Hey everyone, welcome to this CUBE conversation featuring Vanta. I'm your host, Lisa Martin. Today excited to be joined by Christina Cacioppo, the CEO and founder of Vanta. Christina, thanks so much for joining us today, looking forward to this conversation.

Thank you for having me.

Tell me back in 2018 where you came up with the idea for Vanta. What were some of the things going on in the market that just made it the right time?

Yeah, so back in 2018 to try to take you back there, this was an era where there was a lot of security companies and it was kind of clear that there would be more and more security scrutiny, more regulation, GDPR was about to come into effect. But one thing we noticed was most startups did not actually do a lot for security and they felt they knew they should, they felt badly about it. But when kind of push came to shove, they ended up prioritizing features that customers wanted and that would grow their revenue versus features that maybe might make them more secure and might head off something in the future. And that tradeoff kind of made sense in a lot of ways. And then we found a company that prioritized a bunch of security work, had done a bunch of work at 30 people so relatively early. And what had happened is they had just signed a contract with one of the largest tech companies or it's like one of the top three large tech companies. And as part of that contract and getting that revenue, the large company had sent over a questionnaire and said, hey, small startup, do you have this practice in place? Do you do this? Do you have this policy? Is your cloud infrastructure set up in a certain way? The answer roughly was no, the startup had none of those things in place. But they didn't want to tell their new customer this. And so they said, yes, we do all those things. And then immediately turned around and did them all.
And that was this kind of aha moment of being able to couple compliance or the idea of proving or verifying your security to actually doing it and having security not be something you feel guilty about not doing or risk mitigation for someone's future point, but something that drove revenue for your business in that moment. And to dig deeper, you get to questionnaires, you get to compliance, you get to a lot of work there, but it really informed Vanta and honestly the company's mission, which is secure the internet and protect consumer data. And when we think about that, we think about Vanta. A lot of what we think about is how do we help companies build out their security programs and then get credit for that by showing off all the work they did, demonstrating their security and building trust with their customers.

That trust is currency these days. It's so, it can't be understated the importance. But do you talk about Christina, why SOC2 and other security compliance frameworks are so important for companies to focus on earlier in their journey?

It's been really impressive because again, taking it back to 2018, small companies, and by small I mean under 400 person company would not get SOC2 or come on because it was too hard. It was too onerous. But what we saw was once they kind of, they'd always get stuck in sales. They'd have to do a lot of CTO time and just spend a bunch of effort because they didn't have a SOC2. And what we thought of is like, wow, if there's like an easier way for these companies to get real, valid, high quality SOC2s, everyone would go do this. And that was sort of the thesis underlying Vanta. It's been amazing how quickly that has happened. I think probably at the time, I thought it would be a five year journey turned out to be about 18 months. It was just much faster. But to your question, I think companies knew this is because there's just software is truly eating the world.
But as that happens and as there's more and more data and businesses have more data, there's also more risk and there's more breaches. And it's just very clear that if no company wants to have a breach, right? And if one of your vendors or suppliers breaches your data, like your customer doesn't care if it's somebody else's fault, right? As far as they know, they gave you the data. And SOC2 is just kind of was and has become the sort of industry standard way to say, hey, I follow a bunch of reasonable practices. And not just I'm telling you that, but a rigorous third party came in and checked and said, I do all these things. You don't just have to trust me, right? You can trust this third party where I have baseline reasonable practices at least. I do reasonable things. You can trust me with your customer data, too.

That verification by a third party is probably music to a lot of companies' ears. But I imagine just from a challenge customer challenge perspective, those customers that either weren't on the SOC2 journey or were somehow in it, but it was very convoluted, they're missing revenue generating opportunities by not being able to verify or prove their security practice. Are you finding that most of your target audience customers have started the SOC2 journey or had they just been like, there's so much complexity here and cost, we don't know what to do? Where are they on that?

Yeah. Yeah, it's actually Jenna, it's changing over time. So for the past couple years, it was very much somebody who hadn't gone through the process yet, maybe didn't even know what they needed to do. Just knew there was a ton of work that and they needed the end results, right? So they had to figure it out somehow, but they didn't really know much more about what they had to do. That's still a big portion of the business today, but actually increasingly as the product has matured and gotten ready for more just a kind of larger companies, savvier audiences in various ways.
We now see a lot of companies that have been doing, running these compliance processes or GRC programs in manual spreadsheet, task tracker driven ways, moving over to automation and continuous monitoring. So that's been very heartening to see as well.

Big opportunities there. When you're in customer conversations, Christina, which I imagine you are a lot every week, every month, every quarter, what are some of the major challenges that they articulate to you that they're looking to Vanta to come in and just wipe this off the plate for us?

Yeah, so I think at the first level, often our first touch point is getting an initial certification. It might be a SOC2 for an American company, it might be an ISO 2701 certification for a European company or Asian company, but there's something there of just, hey, I'm trying to take a new product to market, trying to sell to companies that are bigger than I am, because most definitionally, everyone is bigger than you are in the early days. And as part of that, I need to prove my trust and show that I'm trustworthy. And so I need to go get this compliance certification. And that'll mature over time though, right? Because the company is getting more complex, it has new security workflows. Probably often the company they're finding, they get their compliance certification, but there still can be a round of questionnaires where automation can be helpful there. And so the needs kind of stuck, but if I had to bucket them or try to explain them crisply, I think there's a whole group around building out a security program to even what that means and how it changes and matures over time, right? And then getting credit with your customers for all that work. So that's proving your practices, demonstrating trust, again, sort of the external demonstration of all of that internal security work you've been doing.

I'm just curious, in terms of time to value, how, what can prospects expect if they sign up with Vanta to be able to prove to their prospective customers everything is copacetic here? Are we talking months? Are we talking weeks?

Yes, the way we talk about it, and truly think that to bear out is for a company that's called under 20 employees, it's about 40 hours of work all in. And so we've certainly had the canonical two founders who sit down on a couch on Friday night and are done by Monday morning. This is not the standard, right? But many companies will spread the 40 hours over, call it a month or two. And it's kind of, of that, probably 20 hours are technical, you probably want an engineer or someone fluent in engineering to do. The other 20 are more administrative, sort of someone who's kind of a strong project manager, is great to take helm of. But that's kind of the guidance we give for a small and nimble, but like an upstart.

So that time to value is very real for organizations. So we talked about the folks that maybe haven't started on that SOC2 journey. But for startups or any company who may already have SOC2, talk about what Vanta's trust management platform provides to them.

Yeah, it's quite neat. And again, it's just been really gratifying. We've kind of talked about serving these sort of customers for years, but are really, have been upgrading the product so that we can. So what that looks like is often, you know, these customers have security programs, they have compliance programs, they have a set of controls they're used to. What they can now do in Vanta's trust management platform is, you know, we can take that set of controls, we can monitor for it. So they still get all the monitoring, the alerting, the dashboarding, their controls, right, which is just often again, almost revolutionary for a team that's used to working out of spreadsheets or out of a task tracker to have just real time up-to-date information on everything.
So there's that piece, right? But often that team is responsible for more than just, you know, getting a SOC2. They're running quarterly or monthly access reviews. They're continuously evaluating new vendor requests for the company. They're running a vulnerability management program. And so the trust management platform is our way of kind of encompassing all of this work into a single pane of glass for these security and compliance professionals.

Speaking of those security and compliance professionals, what's your favorite customer story, Vanta customer story that really you think shines the spotlight on the value proposition that you're delivering, whether it's a startup that didn't have SOC2 and you help them get there or a furniture company? What do you think is your favorite story to go to?

Yeah, there's about a, this is kind of a quickly growing IT services company. They were probably about 10 people and they started using Vanta. Now I think they're about 250 people today, so we, you know, much larger. And, you know, they get their SOC2, they get their ISO, they always, they don't got their things and are, you know, wait, I think operationally savvy but large across their company. But they recently started using our trust reports and trust reports, you can think of the like real time security monitoring sort of a security status page, right? If you go to status.vanta.com, you see our uptime and it's kind of monitoring. This is monitoring for your security status, which I think is a very core to Vanta. What we're trying to do is get people to build out their security program, show it off. Anyway, so this IT company started was brave enough to like proactively show off their security posture. And what they found is that actually they lead with it in their enterprise sales cycles. It does seem to close deals faster because it is such a strong statement and kind of confidence and trust. All the information is right there. It is all buttoned up.
You have again real time security status of the company available to the customer. There's just so much trust building there that it's really rewarding that it's, you know, not to, you know, just to talk to you or just, you know, I so start but it's really been able to accelerate this company's sales cycles and move them into the enterprise faster than it would be otherwise.

What a great story and that's exactly what companies want is that accelerant. Now, speaking of accelerants, we have to talk about AI. It's the probably the one of the hottest topics of the moment globally. How, Christina, are you thinking about AI and Vanta and leveraging it for your customers to get secure compliant maybe faster?

Yeah, we're very excited about this because I think if you're just going to zoom out a little bit and think about what LLMs, these large language models, are good at, right? It's taking a bunch of information that might be structured and understanding it and putting it in another format. And there's a lot of the compliance process that is that and it tends not to be people's favorite part because it sort of feels like work about work, right? I know this information here. I need to put it in the spreadsheet. I need to put it in a long-term document. I need to, you know, do something like that. So we have some announcements that are coming, but I think are quite exciting around a couple pieces. But a lot of it, a lot of the initial thoughts will be, you know, a person can read an 80 page document and summarize it in language models. You can do both, right? We're not going to, you know, just go into, you know, just trust the language model. But there's some stuff there. There's, again, a bunch of document generation is just a key part of this.
And so, you know, rough drafting there where folks can then edit around the edges, but they don't, you know, they're not responsible for, again, writing a 10 page document to describe their company because that even other founder of it, you know, would not be my favorite activity, certainly.

I can understand that. So take us out, Christina, with your vision for Vanta as it continues to grow and develop. And you've done so much since just 2018. And what is that vision that crystal ball look like?

Yeah, what we're really trying to do writ large, like across the software industry, is have folks think about security and trust and displaying their security in this continuous way, not as point in time checks. So, look, evidently, companies think about security continuously inside the company, right? The security team for operating a continuous way. But when we think about security verification, right, showing off your security to customers or partners, that tends to be point in time. It's annual audits, it's manual spreadsheets, it's once a year, you know, get on the phone and say all the big words in the right way. And so that the customer will trust you. And we're just almost trying to turn that into an engineering process or turn this into a continuous process. So we don't have incidents like Equifax where, right, like everything was kind of done by the book when the auditor came in, but three months later, all bets were off. Our thing is you can get this to be continuous and use the customer pressure and customer demand for trust. You're going to ultimately build a more secure internet.

Definitely, that continuity is critical. Christina, thank you so much for coming on theCUBE. It's been great to hear the Vanta story, really what was behind it, the catalyst, what you're enabling organizations, young organizations, mature organizations to achieve from a security and compliance perspective that really helps them drive revenue with their customers.
We really appreciate you spending the time on theCUBE today.

Thank you. Thanks for having me.

My pleasure. We want to thank you for watching and remind you that you can find all of our CUBE on-demand content on thecube.net, editorialsiliconangle.com. But keep it right here on theCUBE, your leader in hybrid tech event coverage.