Ask the Compliance Expert: 10 Questions with Chris Sesi, JD
Secureframe is designed to provide everything customers need to achieve and maintain security and privacy compliance. That’s why we provide each customer with cutting-edge automation and expert guidance to simplify and streamline the compliance process.
Today, we’re introducing you to VP of Compliance Chris Sesi. Chris has been with Secureframe since it was founded in 2020. In that time, he has helped expand Secureframe's suite of governance, risk, and compliance solutions, including our 14+ security and privacy frameworks. He's helped build the foundation for Secureframe and supported dozens of companies in obtaining and maintaining compliance with the most rigorous global standards.
1. Can you tell us about your background and previous work experience? How long have you been in the security and compliance industry?
My background is in computer science and law. I started my legal career at a large law firm, primarily doing technology transactions and commercial deals. A large part of my role was reviewing security addendums for technology companies that were part of our legal contracts. Many of these addendums contained requirements that were similar to SOC 2 or ISO. A lot of the controls and requirements of those frameworks were embedded in the legal document so that clients had to contractually agree to follow them or be in breach of the contract. That’s when I first started learning a lot about the information security space.
Then, one of the first startups I joined happened to be a security startup. We served really large customers and they kept asking for this report called a SOC 2 that I eventually helped our company receive. From there, I joined another security startup called Duo Security, where I learned more about InfoSec. When that was sold to Cisco for $2.5 billion, I wanted to stay at a startup as I loved helping to build, so I left to join another. This was the first one not in the security industry, but I joined to help manage their security program as Head of Legal, Information Security, and Special Projects. My responsibilities included building our InfoSec and legal programs from the ground up, among other operational responsibilities. We sold to big insurtech companies, so security was of the utmost importance. Building out a robust security program — which included achieving SOC 2 from scratch — and negotiating those deals was on my plate and what I helped them do.
Around that time, I started doing some angel investing and got introduced to Shrav, who was thinking about the idea for Secureframe. Because I had built SOC 2 programs from scratch a couple of times, helped organize and run those programs at a number of companies, and spent a lot of time in the security space, I knew it was a good idea and could solve a huge pain point that I had firsthand experience with. I offered some advice about what I would do and focus on and ultimately ended up investing in the company. Shortly thereafter, I began advising Shrav and then we agreed it would make sense for me to join the team. So I joined pretty much from day one.
Altogether, I have eight years of experience in the security and compliance industry and about three years of that has been spent helping build Secureframe from pre-product to thousands of customers.
2. What is your area/framework of specialization?
SOC 2 is what I learned first and knew best, but coming from the security space, I had a lot of general best practices and knowledge. This allowed me to go deep on other frameworks at Secureframe quickly. In fact, in my first three months here and within one month of launching Secureframe, I helped Secureframe become ISO 27001 compliant and we were the first automation compliance tool to achieve the certification.
Once you have a strong foundation in information security, a lot of the frameworks are quite similar, so you just have to master the nuanced differences between frameworks like ISO 27001 and SOC 2. For example, for each framework, the structure of the audit is usually different. Some requirements are different. Some frameworks are more prescriptive, so they require special language or tweaks to your policies. With ISO, there’s a requirement for an internal audit, which SOC 2 doesn’t require. Once you understand the differences, adding that new framework to your skill set becomes much easier.
3. What excites you most about the security and compliance industry?
There are a couple of things. One, I think the industry is gaining more respect than it used to have — and that will continue. Now you see security discussed in the boardroom. It’s not an afterthought. It's awesome to see security compliance expanding in scope. SOC 2 or ISO 27001 is one of the first things every B2B company sets out to achieve, as they have become a staple for doing business. With it, the market is expanding, so there’s a lot more opportunity to innovate in the security and compliance space.
The other to note is the global regulatory sprawl centered on data security that is underway. Many countries are implementing new cybersecurity regulations, and it is becoming harder and harder for multinational organizations to stay compliant or continue to globally expand without being in violation of these new regulations. This creates an exciting opportunity for a company like Secureframe to continue to scale and help our customers grow around the world.
4. What’s a common misconception people have about security and compliance?
One misconception, which is changing but still prevalent, is that you don’t need a strong security and compliance posture if you’re small. The reality is that security and compliance is critical for keeping data safe but also for sales enablement, whether you’re a big or small company. Yes, you want to be secure, you want to make sure you don’t get breached, but it’s also very critical to doing business. I often say one of the first things you do when starting a company is get incorporated. If you want to start a B2B company, the next thing you have to do is get SOC 2. Good luck trying to sell software without proving to your customers and partners that you’re secure.
The other misconception is that security and compliance should be treated as a check-the-box activity. Checking the boxes increases the likelihood you’ll run into a security breach as your company grows. A breach puts you in the news and in a bad spot with customers. So treating security and compliance like a check-the-box situation can ruin the reputation and brand of an organization.
5. Why did you choose to work for Secureframe?
I believed in the problem that we were trying to solve with Secureframe. So much so that I invested in the seed round in March 2020, started advising and joined shortly thereafter. Because I previously had gone through the SOC 2 compliance process and built InfoSec programs myself, I knew the opportunity to help others who don’t know what they’re doing was huge. I certainly didn’t know what I was doing the first time I helped a company get SOC 2 compliant many years ago. So I knew there was an opportunity to essentially build a playbook that was repeatable to achieve compliance with SOC 2 and other frameworks, and I wanted a chance to build that from the ground up.
I also wanted this chance to build something from scratch because I grew up in an entrepreneurial family and I had owned and helped start other businesses.
6. What’s your role in the compliance process for customers?
Early on, I was doing everything. I was customer success. I was sales. I was engineering. I was our compliance manager. Today, I have taken a step back because I helped to hire and build out some of those teams. Now I manage a lot of our compliance managers day-to-day and the work that they’re doing from an internal, customer-facing view.
But the more exciting part of my role, and what makes Secureframe unique, is that we have over 25 team members who are former auditing and compliance professionals, and you see that in everything we’re doing, from the way we treat and work with customers, to the feedback and strategic advice we’re giving, all the way to the product we’re building. It’s critical that we gather those many, many years of experience across these people and fuse it into everything that we’re doing and into our culture. It shows in the product we’ve built and in the teams we’ve built.
Having been here since day one essentially, I was able to help make sure we brought on these people with the right experience to build a company that can help others who don’t have this specialized experience and knowledge to achieve compliance the right way.
The ultimate goal of Secureframe is to help customers build trust with their customers and you can’t do that if you’ve never been through it. Having all these people on our team to not only help us build products but also advise customers became really critical.
7. What pain points are you passionate about solving for customers?
I grew up working in a restaurant that my family owned. My mom taught me that the customer is always right and to find a way to make them happy, and then to take ownership of whatever you’re doing. It doesn’t matter if you own it; it matters that you treat it like you do. Those are the two values I embody and try to help everyone at Secureframe embody. Take ownership whether or not it’s in your job description. If you see a customer that’s disappointed, mad, or sad, figure out how to make them happy.
I really enjoy solving customer pain points. That’s why we’re building Secureframe: to alleviate pain around compliance and reduce the time it takes to maintain it year over year. If we can achieve that goal, we should be able to give our customers a lot of time and freedom back to do what they want to do, which is building their business.
8. Can you share an example of a challenge that you helped a customer overcome in their compliance journey?
Early on at Secureframe, I had a customer running a company of fewer than 10 people. The customer signed up and told me they were going to have their mom manage InfoSec because no one else had time. I remember getting on a lot of calls with someone who wasn’t tech-savvy and didn’t understand topics like cloud infrastructure, which you hope someone doing this might be familiar with. So I spent a lot of time teaching her about these subjects, how compliance works, and why it’s important. I was able to train her pretty quickly to use Secureframe to get SOC 2 and implement a security program at this smaller-stage company. That was a big accomplishment of mine and super fun.
Three or four years ago, it would have been very difficult to get someone to do everything they needed to do for SOC 2 manually.
9. What’s your #1 piece of advice for people who are undergoing their first compliance audit?
My number one piece of feedback when you’re getting ready for your first audit is to be prepared going into it. The more unprepared you are going into an audit, the harder and more stressful it will feel.
Using an automation platform like Secureframe can make such a huge difference. Without the platform, you have to confirm for yourself whether you’re ready or not.
10. What do you see as the biggest organizational benefit of a strong security and compliance posture?
I see two major benefits. One, when you build an organization with security and compliance in mind, you ingrain them in the culture so people are considerate of them. Whether it’s a salesperson thinking about sharing sensitive data with a customer or an engineer building a feature, employees are thinking about the security, privacy, and compliance aspects of what they’re working on in their day-to-day. When you don’t build it into the culture, customer data gets leaked or you have a privacy issue and, as your organization grows, a lot of these things come back on you. But if you can get security and compliance coursing through the veins of all the people on your team, you’ll be way better off in the long run as you scale.
The other benefit is today, security and compliance is a must-have for two reasons. One is from a regulatory requirements perspective. If you want to do business in Europe, you have to comply with GDPR. If you want to do business in the US, you have to comply with CCPA, even though it’s California-specific. Various frameworks are required through third parties like PCI. If you are touching health data, you have to be HIPAA compliant by law. Then there are frameworks like SOC 2 and ISO that are commercially required. They’re not required by any law or regulation, but if you want to do business, you best believe that customers are going to require you to have it. If you want to do business with the government in the US, frameworks like NIST 800-53, NIST 800-171, FedRAMP, or CMMC are required.
The other reason is that in this ever-evolving landscape of what I call a commercial and regulatory sprawl of frameworks, it’s very important to have a system to organize them all. They’re only going to keep growing. There are only going to be more requirements to follow. Every country will be launching its own data privacy requirements, for example. Australia, Canada, the US, and the UK are coming up with ones soon. So in this landscape where frameworks and requirements about controlling data keep coming at you from different angles, you need a system to organize yourself. It’s only going to become more and more pressing that you get off things like spreadsheets to keep yourself in line.
Get compliant with expert help
Want to work with Chris or another member of our compliance team? Schedule a demo of Secureframe to learn more about how our platform and in-house experts make security, privacy, and compliance fast and easy.