what are some things for other founders to think about?
Shrav Mehta:
A lot of people who have fundraise more recently, they're thinking about the 2021, early 2022 times, and fundraising was very different during those times. I don't think we're going to see a repeat of that for a long while or potentially ever. When it comes to fundraising for your series A, and I know people hate this, but there's kind of that 1 million ARR golden benchmark and.-
Turner Novak:
Yeah, I feel like it's like two or three now honestly. I think I actually saw the average series A done in 2023 had grown six X year over year, and it was something like 2 million in ARR roughly. That might be wrong, but I remember the growth. The average series A that was closed was growing six X year over year.
Shrav Mehta:
I mean, anecdotally from some deals I've seen recently, I think you might be right, but you've heard of that $1 million golden ARR rule and the controversy behind it to go, oh, this company got funded at $0 in ARR and this one didn't get funded at $5 million in ARR. But you have to take the context of all those things.
So I was talking with this founder the other day and he's like, "Well, my friend's company raised at $200k, and so we should be able to raise another round at this point too, right?" And I was like, "Well, I can say yes if that's what you want to hear from me, and you very well might be able to. I don't want to say it's impossible because we see that happen all the time, but there is so much context that goes into it."
What's your growth rate? If you're about to hit $1 million in ARR within two months, and it's very clear from the growth that you have, like, Hey, you closed $200k this month, $500Kk this month. Well, next month if you're closing $700-800K, well, you're going to hit that benchmark and some VC might want to get in there early before everyone else finds out that you're growing like weed and are going to be ready to raise a series A soon.
And sometimes there's just certain thesis’ that VC firms have, and that convinces them to go in earlier on a company than they might normally. There's all sorts of reasons why someone might do that.
Sometimes second time and third time founders, they just have better relationships with VCs. They've done this before and they're stronger fundraisers, so they're able to create a more compelling story or reason to invest in them earlier than other companies might be able to receive funding.
So there's all sorts of context like that $5 million ARR company that wasn't able to raise a series A, what if 80% of that revenue was services revenue or the margin was bad, or the churn wasn't great, or it was in a sector where the TAM was very limited and there wasn't really an opportunity to get to $100 million in ARR or $1 billion in ARR there that made it less fundable. There's all sorts of things that can kind of go into it.
What I'd ultimately say for raising a series A or really raising venture in general is people think about the IPO is the big exit. You have to probably hit $200-300 million in ARR these days to kind of go public, debate those numbers right now, but you have to have a lot of revenue to get there.
Some people are like, okay, if I can get this business to $200 or $300 million in ARR and IPO, we're done. But it's really actually the day after the IPO, right? In order to kind of qualify for an IPO, you essentially need to be probably growing $100, $200, $300 million in ARR 30% year-over-year growth. And you're seeing the bar of companies as of this moment in early 2024, the bar is so much higher than that. Maybe when the IPO window opens sometime in the near future, we're going to see that bar lower or change a bit.
But once you actually are to qualify to go public, back to that point, it's not just hitting that $300 million ARR milestone, let's say. It's the fact that you have to have a path to hitting $1 billion dollars in revenue within the next 5-7 years, and you have to be ready to forecast your earnings with a very high degree of confidence. You need to have a public company leadership team. You have to be ready to essentially nail your first two years of earnings and have a high predictability in your ability to do that.
So ultimately, when you think about raising venture, if you're thinking about the IPO as your ultimate exit, which is what really you should be aiming for when you raise venture, you're not aiming for $100 million revenue company or a $50 million revenue company. You're ultimately aiming for a path to $1 billion dollars that you can buy people in on.
Turner Novak:
And probably more too. Optionality of saying, here's how we do $5 billion, $10 billion in revenue. We're building a generational company. This is a very long term, this is a big opportunity. This is yeah, to your point, it's not like, oh, $100 million and we're done and we never grow. That's just almost like the start.
When you look back 50 years later, it's like, oh, they're doing $26 billion in revenue, whatever. We'll say an insane number. You cross that $200 million in revenue to IPO, you're like 1% of the way there, whatever the math comes out to.
Shrav Mehta:
Exactly. So if you don't have that path to $1 billion, you're not going to get an IPO and if that's the ultimate exit you're looking for, you ultimately need a path to get there. Now look, there is M&A and other paths to being successful in other terms in venture, but ultimately when you're raising a Seed round or a Series A or something, you're thinking about the IPO. That's what you really should be thinking about when you raise that kind of money. So that's one piece of it that I don't think people talk about enough.
But the second piece of it is, I think you, like just going back to the stage that you're at as a small company, you have to kind of have some form of product market fit or at least early signs of it. I think that was kind of one of the traditional markers of a Series A and you want to have a clear path to the day after the Series A.
A lot of people think $1 million in revenue, let's go, let's raise that Series A, but what happens after you raise the money? Can you take that money and hire your first few execs? Can you get that to $5 or $10 million in revenue or the metrics that your business is going to be expected to hit to raise a Series B with the money that you raise?
And then for the Series B, the bar gets higher. Can this become $100 million revenue business? What are the outcomes that my VCs are typically looking for at the growth stage? So it's not just about hitting $1 million in revenue. If you take five years to hit $1 million in revenue, well on the seven to 10 year IPO timeline for most companies, will you ever hit even $2 million in revenue? You have to have that path afterwards, and if you feel confident in that and there's clear signals that that's happening, that's more of what I think about when raising a Series A.
Turner Novak:
Yeah, and then two, it's not just you raise the money and that's the goal. The goal is you're building a business and by raising capital, you can invest it in the business and actually get to your end goal faster and probably capture more market share, build a competitive advantage, whether it's network effect, economy of scale, building out your brand, IP, whatever your competitive advantage as a business will be at scale. Raising venture is a way to get there faster if you use it correctly.
So talking about what happens after you raise some money, like your first institutional round, you need to hire people. I know you have some philosophies on hiring. How do you approach hiring?
Shrav Mehta:
We try to hire really hardworking people that are very motivated. I want people that are self-motivated, that I don't have to micromanage or tell them what to do all the time or anything. Of course that's what everyone wants, fairly basic stuff, but we look for things like, hey, is this person above maybe their years of experience or where the average person would be in their career? Are they able to communicate really well? We do a lot of very thorough reference checks and we're asking a lot of deep questions to just understand the candidate better and we hone in on that a lot.
I think it's really important to do thorough reference checks on candidates, especially if they have a lot of experience. Talk to their direct reports if they were a manager or a leader, talk to the people that manage them. Understand what it takes to work really well with this person. Are they the right fit for the stage and size that you're currently at?
Oftentimes companies will hire execs that are a better fit for a later stage, aren't going to be able to operate very well at the early stage. They might have all these fancy logos on their resume, and ultimately they have those fancy logos and they're fancy logos because they're probably large companies that you recognize and stuff. You got to be really careful when you optimize for things like, oh, they have great logos on their resume. Think about why those are great logos.
There's certain companies that just were a rocket ship and you maybe didn't have to necessarily grind or do as much work to be successful there. But you want to hire the person maybe at the number two company in a space. You want to hire the person that had to will the company into existence and force it into working. Nothing at startups ever really works. You kind of have to will it into existence, which is something that we talk a lot about at a Secureframe, but have a very thorough hiring process. Spend the time to interview a candidate.
We try to meet every candidate in person these days as well. I think that was one thing that was kind of taken away during COVID in the remote environment. I remember we were building Secureframe's team out, and it was particularly difficult because I don't know if you even remember those times, but I was like, I don't know if I can interview someone just to over Zoom and make a hiring decision for the first few employees. It's really, really scary to kind of even think about, and we had no choice. That was the point in COVID like March 2020 maybe, where we were just scared to meet in person. We didn't know what COVID was going to do to you.
Turner Novak:
Yeah, that's when you did the very first seed round, right? It was March of 2020, if I'm remembering right.
Shrav Mehta:
Exactly. We had closed it right before COVID hit, and I was thinking in my head, oh, will the wire come? Will the wire come? And luckily the wires did come and everything worked out, so there was no issue there, but it was definitely very difficult to hire and kind of make that mental shift.
ultimately, the first few people I hired are people that I'd worked very closely with before, but eventually I got more comfortable hiring people over Zoom and figuring out other ways that we can kind of get that signal. And now that's super, super common. Oftentimes when we did first interviews back when we were in person, we would do them over phone, like Uber conference or something. We wouldn't even use a video or Zoom call, but now that's just expected for first interview or first phone call.
Turner Novak:
So you mentioned something super interesting, was doing very thorough reference checks. How do you do a reference check for someone who's never done one before?
Shrav Mehta:
So there's a bunch of different questions that I start off with, but ultimately I'm trying to really dig deep into their experience. What kind of impacts do they have at the company? What are the biggest things that they did to drive change?
One piece of advice I've gotten is no one's perfect. There's always a negative thing about someone, and if you have a reference check that is just all A plus, all good things, I think it's important to at least kind of get one negative thing. Otherwise, you haven't done a thorough reference check or really dug deep enough. I'm not a perfect person. If you dig deep enough on a reference check, you should be able to get something negative about me, otherwise you probably didn't do that reference check thoroughly enough.
I think that kind of stuff is very important and oftentimes when you're hiring someone, a lot of people have this natural inclination to note down what they want to hear and kind of ignore red and yellow flags. So we try to be very thorough about it. I don't count a reference check as a reference check unless we got something negative or an area for improvement, and then I want to dig deeper onto that topic.
Turner Novak:
Yeah. So how do you pull that out? Let's say you're doing a reference with me and I'm just saying all these great things about someone, is there a question you can ask to get me to say something negative?
Shrav Mehta:
I try to feel it out. There's clever kind of questions that you can ask people.
if you were to pair Turner with another person, who might that person be and the things that they compliment or say, hey, you want to pair Turner with someone who's really organized? And I'm like, okay, so that means they're unorganized, right?
iim giving a very rudimentary example here and some people will catch onto that, but I oftentimes just try to be very direct. I don't try to beat around the bush and like “can you give me something that they had to improve upon?” When they first joined your company, what did they look like? What were some of the issues that maybe they had and how did they improve those issues? How did this candidate or how did this employee progress over time at your company? There's a lot of things that you can ask and like, okay, did they fix these things over time? Did they iterate? Did they get way better?
Turner Novak:
One adjacen question that I thought you had some interesting points on, what is the best way to apply for a job at a startup?
You said basically warm intro is the best, strong cold emails to the founder also works, applying to jobs on the job application is usually, I think you've said in your experience, just fewer lower quality applications that way. And then you also said, did he open to work? This thing on LinkedIn is the worst possible thing you could do as a candidate.
I know we just did a lot of things there, but could you kind of talk through those? Highest signal ways, warm intro?
Shrav Mehta:
Yeah. Yeah, so the last one is a bit more of a joke, but I'll get into that. But look, a warm intro is always the best and I think about whose the person that made the intro, who are the candidates that they've sent me in the past and are they really good? This person sent us some of our best performing employees. I'm responding to that email right away. Let's get on a call tomorrow or tonight. And then strong cold emails, like you'd be surprised, but I actually don't really get a lot of strong cold emails and,-
Turner Novak:
Really?
Shrav Mehta:
Yeah. It's kind of surprising actually, especially if you're looking for a sales role or something, I think the first thing that you could do to show that you're a great candidate for the job is shoot over a cold email to me, to our VP of sales, to someone to kind of get that job. It just stands out.
When you see all these applications come through on Lever, Greenhouse or whatever you use, it's like a giant stack of 1000 or a couple thousand can come in a single week and,-
Turner Novak:
They probably all look the same too. It's probably so hard to even distinguish people.
Shrav Mehta:
Oh yeah, no, I mean they do all kind of look the same. I mean, you get very good at looking at the resumes quickly, looking for the right skills, but yeah, you end up just kind of in this giant stack with a bunch of other people.
So if you don't maybe have a warm intro to the hiring manager or whoever might be responsible, that's all right. But you can also just send a very good cold email to the founder or to who the hiring manager might be. I still don't get a ton of these, these days, so I could tell you that it's a good way to stand out.
Turner Novak:
So how do you send a good cold email? If you were to open something from me applying for sales role or trying to sell you something or an investor trying to invest in Secureframe, what do you want to see, you as Shrav at Secureframe in a cold email?
Shrav Mehta:
It's one of these things where these days when I see it, I know it.
Turner Novak:
Shorter usually better versus just a long narrative?
Shrav Mehta:
Definitely shorter. If you're writing an essay, it's going to be tough for me to spend the time to parse through the whole thing to get to the substance.
Turner Novak:
I found if you need to send an essay PDF, like you can reference here's a longer thing and it's attached. That makes it a little bit simpler to handle, I feel like.
Shrav Mehta:
Sometimes I think that works. So one is like attach your resume, your LinkedIn, your quick links that I could just browse around on very quickly because sometimes it's easier for me to browse LinkedIn than go to a resume. So I can quickly see, okay, I recognize these company logos much quicker than reading out the names.
Turner Novak:
The text.
Shrav Mehta:
Exactly. And I can maybe see references they have. I can look at our mutual connections that I would probably use to do reference checks and stuff in the future. Resumes, include that as well, of course. And then I'm looking for like, okay, why do you want to work here? What role are you applying to and why are you a good fit for it?
And show me that you've done a little bit of research on the company. That usually stands out. It's really not that difficult. I think that's for the most part what you need to do to kind of stand out from the herd. It's not a whole lot.
The other thing I'll say is its pretty obvious these days when people are using ChatGPT to write emails. Even when you try to change the style or tone, there's still a specific tone to it. And ChatGPT is essentially a fancier auto complete. For a long time, we could generate five or six tokens that come out of it, and now we're able to generate way more. But I can oftentimes tell if an email's written by ChatGPT or it's very long and has very little substance to it.
Turner Novak:
Yeah. I get a lot of those, like people applying for jobs at Banana Capital. “Love that you've backed so many innovative early stage companies and love that you are an investor in” - and it lists five random companies from the page. There's a lot of fluff words, adjectives. It's just not really that helpful.
I don't really have time to read those long emails, to be honest when there's hundreds of emails in there. You almost have to make, you got to hook people pretty quickly too. I feel like any more than two paragraphs, any more than five or six sentences, you're going to lose people if it's not very enticing.
If I'm like, "Hey, I'm a customer, I want to spend $1 million dollars on Secureframe," you're probably going to read that email and if you can tell if it's a serious email, but if there's nothing that really hooks you in the email, you're going of move on quick because as the founder of a company, time management is a big thing. You can't spend 20 minutes reading an email from somebody that doesn't go anywhere, so.
Shrav Mehta:
100%.
Turner Novak:
So the other thing you said was, so the joke about the LinkedIn open to work, like but why even joke about that? What's the underlying truth to that joke?
Shrav Mehta:
One is I want to hire very driven people. I want to hire go-getters. And I think sometimes when you put open to work on LinkedIn, you're sending this signal, like come to me. I say it as a joke because I know a lot of people use it, and many people have found jobs through it, and people should continue to do what they feel is best for them.
Turner Novak:
It's almost like a supply and demand thing. If you are very in demand, you're a very good candidate, employee, executive, and you're needing to signal to the market that you're looking for a new job versus the market coming to you and trying to convince you.
Shrav Mehta:
That's a good way to put it.
Turner Novak:
Yeah, I feel like it kind of qualifies you in a bucket that you might not want to be in as a job seeker potentially.
Shrav Mehta:
I think that's the thing. It's like you're hotter, you're in demand, so you don't need to necessarily put this thing on your LinkedIn. Is that a real signal? I think some people, they put it up anyway, even if they're in high demand, like why not get more applications? So that's why I truly do mean that as a joke. But yeah.
Turner Novak:
And you had some other really good points when we were chatting earlier about just scaling teams. How do you think about, okay, maybe you close whatever amount of money, your business is doing good, you need to start scaling up. You go from 10 to 100 employees, insert whatever scenario you want. How do you personally, and what lessons have you learned just on how to scale a team effectively?
Shrav Mehta:
Yeah, I know everyone says this, but you got to continue to raise the bar with every hire that you make. You constantly hear these analogies of A players bring in B players and B's, bring in C's, and so on and so forth, and all that stuff is very true. You really do need to increase the bar at all times with your company.
As a startup, you only have so many resources, so you have to make sure that the resources and the headcount and the people that you do bring on are phenomenal because those are the people that are responsible for hiring the next set of people.
You always have to be very involved in hiring. You have to be very rigorous about it. You really need to make sure that you have good management structures in place. Your managers are the face of your company to certain employees that they lead. So I think making sure that your managers have good training, that they abide by the culture of the company, that they're doing a good job of hiring and bringing on amazing talent and creating a true performance management culture is important too.
Turner Novak:
You've mentioned before you're always hiring, you're always trying to find super talented engineers, super talented salespeople, executives. How do you keep doing that? How do you stay on top of that and just constantly be hiring people?
Shrav Mehta:
Look, it's really difficult. I spend so much of my day and so much of my time recruiting great candidates, and it's not just for the candidates that we're hiring or the open roles that we have today.
It's like, okay, I want to talk to VPs of marketing that I could be hiring a couple years from now. I want to build my network for engineering roles that we're going to open up a year or two from now. Oftentimes, the best candidates, they take a year or two to recruit and convince to leave their job, and then the right timing has to open up. So I'm oftentimes just meeting with candidates, getting to know them, staying in touch so that when they are ready to look for a new role, I have kind of a good bench of people that I feel comfortable moving through a process very quickly at that point.
So you do have to spend a lot of time networking, knowing who's out on the market. And sometimes you have the opportunity to make an opportunistic hire that maybe you didn't even think you could really get, or they weren't going to be on the market for a while, but now they are and they reached out to you because they had that relationship that you built with them beforehand. So I think all of that is super important. It's probably the number one job that you have to do as a founder or CEO of a company.
Turner Novak:
I've heard another philosophy just in terms of constantly meeting people. When you want to hire a, let's say CFO, try to just meet the best CFOs in the world, like the top five CFOs. I mean, maybe that's a tall ask, but just and in terms of raising the bar, like understand what an A+ CFO, Head of Sales, or VP of Marketing, Engineering, insert whatever looks like.
And if you meet five people that are just amazing engineering managers, whether or not you can hire them or not, it's a different story, but then you know what good looks like. So then when you are hiring for the role, you're like, okay, Terry, such a good VP of Marketing, like I need to hire someone like her. And it helps you keep the bar pretty high.
Shrav Mehta:
100%. I think that's a very common thing that founders do, and it's like ask some of your investors for intros to their portfolio companies and the execs on those teams, and you can get a good variety of that.
And I also think it's interesting to meet people who maybe didn't do so well in the role and get a retro from the founder on what went wrong there. What would they do better? Not necessarily just honing in on what really great looks like, but what red flags or yellow flags you might want to avoid or look out for. I think the thing that's even more important than that, which is pretty common, I think commonly thought of, is sitting in the role and really understanding what you need in that role.
At one point I had to sit in the engineering seat, I had to sit in the sales seat, the marketing seat, the finance seat, HR, all these things. So I'm like, okay, I know these are the things that this department has a lot of things to deal with or handle. I know that this person's going to need X, Y, Z skill because there's many types.
Let's just go into legal. There's many types of general counsels that you can hire. You can hire someone with a privacy and security background, which maybe is much more valuable for a Secureframe. You can hire someone who's just really good at just general corporate governance, making sure all these sales contracts are negotiated well. There's a lot of flavors you can get there. You can hire a marketer that's amazing at B2B marketing or amazing at B2C marketing or someone who has a lot of experience selling API products.
So there's a lot of flavors and you have to kind of assess what do you really need? What are the things that you could trade off? Can I teach someone the skill or what are the skills that I think are an absolute necessity and not something I really want them to be learning? And you have to see how do these compliment the gaps that you have on your current team today. Talking to those four or five great CFO candidates, they might have a very different skillset or different thing that makes them valuable to their companies then what might be valuable to Secureframe or someone else.
Turner Novak:
And then I think on your point too about understanding all the roles, because maybe you did them or you have done them, you should probably understand how to do the role, understand you're maybe good at this one thing, and then find someone who's better than you at it. That way you can really delegate that and give them full autonomy over the thing because you know they're going to do a better job than you.
Shrav Mehta:
Yeah. And this is kind of one of the things I talked about earlier, is really I knew I was going to start a startup at some point, and I did a lot of planning around it. One of the things I did is I would talk to every leader, every exec at the company. Whose desk is everyone going to? I want to talk to that person, understand their job, understand why they're good at it, why is everyone coming to their desk because they're obviously probably very good at what they do and have a really good knowledge base maybe inside what's happening in the company.
And I would often like, I would go to Hired CFO or VP of Finance and I would ask them, "Hey, tell me about your day-to-day. Can I just watch what you do?" And he's showing me Xero and how they're migrating to QuickBooks and this, this, and that and how he's looking to hire this leader. And I'm like, "Okay, I have a much better understanding of what you do." And that was very foundational for me to understand what to hire for, building my network of those people that I can call in later knowing that they're good.
Turner Novak:
You have another, kind of on an adjacent framework, you said that finding product market fit is also a 24/7 job because some people would say, we found it. This is the moment. We have it forever and we're good. What exactly do you mean by that?
Shrav Mehta:
If you're building a long-lasting enduring company, you might have product market fit with a certain market. Maybe that market is like the first $1 million of business that you have, and now you have to figure out, how do I get to $10 million? How do I get to $100 million? And there will be fundamental shifts in your product, in your ICP that you will have to expand over time to better serve that market. In the early days, Secureframe could serve people that just needed SOC two and ISO 27001. Now we can serve a customer that needs any framework, has any compliance need.
Turner Novak:
Like GDPR, HIPAA, all this different, all these acronyms.
Shrav Mehta:
Exactly. So there's a lot of stuff that we have to do to make sure that we continue to maintain product market fit as we grew. And then eventually you have to launch your second and third products, and you want to make sure that you find product market fit there.
ftentimes, companies do launch, very often they launch a second or third product and it just doesn't grow as fast or it's not maybe as good or doesn't serve their ICP the same way. And that's what I mean. You have to constantly be looking for product market fit, talking to customers. That journey never really ends. It's rarely like, hey, we've figured it out and boom, we're done.
Turner Novak:
I think it's a good thing to keep in mind because no one really talks about it, but some of the most successful companies you think about, I think Rippling is one that's maybe top of mind for a lot of people. Rippling is known for having multiple, I think there's six kind of core product lines that are at least a couple million in revenue.
And then you mentioned ServiceNow earlier, that’s another one. I think they have multiple four or five, six lines that are over $100 million in ARR, something very significant like that. And ServiceNow is a publicly traded, forget the market cap, but one of the biggest enterprise software companies in the world. So when we talk about it's a long journey, it's not just product market fit once, it's continuously over time, never ending.
Shrav Mehta:
And oftentimes as these companies get larger, they have to acquire in these products so that they don't miss out on a market or something like that. So there are other ways to continue to maintain product market fit as you grow bigger and expand. Sometimes they just need a way to bring in that entrepreneurial talent or that new product.
Turner Novak:
I know there's a couple founders I've met that their philosophy is we love hiring ex founders or we like acquiring companies, bring the founders in and have them lead a team just like you. A lot of people make fun of the running a startup inside another company. Big corporation, maybe it's not quite the same, but I think there are cases where you can give that environment of like, hey, this is your team. You're in charge of it. There's a vision you're trying to help me hit, but you have autonomy. I'm not going to tell you what to do.
Shrav Mehta:
Yeah. That's something that I believe in as well. It's like when we're starting a new product or a new project at Secureframe, we kind of have an entrepreneurial engineer or PM that kind of leads that initiative from the ground up. They're responsible for getting the first 10 customers communicating back and forth and doing some of the initial sales.
When we started Secureframe, it's like, okay, I had to spend some time coding. Then I would jump into a demo and then demo goes well, and they want an order form generated, and then they became a customer, and now I'm doing some support and building more features based on their feedback. And then I take another sales call and just having a week of constant two to three calls a day between customers and prospects allowed us to build a lot quicker.
And we didn't have a Jira or project management tool at the time. It's like, okay, customer says something, let's code it right now. Let's just mock it up in Figma in 10 minutes and push it through. So there was a very, very quick feedback loop. So we try to recreate those effects when we're launching new things at Secureframe.
Turner Novak:
Trying to think. I think we hit on all the big topics we wanted to hit on. This is an awesome conversation. Thanks for coming on.
Shrav Mehta:
Yeah, of course. And thanks for having me, Turner. Excited to be a part of it.
Stream the full episode on Apple, Spotify, or YouTube.
Find transcripts of all other episodes here.