The Product Person - VGS: Security and branding
VGS: Security and brandingThe story behind VGS and how they built one of the strongest brands in the security spaceBy RC and Richard It’s not often that I find well-known alumni from my alma mater, University of Maryland. There’s Sergey Brin (Google and class of '93), Brendan Iribe (Oculus and class of '01), and the Mokhtarzada brothers (Truebill and class of '01). But today, there’s one more person to add to the list: Mahmoud Abdelkader, co-founder of Very Good Security and class of '06. Very Good Security (VGS) makes data “unhackable”. They provide security for sensitive data such as payment information and social security numbers. Companies send VGS their sensitive data and VGS sends back aliases to store in company databases. Then, when it’s time to use the data, the company pokes VGS with the alias and receives corresponding data. This intricate dance allows companies to outsource security infrastructure to VGS. If a VGS customer gets hacked, hackers only get VGS aliases rather than real customer data. The downside to this model is that if VGS gets hacked, well, that wouldn’t be pretty. To date, VGS has not been breached — an astonishing feat that sets them apart from other security companies like Okta, Lastpass, Duo, and Auth0. FundingFounding StoryBack in 2011, Abdelkader was the CTO of Balanced, a payments platform for marketplaces such as CrowdTilt, TheFancy and Reddit Gifts. After going through the Y Combinator Winter 2011 batch, Balanced raised a $3.4 million seed round by Andreessen Horowitz. Despite the larger-than-average seed round, Balanced had a hard time competing with another Y Combinator alum, Stripe. In 2015, the team shut the company down and transitioned customers to Stripe. As Abdelkader sold off Balanced’s assets, he kept fielding offers on the compliance and security engine that he had built for Balanced. As part of building a payments company, Abdelkader had developed a PCI-compliant security layer to protect the sensitive payments data from customers. The attention for Balanced’s security layer dwarfed the demand for Balanced’s core payments products. In Mahmoud’s telling, Balanced wasn’t alone in building out the security layer for their financial product:
Inspired by the demand for Balanced’s security engine, Abdelkader teamed up with Marshall Jones, the VP of Engineering at Balanced, to start Very Good Security in 2015. The name Very Good Security is a nod to Pretty Good Privacy, a cryptographic encryption program for data communication. VGS’ thesis was that they could build a productized version of Balanced’s security engine. Then, customers could use that engine instead of building out their own expensive security and compliance layers. While the first word of “security and compliance” describes VGS’s product, it’s actually the compliance aspect that makes VGS most attractive for companies. Companies are required to have Payment Card Industry Data Security Standard (PCI DSS) compliance when handling card data from Visa, Mastercard, Discover, American Express, or JCB International - pretty much every fintech company out there. PCI-DSS compliance focuses on three main components: collecting payment data from customers, storing payment data, and validating that access/security controls are in place. It’s a pain to achieve compliance - depending on the payment volume, audits range from 1-8 months with quarterly network scans to onsite Annual Reports on Compliance (ROC’s) by a Qualified Security Assessor (QSA). As a result, companies find creative ways around PCI compliance. They can offload to a larger financial company - Stripe abstracts a large part of PCI through Elements and Checkout, and companies like Idemia and Bluemark can build/ship credit or debits card without the fintech or neobank ever touching the card. The tradeoff? Flexibility, and to some extent, scalability too. At a certain point, it’s more pragmatic to bring in-house. From there, PCI compliance usually requires hiring on a full-time security professional or paying a vendor like VGS to solve the first two parts of PCI compliance, processing and storing payment information. With a contact list from interested buyers, Abdelkader quickly added LendUp (now Mission Lane) to its first class of customers. In July 2016, VGS raised a $1.4 million seed round from Slow Ventures, Vertex Ventures, and Graph Ventures. Product-Market FitIt took a while for VGS to fully rebuild Balanced’s security features and add on new features to serve customer use-cases. About a year after their seed round, VGS started to poke their heads out. Marshall Jones, CTO at VGS, started publishing blog posts on Proxies Demystified and the release of their first product, the Proxy Secure Logger. These posts were quickly followed up by others. The whole team pitched in - Gordon Young (DevOps/SecOps) posted Threat Modeling for Data Protection, Ulyana Falach (HR / Marketing) posted User Management Feature Release, and Stefan Slattery (Marketing) posted PCI Scope Reduction: Understanding the Process. In July 2018, VGS passed their PCI-DSS 3.2 compliance audit. The milestone marked the maturing of VGS’s product - they could finally effectively sell their product to a broader class of fintech companies. In August 2018, VGS announced their $8.5m Series A, led by Andreessen Horowitz. The closing remarks from Abdelkader was, “I’m selling trust.” With VGS out of stealth, product development accelerated. Beyond just financial data, VGS improved their tokenization API to work on personally identifiable information (PII) and even health records. They also partnered with third parties to create integrations for developers. For example, their Netlify plugin allows users to create secure forms directly from the Netlify dashboard to safely collect and store sensitive user data. Instead of traditional cash-burning marketing techniques, the company has spent time and effort focusing on the “how”. VGS’ content delves into technical security details, changes in product offerings, and staff updates. For example, in November 2018, VGS published a piece titled, "How to Avoid Using Components with Known Vulnerabilities”. And in May 2019, VGS launched their Compliance Academy, a series of lessons that talk about popular compliance certifications such as PCI, SOC2, GDPR, and CCPA. These written pieces established trust and authority within the security space. In April 2019, VGS coined an ingenious term that further cemented their brand - “zero data”. The introduction of their Zero Data mission was accompanied by a special promotional video and quote from Brex’s CEO:
Zero Data was an inflection point. In October 2019, VGS raised a $35 million Series B led by Goldman Sachs’ Growth Equity. GrowthIn early 2020, Visa took note of Very Good Security’s work with companies like Petal and Brex. Shortly thereafter, they invested a large, undisclosed amount. Once again, VGS’s thought leadership and branding building was paying dividends.
By mid-2020, Amazon joined Visa in issuing a vote of confidence. They assigned Select Technology Partner status to VGS. Taking brand-building a step further, VGS threw its weight behind development and promotion of the Open Finance Data Security Standard. This new standard aims to raise the bar for data security in finance. Regulators and the industry at large simply haven’t kept pace with rapidly changing tech. And VGS isn’t pulling any punches. VGS’s blog includes outspoken critiques of how government agencies and the tech industry are falling short of the high mark consumers deserve. At this point, VGS really started to accelerate. They 10x’ed data under management in just a year while doubling customer count. Beyond just startups, VGS was now serving banks like Texas Capital Bank (NASDAQ: TCBI). Vertex Ventures led VGS’s $60 million Series C in December 2020. Throughout its history, VGS was relatively soft-spoken. They’d written a lot about industry standards and general educational topics - yet, very little information about the company had surfaced came out. That would change in 2021 and 2022. In quick succession, Abdelkader appeared on multiple podcast (full list in footnotes) and authored a Forbes piece titled, “Data Security's Secret: Data As An Asset”. ExpansionRapidly expanding companies test their leaders’ adaptability. Leaders ideal for the early vision-and-grind eras are often less excited about the rapid scaling stage. Many don’t know when to let go of the reins. Not Abdelkader. In a thoughtful November 2022 announcement, he revealed that he’d be taking a step back:
Chuck Yu (formerly of Visa and Drivewealth) stepped up in April 2023 to fill the talent gap at CEO. He’s joined by a power team of recent hires and promotions:
The list goes on. However, it’s clear from their investment into expert leadership that VGS is beefing up its growth and engineering capabilities. Final ThoughtsBy recognizing and seizing the opportunity they found within Balanced, Abdelkader and Jones created an exceptional data security platform. VGS’ reputation is stellar. Equally impressive to their PMF and business success - has been their vigilant focus on data security, a flawless track record (0 breaches), and their ability to remove so many regulatory and compliance hurdles for their customers. Footnotes[0] Podcast appearances by Abdelkader
Enjoyed this? Please share it with a friend or two. |
Key phrases
Older messages
Drata: Viral Audits
Monday, April 24, 2023
How Drata came to the forefront with changing software purchasing decisions
Wiz: Visible Vulnerabilities
Wednesday, April 19, 2023
Breaking down how Wiz went from COVID idea to $10 billion
Snyk: Shift left security
Wednesday, April 19, 2023
Catching the shift-left security wave and building a generational security platform
Nirav Tolia on Growing Nextdoor and the Path to Monetization
Wednesday, January 4, 2023
Inside are 5 actionable insights from former CEO and co-founder of Nextdoor, Nirav Toilia
The Rise and Fall of FTX – Part Three
Monday, December 26, 2022
FTX's presidential tokens, FTX.US, Serum, Blockfolio, and Alameda's risky bets in 2020.
You Might Also Like
Data Science Weekly - Issue 540
Friday, March 29, 2024
Curated news, articles and jobs related to Data Science, AI, & Machine Learning ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏
This Week in Rust #540
Friday, March 29, 2024
Email isn't displaying correctly? Read this e-mail on the Web This Week in Rust issue 540 — 27 MAR 2024 Hello and welcome to another issue of This Week in Rust! Rust is a programming language
The Value Of A Promise 🤞
Friday, March 29, 2024
How much is a promise from a tech company really worth, anyway? Here's a version for your browser. Hunting for the end of the long tail • March 28, 2024 The Value Of A Promise When you hear a
New Elastic Security for SIEM Training Course
Friday, March 29, 2024
Detect and respond to evolving threats ㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤ ㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤ ㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤ elastic | Search. Observe. Protect Detect anomalies and malicious behavior March
SBF gets 25 years
Thursday, March 28, 2024
Sam Bankman-Fried is sentenced View this email online in your browser By Christine Hall Thursday, March 28, 2024 Welcome back to TechCrunch PM! The editorial team spent a chunk of the day discussing
💎 Issue 410 - Being laid off in 2023-2024 as an early-career developer
Thursday, March 28, 2024
This week's Awesome Ruby Newsletter Read this email on the Web The Awesome Ruby Newsletter Issue » 410 Release Date Mar 28, 2024 Your weekly report of the most popular Ruby news, articles and
💻 Issue 403 - Microsoft defends .NET 9 features competing with open source ecosystem
Thursday, March 28, 2024
This week's Awesome .NET Weekly Read this email on the Web The Awesome .NET Weekly Issue » 403 Release Date Mar 28, 2024 Your weekly report of the most popular .NET news, articles and projects
💻 Issue 410 - Node.js TSC Confirms: No Intention to Remove npm from Distribution
Thursday, March 28, 2024
This week's Awesome Node.js Weekly Read this email on the Web The Awesome Node.js Weekly Issue » 410 Release Date Mar 28, 2024 Your weekly report of the most popular Node.js news, articles and
💻 Issue 410 - JSDoc as an alternative TypeScript syntax
Thursday, March 28, 2024
This week's Awesome JavaScript Weekly Read this email on the Web The Awesome JavaScript Weekly Issue » 410 Release Date Mar 28, 2024 Your weekly report of the most popular JavaScript news, articles
📱 Issue 404 - Dependency Injection for Modern Swift Applications Part II
Thursday, March 28, 2024
This week's Awesome iOS Weekly Read this email on the Web The Awesome iOS Weekly Issue » 404 Release Date Mar 28, 2024 Your weekly report of the most popular iOS news, articles and projects Popular