What motivated Vanta to focus on compliance as a market opportunity?
Christina Cacioppo
Co-founder & CEO at Vanta
Around late 2016 and early 2017, cybersecurity was starting to be this massive sector, but if you walked around startup offices, none of them were using any cybersecurity products.
Hanging out in the offices of friends with startups in San Francisco, I started realizing the core problem was that people didn't know what was good enough. Also, there was a little bit of that early startup attitude, like: "Look. My job is to get product-market fit. If I don't get customers, my company shuts down. I go home. It's not really clear to me that doing all the security stuff helps, because no one's really asking me for that."
You have these conversations, and you realize people care about the security of their company and product, but it’s hard to prioritize actively tackling it.
Then I walked into Figma's office, and they were just doing all of this security stuff. There were maybe 30 people there at the time, and I remember asking why they were doing all of this. Their answer was, "Oh, we just closed a deal with a big tech company. It's really small, but we're really excited about it, and in order to get them to sign, they asked us 9 million security questions. We wanted to say yes to all their questions, so we went and did everything we needed to do."
That showed me you could have this incentive alignment where in order to grow you need to be secure. That's how I got to compliance as a space, because compliance certifications like SOC 2 offer companies of any size a common language to compare and talk about security.
Then, I spent a few months talking to people about compliance, and what I learned was that the closest thing to what we have with Vanta today is this category of tools called GRC tools: governance, risk, and compliance.
These GRC tools are basically spreadsheets in the browser. You can map the things you're supposed to be doing to one another in a way that's helpful, but it's just a spreadsheet. It doesn't actually do anything. It just helps you keep track of things.
We looked at that and said, well, if you want to make sure every employee has two-factor authentication on their email, you have to go do that separately. We thought, "Why can't we do that?"
We talked to people, and they told us you can't build a tool for SOC 2, because SOC 2 couldn't be standardized: each report was so specific and unique.
Then you read the reports, and you realize that they’re different, but they're also not. Every one asks if you have two-factor on the important things, data encryption at rest for the database, and so on. There’s a bunch of commonalities. Etsy and Dropbox are very different businesses, but should they have vastly different security practices? Not really.
One of the first things we did was standardize what we would need to do to get a SOC 2 certification, and that helped us write code against it and build a product around it. No one had done that before.
If you're in a services business, and your service is consulting, you don't think things can be standardized. That's not your world. But if you come at it from a software mindset, you're like, "Well, if I want to make this faster, easier, cheaper, more widespread, I've got to standardize." So how do you make that work? It's a very different way of approaching the problem.