For most of enterprise software history, security and compliance were treated as cost centers. You hired a CISO to keep the regulators off your back, you paid for a compliance audit every year, and you hoped nothing got breached in the meantime. The money spent on security was money that did not go into product development. Everyone accepted this framing.
That framing is breaking down. And the companies that spotted it first — the ones building security and compliance tooling that enables sales rather than just satisfying legal requirements — are producing some of the strongest retention economics we have seen across any software category.
The Compliance-as-Sales-Blocker Problem
A few years ago, a consistent pattern started emerging in our deal diligence: the most frequent reason enterprise software deals stall is not pricing or competitive features. It is the security review process. Procurement teams at large companies have become significantly more rigorous about vendor security posture, SOC 2 compliance, and data handling practices. What used to be a formality in a 30-day sales cycle became a 90-day process involving dedicated security review teams, questionnaires that run to 200+ questions, and frequent deal-killers over data residency or encryption standards.
For vendors that are not prepared for this, the sales cycle stretches. Revenue gets pushed. In one egregious case we saw during diligence on a target company, a signed LOI turned into a six-month security review delay that pushed the deal into a new fiscal year — and the customer's budget got reallocated. The deal died.
For vendors that turn security and compliance into a competitive advantage, the dynamic inverts. An enterprise software company that walks into a security review with a current SOC 2 Type II report in hand (SOC 2 is an auditor's attestation report, not a certification), GDPR- and CCPA-ready data handling documentation, and automated responses to the most common security questionnaires can compress the review from 90 days to under 30. That is not just a compliance feature. It is a sales advantage that translates directly into faster time-to-revenue.
Two Investment Angles
We see the shift playing out in two distinct ways:
Security posture as a product feature. Enterprise software companies that build security and compliance deeply into their product — not as an afterthought, but as a first-class capability — command higher contract values, win regulated-industry customers that others cannot close, and retain at higher rates because switching vendors means restarting a security review process the customer does not want to go through again. We have started evaluating our portfolio companies' security posture not just as a risk management question but as a growth driver question.
Compliance automation as a standalone product. The companies building platforms that automate evidence collection, continuous compliance monitoring, and vendor security review response have found a market that is growing faster than most enterprise software categories. The tailwind here is straightforward: every enterprise needs more of this, the manual effort is enormous, and the cost of non-compliance is existential in regulated industries. We backed Veracode Systems in this space because they built specifically for the API security and distributed microservices case — a segment where compliance requirements are especially poorly served by older tools.
What Makes This Market Durable
Regulatory requirements only get stricter. We have not seen a meaningful rollback of enterprise security and compliance requirements in any jurisdiction we follow closely. GDPR enforcement has increased. State-level privacy regulations in the US continue to proliferate. Sector regulations and control frameworks alike (HIPAA, PCI DSS, SOC 2, FedRAMP) have become more rigorous in their audit and assessment requirements over the past five years.
This is not a market where the demand goes away if the macro environment changes. If anything, a downturn tends to concentrate more regulatory attention on enterprise vendors. The compliance spend is non-discretionary for any company with institutional customers.
The question is not whether enterprises need better security and compliance tooling. They unambiguously do. The question is which product category and which company captures the value. Our thesis is that the winners will be the ones who turn compliance from a defensive cost center into an offensive sales motion.
The Cultural Shift in the CISO Role
Something has changed in how chief information security officers think about their role and their budget. Five years ago, the CISO's primary job was keeping the company out of breach headlines and passing audits. Business enablement was secondary. That has flipped at a growing number of large enterprises.
We now regularly see CISOs who are actively involved in evaluating vendor relationships from a revenue perspective — which vendors help us close deals faster, which customers do we lose because of our security posture, which compliance certifications are prerequisites for entering certain market segments? That is a fundamentally different set of questions from the traditional CISO playbook. It opens up a category of security and compliance investment that gets funded from revenue-facing budgets rather than pure risk-management budgets. Larger budgets. Stickier budgets.
The companies we back in this space are building for both of those CISO personas at once — the risk manager who needs audit evidence and the business enabler who needs faster deals. The best products serve both, and the ones that do are generating NRR numbers that consistently surprise us to the upside.