Virtual CISO Moment #200: Startups, SOC 2’s Future, and AI Agents — with SCI’s Caleb Mattingley
Host: Greg Schaffer • Guest: Caleb Mattingley, Founder & CEO, Secure Cloud Innovations (SCI)
For episode 200, Greg digs into Caleb’s origin story, why some startups over-engineer security too early, and a provocative vision: AI agents that continuously attest vendor security — replacing “check-the-box” compliance. If this resonates, you’ll also like GRC Room: Five Questions and Compliance Hell Is Optional.
Highlights
- Don’t overbuild security on day one. Founders need product and GTM first; right-size controls to stage and data sensitivity.
- Frameworks ≠ the mission. Start where business impact and control requirements overlap; expand from there. Related: Five Questions on GRC.
- SOC 2 is becoming commodity. Useful for sales, but not destiny. Expect more continuous, evidence-based assurance.
- AI agents for assurance. Enterprise and vendor AIs exchange real signals (with non-repudiation) to score risk continuously.
- Secure defaults should be default. Examples: EBS encryption enabled account-wide; MFA and SSO on day one.
How SCI started
Caleb: A side goal to work fewer hours turned into 50+ hours of consulting in two weeks. Brought in an intern, learned fast (including “don’t rely on one client”), and kept building.
The startup mistake: gold-plating security too early
Caleb: If you’re pre-product/market fit, chasing an enterprise-grade posture can starve product and GTM. Right-size controls for the data you actually handle, then mature with revenue.
Frameworks vs. what the business needs
Greg: Picture a Venn diagram: one circle is the framework; the other is the business. Start where they overlap.
Caleb: Not every control applies to every startup. Use frameworks for coverage, but prioritize by risk and sales blockers.
Will AI replace “attest-and-hope” compliance?
Caleb: Expect agents that read live configs, policies, and logs (with immutability / non-repudiation) and exchange signals between buyer and vendor. Output: a dynamic risk score you can trust more than a one-time PDF.
SOC 2 today
Caleb: It’s become pay-to-play. You may still lose the deal even after getting the report, so focus on real security + evidence gathering. We embed to implement and operate controls, not just write them — more in this Q&A.
Cloud defaults that should be default
Caleb: In AWS, set account-level EBS encryption default to on. Turn on MFA for the root user (then vault it), and use SSO (Google/Okta) for everyone else. Build secure by default so you don’t have to “think to be secure.”
Decompressing from founder/CISO stress
Caleb: Guitar, sci-fi reads (Heinlein), hikes with the family — creative outlets keep the program sustainable.
Favorite Moment
“Secure defaults should be the default. Make people think to decrease posture — not increase it.”
— Greg & Caleb
Quick Checklist for Early-Stage Teams
- SSO + MFA everywhere; disable daily use of root accounts.
- Encrypt storage by default (e.g., EBS default encryption) and backups cross-account/cloud.
- Role-based access, quarterly reviews; log privileged actions.
- Centralized logging; alert on auth anomalies and failed backups.
- Policy-to-control mapping that matches your stage; expand with revenue and risk.
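The "encrypt storage by default" item above and the AWS default Caleb describes under "Cloud defaults that should be default" can be codified so nobody has to remember it per volume. The following Terraform is an added example, not code from the episode or from SCI; the region and the choice of a customer-managed key are assumptions, and because the setting is regional it must be applied in every region the account actually uses.

```hcl
# Added example (not from the episode or SCI). Assumes the account is used in
# us-east-1; repeat the resources with a provider alias for each other region.
provider "aws" {
  region = "us-east-1"
}

# Account-level, per-region default: every new EBS volume and every snapshot
# copy is encrypted unless a caller explicitly opts out. Launching a volume
# without thinking about encryption now yields the secure result.
resource "aws_ebs_encryption_by_default" "this" {
  enabled = true
}

# Optional: back the default with a customer-managed key (assumed choice)
# instead of the AWS-managed aws/ebs key, so key policy and rotation are
# under your control and visible in your own evidence trail.
resource "aws_kms_key" "ebs" {
  description         = "Account default key for EBS volumes"
  enable_key_rotation = true
}

resource "aws_ebs_default_kms_key" "this" {
  key_arn = aws_kms_key.ebs.arn
}
```

To verify the control (and to capture evidence for the kind of continuous assurance discussed above), `aws ec2 get-ebs-encryption-by-default --region us-east-1` should return `"EbsEncryptionByDefault": true`; existing unencrypted volumes are not changed by this setting and must be handled separately.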
Need a hand? SCI embeds with startups to implement, evidence, and maintain controls — without cutting corners. For more founder-friendly takes, see Compliance Hell Is Optional and GRC Room: Five Questions.