Getting Risky: Cybersecurity & Compliance with Casted CPO, Adam Patarino
Jara Rowe: Gather around as we spill the tea on cybersecurity. We're talking about the topic in a way that everyone can understand. I'm your host, Jara Rowe, giving you just what you need. This is The Tea on Cybersecurity, a podcast from Trava. Welcome to episode five of The Tea on Cybersecurity. I can't believe we've covered as much information as we have already. I hope you're learning as much as I am. If you're anything like me, you may learn better from those that have experienced something before, which is why I'm super excited about this episode. We are going to talk about going from a startup, all the way to compliance with a very special guest. So, I am incredibly excited to talk with Casted CPO and co-founder, Adam Patarino. Hi Adam.
Adam Patarino: Hey, how are you?
Jara Rowe: I'm fantastic. How are you?
Adam Patarino: I'm doing very well.
Jara Rowe: All right, so go ahead and tell the listeners more about Casted and your role there.
Adam Patarino: Yeah, absolutely. So Casted was started in 2019 by myself and our CEO, Lindsay Tjepkema, and we had a vision for helping marketers with their podcasts, actually. I'm happy to be here on this show. Casted is all about building a show, building an audience around that show, and then really demonstrating the value of your podcast and video content throughout the rest of your marketing funnel.
Jara Rowe: I'm a huge fan of Casted even before we were technically a customer. I really like the amplified marketing approach, especially repurposing content and just thinking about content and things differently. So, I'm a huge fan of everything that you guys do.
Adam Patarino: Yeah. Yeah, likewise. Appreciate that.
Jara Rowe: Hey.
Adam Patarino: It's definitely cool seeing folks like yourself being able to start with conversations like these as opportunities to gather a lot of really rich content in lots of ways to repurpose that content and building your marketing strategy on top of it.
Jara Rowe: All right, so let's dive right into this cybersecurity fun. In your words, what is cybersecurity?
Adam Patarino: Yeah, cybersecurity is all about the, in our lens, risk management. Understanding what risks are potential, what threats are potentially out there that could harm our business in a number of ways or harm our customers' businesses. Cybersecurity is also trust, and so it's about being able to establish with our customers and our users, as well as our employees, that we are thinking through the potential risks out in the world and considering ways to prevent them so that we can build a trust and build strong relationships.
Jara Rowe: Awesome. So you've pretty much already demonstrated that, but cybersecurity is important for you all.
Adam Patarino: Yeah, it's really critical. It positions itself pretty uniquely in the B2B space, and more importantly in the enterprise space. As you work with enterprise customers, it's of course really critical to them. They have millions of users and millions of data points, and when we become a part of their tech chain, we don't want to be the weakest link.
Jara Rowe: For sure.
Adam Patarino: So in order for us to have a go-to-market opportunity, we need to make sure that we can demonstrate some competencies to help them feel comfortable.
Jara Rowe: Awesome. Yeah, definitely don't want to be the weak link at all. So through research and experiences and things like that, startups and SaaS companies sometimes don't have cybersecurity as top of mind as they should. So from Casted's point of view, when did you all know that cybersecurity was something you needed to take advantage of and the strategy behind that?
Adam Patarino: Yeah, so I think the bias that a lot of startups feel is that their risk profile is smaller, because they as an organization are smaller. That can be true as far as are they going to be targeted by active threats, but there are a lot of passive threats that are pretty equal no matter what size company you are. For us, I think we really knew from the beginning that cybersecurity and risk management was going to be critical to us to gain favor in the enterprise space, but it's also part of who we are as a culture and a company, is to be a trusted source for customers, for the market, for each other. Some of the deciding factors for us to actually pursue... we're SOC 2 certified, so to actually go into that SOC 2 motion was for us all about being the first in the market to demonstrate that we understand how important this stuff can be. It was also important for us to do it early. The earlier that you go through these things, they're actually a little bit easier to get your protections in place and get your routines in place and get all of your evidence gathered. It's a lot easier when you're smaller, so the actual auditing process can be a lot easier earlier, and then you're building on top of a really strong foundation. That's what we want to scale on top of, rather than going back through a very expensive restructure around security, we wanted to bake it in from the beginning.
Jara Rowe: Definitely. That's awesome that you guys took it so serious so early on, because I'm pretty sure, like you said, that that helps with headaches and things later down the line.
Adam Patarino: Yes, yeah.
Jara Rowe: I do know through research and whatnot that SOC 2 is something that most enterprise level companies really look for in the smaller SaaS startup companies. So, can you tell me more about some of the benefits that Casted has gotten from being SOC 2 certified?
Adam Patarino: Yeah, so I think a lot of people look at certifications like SOC 2 as a cost setter. It does cost money to get certified. There is software that's really helpful, which also comes with a bill, and of course there's the cost of time, which can be quite significant. However, I don't think a lot of people think about the return on that investment very often. We can actually equate dollars to our bottom line that are associated with our compliance. So because we have our SOC 2 badge, we can go to large companies like Salesforce and IBM and IBM and sign large [inaudible] with those customers, because we've demonstrated our competency in cybersecurity and risk management. So, we look at the ROI as being able to acquire and maintain and grow customers in that space as kind of that return on investment that we spent on SOC 2.
Jara Rowe: So my listeners, all of my newbie cybersecurity listeners like myself, we did just introduce a new term here, SOC 2. S-O-C, SOC 2, not socks like we put on our feet. There's different types of this, but don't worry, our next episode we go into more of what SOC 2 is. It is a compliance that a lot of SaaS companies get to help sell themselves to enterprise companies. So Adam, you did go a little bit into why you guys started with compliance, but was there anything else that triggered the need to start compliance when you did?
Adam Patarino: We definitely didn't luckily run into a vulnerability event, which I think is one of the things that unfortunately is the first step for a lot of customers, is they actually have a vulnerability that is exploited and they run into a problem, and then of course they try to play catch up or try to do damage control. For us, I think in my background especially, I've seen that before and so it became really important for us to get ahead of that, which is why we started so early.
Jara Rowe: Mm-hmm. So, I do know compliance and security aren't necessarily the same thing.
Adam Patarino: Right.
Jara Rowe: So, how does Casted ensure that both areas are being met?
Adam Patarino: Yeah, Casted's maybe in a unique position, because we serve two different types of users. Our first is our customer, and those are the folks that log into our platform, that trust us with their data, that are including us in their marketing tech stack. That's where things like security can be really important, to ensure that as they share their data with us, that they can trust that it's held safe. Our second user is actually our customers' customers, our customers' users who are listening to and engaging with their content and also providing some data. When you have a consumer consuming data or interacting and you're tracking their behaviors, that becomes an area for where compliance becomes very important.
Jara Rowe: Definitely.
Adam Patarino: We've seen all over the place how important privacy policies are, how important cookie policies are, the changes in European laws starting to affect American companies, and so for us, we take both motions pretty seriously. Again, because we want to build trust with our customers, right? They want to make sure that their end users are treated with respect and their data is held appropriately. At the end of the day, let's say we mishandle that second user, that very end user's data, it could be that brand, our customer that is held on the line. So in order to make sure that we are trusted and our customers feel safe uploading and managing their content with us, we have to show that we take compliance seriously as well.
Jara Rowe: I feel very good that our audience that digests our content through Casted is taken care of.
Adam Patarino: Exactly, yep.
Jara Rowe: That's awesome.
Adam Patarino: Well, and it's cool too, right? In case of those out there who don't know, Casted's actually a Trava customer.
Jara Rowe: Yes.
Adam Patarino: So, a lot of this learning was something that I learned through Trava and the Trava team, and it's something that Trava was really great at helping both compliance and security concerns. So, it's been a great partnership.
Jara Rowe: We appreciate the partnership as well.
Adam Patarino: Thank you.
Jara Rowe: So I do know with compliance, you have different controls and they look at different company policies. So, specifically just thinking about from a training standpoint to make sure that Casted employees are up-to-date on cybersecurity concerns and things like that, do you guys deploy anything? Do you have any softwares? Or how do you guys train your employees when it comes to cybersecurity?
Adam Patarino: Yeah. Yeah, we actually follow a pretty standard template. There is a company out there that we use their software, it's called Carbide.
Jara Rowe: Okay.
Adam Patarino: Carbide is really helpful at managing all of our different security and compliance policies, but it also incorporates security training for all of our employees. So, part of our onboarding process is to have them go through some lessons. They're really great and easy and quick lessons. We have people review those, and if there's updated lessons, they'll learn more from the updates each year, so we go through and have people look through those yearly. We also work on more advanced training with our engineers. So the standard employee, somebody in marketing and sales that needs to go through that Carbide security training, and then our sales folks have a software development security training that they go through, because ultimately that's where the highest risk is. When you have a higher risk profile, we need to take additional steps, have more procedures, more training, and that's something that actually the engineers kind of enjoy learning a little bit more about, how to shore up our code and have really secure best practices.
Jara Rowe: We were just discussing recently about the importance of engineers and to make sure that they're making those changes in the software updates and things like that. Yeah, there might be new cool features, but those cybersecurity updates are just as important as some of those other things.
Adam Patarino: Yeah, it's always a balance. I lead the product organization and the customer organization, and since the beginning we've had to find a balance for ensuring that we were not developing too much tech debt and we were still delivering exciting features to our customers. That's a challenge for most products leaders out there, is how do we ensure that we're investing at the threat levels into each bucket?
Jara Rowe: Yeah, how do you decide that?
Adam Patarino: We have a process that we built off of Shape Up, which is an alternate development methodology where we are able to create pitches based on things that need to get done and prioritize them. What's great is we have the whole organization place bets essentially on what they think needs to go into the roadmap next, and that has allowed us to ensure that we're reaching the most critical items first. Of course, when you have something like that, you always need to have your thumb on the scale.
Jara Rowe: Okay.
Adam Patarino: So partnering with Trava, they've been able to help us identify the critical areas that we need to ensure we're addressing first. So, I'm able to pull in outside feedback into that betting process and making sure that we can keep a balance between new features and security updates and performance updates.
Jara Rowe: I'm glad we're able to help with that. So to reel it back in just a little bit, when you started with cybersecurity at your SaaS company, how much did you know about cybersecurity during that time?
Adam Patarino: Yeah, that's a great question. My background has been in SaaS most of my career, and I've been exposed to SOC 2 where the company I was a part of was going through it, and I did just a little bit on the documentation side.
Jara Rowe: Okay.
Adam Patarino: So I wasn't super familiar with everything that's involved, but I knew what it was and why we needed it. Then I worked at a global company where they were based out of Europe and their security practices were very robust. We had a lot of trouble getting new software, and we had a lot of routines and processes and procedures to go through in order to advance some of the custom work that I was building. So coming into Casted and knowing that we had a goal of becoming SOC 2 compliant within our first three years, we knew why we wanted it and we had a rough idea of what it might look like to accomplish it. That was it. I learned a whole lot on the fly about what are the details of compliance. It's not just going and getting your badge, there's actually a whole methodology and there's a whole point of view that your whole company needs to adopt being security and compliant-focused first, and that allows achieving SOC 2 to be a lot easier.
Jara Rowe: So if there was one thing you wish you would have known before going through the journey to compliance, what would that have been?
Adam Patarino: I think looking back, I would have loved to know that a partner is going to make things a lot simpler. We got lucky finding Trava and it really helped streamline everything. We didn't have to be the experts. In fact, while we were in a lot of sales processes seeking our SOC 2, we were able to still get into those deals and sell those customers because we had the support of an expert on our bench. So we were able to say, "Yes, we don't quite have the certification, but we have a lot of the right practices that certification proves." So, having an expert be able to talk to their security expert was really great for us. It took that pressure off of me to know stuff I didn't quite know yet.
Jara Rowe: Yeah, that's awesome. We love the buddy system here.
Adam Patarino: Exactly.
Jara Rowe: So Adam, if you could give advice to any other SaaS leader or other CPO in particular at a company when it comes to cybersecurity, what would you tell them?
Adam Patarino: Yeah. I always encourage co-founders and then founders or product leaders to start their security journey early. It's a lot easier when you're smaller, it's a lot less overhead than you probably expect. The second piece of advice I would give is find the right partner in this space. It's a lot easier to hire a firm and a company and a software solution like Trava than it is to bring somebody in-house that can be quite costly. So especially if you're in that early stage, partner [inaudible] Trava is probably my best piece of advice.
Jara Rowe: So, is there anything else you would like to leave our listeners with?
Adam Patarino: Yeah, if you're thinking about podcasting, if you're thinking about video for your marketing solutions, go check out Casted.
Jara Rowe: Love it.
Adam Patarino: We'd love to tell you more about how we can help you. But in all seriousness, we're going through some interesting economic times. As we look forward with an uncertain future, I hope that everybody stays safe out there and can help one another.
Jara Rowe: Ditto. As we mentioned, we learned a new term today, SOC 2, but if you were a little confused about it, don't worry, next episode, we will be discussing SOC 2 in a way we can all understand as if we're kids. Okay, friends, now that we have spilled the tea on the importance of cybersecurity from the perspective of a SaaS company during their journey, it's time to get into the receipts. So, I have two big takeaways. Adam noted that some smaller companies feel like they're not at risk simply because they're a smaller company, and that is the farthest thing from the truth. It's important to take it seriously from day one. If you do more of a proactive approach, when you do become bigger and you grow, having these different cybersecurity strategies and risk management strategies in place earlier on is only going to help you and benefit you in the long run. If you are trying to sell to an enterprise company, a lot of them actually want to know what you're doing to keep their data safe. So just because you're a smaller company at the beginning, doesn't mean that you should let cybersecurity go by the wayside, make it a priority from the start. Another thing that I took away is that when it comes to keeping data and information safe, it's not just about you, it's about your customers as well. Especially as a SaaS company, you not only have your own information and data, but you also have information from your client, your customer as well. So taking cybersecurity seriously keeps you and your customer safe, so let's make sure that we're doing our due diligence to keep all of us secure. Thanks for tuning in to The Tea on Cybersecurity. If you like what you listened to, I would be greatly appreciative if you could leave me a review. If you need anything else from me, head on over to Trava Security. Follow wherever you get your podcasts.
DESCRIPTION
“In order to make sure that we are trusted and our customers feel safe uploading and managing their content with us, we have to show that we take compliance seriously.”
Successful compliance strategies aren’t always easy, but boy are they necessary. In this episode of The Tea on Cybersecurity, host Jara Rowe speaks with Adam Patarino, CPO and Co-Founder of Casted, a podcast and video content marketing platform. They discuss the importance of becoming SOC 2 certified to ensure the safety of their customers and their customers’ customers. They delve into why it’s best to invest early in cybersecurity as a startup and the importance of working with a trusted partner on the journey to compliance. Listen in for more on cybersecurity compliance and risk management.
What You’ll Learn:
- What are the benefits of becoming SOC 2 certified for a SaaS company?
- What tools and strategies should SaaS companies use to ensure both security and compliance?
- What are the advantages of taking a proactive approach to cyber security and why is it important?
Things to listen for:
[00:20] Introduction to Adam Patarino, CPO of Casted
[01:53] What Cybersecurity is for Casted
[03:32] The importance of cybersecurity for startups
[04:29] SOC 2 Certification and the beginning of Casted’s journey to this goal
[05:49] The benefits of being SOC 2 Certified
[07:56] The importance of starting early
[10:30] Training all staff on compliance and cybersecurity
[12:47] Process of investing in the right buckets
[13:45] Adam’s background and previous knowledge of SOC 2
[15:18] Advice Adam has for those looking at SOC 2 compliance
[17:39] Jara’s Receipts and takeaways
Connect with the Guest:
Adam’s LinkedIn - https://www.linkedin.com/in/adampatarino/
Casted LinkedIn - https://www.linkedin.com/company/gocasted/
Connect with the Host:
Jara Rowe - https://www.linkedin.com/in/jararowe/
Connect with Trava:
Website - https://www.travasecurity.com/
LinkedIn - https://www.linkedin.com/company/travasecurity/
Instagram - https://www.instagram.com/travasecurity/
Twitter - https://twitter.com/travasecurity
Facebook - https://www.facebook.com/travaHQ
YouTube - https://www.youtube.com/channel/UCBqqNS-TSnj2ClgeYdcTKQgrava