Christina Cacioppo, founder and CEO of Vanta, discusses building the future of agentic trust. She clarifies why compliance often feels like a 'vitamin vs painkiller' dynamic for startups and businesses.
The conversation covers the drama behind Vanta's famous 101-billboard campaign and Christina's firm belief that 'market sizing is bullshit.' Listeners will hear about the tension between vibe coding and rigorous security, and how Vanta uses agents to generate UI.
This discussion is vital for understanding the evolving landscape of compliance, the impact of AI on security workflows, and why the most successful founders are relentless truth-seekers in a world full of distractions.
Key takeaways
- Vanta's core strategy is to position compliance as a 'painkiller' for startups, as customers typically demand compliance before security, making it the initial entry point for security adoption.
- Christina Cacioppo's experience launching Dropbox Paper highlighted how a lack of compliance can severely impede product development and market entry, even within a large company.
- Many startups only invest in security when compelled by external factors like enterprise customer questionnaires or audit requirements, revealing a market gap for effective compliance solutions.
- Vanta has scaled to 15,000 customers, achieving over 60% annual growth, with a go-to-market strategy that is entirely sales-driven.
- Vanta offers a guided, "TurboTax-like" compliance experience for small companies new to compliance, helping them establish continuously monitored security programs.
- For larger enterprises, Vanta provides a "Datadog-like" real-time dashboard to monitor existing compliance controls, offering visibility into deviations and audit readiness.
- The platform implements "tests" that function like software unit tests to automatically verify the execution of compliance controls.
- Vanta's compliance product has evolved from extracting common rule elements to using data from 30,000 audits to tailor control recommendations.
- The market, as reflected in stock prices, does not appear to penalize companies for large-scale data breaches, indicating a disconnect between data security incidents and investor valuation.
- As AI agents increasingly write and review code, auditability and accountability demand clear human points of responsibility ("two throats to choke") to ensure traceability, even if agents simulate human interaction.
- LLMs excel at processing unstructured data from various sources (e.g., screenshots, policies, workflows) to prepare for compliance audits, making initial setup much faster.
- Vanta's core defensibility and value proposition lie in its continuous control monitoring, providing real-time observability, alerts, and dashboards that LLMs alone cannot deliver for ongoing compliance maintenance.
- Vanta leverages a unique network effect from anonymized audit data, which is inaccessible to public AI models.
- AI can now automate a high percentage of security questionnaire responses, with GitHub achieving 92% automation using Vanta.
- Companies can leverage AI to delay hiring full-time compliance staff, enabling existing engineering leaders to manage security and compliance, and potentially consolidating various IT, security, and compliance roles into fewer, more unified positions.
- Compliance professionals will transition from operational tasks to strategic roles, focusing on managing risk portfolios and defining policy direction.
- Outbound email sales are losing effectiveness due to the prevalence of AI-generated content, prompting a temporary return to phone calls as a more successful outreach method.
- Vanta's experience showed that traditional market sizing can dramatically underestimate potential, as new solutions can fundamentally expand existing markets.
- Delusion, or the failure to acknowledge and adapt to reality, is a critical anti-pattern leading to founder failure.
- Uncertainty about having product-market fit often indicates its absence, highlighting its foundational importance.
Vanta's origin story and its compliance-focused strategy for startups
Christina Cacioppo founded Vanta in 2018 to assist companies in establishing and verifying their security programs through audits and questionnaires. The company consciously uses the word 'compliance' instead of 'security' on its billboards, signaling a distinct market approach.
This strategy stems from the idea that compliance acts as a 'painkiller' for startups, whereas security is often perceived as a 'vitamin.' Startups don't proactively seek security until a critical event, like a customer demanding a SOC 2 report, makes compliance an urgent necessity. This immediate need becomes the primary buying moment for security-related tools and practices among early-stage companies.
Cacioppo's personal experience at Dropbox significantly informed Vanta's genesis. While launching Dropbox Paper, she observed that the new product lacked the security and compliance certifications required by existing Dropbox contracts. This forced a ten-engineer team to halt feature development for a year and a half to address compliance, highlighting the immense friction it could create.
Later, while researching why startups adopted security measures, she noticed that most either did nothing or implemented robust systems only when driven by enterprise customer demands or security questionnaires. This reinforced the idea that compliance, despite being arduous, offered a substantial benefit by unlocking critical business opportunities, leading her to found Vanta to streamline this process.
If you wanna start a security company for startups, you should actually start a compliance company. 'Cause your customers never ask you for security, but they do ask you for compliance.
Real-World Experience Guides Market Discovery and Vanta's Growth
Founders often uncover significant market opportunities, such as complex problem spaces like SOC 2 compliance, through direct real-world experience rather than early university-stage ideas. While college startup concepts tend to be half-baked, deeper value flows and pressing problems are typically revealed after spending years building products and observing how industries operate. This hands-on engagement is crucial for identifying less obvious but impactful challenges.
Vanta has achieved remarkable scale, now serving 15,000 customers. The company's growth rate has accelerated, maintaining over 60% annually for the past couple of years. This rapid expansion underscores the strong market demand for their solutions.
The company's go-to-market strategy is entirely sales-driven, utilizing a high-touch approach to customer acquisition. Vanta caters to a diverse range of clients, from small startups with just two founders to large Fortune 5 compliance departments, demonstrating broad applicability across various organizational sizes and needs.
You have to kind of spend a while seeing how the value flows in the real world work to discover those big opportunities.
Vanta Customizes Compliance Solutions for Different Company Sizes
Vanta tailors its compliance offerings based on a company's maturity. For new founders or smaller companies, it provides a guided, "TurboTax-like" experience. This approach helps users navigate high-stakes compliance requirements without prior knowledge, ensuring they establish a continuously monitored security program.
For larger, more established companies with existing compliance teams and programs, Vanta shifts to a "Datadog-like" real-time dashboard. This allows enterprises to monitor their compliance controls, which might otherwise live in spreadsheets or Jira, providing real-time visibility, deviation alerts, and potential auto-remediation.
In both scenarios, the core output is a security program that is continuously monitored, ensuring the company is always audit-ready. This approach acknowledges that while early-stage companies need a comprehensive guided setup, later-stage companies often require sophisticated tools to manage and monitor their existing, complex compliance frameworks.
Fundamental compliance principles, such as the separation of duties, where a "doer" and an "approver" are distinct roles for specific tasks, are integrated into these tailored solutions. This highlights that compliance is an ongoing activity that cannot simply be purchased but must be actively performed and monitored.
Upmarket, I switched on talking to engineer, it's like, it's more Datadog for your compliance controls, right?
Vanta's Platform Uses "Unit Tests" to Prove Compliance Controls
Vanta helps startups understand their compliance obligations by providing a tailored list of necessary tasks. Instead of a generic checklist, the platform identifies only the relevant items for a specific company's needs.
To ensure these controls are met, Vanta developed a system of "tests," which are modeled after unit tests in software development. These tests act as automated checks to verify that security practices are being followed.
For example, to enforce a control like requiring separate doers and approvers in code reviews, Vanta's tests can integrate with systems like GitHub or GitLab. They check every pull request to ensure specific fields are completed or certain logical conditions are met.
Ultimately, these "tests" serve as verifiable proofs of control implementation. They form a comprehensive suite of automated checks, much like a battery of unit tests, designed to confirm adherence to compliance rules.
The Drama Behind Vanta's "101 Billboard" Campaign
Vanta's "101 billboard" campaign garnered considerable interest, prompting many startups to ask about it. Vanta then connected these interested startups with the advertising agency they had used for the campaign.
The same agency later offered similar "101 billboard" inventory to other startups. This was not a deliberate act of hijacking but rather the agency applying a successful concept it had previously executed.
The conversation then turns to how Vanta's product simplifies navigating complex compliance rulebooks. The first version of the product extracted the common elements from major platforms such as Salesforce, Slack, and AWS.
Currently, Vanta utilizes data from over 30,000 completed audits to deliver customized controls for companies based on their profile and chosen auditor. The platform also incorporates insights from questionnaires and has a new product to ingest contracts, identifying commitments that should be converted into controls.
So how does the layer work for, you know, the rule book might be a thousand pages long, compiling that rule book into the steps that are actually actionable for me because I am not a farm, and so all the farm parts of the rule book don't apply to me.
Vanta Consolidates Diverse Compliance Frameworks and Monitors Maturity
Vanta processes customer obligations and various compliance frameworks into structured data, moving beyond individual rulebooks. The system prioritizes demonstrating progression and increasing maturity over time, which is a key expectation for maintaining compliance.
Instead of handling frameworks separately, Vanta treats global and industry-specific standards like SOC 2, GDPR, ISO, and emerging AI regulations as unified inputs. This approach streamlines the process for businesses needing to comply with diverse regional and industry requirements.
The platform helps manage the overlap and unique aspects of different standards, noting that frameworks like SOC 2 and ISO share roughly 60-65% common ground. It also addresses specific needs such as the extensive documentation often required by ISO, an area where software provides significant support.
We don't break it out by framework anymore, because they're all just inputs into the system for us.
SOC 2 Aims to Protect Customer Data, But Major Breaches Show No Market Impact
SOC 2's fundamental policy goal is to ensure customer data is adequately protected. This encompasses various facets of security, such as preventing information leaks and guarding against fraud affecting customers. The standard aims to build trust that a software provider will safeguard the sensitive information entrusted to them.
Despite these intentions, the real-world impact of significant data breaches presents a paradox. Major companies like Equifax and AT&T have experienced humongous data breaches, where entire datasets of customer information were compromised.
The market's reaction to these large-scale data losses reveals a striking pattern. Even after a catastrophic event like the Equifax breach, it is challenging to identify a corresponding negative impact on the company's stock price chart. This suggests that investors do not perceive data breaches as a long-term impairment to a company's terminal value.
This disconnect highlights a gap between societal expectations for data protection and what investors seem to prioritize. While society might expect severe consequences for companies that fail to protect customer data, the market's response indicates a different calculation, where the long-term financial health of the company appears largely unaffected by such security failures.
It's very hard to find that moment in the Equifax stock price chart.
Data Breach Costs Rise with Stricter European Regulations
The financial impact of data breaches is escalating, primarily due to increasingly strict regulations in Europe. European authorities are implementing rigorous policies for breach notifications and imposing significant fines, which is driving up the overall cost for organizations experiencing such incidents.
Companies are observing a higher demand for adherence to data privacy standards such as GDPR in Europe and CCPA in California. There's a notable cultural difference in how compliance is approached; European nations tend to exhibit a stronger, more serious commitment to meeting and often exceeding regulatory requirements.
This contrasts with a perceived 'box-checking' mentality often attributed to American compliance efforts. While Europe shows a consistent and higher demand for robust data privacy solutions, American data regulation is currently experiencing a period of minimal activity and impact.
The costs of having data breaches are going up because Europe in particular is getting very strict about notifications and sometimes fines around these breaches.
US government initiatives aim to modernize federal compliance with AI, specifically FedRAMP
The current US administration is actively driving an initiative to streamline regulations using automation and artificial intelligence. This effort is seen as a key strategy to update cumbersome compliance processes across federal agencies.
A central component of this modernization is FedRAMP, an extensive set of controls, requirements, and documentation vital for companies to sell to federal, state, and often local governments. A team within GSA, led by Pete Wasserman, is working to transform FedRAMP into a "2020 version" from its current outdated state.
However, there is skepticism regarding the widespread adoption of these modernized standards. It is considered unlikely that traditional accounting bodies will fully integrate the updated FedRAMP, which could result in greater divergence in compliance frameworks rather than unified standards across different entities.
I find it hard to imagine the Society of Accountants just copying the new FedRAMP lock, stock, and barrel. And I don't think they will.
Compliance Standards Proliferate While AI Code Review Requires Accountability
Companies are encountering an overwhelming number of compliance standards, often needing to satisfy fifteen or more simultaneously. The focus has shifted from internal frameworks like SOC 2 to navigating strict regulations, particularly those originating from Europe.
When Vanta started in 2018, coinciding with GDPR's implementation, there was significant initial interest in the new European data privacy regulation. However, GDPR was drafted by lawyers at a high level, making it impractical as an engineering specification. Even after seven or eight years, it remains broad and lacks the court-clarified specifics that were initially expected.
The increasing use of AI for generating and reviewing code introduces new complexities for audits. While current processes rely on human reviewers for accountability, AI agents can now write code, create pull requests, and even perform reviews. This blurs the lines of responsibility, making it difficult for auditors to identify distinct user IDs responsible for actions.
For audit purposes, it is crucial to maintain clear points of human accountability, even when AI is heavily involved. The underlying principle is the need for "two throats to choke," ensuring there are identifiable individuals responsible for the code and its review, regardless of agent involvement.
It's more about having two throats to choke.
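The "unit test for a control" idea from the section on Vanta's tests, and the accountability point made here for agent-authored changes, can both be shown with one small check over pull-request records. The code below is an added example, not Vanta's code and not a description of how its GitHub or GitLab integration works. It assumes a constructed record shape (author, approving reviewers, an optional human owner for agent-opened PRs) and a constructed list of bot accounts; a real integration would pull these from the platform's API. It goes slightly beyond the text by treating a bot-authored PR as passing only when a named human owner and a distinct human approver both exist, which is one concrete reading of "two throats to choke".

```python
"""Separation-of-duties control test over pull-request records (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class PullRequest:
    number: int
    author: str                   # account that opened the PR (human or agent)
    approvers: tuple[str, ...]    # accounts that submitted an approving review
    owner: Optional[str] = None   # human who owns an agent-authored PR (assumed field)


# Constructed set of agent/service accounts; a real check would read account
# metadata from the VCS platform instead of hard-coding names.
BOT_ACCOUNTS = frozenset({"release-agent[bot]", "review-bot[bot]"})


def accountable_human(pr: PullRequest, bot_accounts: frozenset[str]) -> Optional[str]:
    """The person answerable for the change: the author if human, else the declared owner."""
    if pr.author in bot_accounts:
        if pr.owner and pr.owner not in bot_accounts:
            return pr.owner
        return None
    return pr.author


def evaluate_pull_request(pr: PullRequest, bot_accounts: frozenset[str] = BOT_ACCOUNTS) -> list[str]:
    """Return the list of control failures for one PR; an empty list means the control held."""
    reasons: list[str] = []
    doer = accountable_human(pr, bot_accounts)
    if doer is None:
        reasons.append("agent-authored change has no accountable human owner")

    human_approvers = {a for a in pr.approvers if a not in bot_accounts}
    if not pr.approvers:
        reasons.append("no approving review recorded")
    elif not human_approvers:
        reasons.append("approvals came only from bot accounts")
    elif doer is not None and not (human_approvers - {doer}):
        # The doer and the approver must be two different people.
        reasons.append("only approver is the person accountable for the change")
    return reasons


def run_control_test(prs: list[PullRequest], bot_accounts: frozenset[str] = BOT_ACCOUNTS) -> dict[int, list[str]]:
    """Run the control over a batch of PRs; the result maps failing PR numbers to their reasons."""
    return {pr.number: r for pr in prs if (r := evaluate_pull_request(pr, bot_accounts))}


# Constructed sample input covering the pass and failure cases.
SAMPLE_PULL_REQUESTS = [
    PullRequest(101, "alice", ("bob",)),                                   # human doer, distinct human approver
    PullRequest(102, "alice", ("alice",)),                                 # self-approval
    PullRequest(103, "release-agent[bot]", ("dave",), owner="carol"),      # agent PR with owner and approver
    PullRequest(104, "release-agent[bot]", ("dave",)),                     # agent PR, nobody owns it
    PullRequest(105, "bob", ()),                                           # merged without review
    PullRequest(106, "release-agent[bot]", ("carol",), owner="carol"),     # owner approved own agent's PR
    PullRequest(107, "bob", ("review-bot[bot]",)),                         # only a bot approved
]


if __name__ == "__main__":
    for number, reasons in run_control_test(SAMPLE_PULL_REQUESTS).items():
        print(f"PR #{number} FAILED: {'; '.join(reasons)}")
```

Each failing PR is the evidence an auditor would want to see, with a reason attached; a passing batch is the proof that the control held over the period. Treating bot approvals as non-approvals is the design choice that keeps an agent from counting as either "throat".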
SOC 2's Flexibility and Vanta's Prescriptive Value
Compliance measures like the separation of duties in software development are primarily designed to prevent insider threats. The underlying goal is to prevent individuals from introducing critical vulnerabilities or "infinite money glitches" into systems without proper oversight. Understanding this impetus helps in designing more effective security controls.
Unlike highly prescriptive standards such as PCI, which mandate specific tools or actions, SOC 2 offers flexible, high-level guidance. While PCI might explicitly require purchasing a particular tool, SOC 2 leaves it up to the company to interpret and implement its controls, including those related to logging and monitoring.
This flexibility can be a significant challenge, especially for startups new to compliance. The broad nature of SOC 2's requirements can feel like navigating a maze without clear instructions, making it difficult to know how to concretely achieve compliance.
Vanta's initial product-market fit largely stemmed from addressing this challenge by making high-level SOC 2 guidance actionable. By translating general compliance suggestions into concrete, understandable steps, Vanta helps companies, particularly startups, automate and achieve compliance to unlock opportunities like selling to enterprises.
SOC 2 is, but it is up to you to decide what the heck that means.
AI streamlines initial compliance prep, but continuous monitoring remains Vanta's key differentiator
Large Language Models (LLMs) are exceptionally good at taking disparate, unstructured data and making sense of it for compliance purposes. Companies can feed an LLM a wide range of messy information, such as AWS screenshots, API calls, policy documents, and existing Jira workflows, and the LLM can process it into a usable format for compliance readiness.
Vanta leverages LLMs to enhance its onboarding process. When a company with an existing compliance program joins Vanta, they can input all their current documentation and processes. The LLM then maps this information into Vanta's framework, significantly reducing the initial burden of setting up a compliance program.
While LLMs excel at the initial data organization and audit preparation, Vanta's core value proposition extends further. The platform provides continuous control monitoring, offering real-time observability, alerts, and dashboards. This ensures that compliance is not just a one-time setup but is maintained ongoing, allowing auditors to log in and view up-to-date status.
The crucial distinction is that LLMs alone cannot provide this continuous, real-time monitoring and alerting. Vanta's system is built to provide this ongoing oversight, ensuring that once a program is mapped, it remains observable and compliant, which is a key differentiator beyond what AI models can offer in isolation.
Everyone wants to have been SOC 2 compliant as of yesterday.
Vanta Uses Anonymized Audit Data to Predict Auditor Reactions
Vanta builds a powerful network effect by processing over twenty thousand audits and thousands for specific firms. This extensive, anonymized historical data allows the platform to understand how auditors evaluate evidence.
This unique dataset enables Vanta to predict whether a company's submitted evidence will be accepted by a particular auditor. For example, it can identify common errors like missing timestamps on screenshots and provide immediate feedback to ensure compliance.
The predictive capability derived from this private data creates a significant advantage. Unlike public AI models, Vanta's system has access to an unparalleled volume of audit-specific information, much like Stripe leverages its fraud data for superior detection. This allows Vanta to guide companies effectively through the audit process.
Of anonymized prior audits is an incredibly powerful network effect that cannot be replicated because, again, it doesn't exist in the public internet. Like the AIs don't have it available to them, it's just private data.
Vanta's Third-Party Risk Product Nudges Buyers Towards Security
Organizations buying software, particularly those handling customer data, face significant third-party risk. A security breach at a vendor, such as an email provider, can compromise a company's own customer data, creating a difficult situation where they must inform customers of a data loss originating from a third party. Vanta provides a product to help manage this vendor review process and mitigate such risks.
A common challenge in vendor assessment is the tension between merely checking for compliance policies and genuinely evaluating security practices. Buyers vary widely, from sophisticated tech companies to non-tech businesses like hotel chains. Many may lack internal security expertise or a prepared set of questions, often leading to generic inquiries focused on whether a vendor has a policy for a certain action, rather than probing actual security implementations.
Vanta addresses this by employing a "reasonable defaults" product principle. For companies without specific questions, the platform offers prescriptively guided questionnaires. These defaults are engineered to subtly nudge buyers toward asking more security-centric questions, moving beyond basic compliance checks to effectively assess a vendor's true security posture.
Can we make the reasonable default questionnaire in this case something that leads into security versus compliance?
AI Automates Security Questionnaires and Compliance Workflows
AI has now become proficient enough to automate complex tasks, specifically filling out security questionnaires. While previous attempts in 2018 and early 2021 found language models insufficient for this specific application, current AI capabilities have proven to be robust enough.
A prime example of this newfound efficiency is GitHub, which utilizes Vanta to automate 92% of all the security questionnaires it receives. This allows GitHub to quickly process requests that historically demanded extensive manual effort, with human oversight primarily for review and approval.
The impact of AI is expected to extend beyond just questionnaires, transforming other critical aspects of compliance work. Compliance teams frequently spend significant time synchronizing various documents, integrating new regulatory regimes, and mapping them to existing controls to identify redundancies.
AI agents are well-positioned to streamline these labor-intensive processes, potentially allowing compliance professionals to shift their focus from repetitive data management to more strategic analysis and oversight.
GitHub gets ninety-two percent of all of the questionnaires they receive, answered through Vanta.
AI and Agentic Workflows Are Consolidating Compliance Roles
AI and agentic workflows are set to transform compliance roles by automating numerous tasks. This shift is compared to the evolution of IT, where many foundational processes that once required dedicated staff are now handled by technology.
Decades ago, a ten-person company would have employed an IT person to manage physical servers, perform software updates, and maintain hardware. Today, reliable hardware and cloud services like Google Workspace have eliminated the need for a dedicated IT person in small businesses, though the IT profession still exists at higher skill levels for larger organizations.
Similarly, AI is poised to streamline compliance tasks. Actions such as answering questionnaires, reviewing new software vendors, or rerunning risk assessments can be automated by AI agents, overseen by human experts. This allows companies to delay hiring a full-time security and compliance professional, with engineering leaders managing these responsibilities for a longer period.
This consolidation can lead to security, compliance, and IT functions merging into unified roles. Rather than separate personnel for each, well-equipped individuals can manage more. The long-term forecast suggests GRC teams might become smaller, with single-threaded owners overseeing agent-driven work, rather than having different people dedicated to each discrete task.
What we're talking about now, and we haven't seen yet, but if I like had the futurecast and guess, is we're gonna see actually those GRC teams collapse a bit more into these single-threaded owners.
AI Shifts Compliance from Hourly Labor to Strategic Oversight
AI is expected to transform compliance by automating the repetitive, hourly tasks that currently consume significant time. This includes duties like repeatedly gathering evidence from engineers for audits, ensuring security controls are in place, or chasing vendors for missing compliance items. The shift means human compliance professionals will spend less time on manual, operational workflows.
Instead, AI will enable smaller GRC teams to manage automated agents, allowing humans to focus on higher-level strategic work. This involves thinking about overall findings, managing a comprehensive risk portfolio, and defining the strategic direction of compliance rather than executing individual security reviews or administrative follow-ups.
This transition is crucial because it allows compliance teams to concentrate on the 'strategy component' of their work. They can dedicate their expertise to determining how things should be done, overseeing enterprise-wide risk, and managing policy direction. This automation also simplifies the adoption of new compliance standards, as the underlying machine can easily integrate new requirements once built.
AI will eat up a lot of the hourly labor part of compliance and leave people doing the strategy work.
New AI Compliance Standards and the Role of Trust Centers
A new European compliance standard, ISO 42001, is emerging for artificial intelligence. It focuses on data privacy and is high-level, catering to European enterprises that prioritize AI compliance. While not yet regulatory, it's gaining market traction.
Companies are increasingly adopting "trust centers," which function as security status pages. These pages, like trust.vanta.com, display a company's security posture using indicators for various controls.
The practical utility of trust centers is to deflect routine inquiries from GRC (Governance, Risk, and Compliance) teams. They serve as a comprehensive, pre-filled resource, akin to a binder of information, that sales teams can provide to potential clients, reducing the need for direct security-related questions.
Trust centers are the security status pages.
Vanta is developing agent-generated UI and notes a shift back to phone calls in outbound sales
Outbound sales strategies are seeing a temporary reversion as email outreach becomes saturated with AI-generated content. Many businesses are observing that phone calls are currently more effective than emails, although this trend is expected to be short-lived as AI capabilities for phone outreach also advance.
Vanta is actively developing an innovative concept called "agent-generated UI," where artificial intelligence creates bespoke software interfaces on demand for specific user tasks. This approach goes beyond simple chat interfaces, aiming for a full, dynamic UI that can render elements like data tables, reports, or other necessary components for a user to complete an action.
The vision for agent-generated UI involves an AI agent guiding a user through a process and, when a user input or action is required, generating the precise UI needed for that specific task. This could significantly streamline workflows, especially in areas like reporting. Vanta anticipates releasing this agent-generated UI by summer.
Can the agent just generate UI specific for that task so the user completes it and then move on?
Vanta's Evolving Go-to-Market Strategy and the Pitfall of Generic Keyword Ownership
Vanta successfully used unconventional marketing, such as podcast advertising, which proved surprisingly effective for their go-to-market. This strategy went against traditional advice, illustrating how dismissing "silly" ideas can lead to missed opportunities for accelerated growth.
Initially, Vanta's strategy involved being "call responsive" to generic industry terms like "SOC 2." This approach was effective early on, before the market saw a rise in competitors.
However, as new companies emerged, this generic branding became a significant problem. Competitors could easily present themselves as "SOC 2, but cheaper" or "better," essentially leveraging a term Vanta didn't own, which made differentiation challenging and the original strategy deeply unhelpful.
Oh, that got, you know, like now we're all pointing at a thing we don't own. And like, that's bad.
USV's Philosophy on Ideas and the Flaws of Market Sizing
Christina Cacioppo of Vanta learned a crucial lesson about market sizing from Union Square Ventures. In 2018, the estimated global market for SOC 2 compliance was only $10 million, a figure that would typically deter a new startup.
Vanta's theory was that by making SOC 2 compliance easier and less time-consuming, the market would expand significantly. This proved correct, turning what was a 'zero-dollar market' for startups into a substantial opportunity, demonstrating that current market size does not always predict future potential.
This approach aligns with USV's philosophy of being drawn to powerful ideas and maintaining a 'prepared mind' for new trends. This intellectual framework was largely established by co-founders Fred Wilson and Brad Burnham.
Brad Burnham is described as the more cerebral and philosophical partner, while Fred Wilson excelled at articulating their shared ideas to a broader audience, famously coining the term 'freemium' in a blog post around 2008 or 2009, born from their collaborative discussions.
Market sizing is bullshit.
Recognizing Delusion and Lack of Metrics as Founder Anti-Patterns
Christina Cacioppo's experience meeting thousands of founders revealed that there is no single model for what a founder is or does. This extensive exposure showed her the diverse paths to success and offered various role models, demonstrating that founders can succeed in many different ways.
A significant anti-pattern among founders who struggle is delusion, characterized by an inability to accept reality. While some might bend reality to their will, often reality is an immovable object that must be embraced and navigated, not ignored. Attempting to change unchangeable facts, like gravity, is a clear sign of this delusion.
Another clear sign of impending failure is a lack of clear metrics or investor updates. Founders who provide many words but no concrete data often fail to truth-seek, a critical tendency for navigating challenges effectively. This absence of data reflects a deeper issue of ignoring tangible progress and reality.
A lot of words and no metrics is almost a sure sign of failure.
Product-market fit is an immovable object that demands full focus
Product-market fit is often misunderstood; if a company is questioning whether they have it, they likely don't. It acts as an immovable object, defining a business's true priorities and demanding unwavering attention.
For example, Etsy's co-founder, Rob Kalin, dedicated significant time over several years to making custom desks for new employees. This was a cultural practice intended to reflect the company's ethos of selling homemade, bespoke items.
However, even well-intentioned activities like making desks, or engaging in other pursuits, become distractions if they do not directly contribute to the core business's market demands. Without achieving product-market fit, these efforts are irrelevant.
A business must prioritize actions that move it closer to its core market needs, understanding that tangential efforts, while potentially satisfying, will not lead to success if the foundational fit is missing.
If you think you have product-market fit, you don't.
Vanta plans to expand its platform to cover broader enterprise trust functions
Vanta intends to extend its platform's reach beyond its current focus on security for mid-market businesses, aiming to serve the enterprise market. This expansion targets various functions within the CISO organization.
The company is looking at areas like enterprise risk management and internal audit, leveraging its existing capabilities. Given Vanta's current process of packaging material for external auditors, applying this to internal audit processes is a logical next step.
The platform's core functionality involves defining controls, validating their implementation, and proving compliance. This framework is highly transferable to internal audit and even adjacent areas like financial audit, which operates on similar principles of system validation and proof.
Internal audit is sort of easier for us given what we've built in a way. We have all of this, and currently we're packaging material and sending it to the auditor, but you can imagine packaging it and sending it to internal.
Podbrew watches new episodes and turns them into concise briefs you can read in minutes.
