Jan-Erik Asplund
Background
Christina Cacioppo is co-founder and CEO of Vanta. We talked to Christina to learn more about the trend of startups helping companies acquire certifications like SOC 2, how they're thinking about automating away the manual, time-consuming processes involved on the back-end, and how these kinds of businesses cooperate and co-exist with auditors.
Questions
- Can you start off by talking a little about Vanta and the problem you're solving?
- Can you talk a little about why compliance emerged as an interesting-enough subject for you to start a company around?
- You said your thesis has been validated faster than you expected. How do you think about why that happened—is the PLG motion a big part of it?
- Carta positioned themselves as helping lawyers rather than replacing them. Are you seeing anything like that emerge in the compliance space with auditors?
- How do you think about expanding from SOC 2 to all these other kinds of certifications?
- What is the recurring value that customers of Vanta get that justifies the recurring SaaS business model?
- How did this process of getting compliance certification work before Vanta?
- On the flip side, how does the process of getting these compliance certifications change with Vanta?
Interview
Can you start off by talking a little about Vanta and the problem you're solving?
We started Vanta in 2018, and we have helped companies do two things: get secure, and then prove that security through compliance certifications like SOC 2, ISO 27001, and GDPR.
The biggest pushback I got from investors early on was that this was a small market and no startups get these certifications. Empirically, this was true at the time. The vision I was pitching was that more and more startups were going to get these kinds of certifications, and Vanta was going to be a part of that.
That part of the thesis has panned out faster than we even expected.
Can you talk a little about why compliance emerged as an interesting-enough subject for you to start a company around?
Around late 2016 and early 2017, cybersecurity was starting to be this massive sector, but if you walked around startup offices, none of them were using any cybersecurity products.
Hanging out in the offices of friends with startups in San Francisco, I started realizing the core problem was that people didn’t know what was good enough. Also, there was a little bit of that early startup attitude, like: "Look. My job is to get product-market fit. If I don't get customers, my company shuts down. I go home. It's not really clear to me that doing all the security stuff helps, because no one's really asking me for that.”
You have these conversations, and you realize people care about the security of their company and product, but it’s hard to prioritize actively tackling it.
Then I walked into Figma’s office, and they were just doing all of this security stuff. There were maybe 30 people there at the time, and I remember asking why they were doing all of this. Their answer was, "Oh, we just closed a deal with a big tech company. It's really small, but we're really excited about it, and in order to get them to sign, they asked us 9 million security questions. We wanted to say yes to all their questions, so we went and did everything we needed to do.”
That showed me you could have this incentive alignment where in order to grow you need to be secure. That's how I got to compliance as a space -because compliance certifications like SOC 2 offer companies of any size a common language to compare and talk about security.
Then, I spent a few months talking to people about compliance, and what I learned was that the closest thing to what we have with Vanta today is this category of tools called GRC tools: governance, risk, and compliance.
These GRC tools are basically spreadsheets in the browser. You can map the things you're supposed to be doing to one another in a way that's helpful, but it's just a spreadsheet. It doesn't actually do anything. It just helps you keep track of things.
We looked at that and said, well, if you want to make sure every employee has two-factor authentication on their email, you have to go do that separately. We thought, "Why can't we do that?"
We talked to people, and they told us you can't build a tool for SOC 2, because SOC 2 couldn’t be standardized—that each report was so specific and unique.
Then you read the reports, and you realize that they’re different, but they're also not. Every one asks if you have two-factor on the important things, data encryption at rest for the database, and so on. There’s a bunch of commonalities. Etsy and Dropbox are very different businesses, but should they have vastly different security practices? Not really.
One of the first things we did was standardize what we would need to do to get a SOC 2 certification, and that helped us write code against it and build a product around it. No one had done that before.
If you're in a services business, and your service is consulting, you don't think things can be standardized. That's not your world. But if you come at it from a software mindset, you're like, "Well, if I want to make this faster, easier, cheaper, more widespread, I've got to standardize." So how do you make that work? It's a very different way of approaching the problem.
You said your thesis has been validated faster than you expected. How do you think about why that happened—is the PLG motion a big part of it?
There's very much a PLG component here. If you have a few people at Google using your tool, you want to be able to approach Google IT and say, "Hey, here's this compliance certification.” That’s really helped the startups with explicit enterprise sales go-to-markets because they could have those conversations earlier.
Another part of it was Vanta dropping the cost of getting these compliance certifications. When I say cost, I mean money but mostly time. Typically, startups who got one of these certifications would hire a consultant who would spend tons of time and charge tens of thousands of dollars to "get them ready".
Then they would hire an auditor, who would also be tens of thousands of dollars and all these hours.
What happened after we launched Vanta and dropped that cost was that more startups started doing it. The expectation became that more startups would do it. Startups were like, "Well, now my competitor did it. So I had to do it."
Carta positioned themselves as helping lawyers rather than replacing them. Are you seeing anything like that emerge in the compliance space with auditors?
In the early days, Carta couldn't give 409A valuations, so they partnered with outside accounting firms to do that.
Vanta is similar. We can build software that helps someone through an audit. Our software helps an auditor do their work, but we are not auditing the company. We can't. This is per auditor guidelines that say, you can't audit your own work. Running software counts as your own work. We are not an audit firm. We will never be an audit firm. However, we work very closely with some accountants and audit firms.
These audit firms historically wouldn't work with startups. Their bills would be like $50 to $100K, and a startup would be like, "Well, we're not going to pay that. We’ll figure out a way to grow without a SOC 2 report.”
Vanta came along, and then these startups were actually much better prepared for these audits. The auditor could treat them more like a big customer that had an internal team that knew what was going on. Then there was downward pricing pressure, because so much could be done inside the software.
We've iterated through a few models since we've been at the forefront here and figured this out. Today, we work with this set of very tech-forward, process-based auditors who understand that their ACV might be lower, and they might be charging less, but that they can do Vanta audits so much faster. We’re seeing auditors embrace this lower price, higher quantity kind of revenue growth.
How do you think about expanding from SOC 2 to all these other kinds of certifications?
One of the original hypotheses of the company was that when you looked at startups, they got none of these certifications.
If you looked at big tech companies like Slack or Okta, they had lots of these badges on their website, but it seemed pretty clear that you get one first, and then you wait as long as possible because these things are terrible to get and can be distracting.
What technology fundamentally does here is just make it all happen faster. We went to market with just SOC 2 because we had to start somewhere focused and do that one thing well. The plan was always that people would want more of these, and the core technology is very similar. The core of the product is just taking configuration information, taking company practices, testing them, seeing what's in place and what's not, and comparing it to a given compliance standard—that's pretty easy.
There is a lot of overlap in the actual security work required to obtain each standard, but they all look different structurally. Vanta helps startups obtain more standards, with less effort, by doing this mapping in the background. We spent the first half of 2021 taking our SOC 2 MVP and making it a more general platform where you're, "You want to SOC 2? Cool. You want a GDPR? Cool. You want to XYZ? We can do that."
What is the recurring value that customers of Vanta get that justifies the recurring SaaS business model?
One point here is that these certifications need to be renewed. Fundamentally, the certification is a PDF, and the auditors are smart. They put dates on them. They'll say, "This report is valid from April 14th, 2021, to April 13th, 2022.” You can send out an old PDF, but no one wants to do that when they’re trying to sell to Okta or Google. It’s not a good look.
The other bit is that while the certification is certainly a helpful part of Vanta, it's the tip of a spear. The long-term value is having insight into the security practices of your organization and knowing, "Hey, I just onboarded 14 people, and 5 of them haven't set up two-factor authentication in their email. Let's go make sure they do that." Similar to compliance certs, we’re seeing economic incentives develop around showing this type of real-time validation. We just launched Trust Reports which allows customers to proactively share a real-time look at their security posture, along with commonly requested documentation. These have already become a wildly popular and useful feature for customers who are used to filling out lengthy security questionnaires or have not yet gotten their SOC 2.
How did this process of getting compliance certification work before Vanta?
Pre-Vanta, a company would decide they want a SOC 2 report, and they’d Google what that entails, and they’d find this 80 page PDF filled with what are called controls: every employee has two-factor on their email account, all databases are encrypted at rest, we always use TLS on our website, public websites, whatever. You have 80 or 100 of these things.
The report itself is an auditor saying, "I checked, and yes, every employee at Rocketship Inc has two-factor on their account. I checked that every database is encrypted at rest. I checked by looking at AWS on this date, and I saw it was true.”
This is a long research project—longer than I think it needed to be. You can probably tell. You literally invite an auditor into your office and they ask you to prove that you have TLS on your website. While sitting in front of them, you go to http://vanta.com and you show them that it redirects. They're like, "Ah, yes, it redirects. I understand. Thank you.”
To check on two-factor, they go pick three employees in your office, and —not kidding—tap them on their shoulder and ask them to log out and back into their email.
Then the auditor would go back with their notes and their screenshots and all this and write the 80 page report. Then you'd have a SOC 2 report. Then you get to rinse and repeat and do it next year.
You can imagine it’s hard for a small startup to figure out what's going on, how to talk to an auditor, what your controls should be, what your rules should be, and so on.
On the flip side, how does the process of getting these compliance certifications change with Vanta?
The Vanta world is like, "Okay. Here are the best practices listed out for you. You can change stuff on the edges, but these will work for you.” As an organization matures, they develop more preferences and want more customization. Totally legit.
Anyway, you have the list, and then we're just checking things automatically: Does everybody have two-factor on? Well, why don't we just go ask the G-suite APIs? We can return you a list of who does and who doesn't.
What the company ends up getting is dashboards around all the practices and what's in place and what's not. They know what they're working on and there are instructions for how to fix stuff.
The auditor in Vanta gets a different view of that data, but it’s the same data, and it's more mapped to the compliance language. “You want information on two-factor? Here's hourly information on every employee in the company for the last six months. We can give it all to you. Here’s how we generated that information so you can be confident."
For a smaller company that's not doing a lot of customization, it’s more prescriptive, but a lot faster. For the auditor, it’s a much higher level of assurance.
Disclaimers
This transcript is for information purposes only and does not constitute advice of any type or trade recommendation and should not form the basis of any investment decision. Sacra accepts no liability for the transcript or for any errors, omissions or inaccuracies in respect of it. The views of the experts expressed in the transcript are those of the experts and they are not endorsed by, nor do they represent the opinion of Sacra. Sacra reserves all copyright, intellectual property rights in the transcript. Any modification, copying, displaying, distributing, transmitting, publishing, licensing, creating derivative works from, or selling any transcript is strictly prohibited.
