September 8, 2020

Last Updated on January 14, 2024

Anyone involved in consuming, providing or regulating cloud services knows that security is a critical concern. But that doesn’t mean every software-as-a-service (SaaS) provider has a robust security posture—especially when you’re taking a hard look at it as a potential investor.

Just how important is data security and privacy to the growth and investment potential of an early-stage SaaS company?

We got the complete picture from a front-line expert on a recent episode of The Virtual CISO Podcast. Our guest was Jesse Nash, a partner at Reitler Kailas & Rosenblatt LLC, a leading venture capital law firm based in Manhattan. Jesse represents both SaaS companies and their investors, so he knows the issues from every angle.

How should a growing SaaS business approach data security and privacy?

“What my early-stage and growth-stage SaaS companies are trying to do is understand the regulatory environment their customers need to meet and build a data security and privacy infrastructure that matches up with those expectations,” says Jesse.

What are venture capital and private equity investors looking at?

“What I’m doing in transactional and M&A due diligence is trying to get a handle on the data security and privacy risk and compliance that those companies are experiencing, to see whether they are a viable investment candidate or not,” Jesse notes.

“Number one, private equity funds want to make sure that they’re not stepping into a lot of risks in terms of data security and privacy and noncompliance,” continues Jesse. “Number two, that their potential targets are in compliance with their contractual obligations and their customers are happy, and they’ve made the right investments so far to make their customers happy.”


“Number three, when it comes time to exit that company, there’s going to be a solid story in terms of data security and privacy compliance that’s not going to be a due diligence drag when they go to sell the company for hopefully multiples of what they invested in it,” Jesse concludes.

In short: your security story equals your investment potential.

With so much on the line, Jesse counsels clients to uncover and address security snags before moving towards a deal. He recommends reading an article from McKinsey titled, “Securing software as a service.”

Jesse relates: “What [McKinsey] did was interview CISOs from major companies about their experiences doing B2B SaaS transactions. What the CISOs experienced was a pretty significant disconnect in terms of the B2B SaaS company and how it was approaching those CISOs and engaging—becoming a partner and a stakeholder in the customer’s data security and privacy infrastructure.”

“What these CISOs say is, ‘Look, our biggest drawback to going on the cloud … is data security and privacy. That’s the number one impediment. It’s not cost; it’s not a product/need match. It’s not loss of control or other operational concerns. It’s data security and privacy. That is the biggest issue in terms of an impediment to the growth of SaaS,’” adds Jesse. “CISOs are going, ‘I really need you guys to step up and be a bigger stakeholder in helping me do my job.’ So that’s been the impasse that I’ve seen [in deals].”

Here’s Jesse’s bottom line for SaaS startups: “Understand the regulatory environment your customers are working in; understand their expectations in terms of data security and privacy; and make sure you have a clear and precise data security policy that matches up with that, so we’re not working from square one every time we do a tech transaction.”


If you work for a SaaS company, or want to invest in or purchase one, you need to hear this podcast end-to-end. You can listen to the full show with Jesse Nash here.
