About this Episode:
Do you have to comply with the complex, time-consuming, and tedious process of preparing for a security audit? In this episode, Eric Martin from Vanta, a cybersecurity startup, will discuss automated security and compliance. Discover why security compliance is essential, and how automation can help you with SOC 2 audits and HIPPA compliance requirements. Listen up!
TestGuild Security Testing Exclusive Sponsor
Micro Focus Fortify is the recognized market leader in application security and is the most comprehensive and scalable application security solution that works with your current development tools and processes. Try it today
About Eric Martin
Eric Martin is the head of sales at Vanta, a cybersecurity startup that automates the getting and renewing of SOC 2, HIPAA and ISO27001.
Connect with Eric Martin
- Company: vanta.com
- Website: vanta.com
- Twitter: ericlongmartin
- LinkedIn: ericlongmartin
Full Transcript Eric Martin
Joe [00:01:27] Hey, Eric, welcome to the Guild.
Eric [00:01:30] Hey, Joe, thanks so much for having me. Excited to be here.
Joe [00:01:32] Awesome. Great to have you on the show. Before we get into, is there anything I missed in your bio that you want the Guild to know more about?
Eric [00:01:37] You crushed it. And you nailed it. Yeah. So thank you so much.
Joe [00:01:40] Awesome. So as I explained in the preshow, I am a newbie to security and so we're gonna take it step by step and really dive into this before we actually hit the meat of the topic. But so before we actually dive in deeper, how would you explain what is security compliance?
Eric [00:01:54] Yeah. Interesting. At a very high-level security compliance, they more often than not, work hand in hand. We like to encourage companies to be security first and what I mean there is to kind of take the necessary precautions from how they operate their business to derisk that business. Okay, so there are simple things that companies can do. Whether it's kind of enabling two-factor authentication to getting connected to your cloud infrastructure or requiring employees to take security awareness training, right? There's a full spectrum of what kind of measures, simple and kind of complex or robust that companies can do to beef up their security and then kind of put themselves in a better position to adhere to and then go get these different compliance certifications or reports.
Joe [00:02:37] Nice. So what are some myths around security compliance? One I could think of is that it's only applicable to enterprise-wide companies. Is that true or what are your thoughts on that?
Eric [00:02:46] Yeah, I think so. When you think about security and compliance there are two certifications that immediately come to mind. There's the SOC 2 and there's ISO 27001. A SOC 2 is like a North American cybersecurity compliance report that when a company gets it and then presents it to a prospect, the partner, a customer, it effectively communicates that to a certain extent they are safe to do business with. As in like that company is going to take X, Y, and Z precautions to make sure that they're handling and processing your information and they're using their own sub-processors in a way that kind of the industry kind of expects they should be dealing with them. And so to answer your question, is this only applicable to enterprise businesses? No. More often than not, what we're seeing now are early-stage companies going out and pursuing these compliance reports just because they're table stakes it based on the sub-industry that they're in and or kind of the types of customers who they're trying to sell to. I can elaborate more. I can pause there.
Joe [00:03:44] Yeah. If you could just go into a little bit more details. Some examples maybe would be helpful.
Eric [00:03:49] Yeah. So, for example at Vanta, right? Like most of the companies that come to us who want help getting a SOC 2 report or becoming HIPAA self-certified are between two and one hundred people, right? More often than not, they're between five and 15, five and 20 employees. These are like precede seed-stage sometimes Series A. And the reason they're coming to get a SOC 2 report and eventually HIPAA and an ISO 27001 is because of a couple of things. One, they may have a customer or a prospect who is hard requiring it. They may be in an industry like fintech where it's just table stakes. So in order to get your business off the ground, right? One of the things you're gonna do is partner with a major financial institution and to partner with those folks, you need a SOC 2. But more often than not, these companies today are coming to kind of pursue these compliance reports as presumptive blockers. So they may have been asked for them once. They may have never been asked, but they don't want them to be blockers. They don't want them to slow deals down. Some of them see having these compliance reports as a competitive advantage. And if historically, getting a SOC 2, for example, took a 20 person company, you know, 60 grand and six to 12 months for them to be able to come to a, you know, leverage software like a Vanta that can help them get it done for twenty thousand dollars in two to four weeks. All of a sudden, like, the tables have changed and like what was originally or initially some of that felt out of reach or kind of something that didn't seem realistic to ask a small company to get. Now all of a sudden feels very realistic. And so maybe right place, right time for businesses like ours. But, yeah, more often than not, it's not enterprise companies that are that we're seeing, although these enterprise companies inevitably also do have these reports.
Joe [00:05:36] Awesome. Yeah. The person I spoke to today told me more about this. It was a startup and I guess they use a Google API and Google requires them to get a SOC audit. And it was some outrageous amount of money. And then they found you. You all. So what do you offer them that makes it more cost-effective? Because the rate they originally were quoted was like some outrageous amount.
Eric [00:05:56] Yeah. So historically, when companies wanted to go pursue these compliance reports and we're kind of picking on the SOC 2, because that's the compliance support that Vanta helps to streamline. But historically, if somewhere to go get this, they would hire an auditing firm. That auditor would come to their office in the old days. Now, they'd probably do a Zoom call and they would do what's called a gap assessment or a readiness assessment. That's where they're gonna run these companies through a laundry list of things that they need to see in place before they can file these reports. They would charge you for that assessment. And then they would send you off to your own devices to go kind of get those docks in a row. Prove that those docks in a row in the form of screenshots, often in the order magnitude of hundreds of screenshots, and then upload those into some portal or some drive that these auditors have built. The auditors then have some processing time where they need to shift through these things, confirm them, go through their checklist, and then draft the reports. And so there was frankly, like originally (??), this just took a lot of man-hours hence, like add it up to large sums of money. In the Vanta world, simply put, we built software that connects with read-only API to certain systems that companies use. So like your cloud infrastructure, your version control system, your identity provider, and we continuously run tests against these API connections. The way that we've designed Vanta is so that in Vanta if you're passing these tests, you're communicating to one of our audit partners that you're satisfying different technical controls. And then as it pertains to the non-technical requirements that often go into getting these compliance reports, such as having policies of vendor management platform, doing vulnerability scans, etc., we built ancillary tools to help companies satisfy those requirements within the platform as well. And once again, right? Like you talked about, like the juggle between security and compliance or compliance and security. We'd like to think of ourselves as a security monitoring and a learning tool. It just so happens that the framework that we built these security tests around mapped back very neatly to SOC 2.
Joe [00:07:51] Nice. So it seems like it's an ongoing thing as well. So it's not just like you get audited once you have the document and you're good to go. Or is it something the company has to be aware of, ongoing new features being released? You need to have some sort of traceability, I guess, with that.
Eric [00:08:03] Yeah, it's a good question. So and it's good for our business model because companies do need to get a SOC 2 report and they need to well, they need to renew it every 12 months. And so when you're thinking about the different types of SOC 2 reports, there's a SOC 2 Type 1 and there's a SOC 2 Type 2. A SOC 2 Type 1 is a point in time report. This report kind of communicates to your partners prospects, etc., that, hey, on this date we had all of our kind of processes and procedures in place. A SOC 2 Type 2 is more of a continuous report, which like the main difference is that a SOC 2 Type 2 requires what's called an observation period. And that's this like three to six to twelve-month window were to, like Vanta, is continuously monitoring that you are adhering to these controls, as they're called, in SOC 2 world or these kinds of processes and procedures over the duration of that time period. And so because we run these tests on the hour, we can flag to companies when these tests fail, that might take them out of compliance. And we tell them very specifically how to go fix them. And so, yeah, a more detailed picture there of the different flavors of SOC 2 reports as well.
Joe 00:09:05] So what happens if someone doesn't meet these requirements? It seems like it's two-pronged. Almost if it's like a government regulation, you're going to get fined. And two, I guess if you wanna make more sales, I guess more and more companies asking you, are you compliant before they do business with. Is that a two-prong type of thing you see as a scenario for why you need to be audited and compliant?
Eric [00:09:24] Well, so the reason why companies need to go get these reports generally stems from hard customer requirements and or its just table stakes for the space that they're playing. And in terms of like kind of what happens if companies don't have these things. In simple language, if a company doesn't have a SOC 2 report and it's a hard requirement from one of their prospects in order to do business with them, it like very immediately it's gonna stall or immediately put the deal to a halt, right? So more often than not, we're in this really interesting position where the stakeholders or the people that own pursuing these compliance reports are more often than not technical leaders or security leaders or compliance leaders. But the drivers are the revenue team. It's the people that like it's the sales reps and the sales managers that are saying, hey, we need the support to get this deal done. Let's get it done.
Joe [00:10:17] So without a tool like yours, how does someone who does a SOC 2 audit? And then how do they know if they're compliant, I guess? Is that like a feature, a company someone hires a SOC 2 audit person? Or is it just it's like a contractor? Someone comes in and takes a look at things.
Eric [00:10:33] Yeah. So quite literally who will kind of write these reports for companies are AICPA accredited auditors. So you could do a simple Google search for like SOC 2 auditor and you'll find hundreds, if not thousands of auditing firms are out there, large and small. Vanta is a software company, but we partner with these auditing firms. So today we have a team dedicated to kind of like onboarding and training these auditors to file reports using Vanta software. We have over two dozen of these firms ranging from small local regional firms all the way up through the big four. And for them, it makes a lot of sense. Right. Like, for better or worse, software companies are more approachable than auditing firms. I think in this day and age, folks would rather kind of get a leg up on working towards anything that has the word audit in it, using software as opposed to kind of going to the human first, for better or worse. And so our partners lean into us and we lean into them and it ends up being this like really kind of strong relationship.
Joe [00:11:37] Nice. So you mentioned a few times that Vanta what it does is it automates things. So automates your security compliance. Could just talk a little bit more? Like, give me an example of how that works. Is it built into the actual software pipeline where they develop software and before it's released? Who runs these checks?. Would you mean it runs every hour? Does it add a lot of overhead? Like, what's the whole process?
Eric [00:11:55] Yeah. So at large, when we make these API connections, whether it's like your AWS, your GitHub, or your Okta, we're running to see, test to see are you leveraging these tools in the most kind of like appropriate manner, right? So we're looking at configuration and metadata. And so it's like, are you retaining log groups for365 days? Like, are these S3 buckets where you store sensitive data encrypted? And so it's really lightweight. You know, a lot of these third parties that we've built, these API connections to have built custom kind of like permissions sets for third party audits. So the tests that were running are not intrusive. We don't have access to customer data. We look quite literally cannot get access to these things. And they're kind of like draws a line like some controversy in terms of like how kind of meaningful or powerful SOC 2 is, given like the limited scope of what SOC 2 actually looks at. But once again, as you think about kind of solutions like Vanta, SOC 2 is kind of the starting point, right? It's like as we kind of work towards building our own kind of de facto online security. Kind of label, let's call it, and we automate different certifications like ISO 27001 and we support different security frameworks. Naturally, the breadth of these tests that we run and the depth that we go will increase. And so, yeah, it's all very exciting.
Joe [00:13:20] That sounds very cool. I know this makes sense for automating other things. You need something in place so like a manual process that's working for you can automate it. How much does a company need to have in place before they can use an automated solution like Vanta? Would you go and say, well, you don't have this and this, so, therefore, you do this legwork for we even get to automating it with that software?
Eric [00:13:39] Yeah, it's a good question. At large, I'm laughing because we've had companies come to us before they were even incorporators. And they're like, we don't actually have a company name yet. Actually, one of those companies that came to us and signed up before they were incorporated is now like two hundred person company, which is kind of fun. So one, hopefully, incorporated, but be at a minimum we encourage companies to pursue a SOC 2 once they've kind of decided on their kind of core text (??). So which cloud infrastructure are you gonna use and which version control system are you gonna use? Which identity provider you gonna lean on? And the reason being there are a number of controls or parts of the SOC 2, that are tied to kind of how you leverage those different systems. So that would be the baseline requirements. Most of the companies that we work with are, as I said, they are so early in their existence like many of them are like they have an MVP product. So as you're thinking about, like, are there sales thresholds or product thresholds before you can go pursue these things? The short answer is no.
Joe [00:14:33] That's pretty incredible. It' before they even, it's MVP. How do they know about you? Like how do they know what to look for that this is actually a need? Because it's the first time I've really heard of it. So it's something that everyone's aware of. So it's just as easy as to do a Google search and then find someone like you.
Eric [00:14:47] Well, so for us right now, people hear about us in a number of ways. We have partnerships with dozens of venture capitalists. We're tied into many of the kind of start-up accelerator communities. Every customer that we sign up refers to at least one new customer. Right. So we also have a very strong outbound engine that's kind of like making people aware of us who formerly had no idea we existed. At large, though once again, I'll just go all the way back to that kind of original kind of statement, which is that companies find out very early on in their lifecycle whether or not compliance reports like SOC 2 are going to be meaningful. Frankly, think about like think you're at an early stage company and you're going out to try to find your first customers, right? Inevitably, what's gonna happen is you're gonna find a couple of interesting companies. You're gonna discount them aggressively. They're going to agree to put their logo on your website. But at the end of the day, in order to work with them, you're still gonna have to go through some form of a security or risk assessment. And more often than not, these really early-stage companies come to us after going through that risk assessment and learning that, oh, shoot Twitter wants a SOC 2, Slack wants a SOC 2. Like so we're gonna work with this company as a beta customer, but apparently, we need to get this thing done. And so that's when kind of they put the word out. And somehow or another, they always find us.
Joe [00:16:05] So so far, we've only talked about SOC 2. And I know you also support HIPAA. So just explain a little bit what HIPAA is and maybe when someone needs to use that as Wolf Compliance?
Eric [00:16:15] Yeah. My wealth of knowledge on HIPPA is way more shallow than my wealth of knowledge on SOC 2. At large right like, so for starters, HIPAA is a compliance certificate or a report that where companies can self certify. And so when we think about which compliance reports we want to support, the reason that we went from SOC 2 to HIPAA was because there's a huge overlap in the number of controls or requirements from one to the other, right? So notably, there are a couple of additional policies that companies need to have in place if they are to be HIPAA self-certified. There are also certain flags where they need to tell us where EPA GUI is contained. It's interesting as we learn more and more about HIPAA and the types of businesses that need it. Right now safely, it's the health care tech companies who we support who are the ones that need to also be HIPAA, self certified, or the SAS businesses that sell into or partner with these major like medical institutions. And then, as you think beyond HIPAA right like we mentioned, ISO 27001. ISO 27001 is effectively like the international version of SOC 2. And so once again, it's still early days for us. Because we don't support that yet, I would be winging it too aggressively to talk too intelligently about it. But once again, I think it's one of those things where we do look forward to supporting that so that we can further support international based businesses.
Joe [00:17:33] Nice. So I would think also with compliance, regulations change all the time. But it seems like if you have an automated solution, this is being updated as well. So people I guess, when they use a solution like this, they have confidence in knowing that it's all up to date and that it's meeting all the current regulatory types of requirements. So, yes.
Eric [00:17:51] Yes. So this is where, once again, that partnership with our auditors comes into play, right? So at these folks are leaning heavily into Vanta to write these reports. And so they are just as invested as we are. And the legitimacy of kind of the tests that we run and the controls that we encompass and making sure that we are up to speed on things. So we have our own internal team that kind of keeps on top of these specifically SOC 2 requirements. But anytime there's a change or an update, we get an e-mail from literally like 30 different auditors saying, hey, just FYI there's this new thing that we need to consider. Vanta does have it today. How quickly could we see it in there? So, once again, to your point, yes. Like, we have any number of hands, I guess, involved in making sure that we stay on top of what's required.
Joe [00:18:37] So it sounds like once again Vanta, I notice someone to use it, it's just a matter of making API calls right?. It seems like it's an API based solution. Are you just making calls to it or your hooks to API so it's really lightweight?
Eric [00:18:50] Yeap, very lightweight. I've now onboarded a couple hundred businesses and that's just a fraction of the companies that we support today. And I remember like even when I was doing this back in the early days, it would take someone five to seven minutes to go through it and make those various connections. I think the way that we think about it now is that there as we go out and support bigger and bigger orgs, these orgs will more often than not have more complex tools or systems that they rely on. And they will have controls or SOC 2 requirements tied to how they use those additional frameworks or not additional to additional (??) systems. So it's on us as we kind of build to support bigger and bigger businesses to build more and more of these integrations. And that's something that, like we have teams of engineers dedicated to continuously working on.
Joe [00:19:38] So are there any vendor management, best practices for monitoring security?
Eric [00:19:44] Yeah and these are some of the companies can do, regardless of if they're pursuing a compliance report or not. Effectively, a healthy exercise to use to go through. And first off, figure out who internally is going to be responsible for the different vendors that your company relies on to operate your business, right? It's healthy to like, bring one or two or more stakeholders to the room, get those vendors listed out, and then from there. And this is something that, like comes into play when you get a SOC 2 but you don't need a SOC 2 to do this. It's a healthy exercise to kind of collect the security documents from those vendors on an annual basis, review those security documents, and make sure that you're comfortable with their security posture. And so once again this vendor management portal is built in to like Vanta. And there are controls that companies will include in their SOC reports tied to how they manage their party vendors. But regardless of if you're pursuing one of these reports or not, it's a healthy exercise to kind of stay on top of the vendors that you're truly relying on. Making sure that someone is responsible for those and that they're collecting the security docs and reading them on some kind of regular cadence.
Joe [00:20:49] So, Eric, I know this could be very expensive. So how much should companies budget for a SOC 2 type audit?
Eric [00:20:55] Yeah. So at large, we'll give like a high-level answer here that companies can kind of work around. But companies one to 20 budget all-in costs around 20K. And that would include the software fee and the audit filing fee. Companies in that 50 to 100 range, budget anywhere from 30 to 40K. And then companies north of a hundred be ready to budget, you know, 40K plus. And that's largely because these auditors today will price based on headcount and then the type of SOC 2 report that you need. And these software vendors, more often than not, price based on headcount as well. So it's one of those situations where when folks come to us having spoken with an auditor first, it makes pricing a really easy discussion because auditors will more often than not, quote, folks, 3X the numbers that I just gave you. And so that it's often a welcome surprise when they find us. But if you're hearing this for the first time and you haven't spoken with an auditor, then, yeah, reasonably coming with those expectations. And you can challenge our reps to honor those ranges.
Joe [00:21:54] That's pretty transparent. So why headcount? Is it just more documents that they have to review based on headcount?
Eric [00:22:00] There's no good answer for why headcount. And it's TBD if that's gonna be the model that sticks. Historically, the way we've priced by headcount is because tools like Vanta have immediately replaced what is called that gap assessment. And so if you think about auditors charging companies based on headcount size, it was the easiest kind of anchor for us. And so TBD, if that sticks, there's a bunch of experimentation happening, including with us around pricing models. But at large, the way we think about it is the number of employees that are in scope for a soft use. So we have detailed scoping features with Vanta where companies can dictate which employees are in or out of scope for this particular report. And as part of that, any employee that's in scope, we're gonna continuously monitor kind of their account status, which tools they have access to, whether or not they are adhering to kind of access SLAs and the works. And so the reality is, is that like we do keep tabs on lots of data tied to individual employees as well.
Joe [00:23:00] Awesome. Okay, Eric before we go, is there one piece of actionable advice you can give someone to help them with the security compliance efforts? And what's the best way to find and contact you or learn more about Vanta?
Eric [00:23:10] Yeah. My advice is this. It asks tough questions early. Especially, and this is notably for the early-stage businesses listening. But it's like as you're kind of getting through these sales cycles and you're getting towards the end, be sure to be cognizant of the fact that you're gonna have to go through a risk assessment, especially if you're handling sensitive customer data. And so, once again, this is me just speaking at it from a salesperson. It's like qualify early, right? So as early as you can, figure out what those hurdles to close are going to be. And if one of those hurdles involves pursuing one of these compliance reports, then give us a shout. Come to us at vanta.com. That's V-A-N-T-A dot com. Or you can email me directly, eric@vanta.com. Yeah, E-R-I-C at vanta dot com.
Resources
Don't miss Secure Guild 2020 dedicated 100% to security testing. Check out our awesome lineup and register for the event.
Rate and Review TestGuild Security Podcast
Thanks again for listening to the show. If it has helped you in any way, shape or form, please share it using the social media buttons you see on the page. Additionally, reviews for the podcast on iTunes are extremely helpful and greatly appreciated! They do matter in the rankings of the show and I read each and every one of them.