Scaling trust to unicorn status with Vanta CEO Christina Cacioppot | TechCrunch Disrupt 2024

Vanta and its CEO, Christina Cacioppo

• The discussion begins with an introduction to Vanta and its CEO, Christina Cacioppo, highlighting her unique career path from graduating in economics to working in venture capital before founding a company. (12s)
• Christina Cacioppo describes her early interest in the internet and Apple computers, which led her to pursue a career in startups despite feeling underqualified due to her economics background. (1m0s)
• She recounts how she discovered a blog post by Fred Wilson from Union Square Ventures, which was seeking a new young hire, and despite initial doubts, she applied and surprisingly got the job. (1m47s)
• At Union Square Ventures, Christina worked with a small team and learned a lot, but she realized she wanted to be a founder after meeting with various founders daily. (2m59s)

Christina's Journey to Venture Capital and Founding Vanta

• Christina reflects on the media narrative of founders, noting that it often portrays them as having been coding from a young age, which contrasts with the diverse types of founders she encountered. (3m40s)
• The discussion highlights the diverse ways people can become founders, emphasizing that one does not need to create a product used by billions to be considered a founder. (3m50s)
• Christina Cacioppot expressed a desire to start a technology startup despite not knowing how to code, which led her to quit her job, use her bonus to learn coding, and create several projects that were not widely recognized. (4m30s)
• Her first project was a book website intended to be an improved version of Goodreads, driven by her personal interest in seeing friends' bookshelves, although it did not succeed as planned. (5m8s)
• After working at Dropbox, Christina Cacioppot left to found Vanta, motivated by the opportunity to work on necessary but often avoided tasks like SOC 2 certifications, which she found rewarding due to the gratitude of those she helped. (5m39s)

Vanta's Origin and Early Focus on Security for Startups

• The initial insight for Vanta was that small companies often neglect internal security and customer data security, not out of indifference, but due to prioritizing customer acquisition over security. (6m32s)
• To encourage startups to prioritize security, it was important to link security efforts to their primary concern, which is growth in revenue and customer base. (7m5s)
• To encourage startups to prioritize security, compliance can be used as a reward, such as obtaining SOC 2 or HIPAA certification, which can open up new markets and accelerate revenue growth (7m16s).
• This approach has proven effective, as it couples the work of achieving compliance with the reward of new customers, motivating startups to invest more in security (7m58s).
• The initial plan for Vanta was to build a security company starting with startups, obtaining SOC 2, and then expanding to other security tools, which has largely been successful (8m12s).
• In the early days of Vanta, the founders would manually perform tasks, such as writing emails to customers, to test the market and validate their product before writing code (8m34s).
• One example of this manual work was sending weekly emails to customers about security issues, such as employees without two-factor authentication, and tracking the effectiveness of these emails (9m25s).
• Although time-consuming and sometimes error-prone, this manual approach provided valuable feedback and signals that the product was being used (10m17s).

Vanta's Frugal Approach and Culture

• Vanta has maintained a frugal approach, even after reaching a valuation of $2.245 billion, with a focus on efficient spending and a culture of Midwestern values (10m27s).
• The idea is to invest in areas that drive growth while avoiding unnecessary expenses, which can be a tricky balance to strike, and cultural implications can arise if not managed properly (10m44s).
• It's easy for startups to spend money on things that seem reasonable but don't actually matter, and this can lead to disappointing outcomes (11m7s).
• Vanta is more aggressive about what they spend on and what they don't, and they try to strike a balance between treating employees like adults and not overspending on luxuries (11m27s).
• Vanta's offices are nice but not extravagant, and they prioritize spending on things that drive growth rather than on lavish amenities (11m45s).
• The company provides food a couple of days a week, but only around get-togethers or team offsites, rather than providing three meals a day like some other companies (12m12s).

Vanta's Growth and Realization of its Potential

• The realization that Vanta was onto something came incrementally, with growing confidence over time, and a moment of clarity came when a former coworker asked for help with a security audit (12m44s).
• The company started with a manual process, working with a few companies, and then received an email from a former coworker asking for help, which was a turning point in realizing the potential of the business (13m20s).
• The early competition was spreadsheets and consultants, but Vanta had an advantage in that their consultants were engineers rather than accountants, which was appealing to startup CTOs (14m12s).
• The company started writing code to become a proper business, and this marked a significant milestone in their growth and development (14m8s).
• The company initially considered becoming a consultancy or a bootstrap business, but ultimately decided to build a software company and productize their services (14m35s).
• The plan was to build software and become a software company, but it took around four to five years to achieve this goal, longer than the expected one to two years (15m9s).

Vanta's Transition to a Software Company

• The company faced challenges such as hiring and software estimation, which contributed to the delay in achieving their goal (15m39s).
• The company is now a software-as-a-service (SaaS) company with a support team and a software product (15m30s).

Vanta's Focus on Evolving Security Standards and Regulations

• The company's customers are driven by their own customer demands, and are now focusing on meeting AI standards and regulations such as the EU AI Act and NIST regulations (16m47s).
• The company aims to make it easy and legitimate for their customers to meet these standards, but notes that the regulatory landscape is still evolving and unclear (17m38s).
• The company believes that the regulatory landscape will eventually become clearer, with larger enterprises driving the requirements and pushing them down to software companies that do business with them (17m46s).

Challenges and Opportunities in Security for Big Companies

• Big companies often make the mistake of trying to control more than they can, expecting to tag, analyze, and understand all data flows at any point in time, which is a difficult goal to achieve (18m17s).
• This expectation mismatch can lead to a lack of transparency and trust between big companies and startups, with startups trying to find ways to get comfortable with the delta between what they can and cannot do (18m54s).

Vanta's Principles and Focus on Trust

• Building trust is crucial, and Vanta is trying to productize trust by helping customers build and maintain it (19m16s).
• One of Vanta's company principles is to "do what it says on the tin," meaning to be transparent about what they can and cannot do, and to follow through on their promises (19m26s).
• Vanta tries to apply this principle to its own relationships with customers and their customers, aiming to build trust by being upfront about what they can deliver (19m33s).
• To achieve this, Vanta constantly tries to improve and, when mistakes are made, conducts root cause analysis and communicates with customers to understand and fix the issues (20m10s).
• Vanta acknowledges that it's not perfect and doesn't always get everything right, but it tries hard to fix mistakes and understand what went wrong (20m27s).
• The company recognizes that human systems are imperfect and that it's unrealistic to expect 100% accuracy, so it tries not to pretend otherwise (20m54s).

Vanta's Acquisition Offers and Strategy

• Vanta has not received any serious acquisition offers, except for a brief interest from a company in 2018, but nothing has come of it (21m7s).
• The company has received acquisition offers from both large companies and private equity firms, but they didn't make sense at the time and were ignored, which in retrospect seems like a good decision (21m31s).
• The company is digitizing an older industry and practice, which is an area where pure-play tech companies have not historically played, making it a unique space (22m1s).
• There are many startups trying to help people with their audits, and larger companies are making acquisitions, but Vanta has only made one acquisition almost two years ago and is constantly looking at other opportunities (22m40s).
• Vanta is more interested in acquiring companies with adjacent technologies that are different from what they use, as it's easier to reason through why it's a good decision (23m20s).

Vanta's IPO and Future Growth

• The company has no idea when they will IPO, and it doesn't matter to them, as they view an IPO as a financing milestone rather than an exit (23m42s).
• The CEO believes that an IPO is often not an exit for the team and founders, but rather a milestone that brings new challenges and responsibilities (24m12s).
• The company's focus is on growth and development, and they are constantly looking at new opportunities and technologies to expand their business (24m54s).
• Vanta has two main areas of focus, but the details are not specified due to time constraints (25m9s).
• Vanta's business is divided into two parts: one catering to startups and smaller but ambitious and growing businesses, and the other to bigger companies, with the former often being the first certification and revenue unlock for these businesses (25m12s).
• For startups, Vanta aims to do more in building out a security program, as there is a lot of potential for growth in this area (25m27s).
• Initially, it was thought that the problem of security was mainly a small company issue, but it has been found that bigger companies also face similar challenges (25m35s).
• In bigger companies, security teams often perform tasks manually, as there are few tools available to help them, presenting an opportunity for Vanta to provide solutions (25m50s).
• Vanta is thinking about the two parts of the business separately, recognizing the different needs and opportunities in each segment (26m0s).