VGS: Security and branding
The story behind VGS and how they built one of the strongest brands in the security space
By RC and Richard
It’s not often that I find well-known alumni from my alma mater, University of Maryland. There’s Sergey Brin (Google and class of '93), Brendan Iribe (Oculus and class of '01), and the Mokhtarzada brothers (Truebill and class of '01).
But today, there’s one more person to add to the list: Mahmoud Abdelkader, co-founder of Very Good Security and class of '06.
Very Good Security (VGS) makes data “unhackable”. They provide security for sensitive data such as payment information and social security numbers.
Companies send VGS their sensitive data and VGS sends back aliases to store in company databases. Then, when it’s time to use the data, the company pokes VGS with the alias and receives corresponding data.
This intricate dance allows companies to outsource security infrastructure to VGS. If a VGS customer gets hacked, hackers only get VGS aliases rather than real customer data.
The downside to this model is that if VGS gets hacked, well, that wouldn’t be pretty. To date, VGS has not been breached — an astonishing feat that sets them apart from other security companies like Okta, Lastpass, Duo, and Auth0.
Funding
Founding Story
Back in 2011, Abdelkader was the CTO of Balanced, a payments platform for marketplaces such as CrowdTilt, TheFancy and Reddit Gifts.
After going through the Y Combinator Winter 2011 batch, Balanced raised a $3.4 million seed round by Andreessen Horowitz. Despite the larger-than-average seed round, Balanced had a hard time competing with another Y Combinator alum, Stripe. In 2015, the team shut the company down and transitioned customers to Stripe.
As Abdelkader sold off Balanced’s assets, he kept fielding offers on the compliance and security engine that he had built for Balanced. As part of building a payments company, Abdelkader had developed a PCI-compliant security layer to protect the sensitive payments data from customers. The attention for Balanced’s security layer dwarfed the demand for Balanced’s core payments products.
In Mahmoud’s telling, Balanced wasn’t alone in building out the security layer for their financial product:
So we at Balanced raised $2 million and $1 million of it went just to build our security, data compliance, security, privacy… So it turns out, companies are basically building these DIY solutions, just to go to market. So they have to build a secondary company inside of their own company.
Inspired by the demand for Balanced’s security engine, Abdelkader teamed up with Marshall Jones, the VP of Engineering at Balanced, to start Very Good Security in 2015.
The name Very Good Security is a nod to Pretty Good Privacy, a cryptographic encryption program for data communication.
VGS’ thesis was that they could build a productized version of Balanced’s security engine. Then, customers could use that engine instead of building out their own expensive security and compliance layers.
While the first word of “security and compliance” describes VGS’s product, it’s actually the compliance aspect that makes VGS most attractive for companies.
Companies are required to have Payment Card Industry Data Security Standard (PCI DSS) compliance when handling card data from Visa, Mastercard, Discover, American Express, or JCB International - pretty much every fintech company out there.
PCI-DSS compliance focuses on three main components: collecting payment data from customers, storing payment data, and validating that access/security controls are in place. It’s a pain to achieve compliance - depending on the payment volume, audits range from 1-8 months with quarterly network scans to onsite Annual Reports on Compliance (ROC’s) by a Qualified Security Assessor (QSA).
As a result, companies find creative ways around PCI compliance. They can offload to a larger financial company - Stripe abstracts a large part of PCI through Elements and Checkout, and companies like Idemia and Bluemark can build/ship credit or debits card without the fintech or neobank ever touching the card.
The tradeoff? Flexibility, and to some extent, scalability too.
At a certain point, it’s more pragmatic to bring in-house. From there, PCI compliance usually requires hiring on a full-time security professional or paying a vendor like VGS to solve the first two parts of PCI compliance, processing and storing payment information.
With a contact list from interested buyers, Abdelkader quickly added LendUp (now Mission Lane) to its first class of customers. In July 2016, VGS raised a $1.4 million seed round from Slow Ventures, Vertex Ventures, and Graph Ventures.
Product-Market Fit
It took a while for VGS to fully rebuild Balanced’s security features and add on new features to serve customer use-cases. About a year after their seed round, VGS started to poke their heads out.
Marshall Jones, CTO at VGS, started publishing blog posts on Proxies Demystified and the release of their first product, the Proxy Secure Logger.
These posts were quickly followed up by others. The whole team pitched in - Gordon Young (DevOps/SecOps) posted Threat Modeling for Data Protection, Ulyana Falach (HR / Marketing) posted User Management Feature Release, and Stefan Slattery (Marketing) posted PCI Scope Reduction: Understanding the Process.
In July 2018, VGS passed their PCI-DSS 3.2 compliance audit. The milestone marked the maturing of VGS’s product - they could finally effectively sell their product to a broader class of fintech companies.
In August 2018, VGS announced their $8.5m Series A, led by Andreessen Horowitz. The closing remarks from Abdelkader was, “I’m selling trust.”
With VGS out of stealth, product development accelerated.
Beyond just financial data, VGS improved their tokenization API to work on personally identifiable information (PII) and even health records. They also partnered with third parties to create integrations for developers. For example, their Netlify plugin allows users to create secure forms directly from the Netlify dashboard to safely collect and store sensitive user data.
Instead of traditional cash-burning marketing techniques, the company has spent time and effort focusing on the “how”. VGS’ content delves into technical security details, changes in product offerings, and staff updates.
For example, in November 2018, VGS published a piece titled, "How to Avoid Using Components with Known Vulnerabilities”. And in May 2019, VGS launched their Compliance Academy, a series of lessons that talk about popular compliance certifications such as PCI, SOC2, GDPR, and CCPA.
These written pieces established trust and authority within the security space.
In April 2019, VGS coined an ingenious term that further cemented their brand - “zero data”. The introduction of their Zero Data mission was accompanied by a special promotional video and quote from Brex’s CEO:
The Zero Data concept is the reason we became your customer. The idea of reducing compliance scope, and not having to directly hold sensitive data really aligns with our philosophy.
- Henrique Dubugras, Brex CEO
Zero Data was an inflection point.
In October 2019, VGS raised a $35 million Series B led by Goldman Sachs’ Growth Equity.
Growth
In early 2020, Visa took note of Very Good Security’s work with companies like Petal and Brex. Shortly thereafter, they invested a large, undisclosed amount.
Once again, VGS’s thought leadership and branding building was paying dividends.
VGS’ ‘Zero Data’ platform is an example of this. Companies can reduce the scope of their data security and compliance requirements by eliminating the sensitive data in their systems, enabling them to develop innovative ways to pay without compromising security or functionality.
- Kevin Jacques, Vice President, Visa Ventures
By mid-2020, Amazon joined Visa in issuing a vote of confidence. They assigned Select Technology Partner status to VGS.
Taking brand-building a step further, VGS threw its weight behind development and promotion of the Open Finance Data Security Standard. This new standard aims to raise the bar for data security in finance. Regulators and the industry at large simply haven’t kept pace with rapidly changing tech.
And VGS isn’t pulling any punches. VGS’s blog includes outspoken critiques of how government agencies and the tech industry are falling short of the high mark consumers deserve.
At this point, VGS really started to accelerate. They 10x’ed data under management in just a year while doubling customer count. Beyond just startups, VGS was now serving banks like Texas Capital Bank (NASDAQ: TCBI).
Vertex Ventures led VGS’s $60 million Series C in December 2020.
Throughout its history, VGS was relatively soft-spoken. They’d written a lot about industry standards and general educational topics - yet, very little information about the company had surfaced came out. That would change in 2021 and 2022.
In quick succession, Abdelkader appeared on multiple podcast (full list in footnotes) and authored a Forbes piece titled, “Data Security's Secret: Data As An Asset”.
Expansion
Rapidly expanding companies test their leaders’ adaptability. Leaders ideal for the early vision-and-grind eras are often less excited about the rapid scaling stage. Many don’t know when to let go of the reins.
Not Abdelkader.
In a thoughtful November 2022 announcement, he revealed that he’d be taking a step back:
My wonderful wife put it best: We built the ship; I played a small part in being the tugboat captain to navigate the ship out of the internal waterways, but it requires different skill sets to navigate the ship across the Pacific.
Mahmoud Abdelkader
Chuck Yu (formerly of Visa and Drivewealth) stepped up in April 2023 to fill the talent gap at CEO. He’s joined by a power team of recent hires and promotions:
Stefan Slattery, promoted internally to Head of Growth Marketing
Ashuvinder Ahuja, (formerly of Avo Automation) joining as Director of Sales
Ashwani Wason, (formerly of Citrix and Opengov Inc) joining as Executive SVP of Engineering
Clarke Mitzner (Formerly of Illusive and Tanium) joining as Director, Global Sales Development & Enablement
Ian MacDonald, (Formerly of Regora and Touchplan) joining as Director of Revenue Operations
The list goes on. However, it’s clear from their investment into expert leadership that VGS is beefing up its growth and engineering capabilities.
Final Thoughts
By recognizing and seizing the opportunity they found within Balanced, Abdelkader and Jones created an exceptional data security platform.
VGS’ reputation is stellar. Equally impressive to their PMF and business success - has been their vigilant focus on data security, a flawless track record (0 breaches), and their ability to remove so many regulatory and compliance hurdles for their customers.
Footnotes
[0] Podcast appearances by Abdelkader
March 2021 - https://alejandrocremades.com/mahmoud-abdelkader/
October 2021 - https://codestory.co/podcast/bonus-mahmoud-abdelkader-very-good-security-vgs/
January 2022 - https://www.audacy.com/podcasts/breakfast-leadership-show-66688/interview-with-mahmoud-abdelkader-1186967236
March 2022 - https://www.youtube.com/live/IwuADkf_Z-o