As startups, entrepreneurs may find it difficult to set aside business development to focus on security.
In this episode, Sabrina Serafin interviews Christina Cacioppo, Founder and CEO of Vanta, a SaaS solution that recently raised $50 Million in Series A funding. With her experience in early-stage venture capital and technology startups, Christina discusses the importance of establishing a security and compliance mindset and how it can fuel business growth.
Listen now using the player below or download for later. (If you cannot see the player, please accept our Privacy Policy below and refresh).
Culture of Compliance™ was named #1 in “Top 25 Regulatory Compliance Podcasts You Must Follow in 2020” by Feedspot and named one of the “20 Best compliance Podcasts of 2021” by Threat.Technology.
Follow Culture of Compliance on iTunes, Google Podcasts, Spotify or wherever you listen to podcasts.
Culture of Compliance | Security as a Founding Principle
This transcript was assembled by hand and may contain some errors.
It has been edited for readability.
Sabrina Serafin Welcome to Frazier & Deeter’s Culture of Compliance podcast series where we discuss compliance as a competitive advantage in today’s marketplace. I’m Sabrina Serafin, Partner and National Leader of Frazier & Deeter’s Process, Risk & Governance Practice.
Today, we’re talking to Christina Cacioppo, Founder and CEO of Vanta, a continuous security monitoring solution that helps internet companies simplify the process of complying with security certification requirements. Christina, welcome to the podcast.
Christina Cacioppo Thank you so much for having me.
Sabrina Christina, I was very interested to hear about your background. I understand you started your career in early-stage venture capital, then moved to product management for a software as a service company with both experiences inspiring you to found your current company; it’s an interesting trajectory that I wanted to explore. First, can you share some of your observations from the VC perspective? What did you see as security related issues with companies that were investment targets?
Christina Absolutely. As you mentioned, I started my career at an early-stage venture capital firm in New York City. We invested in Seed Series A, a level kind of somewhere between, I don’t know, two and 20 or 30 person companies so early on. One of the things we saw was security was certainly important, it was something people were aware of and thought through, but it was also often something that was hard for them to prioritize working on.
Right, because when you’re in early stages of starting a business or in the later stages of operating a business, there’s just a lot going on. You have increasing amounts of whether from sales or customers or employees and all of these things, and security was often something that people would tell us was important. They did think about they did absolutely care about. But when they sort of got into work in the morning and looked at their priority list, it was really hard to put security on the top of the list.
So, kind of a consequence of that is they’ll often be focused on things that immediately grew the business. So, maybe for the product-based company, new features that attracted new customers or help them retain existing customers or if they’re growing quickly, it’s like, how do we find and retain talented employees to help scale managing risk, again, with something people said was very important? I think they believed it was very important, but was just hard in that stack rank of, “How should I spend my Tuesday.”
It’s really hard to say, “I’m going to pause on hiring, I’m going to pause on new future development, I’m going to take a step back and really think about the risk facing the company, particularly security risk or technical risk.”
That was just very clear in it, people understood the tradeoff. They cared, they knew about it, but they keep making this trade off. So, we definitely saw that and then I think some of the light bulb moment or something else that we thought was really interesting was every once in a while, a company would come in and they actually had a very good understanding of their security posture and risk facing the company and started to mitigate or accept or control for some of those.
And they were just like, “How did you pull this off?” Kind of in the idea of, “Hey, if we can get you to pull it off, can others pull it off?” And broadly, what we saw was these folks had thought through their risks and thought about their security posture because of a sales deal or a customer in the process of selling to a larger customer, the larger customer or prospect kind of went back and said, “Hey, we’re only going to buy your software, we’re only going to give you data if you can prove to us you’re actually secure.” That then turned security into sort of a sales accelerant and a way to grow. That was really interesting, you’re like, “Oh, this is a way that fast-growing companies that mean really well are actually able to prioritize this actually really important thing.”
Sabrina Great perspective. So then when you moved into product management with a software company, how did that influence your perspective?
Christina Yeah, so this is a different take. I worked at a company that had a bunch of security certifications, a mature security program and compliance program, and it had figured that out over a few years of going to market and finding, “Hey, we can’t sell to this segment of customers without the certification, so let’s go prioritize it.” So, that was sort of the company wide setup. I was working on a brand-new product that came in through an acquisition, so I was totally separate from everything else.
And in the beginning, we thought, “Hey, this is great. We’re the startup within a startup, we don’t have to deal with all this big company nonsense aren’t we so cool?” And then reality hit, and what we found was, “Hey, we are still part of this company and we need to meet their security and compliance bar ranks under the same umbrella.” But we don’t get to benefit from all the resources they figured out. We sort of have to either figure it out on our own and figure it out at this very high standard, or we can migrate and have the broader company take care of it, but then we’re sort of giving up our cool kid status. So, it was this like very clear trade off, I think, in sort of how to proceed or what path is best.
I think the part, backing up a moment, that wasn’t trade off, it was an easy one, was, “Well, do we need to go through and do the security and compliance pieces?” And that was a no brainer, absolutely. If we want to take this new product to market, we need to meet the expectations that customers and prospects have of the larger company, we’ve got to do this stuff. Then, it just becomes a question of, “how do we best do it?”
Sabrina One of the topics we discussed before the podcast was a subject close to my heart, and that is the view of the space between security and compliance. Can you talk about that for a minute?
Christina Yeah, I think compliance often gets a bad reputation. I think at its worst, it’s work about work, it’s bookkeeping, it doesn’t actually do anything. It’s checking the silly boxes for kind of silly people. The view we sort of came to was not at all that, compliance is about proving the security you have and proving it to a credible, trusted third party.
So, as part and parcel of that, you should not be proving things you don’t have, right? If you don’t think you have enough that leads on the security side, how can you improve your security posture and get to a place where you feel proud to show it off. And then compliance, we can get that translation and that showing off of, “Hey, here’s all the things we do. Here’s how we’re aware of the data we store, how it that should be protected, the safeguards we have in place.” At Vanta, we think about it as two parts of the same whole. So, being secure, having that security and then demonstrating that and articulating that and communicating that to others. But again, not at all communicating valuable things and things you have, not things you don’t have.
Sabrina Thank you for that. As someone who works with a high number of smaller companies in terms of headcount, do you have any observations about culture in the smaller environments and security?
Christina Yeah, one thing we found and honestly, it’s been surprising. Predominantly, we work with generally smaller organizations, couple hundred employees and down to the proverbial two founders on a couch but literally like just getting off the ground. One thing we found that embedding security early, maybe it’s the two founders on the couch stage, maybe it’s five or 10 employees stage, just kind of make everything else easier because it becomes a part of what the company does and what the company cares about.
Then, when you hire your next employee, they come into the company and you’re like, “Hey, we care about security, here’s the ways that manifests itself.” From making sure there’s 2FA on your emails to here’s our cloud infrastructure safeguards to here is a security training, whatever it is, and the new employees like, “Oh, great. guess that’s the thing this company does, sign me up.” Versus the change management. I saw this in a prior job, when you have 1000 employees and then you go to them and you’re like, “Hey, we’re going to put 2FA on emails. We’re going to change how cloud access is provisioned, we’re going to put everyone through security training.”
You get a lot of, “Why do we have to do this, I’m smarter, I don’t need your training.” You get a lot of pushback versus taking it in early and it just becomes a thing you do and People kind of go along with it. So, all of us say as we’ve worked with small companies, it ends up being remarkably easier, both initially and to implement things. They’re just getting five people on board, ten people on board. And then, over time, when you’re a multiple hundred-person company it’s just the thing the company does, and so you don’t go through these rough change management haggling, “Oh, only these people do security training this year, and everyone next year.” Just these discussions that I think everyone has better things to do, for the most part, tended to haggle over that sort of thing.
Sabrina That’s a good point. Besides security, where else would you see there being challenges in the smaller organizations when one of the main challenges can often be funding?
Christina Funding is a big part, also customers. This is one of the reasons we started with small companies, actually, is to a small company, a compliance standard often opens up a new market to them. And there’s often, “It’s a small company, who trusts them?” No one does, not because they’re untrustworthy people, just because they’re five people on a couch. You really want to send all your customer data to five people on a couch?
So, there’s this bigger trust gap with them and consequently having this sign off of a rigorous auditor on, “Hey, you met the SOC 2 standard, you met the ISO 2701 standards,” you’ve met whatever it is ends up being really valuable in the trust gap and it actually opens up new customers for them. So, there’s this whole kind of group of customers who normally wouldn’t talk to a five-person company, again, don’t know what’s going on over there and would take us a lot of effort to go figure it out, we can go buy from somebody else. But, if the five-person company can come to the table and say, “Hey, rigorous auditor, these standards, happy to talk through any part of the control environment.” It actually ends up being this kind of growth factor for them, this way to, again, expand their market as customers and add new revenue in a really meaningful way. I think that’s substantially different than how compliance historically has been thought of as a necessary evil, cost center, we have to do, but sort of no upside. Again, for these small companies it’s all new market, a new revenue.
Sabrina That’s a great point and, obviously, our tagline turning compliance requirements into investments in your business supports that. I’d love to hear more about the trust gap and how you discuss that with your current customers, how do you explain the importance of narrowing that gap?
Christina Yeah, it’s interesting. We don’t have to explain the existence of the gap, they live it. In a way that people if, again, they’ll try to sell to someone larger and someone larger will look them up and be like, “Come back when you’re more mature.” So, they live that part, the part that we spend time talking through, “How can you close it?” We all know it exists, and so what is the fastest, most efficient, best way to truly close it? Not, fake close it, paper over etc. And so, that’s where we end up often talking about specific compliance standards.
To something like a SOC 2 is where Vanta started, and we started there because that just seemed to be the first thing that companies were asked for and the first thing they provided. Seemed like a good place to start. And I think it’s been borne out so now, I think it’s probably the standard ways to be like, “Oh, might a SOC 2 work for your business?” and you’re like, “Hey, you can talk to people who have similar businesses for whom it worked, you can talk to people who have similar businesses that made a different decision.” But sort of that social proof piece, it’s really helpful.
Also, we honestly just encourage these companies to talk to your buyers, go back to the person who said no, and say, “Hey, if we got a SOC 2 would you want to engage more?” Because that’s ultimately what matters, and so having those conversations and prompting people to have those is both easy, I think it is the best answer. Then, they hear, “Oh, we had a conversation, and we got a SOC 2.” Its tremendous motivator to go through the process in a standardized way.
Sabrina Thank you for that, Christina. As we close out, any thoughts that you’d like to share with particularly our audience members with smaller organizations who really are trying to do more than just “paper over” their compliance requirements?
Christina Absolutely. I think, again, small company, it might feel like it’s hard to prioritize something like this. There’s a lot going on, there’s a lot of really trying to grow and prove out your business. I guess what I’d say for those folks, if you do get the sense that your prospects and your buyers and your customers would be more willing to buy with some sort of rigorous security proof, whether that’s a compliance audit or which one it is, encourage the early investment. Again, the time and prioritization trade-off is hard but it will actually never get easier. Your company will get bigger, there’ll be more people, but you will also be doing more things, and as you have more people these processes just get longer and there’s more people that get in line and manage expectations around. So, if this is something that you feel like might be interesting or good for your business to prioritize, I just really encourage you to kind of think through that because it might get more valuable in the future, but it will certainly get more difficult to do in the future. So, if you can knock it out or knock out the first one and sort of build that culture today, I think it’ll set you up very well for the longer term.
Sabrina Great advice, and sooner rather than later is the best answer to that. Christina, thank you for being with us today and sharing your views about security and compliance.
Christina Thank you so much for having me, this was a treat.
Sabrina And to our audience, thank you for listening to Frazier & Deeter’s Culture of Compliance podcast. Please join us for our next episode as we continue to discuss transforming compliance requirements into investments in your business.