Breeze Through SOC 2 Compliance, with Vanta CEO Christina Cacioppo

In this podcast, WorkOS CEO Michael Grinich and Vanta CEO Christina Cacioppo cover how businesses can unlock new markets and accelerate deals with SOC 2 compliance. They also talk about bug bounties, security practices, and enterprise sales.

Transcript

Michael:
Welcome to Crossing the Enterprise Chasm, a podcast about software startups and their journey moving up market to serving enterprise customers. I'm your host, Michael Grinich. I'm the founder of WorkOS, which is a platform that helps developers quickly ship common enterprise features like single sign-on. On this podcast, you'll hear directly from founders, product leaders and early stage operators who have navigated building great products for enterprise customers. In every episode, you'll find strategies, tactics, and real-world advice for ways to make your app enterprise ready and take your business to the next level.

Michael:
Today I'm joined by Christina Cacioppo, the co-founder and CEO of Vanta. For those of you unfamiliar, Vanta provides a software solution to companies looking to really achieve security and compliance certifications such as SOC 2, ISO and HIPAA compliance. If you've never heard of those, or they sound like Greek to you, don't worry, we'll dive into those.

Michael:
Vanta recently announced their Series A financing, which was led by Sequoia, and they've already put some pretty big numbers on the board, working with over a thousand customers today. A fun fact: WorkOS was actually one of those early customers back in the early days. So, I'm super excited to chat with Christina about how Vanta also helps make apps enterprise ready. Christina, welcome to the podcast.

Christina:
Thank you so much for having me. I'm looking forward to this. Excited for this conversation.

Michael:
So, let's just jump right in. Give us a quick update on Vanta, where's the business at today? Where's your team at? Where's the current focus?

Christina:
For sure, so Vanta started about three and a half years ago. We've been in market for almost three years. The team is about 110 folks now, so we've doubled in 2021 so far. Started the year at around 50, 55 people. And then similarly on customers, we've two-and-a-half-x'd our customer base in 2021 so far, and we're shooting for more before the end of the year. 2021 has been kind to us, which we're very grateful for, and a year of a lot of growth overall.

Michael:
Well, let's go back a little bit here. I want you to paint a picture of the enterprise chasm and how SOC 2 fits into that. SOC 2 seems like Vanta's bread and butter from the early days. If you were to explain SOC 2 to somebody not in the tech world, how would you describe it? And why is it so important to enterprise customers?

Christina:
For sure, so SOC 2, I think, is oftentimes Greek. The way I explain it is, it is the default way you as a B2B company show your customers that you have good security practices. So that's its purpose, right. What it actually is, is a 70-page PDF that is written by an auditor. And basically the auditor comes in, looks at your security practices, is rigorous and thorough, writes everything up and gives you this long document. And then again, the idea is like, "Oh, well, because the auditor went through this process, someone else can trust them and so they don't need to vet you as much from a security perspective."

Michael:
So it sounds like there's pieces here, just to be clear. There's Vanta and then the auditor. So Vanta is not an auditor, right?

Christina:
Correct. Yeah, not an auditor, we partner with auditors. In old parlance, which of course I don't like, but in a kind of pre-Vanta world, we were kind of a readiness assessment. Sort of readiness assessment and evidence collection, is how I explain it to people who know the world. Not my favorite frame. But sort of the idea is, with Vanta, you can connect the tools you use. We will kind of check configuration and settings, run tests over them on our end, and so you can get an up-to-date dashboard on both your company's security posture kind of holistically, and then how it maps to a SOC 2, a HIPAA, an ISO, one of these recognized compliance frameworks, so you know where you are, what you need to do and how that's all going to sort of work for a company. And then just the other part, I mentioned Vanta partners with auditors, so auditors can come in and use Vanta and can use the data within the product to go ahead and help them write that 70-page report for you.

Michael:
Got it, got it. So, Vanta is kind of this mega platform working with a lot of different auditors. It doesn't seem like there's a good way to describe that in the security industry, and this kind of leads me to this other question I wanted to ask. So conventionally, it seems like security companies are all built around fear. Fear of being hacked, fear of some intrusion, detecting something like that. That hasn't really been Vanta's posture, not necessarily through your marketing or even how you describe the product. And SOC 2, along with this, has kind of become this go-to certification, which isn't really a fear-based approach. It's something else. Walk me through how you see SOC 2 playing in the industry.

Christina:
Yeah, it was really important in the early days. It's just so many security companies, I think, market and sell either on fear or on like, "Hey, we're really smart and you can't be as smart as us in terms of catching the hackers. So, you should really pay us to do it for you." Which we, as PMs and engineers, sort of found distasteful. The other joke that's not at all a joke about Vanta is that if you want to start a security company, you should think about starting a compliance company. Because the thing we realized about compliance and SOC 2 is, to your point, it's often a purchase driver, it opens up new markets. And so it ends up being this growth accelerant, this driver of revenue, in a way that most security tools just aren't.

Christina:
Most security tools are, again, did you lock all your doors and windows? Did you miss one? Are you too silly to mess that up? You should pay us. And we're really excited actually about sort of riding on the coattails of a SOC 2 or something like that and saying, "Hey small startup, you want to sell to big enterprises. One terrible part of that is the security review. We can help you get through that faster and so your product can compete with enterprise behemoths, right? You don't have to get held back by not having the certification or others."

Michael:
It sounds like SOC 2 opens up this access to the enterprise market and lets you step into it faster, hence us having this conversation. How fast would you say that actually happens? When you get your SOC 2 report, does this accelerate your ability to do it in a week, in a month? If you don't have SOC 2, can you ever get these deals? How should people think about SOC 2 as it unlocks customers or revenue?

Christina:
Great question, and it's changed quickly over the last few years. So when we started three, four years ago, SOC 2 was sort of an accelerant, right. You could probably get through selling to, I don't know, a mid-market or enterprise company, especially a tech one, without it. But it would mean putting the CTO on the phone, answering questionnaires, kind of whiteboarding out your architecture diagram, sort of just doing these things. I think the generous interpretation of them was convincing your buyer you were reasonable and secure, and wouldn't leak their data all over the internet. We could do that, right. There were sort of two paths.

Christina:
I think over the last few years it's been really striking how the requests for SOC 2 have just proliferated, and so now it's often a case where a SOC 2 is sort of the table stakes. Like, "Hey, if you don't have a SOC 2 and another vendor does, or another couple of vendors do, come back when you have one. If you do have one, great. We might actually still do some security vetting afterward." But again, it's sort of gone from being the, I don't know, magic accelerant to just an admission ticket, often, to selling to these larger companies.

Michael:
Funny enough, we picked one vendor over another just because they had SOC 2, and we ourselves, obviously, are SOC 2. It kind of spreads out in the ecosystem like that as a requirement.

Christina:
When you all got SOC 2, I imagine there was some sort of customer requirement or request behind it.

Michael:
Yeah, part of it was that I knew that we were going to need to have it, given we're building infrastructure for companies that, themselves, are going to need to be SOC 2. And so even having it sort of in advance of them coming online. But even from some of the first conversations with bigger companies, they asked about our security posture, and there's no way to avoid that conversation when you're building infrastructure. So, it was really like a day zero requirement for us.

Michael:
I remember when we got our SOC 2, I remember talking to the auditor and I think we had five people in the company. And when we started the process, the auditor was like, "I've never seen a company this small do it." And I was like, "Don't worry, we're going to grow up. Don't worry, and we've got Vanta by our side." What triggers a company to start going through SOC 2? With WorkOS, we did it really early on. If you were to kind of talk to founders, when should they be thinking about this? As soon as possible? Maybe only when a deal happens? What advice would you give?

Christina:
I mean, general advice is like a lot of other startup founder advice, which is let your customer be your guide. And so as you're talking to customers, my actual advice is early on sort of preempt some of this and ask them about security review. I think this can sound scary to a founder who's sort of like, "Oh, if I don't mention SOC 2 like... Or if I mention it, will they bring it up only because I mentioned it? And I don't want that."

Christina:
I think the lived experience I've seen across our customers is sort of the opposite. Like if they want a SOC 2, they will let you know. And if you say it and they didn't want one, they're not going to ask you to jump through and go do that unnecessarily. But if a founder brings it up early, or a person at a company brings it up early in the sales process, it actually kind of signals maturity and signals that, oh, they've done this before. Right, and so I think the question... I mean, you can't just say, "Hey, will you require a SOC 2?" But I think there's kind of a savvier version of the question, which is, "Hey, we're talking. Let's just say evaluation looks good, can you take me through what procurement looks like?" And like, "Oh, is there a security part of the procurement process?" These questions sound a little savvier, and then you're sort of teeing them up to be like, "Oh, yeah, I am going to hand you off to the security team at the last step for a SOC 2." And you would say like, "Great, thanks so much for the information."

Christina:
Right, but I would encourage startups to ask their customers and prospects early, so they get information about who wants it and how much of a blocker it is. And that's kind of step one, information gathering. And then step two is just the internal prioritization, right? Like at any startup, there's 90,000 things you want to build at any one point in time, and SOC 2 does take engineering time. And so it's just trading that off internally against all the other things you would like to do.

Michael:
One thing I remember too is, because with SOC 2 there's an observation period, there's kind of this natural time window that you go through. And so if you're talking to prospects and you tell them, "Oh, yeah, we're working on it," that's actually a pretty acceptable answer, because they know there's the time window of needing the evaluation. So, they won't totally balk and run off.

Christina:
If you're using Vanta, we can give you reports and letters and kind of sales collateral, broadly defined, in ways where you can sort of show your prospect, "Hey, we're working on it." And we actually are, right, we're not just saying that.

Michael:
Where do you see SOC 2 going? It sounds like it's being pushed downstream and, in effect, smaller and smaller companies are requiring it of vendors. Obviously more people are adopting it, great for Vanta providing this as a service. Do you think consumers are going to start requiring SOC 2? I mean, is it going to be that widespread? Where would you imagine this going?

Christina:
That's a good question. It's actually something we talk and think about, and ask people's opinion of all the time internally as we figure out our own roadmap. It has truly been striking how quickly the requirements for SOC 2 have been pushed down and through. And companies, again, even ones that are much smaller than WorkOS, are like, "Hey, we got a SOC 2. It's two founders, now do we only have to use SOC 2 vendors? Right, and we're two founders. Come on." I think that will just continue to happen, and continue to happen out of the technology industry. And so the SOC 2 wave, as it were, I think, will just continue to get bigger.

Christina:
There's a host of other standards too; there's kind of an alphabet soup of other certifications that companies get over time, increasingly earlier in their lifetime now. There are always attempts to make a better SOC 2, for some definition of better. Usually, the definition of better is different checks. I very much understand why those exist. I've thought through them. I think they're tough on product market fit because SOC 2 has incredible product market fit.

Christina:
We might think it's not the best product for various ways it's used, but everyone knows it. It's just the default thing, it's trusted and relied on. And you kind of come up and you say, "Hey, I'm Christina and I want to make the Christina standard. And it's better because it checks these five things SOC 2 doesn't." That's just not a compelling value proposition, right. I mean, if I pitched you on that, you'd be like, "Oh, wait till five people ask me for that. Thank you." And so actually, I think SOC 2 is quite sticky and quite hard to dislodge. For good and bad, but it is something that has incredible product market fit that I think, as other founders, you sort of have to respect.

Michael:
How do you think about the other compliance standards as it relates to that? Talk through, like, ISO 27001 is something we hear about. There's the whole family of ISOs. There's many different variants of that; there's also HIPAA compliance. Do you see those having the same sticking effect? Should founders reach for those sooner, or is it the same advice? How would you advise a founder who's hearing about these from customers?

Christina:
Similar advice. And while Vanta's more eponymous for SOC 2 today, we've never thought of ourselves as a SOC 2 company. Even in the early days, when that was very much our customer-facing marketing, the thinking was always, "Hey, we want to help startups get more secure and then demonstrate that security broadly, but the default way people do that is a SOC 2. So, start there and build."

Christina:
And I think that, coupled with the stay-close-to-your-prospects-and-customers advice, is still probably paramount here. Of the other standards, I think I'd probably divide them into three categories. The first category are industry-specific standards, so something like HIPAA for healthcare or something like PCI for credit card data. Particular industries, whether per law or per sort of industry association, have their own standards. So if you're a founder in one of those markets, you probably know. And if you don't, you're probably not in one of those markets.

Christina:
The second category are different geographies, so the ISO body is a European consortium, so European buyers tend to prefer those. That's often where the requests come from, American centricity. You can often get the European to accept the American SOC 2, where it's a little harder to get the American to accept the European ISO. So we see people getting SOC 2 first, but they serve similar purposes, a little different under the covers. But anyway, different geos. Singapore has one, Australia has one, et cetera, et cetera.

Christina:
And then the third category are things I'd probably call people trying to make a better SOC 2. So these tend to be industry things, the Cloud Security Alliance, those sorts of things. So again, similar purpose, less product market fit. When you look at a larger company, they tend to have them, but these tend to happen a little bit after, because the SOC 2 does get folks pretty far.

Michael:
I believe it's Google who open-sourced their vendor security questionnaire, which unsurprisingly is actually very good. But even with Google's scale and reach, it hasn't had anywhere near the same level of adoption as SOC 2 today. I guess that just goes to show you the power of standards. So, you see a lot of startups going through this in the early days of security. When early stage startups kick off this process around thinking about SOC 2, going through the audit, who's the typical person working on this? Do they build a security team? Do they need to hire a dedicated security person? How do these startups go after securing their product for enterprise customers?

Christina:
Yeah, it's a good question. So, often what we see is... And I'm getting very biased, because we've talked to folks who are considering or use Vanta. But part of the purchase of Vanta is so they can delay hiring a security person, and that's not to say the person isn't needed or valuable. It's actually just to say that it's an extremely difficult hire for a startup, and so anything that allows them to kind of spend more time on it, or not need it yesterday, is helpful. And so consequently, the person tasked will be an engineering leader: CTO, VP Eng, head of engineering, eng manager, kind of those sorts of titles.

Christina:
And often it's also a CEO, but when it's a CEO, it's often quite a technical CEO. Truly someone who can kind of reason through cloud infrastructure configuration and develop points of view there. But, yeah, I mean, the folks we work with, we tend to be their introduction into security and compliance. And so a little bit of Spider-Man, with great power comes great responsibility. We try to teach them along the way so they both get this certification done, and they get that, but they actually start to kind of build some internal knowledge and competence around security and compliance as well.

Michael:
Yeah, it seems like the kind of thing you don't want to fully outsource since you're also day-to-day making the decisions that you need to be secure.

Christina:
Yeah, and I mean, you know this better than I do, right, but a lot of this stuff can have product implications. And so what seems like a totally reasonable decision to a consultant can sort of have semi-disastrous product implications on the inside.

Michael:
Yeah, I've totally seen that too. And if you're making those day-to-day product decisions as a team, there's sort of the internal aspect of security that's sometimes separate from even the certifications, kind of the external side. You need to make sure you have both bases covered, for sure. Where else do you see startups, and maybe also enterprise customers, getting stuck in this compliance and security phase of buying software? We talk about crossing the enterprise chasm, this gap that exists between startups just building product, getting product market fit, and actually landing in the enterprise. Around security, SOC 2 is part of this; where else do you see folks getting stuck?

Christina:
Yeah, so I think it depends who you're selling to, but there'll potentially be other certifications or questions. One thing we start to see more and more is, again, SOC 2 as the admissions ticket, but then some questionnaire of follow-up. And then you go ask about these questionnaires and they sort of run the gamut. Some are security focused and ask generally what's in a SOC 2; some are security focused and ask everyone's favorite questions that they're not sure about, and so those seem a little more like convenience for the internal team. Again, I could read your SOC 2, but everyone's is different. It's just easier to get this in my format.

Christina:
But then we talk to some folks and they're like, "Look, privacy is a big initiative for our company this year, so we're asking all of our vendors about privacy and so we have the separate privacy questionnaire." And so something's sort of adjacent there, so I'll just say a whole host of things. I think probably the flavor of the quarter, half year, is actually privacy, which is what I've been seeing more and more of.

Michael:
Are bug bounties part of that too? Is that something you see in terms of companies requiring or something that if you're a new startup, creating one of these can help you be more secure?

Christina:
It's a good question. Yeah, actually we do see them amongst generally Bay Area, grown-up startups, scale-ups, tech-forward companies, your Dropbox, your Slack, your Robinhood, right. These companies that have very strong engineering teams, very strong security engineering teams, that have sort of grown up again post-Facebook and realized that as much as you can do internally to try to write secure software, it's just exceedingly hard. And so sort of the best second thing you can do, after trying very hard to write secure software internally, is have someone externally poke at it who will just tell you what is wrong, and you can reward them for it with the bug bounty. But, yeah, we see that particularly amongst Bay Area strong engineering companies.

Michael:
It seems like inviting the gray hat hacker to poke at your system, and maybe they get a reward out of it, is a good way to get some real-world testing.

Christina:
Totally, totally, and we recommend them to customers with a caveat. And the caveat is, if you stand up one of these things and get vulnerabilities and don't fix them, that is even worse than a bad look. You're just inviting kind of catechism on some level. And so if you want to stand one of these up, just make sure you and your team can triage appropriately, respond, fix, pay out, et cetera. Just putting the logo up or just putting the form up, and not answering it, is really a recipe for unpleasantness all around.

Michael:
Yeah, that sounds really dangerous. Like you're provably incompetent then at that point, which is not good. Christina, last question before we wrap up. So other than SOC 2 and other than these compliance certifications, for early stage founders going through this process of moving up market, if you were advising them on the most important aspects of becoming enterprise ready, what would it be? What have you seen companies do to actually crack through this as they move up market and cross the enterprise chasm?

Christina:
Oh, it's a great question. Okay, so in terms of a go-to-market motion, some companies hire enterprise AEs that come with Rolodexes, or people they've sold to, and are sort of the type of salesperson who gets really excited about navigating an org chart and puppeteering different people they've never met to make decisions. Totally a type of person, and it's actually very impressive. It's very much not me. I've also seen other companies basically have PMs, or founders, or engineers as salespeople, who are, of course, worse at the tactics of sales or navigating an org chart, but get really high resolution product feedback from an enterprise buyer.

Christina:
And so it is interesting. You can't actually race two companies and run the natural experiment, but I actually think I would probably bet on the PM or engineer sales, and that they will sort of inherit it. They will start out much slower, they will have to relearn a lot of what is sales, or this like, "Oh, you send a contract. Oh, and then you have to nag people to sign it, but that's fine, right." They'll have to do a bunch of that sort of JV sales stuff and figure it out from first principles. But they will just get, again, infinitely better product feedback that they will be able to translate into specs that get built. And I think ultimately they'll be able to make a product that's just much easier to sell to the enterprise.

Michael:
I think that's some fantastic wisdom. Well, it's definitely what's happened at a lot of these early product-led growth companies, and it's been really successful for them. So, I think that's some pretty sage advice. All right, great. Well, with that, we can wrap up. Christina, thanks so much for joining us. Really appreciate your time.

Christina:
Thank you so much for having me. This was super fun.

Michael:
And we're really excited to see where Vanta grows in the next year. You just listened to Crossing the Enterprise Chasm, a podcast about software startups and their journey moving up market to serving enterprise customers. Want to learn more about becoming enterprise ready? The WorkOS blog is full of tons of articles and guides outlining best practices for adding features like single sign-on, SCIM provisioning and more to your app. Also, make sure to subscribe to this podcast so you're first to hear about new episodes with more founders and product leads of fast-growing startups. I'm Michael Grinich, founder of WorkOS. Thanks so much for listening, and see you next time.