Steve Neville, Trend Micro, On Why Startups Should Care About Regulation & Compliance
This interview is part of our feature on SAAS NORTH 2018 speakers.
L-SPARK: Tell me about yourself and your background.
STEVE: I’ve been in the tech world since 1995. I was a marketing guy coming out of University and technology was incredibly intriguing. You see, technology was really interesting back then – we were operating as Silicon Valley North and there were many great things happening here. I loved the vibe and ended up being employee #5 in an organization, which I saw through to a large raise.
When I had the opportunity to move from a startup to a more established company, I landed at Entrust as employee #372. Landing at Entrust began my indoctrination into security. I spent 11 years at Entrust and saw a lot of changes happen over those years.
As my colleagues left Entrust, and gathered at Trend Micro, I got a bit curious about where they were working and I enjoyed what I saw. When it came time to depart Entrust, Trend Micro seemed like the natural next step. I’ve been there ever since.
L-SPARK: Tell me about Trend Micro – what’s the #1 problem you’re solving for folks and what makes the company unique?
STEVE: Trend Micro is a really interesting company. We’ve been around for 30 years – our 30th birthday is coming up in October – and we’ve got over 500,000 enterprise customers around the world and over 6,000 employees. We’re the largest, independent security company in the world.
I was attracted to Trend Micro because of their mission statement—“Making the world safe for exchanging digital information”. It doesn’t just translate into the products – we have great products – but Trend Micro has a much larger view. Rather than just ask the question, “Does this affect the bottom line?”, the company truly looks at its customers, collaboration, creating impact and change as well as building trust in the industry.
The people at Trend are truly different than the way the average organization reacts to the outside world. Not only do we want to make the world safer, we help organizations do that, too. We’re also a global citizen. The company’s philosophical approach is to also help people in the real world. We have an annual give-and-match program that has raised over $4M for various charities.
Last year, for example, we had over 1,400 Trend employees show up in Vancouver. The year before we were in Orlando. We don’t go out golfing, etc., we take a half a day and we spend it on charitable projects. We went to two schools in Vancouver, 700 per school in red shirts, and we put our time and effort into a project.
We are really all about helping the world around us. It’s a testament and reflection to who the company is. We’re not just about security products and the bottom line, although we do really well there, but we all know that we’re a lot more than just the numbers.
L-SPARK: You’ll be speaking about regulations during your talk at SAAS NORTH – can you tell me why this is important, what the regulations are that people should have top of mind and why startups need to pay attention?
STEVE: To start with the first question, if you look at the root of regulation out there (GDPR, for example), the root is to try and fix a specific issue. GDPR focuses on data privacy and allowing individuals to have control over their information. We live in a world where data breaches happen often, and that’s a reflection on companies – any size – that aren’t treating threats appropriately while storing and using personal data.
PCI is one that you need to pay attention to if you’re using credit cards, for example. Regulations help protect personal information that is being used wherever it is being leveraged. In Canada, there’s PIPEDA, which relates to personal data. If you’re dealing with healthcare information, HIPAA and HITECH translate globally.
You can have a startup that is 10 people but has 10,000 customers. Scaling on the Internet means companies can hold a lot of data regardless of their size.
L-SPARK: As a startup, it can sometimes be difficult to put things like regulations to the top of the priority list. Why do you think it makes sense for startups to focus on regulations early on?
STEVE: Security and regulations are inherently tied. Most regulations are about protecting some form of data. The big opportunity, in my opinion, for startups is to bake the idea of security into the organizational DNA as it’s scaling. For example, maybe you’ll say, “I’m going to implement a security framework” but that might sound overwhelming. However, there are great frameworks that exist out there that can be leveraged – SANS Top 20, for example – and the good news is that they match well with most of the regulations.
Now, you have the opportunity to get ahead on all of the regulatory work you’ll need to do because they all rely on the fact that you’re using effective, appropriate, logical security. From a startup perspective, the competing priorities are totally understandable but the good news is that there are ways today, with security, to leverage something like a SaaS offering for security. You can embed an agent in your server or make a call with an API, for example.
There are interesting ways that startups can leverage effective security and take advantage of organizations like ours. We have something called the Automation Centre, which is similar to a GitHub, for example, to get examples of what to do and how to do it and use the service as a backend. You can bake security in at the beginning and get ahead on both the threat and the regulation—without ever having to deploy & manage a security infrastructure.
Let’s say you have a breach with GDPR, you won’t necessarily get fined just because you had a breach. You need to show that you had the appropriate measures in place so that security framework can help protect you long-term.
L-SPARK: What does all of this have to do with customer advocacy?
STEVE: The opportunity with regulations, such as GDPR, is to not only comply but leverage the fact that you’re treating that data well with prospects and customers. It helps to create trust, it helps them to understand that you’re treating their data with respect and you respect them as an individual. They’ll automatically feel better about dealing with you as an organization, and that should translate to the bottom line.