Christina Cacioppo: From Y Combinator to redefining trust in cybersecurity with Vanta
Welcome to Inside the Network. I'm Sid Trivedi.
Ross Haleliuk:I am Ross Haleliuk.
Mahendra Ramsinghani:And I am Mahendra Ramsinghani. We have spent decades building, investing, and researching cybersecurity companies.
Sid Trivedi:On this podcast, we invite you to join us Inside the Network, where we bring the best founders, operators, and investors building the future of cyber.
Ross Haleliuk:We will talk about the hard parts of the founder journey, launching companies, getting to product market fit, raising capital, and scaling to an exit.
Mahendra Ramsinghani:And, yes, we will also be talking about epic failures.
Sid Trivedi:But, Mahendra, we're here to make the founder journey easier.
Mahendra Ramsinghani:That is correct, Sid. But we cannot make it too much easier because startups are hard. And, of course, you already knew that.
Ross Haleliuk:Alright. You too. And now let's get started with this week's episode.
Mahendra Ramsinghani:Our guest today is Christina Cacioppo, CEO and founder of Vanta, the first platform serving over 15,000 customers. Vanta has raised over $500,000,000 from investors like Sequoia, JPMorgan, Goldman Sachs, and CrowdStrike. Yet it started as a solution for an expensive, painful, and a long manual process, SOC two compliance. It would typically take over eighteen months and $100,000 for a company to achieve SOC two certification. Can you streamline and automate something like this?
Mahendra Ramsinghani:How did Christina go about building a product using spreadsheets from a complex process that had no precedent. But what makes this episode compelling is not just the product story, but the founder's journey. When Christina started Vanta, most of the VCs shrugged, this is your first startup. You do not have any relevant background. Is compliance even a market?
Mahendra Ramsinghani:Maybe the total market size is $10,000,000. Pops. That's million with an m. Christina did not wait for any VC validation. No website, no marketing, just word-of-mouth.
Mahendra Ramsinghani:She signed up hundreds of customers. She even got to cash flow breakeven on a $3,000,000 seed round. Let me repeat that. Cash flow breakeven on a $3,000,000 seed round. So naturally, when she met Sequoia, they promptly led her Series A round, a $50,000,000 Series A round on her terms and her timing.
Mahendra Ramsinghani:In this episode, Christina shares all about finding a secret, a market opportunity that no one knows, scaling in stealth, and raising from the best. This episode is a masterclass on how a first time founder built a company valued today over $4,000,000,000, especially when the VCs thought the entire market size, the TAM was $10,000,000. That's million with an m.
Sid Trivedi:Hey, Christina. Welcome to Inside the Network.
Christina Cacioppo:Thank you so much for having me.
Sid Trivedi:So we wanna talk about a whole bunch of things, and we'll get to Vanta. But before we get to Vanta, we'd love to talk a little bit about entrepreneurship and your path to the cyber community. You grew up in the Midwest with academic parents, and we heard that you even ran a Beanie Baby reselling business at 11 years old. Unprofessional. Well, it's it's and then after that, you went to Stanford.
Sid Trivedi:You didn't initially think of yourself as a technical founder. What was the the piece that got you excited to be an entrepreneur, and how did you overcome that self doubt to focus on entrepreneurship?
Christina Cacioppo:Yeah. I think a couple of things. I studied economics as an undergrad. I loved it. I thought I wanted to be a microeconomics professor.
Christina Cacioppo:Realized there were other things to do. And then through a chain of just really lucky events, my first job was at an early stage venture firm in New York City, Union Square Ventures, where my job was basically, like, meet with, I don't know, 10 to 20 founders a week every week for two years. And I think through that, I saw a lot of different founders and different ways someone could be a founder and a lot of different, you know, definitions of strong founder say. And I think there was a big unlock in that for me because I think I went in and I wouldn't have said this out loud, it sounds dumb when you say it, but my model of, like, a Silicon Valley founder was someone who grew up, taught themselves to program at age five, and has been, like, doing it ever since and also has the ability to, like, sit down and, like, imagine the future and then build a piece of software that a billion people use. It sounds it sounds very silly when you say it that way, but I think that was, like, kind of the implicit, like, model.
Christina Cacioppo:You're gonna read about Jobs and Ellison and Zuckerberg and Larry and Sergey. And, like, their stories do kind of rhyme with that, the stylized stories at least. Anyway and so the two years at USV were really helpful because I just saw like, I saw I met people who kind of fit that archetype and character, and I met a lot of really successful people who didn't. And so I think there was just, an unlock there. I think the the thing that was still kinda locked or I had a chip on my shoulder was it still seemed like both the most successful software companies were started by people who could build software.
Christina Cacioppo:And for me, I felt, I don't know, unprepared to run a software company if I didn't understand how to build software. And so I took kinda two years, lived off my bonus, and taught myself to code. Didn't build anything anyone's ever heard of, but it was just kind of that last piece for me.
Sid Trivedi:And I'm curious, how was it like being at Stanford at the time that you were there? I mean, Facebook had just been created. I'm sure it was one of the the the places where it was really being utilized. I'm sure that had an impact. You talked about Zuckerberg.
Sid Trivedi:It probably had an impact in your thinking of what is a founder.
Christina Cacioppo:Yeah. That is very true. I mean, it's funny because I was there in, like, the late oughts, call it, mid to late oughts. And that era, Sand Hill Road still didn't really fund software. And you go back to, like, the, you know, the 02/1945, like, Accel round that Facebook did.
Christina Cacioppo:You know, it's just incredible, like, you know, round for the record books, but actually wasn't that obvious. And a lot of what Sand Hill Road was funding was cleantech. This is like the John Doerr cleantech era. And so even the the Stanford and so even the, like, entrepreneurial thought leader seminar, the speaker series that were like, somebody come to campus once a week and get the talk. Somebody kind of bold faced tech name.
Christina Cacioppo:There were a lot of clean tech people. They weren't really software people, and they definitely weren't consumer software people. So it was like that thread. And then but then there was also, like, Facebook was down University Ave in Palo Alto. You know?
Christina Cacioppo:Someone knew somebody who was dating such and such cofounder. You know? Like, they were just in the milieu because they were 22 in Palo Alto and you know? And so it's kind of both of those, but I think it's funny. I do remember talking to my, like, social psychologist father about Facebook and telling him about it and, like, how compelling it was and how I thought Savvy, their product designer slash they were about making it compelling.
Christina Cacioppo:So it's very silly, but the pre news feed, the homepage used to just be a list of your friends alphabetized. And then there was like a and you need kind of log in and then you gotta click on people and, you know, see if they updated their profiles. And then they start they've changed that order to people organized by last profile updated, and everyone logged on 40,000,000 times more often. And, I mean, it was just, like, product decisions like that kind of watching and being like, oh, these people are good at what they do. You know?
Christina Cacioppo:This is impressive.
Ross Haleliuk:Christina, you went through the YC in early days of Vanta. And today, I would say you're one of the very few YC companies in cybersecurity that scaled into a true category defining business. As you look back, what role did YC actually play in in Vanta's success? Was it about the real value, distribution given that you were selling to startups and obviously YC had had a large pool of startups, or was it more about the forcing focus, speed, and clarity early on?
Christina Cacioppo:It was both. I do think YC startups are kinder to one another when everyone is small than they, you know, quote unquote, should be by some, like, rational model. And by kinder, just mean, like, you email another YC founder and, I don't know, ask for advice or an intro or get on a call. And, like, the hit rate's surprisingly good. And there's kind of, like, a bit of a pay it forward culture or pay it backward culture maybe.
Christina Cacioppo:Or we're in the early days when you're starting to build something. I just kind of think honest feedback from actual customers. It's like oxygen. And, you know, you're kinda building a plant to call it. And, like, if your plant gets oxygen, it will grow.
Christina Cacioppo:And if it doesn't, it will die. And it is, like, kind of as simple as that. And so having a Rolodex, basically, of YC people you could email and be like, hi. You did YC five years ago. I'm in it now.
Christina Cacioppo:You know, here, I'm working on x y z. Can I talk to you or someone on your team? And it's not that the hit rate's a 100%, but that hit rate, I don't know. For me, it's probably like a third. Like, it was high.
Christina Cacioppo:It was so much higher. Anyway, and so that is, like, very real. And I think the community benefit of YC to me is that or primarily that. I think the other side is YC. It's just you know, I think the the at least when I went through it, the core structure of the program I mean, it was more than this, but it also wasn't.
Christina Cacioppo:It was like, you come in week one or two, you pick a metric. Also, if you're building b to b software, it should probably be ARR. If you're building consumer software, it should probably be, like, daily active users or weekly active users. You pick a metric. You pick a goal for yourself for ten weeks from now on demo day, and then everything you do is driving that metric to the goal by demo day. And you have to stand up every week and be like, told you, you know, my goal is x, and I was supposed to do y this week, and I did or didn't do it. And I have to tell you that, and I'm gonna do z next week.
Christina Cacioppo:And you just have to say that in front of, like, 20 people every week, and it is shocking how much behavior that drives.
Mahendra Ramsinghani:So, Christina, you did not come from a deep security background. And sometimes that can be a huge advantage. Sometimes that can be a disadvantage. Talk to us about what was going on inside your head as you were starting this journey, and how did you see the world of SOC two audits at that point?
Christina Cacioppo:Yeah. I think it was it was both the advantage and disadvantage, and I don't know where that scale balance is in absolute. But I think on the advantage side, part of what we're able to do with compliance and GRC and, you know, continuous control monitoring and sort of the the GRC words for it, but it would say, hey. A compliance audit like a SOC two should be a demonstration of the security practices you have. And so step one is implement good security practices, and we can talk about what that means, but, like, do that.
Christina Cacioppo:And then because this is a system like any other technical system that you're monitoring and logging, you should just kind of have logs and exhaust and data from that process that you can show to an auditor. That's kind of, like, how the system should work, quote unquote, from first principles. Or if you take, like, a engineer engineer mind, like, infra engineer or platform engineer mindset to it. And I think and that is, like, not how the system worked at all. But I think the the kind of fortunate part was be like, well, I can, like, look at this from a very different point of view.
Christina Cacioppo:I think the on the disadvantaged side, I think there's a lot of domain knowledge. There's a lot of credibility. There's a lot of I don't know. Like, any domain expertise group, there's a bit of, like, you gotta be able to hang with the domain experts. And if you can't, like, you you know, like, what do you what do you sort of expect?
Christina Cacioppo:And I think cyber has has some of that. Not good or bad. Just exists. I also think, actually, something I learned afterward was a lot of go to market now for early cyber tools is, again, very in network, very find the lighthouse or the thought leader CISOs, work with them, get them on board, kind of get them truly happy customers, and then use that case study elsewhere. And we just didn't we didn't play that playbook at all and, like, should've.
Christina Cacioppo:Because people I mean, kind of accept how kind of everybody else did it. And so we were different, but, like, not in a good way in that sense. And I just kinda didn't know enough to know that.
Mahendra Ramsinghani:I know despite, not knowing enough, I think it's remarkable what Vanta has achieved. There is a story about you struggling with SOC two audit when you were a product manager at Dropbox. Can you go back in time and relive that pain with us for a little bit?
Christina Cacioppo:Yeah. For sure. It was this was, like, Dropbox kinda 2014, 2015, 2016, so, like, the height of its Silicon Power Valley, like, power and prowess. I was a product manager working on what at the time, was a new product. It was called Dropbox Paper.
Christina Cacioppo:It's like a real time collaborative editor. So it's, like, sort of like a Google Docs for a Notion, but, like, very integrated into Dropbox. And we the tech had actually come through an acquisition. So we were, like, separate code base, separate deploy, separate kind of everything from file sync and share Dropbox, which was great for us, we thought, because we could move much faster. We could have our own software development life cycle, like our own, you know, build merge queues, whatever.
Christina Cacioppo:Pick your favorite. Like, we could just kinda move. And it was great until it wasn't in that, we had built this product. Basically, everyone at Dropbox used it every day. Like, it just became the default text editor or, like, document editor, but we did not have very many external customers.
Christina Cacioppo:And so I think inside, there's a bit of like, oh, this is so great. We love this product. And, of course, it'll be the best thing ever, and everyone will love it. But we can't figure out how to get it to the rest of people who, you know, don't don't work at this company. And so one of the things we started doing was just kinda giving it away, working with account managers, and just giving it away to some of the startups that use Dropbox for file sync.
Christina Cacioppo:And I was great at my job, and this was such a smart idea. And so would get a you know, I felt like I was great. Like, I'm basically ready to be promoted to chief product officer over here with my decision making. And, that was not the case. Started doing that.
Christina Cacioppo:The legal team finds out, comes over very politely but sternly, and they're sort of just like, what are you doing? And I'm like, being excellent at my job. You know? Getting you And they're like, no. You are avoiding all of our contracts and, like, opening up with all this liability.
Christina Cacioppo:And, don't you know what's in these Like, no. And they're like, well, you know, you're are you SOC two pen tested vulnerability monitor? You're meeting SLAs. Like, are you and I was like, but can you slow down on those words so I can, like, write them down and Google them? You know, like, what what are the words you're saying?
Christina Cacioppo:Anyway and so that was my first introduction to this. And what I learned I mean, it's, like, again, lawyers were, again, more reasonable than I was being to be very clear. Like, the the point was Dropbox had signed contracts with these companies and made commitments security, around privacy, around audits and auditability that applied to Dropbox products of which we were one. And so if we wanted to work with these customers, we had to uphold these commitments. And so then then it was like, oh, great.
Christina Cacioppo:Well, what would that take? What does it take to be pen tested twice a year with, you know, remediation done in two weeks? And what does it take to go through a SOC two audit with all five TSCs at the Dropbox standard? And, you know, just like, what does it take? And, you the answer was about a year and a half of engineering time for our team.
Christina Cacioppo:And so then the decision was like, okay. Do we kind of pause all product development for a year and a half and go do all these things such that we can then get customers? Or should we just go try to find customers some other way, people that don't have Dropbox contracts? Because we don't think we have product market like, we think we need to iterate more. We took path b.
Christina Cacioppo:I don't know if that was the right decision or, like, the the score, you know, score doesn't look great on that decision. I you know, option one may have been better. But that was sort of my first first introduction, and it was, you know, like, this all logically makes sense. And, man, we're at the, again, kind of the height of Silicon Valley and Dropbox and its power, and it's still 10 engineers in a year and a half. That feels crazy.
Sid Trivedi:I wanna talk a little bit about the founding of Vanta. So you go through this experience being at this amazing company, Dropbox, at, you know, certainly at its early stage of of massive growth. And then post that, you leave and join YC. How did you decide to focus on this problem you had had at at Dropbox? We'd heard, by the way, that you were thinking about a bunch of other ideas.
Sid Trivedi:One of the ideas that we heard about was building a voice assistant for biologists. Like, how did you go from that to working on SOC two, which is, you know, a specific type of compliance requirement created by a bunch of accountants? It's not a very obvious area to focus on.
Christina Cacioppo:Yeah. There was definitely about a year of confusion and looking deeply unemployed in there. So I think okay. There was, like, a lot of desire of, like, let's start a startup. What to sort of do?
Christina Cacioppo:I don't know. We'll figure it out. Hence, year. I think in that, there there was there was definitely some just silly or, like, very silly stuff. Like, the broad framework was pick things either you think you okay.
Christina Cacioppo:Pick things that either were, like, the technology is changing, and so you might have an advantage there. Stuff you just really care about because you'll do it better and, like, you kinda wanna learn anyway. Or if it doesn't work, you're you're gonna you're gonna feel bad, but you're gonna feel as good as you can in that scenario or places where you have an advantage. And so in that, it was like in the technology changing, and this was 2017. So I actually spent some time on, like, ML models and sounds like AI now, but really ML stuff.
Christina Cacioppo:Voice was something that was new. Like, Alexa was starting to gain steam, and so there was a vein of, can you build a microphone that dumps meetings into Slack, like, transcribe to meetings and put some in Slack? So, like, granola esque, although granola is much better than what we were prototyping and thinking about. But, like, something there, there was this call like, Alexa works really well for cooking in the kitchen. What jobs look like cooking biology work and, like, wet labs kind of look like cooking in some ways.
Christina Cacioppo:Can you build something there? I mean, no was sort of the answer, but, like, that is one of those things where you're like, you could sort of logic chain it out and every chain every piece of logic made sense, but the results were like, why are we building an Alexa for biologists? This makes no sense. And then the just interest was security. And so that was something where it's like, again, I want I want the startup to work.
Christina Cacioppo:But if I spend, I don't know, three years learning about Internet security, like, I actually I get I'll feel bad, but, like, I would like I would be as okay as I can be with that. I think it's important. I think it's interesting. I think it's complicated, and then it's fully moving. You know, it just, has all these contours.
Christina Cacioppo:Anyway and so it was just kind of exploring that and learning about why startups do and don't implement security practices, which I'd mostly say they want to, it is often tough to prioritize. Because when you're looking for product market fit, you're looking for the feature you're gonna do the things your customers are asking you for. Customers don't often ask you for security. They do actually ask you for compliance, though. And so we kinda got to, like, well, if you wanna start a security company that changes the behavior of startups, you should actually start a compliance company.
Christina Cacioppo:And Vanta kinda came out of that.
Sid Trivedi:And did you how did you think about cofounders in that whole kinda company building process? Talk a little bit to us about that whole experience.
Christina Cacioppo:Yeah. So started the company with one other person who's around through all of that, someone I knew socially, and then we both worked at Dropbox, so they're not together. I think especially in those early days, it's really helpful to have someone to bounce ideas off of to also just kind of be in the boat because from the outside or I think it sounds like a very cool time. And in some ways, is. Cool time as in, like, the world's your oyster.
Christina Cacioppo:You can work on whatever you want. You've, like no one's you know, you can, like, literally go learn whatever you want and do whatever you want. And then the day to day reality is you're kinda just sitting in a room thinking of ideas, googling them, realizing five people have started that company and being like, shoot. What do I do next? And, like, trying to email people and be like, well, you talked to me about security, and they're like, maybe in five weeks, could I have an actual job?
Christina Cacioppo:You know? And so just, like, having someone else in that period is really helpful.
Ross Haleliuk:Christina, in a classic YC, doing things that don't scale fashion, your team's v one product wasn't even a software. Right? It was just a color coded spreadsheet. I you've heard stories that you've even spent some time at Segment's office for weeks with a spreadsheet of everything that they needed for SOC two and and as you were working with them to actually help them get on that journey. How did those scrappy manual, consultations and how did that rapid iteration early on help you nail the product market fit quickly?
Christina Cacioppo:Yeah. So the theory of that is, like, my cofounder and I could both code, and we were coding some stuff. But, really, the theory was, like, it's so much easier to change a spreadsheet than a database model. And we have this vague idea of, like, okay. We wanna automate a SOC two.
Christina Cacioppo:But, like, what does that look like? What does it feel like? How do you actually do that? And it was just easier to prototype within a spreadsheet than, again, in a database model or with a bunch of TypeScript. And so there were like, there was some coding that was going on in the background, and it was, you know, sort of, like, trying to test, like, what data can we pull out of different tools a company is using?
Christina Cacioppo:Can we use that data to, like, verify their security controls in place? And there was, like, some of that almost, like, I don't know, engineering derisking going on. But for everything customer facing as a spreadsheet because, again, it was just so much be like, oh, you want this, not that? Okay. Cool.
Christina Cacioppo:I will, like, add and delete a row again, and it was just so much easier to iterate there. And then when we got to, like, oh, you really like this spreadsheet that, like, yes, I filled in manually. Great. Like, now how do I get software to, like, generate at least the same data that's in the spreadsheet? But it sort of let us crystallize on, like, what that end state is much faster.
Ross Haleliuk:So as somebody who probably hasn't done tens of the SOC two compliance reports before you started Vanta, what was the actual story of you going through those spreadsheet? Like, how did it look? Did you just end up googling every single day, hey. What is this control and how to satisfy it? Like, talk to us about the messiness of these early days.
Christina Cacioppo:Kind of. I mean, what we actually did was grabbed found every SOC two we could get our hands on. So we didn't buy much software at the time, but, like, Google Workspace, AWS, and Slack had our friends email us whatever PDFs they could, which was somewhat breaking NDAs. But, like, basically, it was, like, can we get, you know, SOC two reports from, like, every company we can? And so I think we got, like, 10 or 11 of them.
Christina Cacioppo:And they're just PDFs, and you're like, open a mic up. And you're like, okay. And SOC two is broken down into the into subsections. And so you're like, okay. Subsection, you know, 1.1.
Christina Cacioppo:What does Adobe do, Slack, Salesforce, Google Workspace, AWS? Okay. Like, what is common across all of these? What is different? Like, how do you kind of abstract what subsection 1.1 is trying to do?
Christina Cacioppo:Okay. Write that down. Okay. 1.2. Go look across 11.
Christina Cacioppo:And it was just kind of it was that exercise, basically. And then we and then you kind of get that list and then you're do they I mean, you wanna validate it with customers, like, you know, a CSO, a CTO at a startup being like, hey. Here's a list of things we think you need to do for a SOC two. How do you feel about it? And then also tried to verify it with, like, auditors or consultants.
Christina Cacioppo:Right? So it's like, okay. Does this look like in their language, is this the control set that you would expect for a baseline for SOC two? Like, is this the list of stuff you would expect to be on there and be verified? I'm kind of iterating on those.
Christina Cacioppo:But, again, just so much easier to do in a spreadsheet.
Mahendra Ramsinghani:It's quite fascinating to hear your journey, Christina, going from a coder to now being a product manager. The next phase of Vanta's journey was quite interesting where you end up with several 100 customers with no marketing, not even a website. Was that by design kind of a stealth play? Or talk to us about what was going on behind the scenes there.
Christina Cacioppo:Yeah. It was. So we were the first to kind of take this automated approach to early GRC or early stage, you know, company GRC. And we were pretty convinced it would not just work, it would open up the market because a lot more companies would go through like, the reason companies didn't get SOC twos in 2015 wasn't because they didn't want to. It was because it spent a year and a half of engineering time and a $100,000, and that was a tough trade off.
Christina Cacioppo:And so we're like, look. If we can make it spend sixty days of engineering time and $20,000, We just believe there would be more demand. I think at the time to outsiders, it seemed like a really silly idea because it was like, we're gonna spend a bunch of time and effort to automate processes in a basically $10,000,000 global market. And so, know, think of that as a VC and you're like, well, that's good luck over there. Like, let me know when you want a job, you know, sort of a thing.
Christina Cacioppo:And we kind of felt like we've figured out a Silicon Valley secret. Like, we knew something people didn't. But as soon as they realized this is a good market, they were gonna start competing with us. And so it was like, great. Think we're idiots over here.
Christina Cacioppo:Like, that's fine. And we had the word-of-mouth that would, like, create customers and would, like, tell us. And so it's like, okay. We will you know, we'll do a launch when word-of-mouth stops delivering us customers, but word-of-mouth continued to deliver us customers. And then it was like, oh, well, this is working and it's working way better than kind of people on the outside expected.
Christina Cacioppo:And so let's let them think we're confused for as long as possible so we get to run and get ahead of everybody else as much as possible.
Sid Trivedi:I'm curious, Christina, as we kind of go from the initial stages of Vanta to talking a little bit Vanta's growth over a period of time, give us a sense for kind of why you chose not to go and raise multiple rounds of funding early on. You you had a very unique strategy. You kind of started the company within YC. You raised a little bit of angel money from a few individuals and from Pear, I believe, as well. And then, you know, you kind of built the business for three years, cash flow breakeven, and you scaled it over time.
Sid Trivedi:And then your first true round was that 50,000,000 Series A that I believe Sequoia did. How did you make that decision to kind of wait for these multiple years and run a business in a very different way to the rest of the world? I mean, this was a period of time when we are talking about blitzscaling and, you know, everyone was raising large rounds over multiple years. And certainly, that's very different to today where we are seeing very, very large seed rounds in security. Yep.
Sid Trivedi:So I'm curious to get your take on what did you do then and just what's your thoughts of the the the broader landscape and what's happened?
Christina Cacioppo:Yeah. So a couple things. So I think it was two pieces. One was trying to think through, like, what is the constraint to growth? And in those days, it was not money in our bank account.
Christina Cacioppo:It was we needed to hire someone in, like, this role, but we're actually really bad at figuring out what the roles and hiring them. So we were kind of in our own way. Like, we actually should have hired more engineers than we did. We just weren't very good at engineering recruiting for a while. But there were kind of a bunch of things like that where you're like, the binding constraint isn't money.
Christina Cacioppo:And two things. One, I could go take one to four weeks away from the company and raise money, and then we'd have more money in our bank account, but all the problems would still be the problems. Plus more probably in the, like, one to four weeks away. The second bit was, like, also, we could have more money in the bank account. We could all own, I don't ten, twenty, 30% less of the company.
Christina Cacioppo:But, again, like, that doesn't feel like the binding constraint. And so the the theory was, like, okay. We'll raise when money is a binding constraint. And we eventually got there, but it kind of let us I think it let us develop our own sense of, like, this is a good business, and it's a good business because we know it's a good business rather than I think what can inadvertently happen. Like, no one wants this, but it's, like, the kind of feeling of, no.
Christina Cacioppo:This is a good business because Sequoia, because Benchmark, because Accel said it was a good business. And sort of, like, outsourcing, not just the thinking, but the the almost, like, are we doing a good job? Which I it's tough, you know, because if you, like, give somebody else control over that, then, like, you're at their whims whether or not they even know they have that control. And so I think there was something kind of important culturally in the early days of, like, why is this working? It's working because we know it's working.
Christina Cacioppo:Wonderful that Sequoia likes us too. Like, that is great and important, but that is second like, they like us because it's good because we know it's good.
Sid Trivedi:Now the one other advantage was that by the time you went and raised that round, I mean, it was very clear that there was product market fit. I think that question wasn't a problem for VCs. And because you had been a VC before, you likely knew most of the different players. How did you decide to pick Sequoia? What was the reasoning?
Sid Trivedi:I'm sure you had enough options on that first round. What was the decisioning behind going with Sequoia?
Christina Cacioppo:Yeah. It's funny. I, I had this whole framework and actually, don't think I have the spreads, but a spreadsheet. And you're like, okay. There's these two or three attributes, and I'm gonna go meet with folks and, you know, think through them on the two or three attributes.
Christina Cacioppo:And, like, I wanna give myself time to do that and whatever. The whole thing did the whole thing. Sequoia wasn't even on the spreadsheet because, one, like, I didn't actually know them very well. And the early conversations I'd had with them were kind of in the, like, have fun automating a $10,000,000 a year business. Like, let us know if you, you know, change what you're doing or, like, want a job.
Christina Cacioppo:And, like, I don't mean to be mean to them. Like, that is in fact what it looked like weird. Like, 90% of people we talked to had that reaction. So that is, like, not just them. Like, that was a very reasonable reaction.
Christina Cacioppo:And then a friend basically said, you know, hey. You can yeah. You should do this, but, like, you're kind of an idiot if you don't put Sequoia as a row on your sheet. And so just put them on a row, see where they fall out. And so, you know, it's funny.
Christina Cacioppo:The other rows had, like, thought about and spent time with in two or three months. And Andrew from Sequoia, I met and basically decided to go with over the course of ten days, but in a way that was just, like, totally on it. It's worked very well. And so it's one of those times when, yeah, you make the framework, you do all the homework, and then you kind of rip it up at the end of the day.
Sid Trivedi:And was there a is there advice that you can give founders on how you make that decision? I mean, you described this spreadsheet. There are probably a a few different columns on that spreadsheet that you are grading VCs on, and you have the advantage of being both a founder and a VC. Give feedback to a few of our listeners who are predominantly founders in cyber. Like, how should they be grading that decision?
Christina Cacioppo:Yeah. I think what do I think? I think investors are investors, not operators. But I which is, like, no kidding. But, like, I mean that deeply and truly.
Christina Cacioppo:You know your business way better than they do, and you always will. And so I do think you want or at least for me in that, I wanted someone who saw themselves as an investor. That's Andrew actually very I mean, there's lots of people this. But, they, you know, like, they are so good at investing, but that is not operating a large organization or a business or, like, building a product in many ways. So I kinda wanted someone who's clear eyed about that.
Christina Cacioppo:I wanted someone who had a number of successes underneath them, not just so they seemed like they were good, but actually really so they were more confident. And so because I think early in one's venture career, you really wanna win or you really want your first couple wins. Again, totally reasonable and rational, and people try to deal with it, I'm sure, in the best ways they can. But that can end up pressuring a founder. Right?
Christina Cacioppo:Because you're you're like, oh, are you the one that's gonna make this person's career? And you kinda don't wanna be the company that someone is betting their career on in some ways. You kinda want them to have, like, have a couple of other of those. And so whether I mean, you obviously want your company to work, but whether or not your company works is not existential for your investor. Because I think that drives a bunch of behavior on their side that then can come back on you.
Christina Cacioppo:So, again, as much as possible for me, if somebody saw them as an investor who had a couple wins already, Again, hungry, motivated, all that, but just like Vanta's success or failure was not going to be, like, their entire self image. What else? I don't know. Having worked at a venture firm that I think is was excellent and did not offer a lot of, quote, unquote, services to the portfolio companies when I was there, I've always kind of been skeptical of those. There's parts of it that are very helpful, but I think, one, it's just tough to sustain at scale.
Christina Cacioppo:And I think the sales and post sales distinction that exists, like, VCs have it. Like, when they're trying to win an investment, they will talk about their recruiting support and the council of experts and the buyer's council and this, and the other. And then when you're one of 200 companies trying to get those things, like, it'd be different. And, again, it's not malice or anything. It's just sales and post sales are different motions.
Christina Cacioppo:And VCs have that too. And so for me, I didn't really weight that stuff. I mean, Sequoia had some of it at the time. They have slightly less now. Actually, user recruiting stuff, it's great.
Christina Cacioppo:You know? Like, I don't people that work super hard and are really good at what they do. I just to me, that was sort of like a tertiary variable because it also seemed like regardless of being like, do I really wanna, like, rely on this entirely? No. It's like, even if I did rely on it entirely and it worked, it means, like, my company wouldn't be able to stand without that, and that seems bad too.
Mahendra Ramsinghani:So, Christina, did, this come up during your pitching with Sequoia that, you don't have security background? You don't have compliance background. What was their reaction to your background in particular?
Christina Cacioppo:No. I mean, it quite possibly should have. I think I got, you know, lucky in that the investor I was speaking to also didn't have a cyber background, doesn't consider himself a cyber person, and is just like a smart motivated person who learns new things and is curious. And that's sort of how I see myself. And so it worked very well because we kind of saw, I think, parts of that in one another.
Christina Cacioppo:I think there were definitely cyber stuff we both missed for sure, though. Again, pros and cons.
Ross Haleliuk:After Vanta started, it didn't take all that long for this $10,000,000 market to explode and the strong competitors like Drata and Secureframe entering the space. How did that shift for you from being alone in this market that people didn't believe existed to just jumping into this incredibly crowded space? And how did all of that change your thought process about differentiation? What did you decide to deliberately double down on at Vanta? And what were some of the things that you decided to consciously not compete on?
Christina Cacioppo:Yeah. I had a lot of feelings and emotions on that stuff. I think in the early days okay. We always knew competition would come. Again, good idea.
Christina Cacioppo:Someone's gonna copy it. I think the copying was more aggressive and shameless. Some and I don't mean shameless in a moral sense. I just mean, like, no shame. Like, fact like, just, you know, like, copying that I would not be okay with, but, like, I might be wrong here.
Christina Cacioppo:That just came faster and harder than expected. I think there's an initial bit of, like, hurt, anger, like, hey. Where's the ref? Who's gonna call the foul here? And, like, there aren't refs in capitalism.
Christina Cacioppo:No one, you know, no one's gonna call the foul. And I think there is, like, a little bit of a period of reckoning with that. And then I and I think a bit of too of, like, well, you know, we started this. And, like, I mean this, like, politely, but, like, customers don't care. You know?
Christina Cacioppo:And they shouldn't. Like, again, capitalism. Like, you care about the thing that is the best for you right now and you believe will be the best in the future. And maybe that was the thing that started it, and maybe it wasn't. And, like, no one remembers Betamax.
Christina Cacioppo:And I think, like, that kind of, like, there's a reckoning around that. And then from out of that, you're like, a couple things. One is like, okay. Well, what matters is what we ship lately, and so how are we shipping quickly and often and iterating with customers so that we get to the right thing fastest. And, like, build a machine that does that, also does that at speed and scale such that even if it's someone that's gonna read our release notes and copy everything immediately, which definitely happened, it's like, we're just gonna outrun you.
Christina Cacioppo:And so you can do that, but we're gonna pile the release notes on you and, like, good luck catching up. So there's some of that. There was also a shift in kind of external comms because I think in the trying to be quiet, both strategically and it's more my personality, like, would worldview almost, I'd like much rather. It's just like, no. Heads down.
Christina Cacioppo:Go good. Do good work. You don't really have to talk about your good work. Customers will know. People know it'll filter out.
Christina Cacioppo:Yes and no. You know, we had one competitor who's hyper aggressive who at times went around and said they created the space. But even if they didn't, it was like, yeah. Well, Vanta created it, but they suck. They haven't shipped anything in a while.
Christina Cacioppo:Like, we're killing them. They're about to be dead. And none of that was ever true, like, you know, ever. They were never larger than us, but that wasn't or even close to it. But that wasn't the narrative from the outside.
Christina Cacioppo:And I think I my responsibility in that was I was quiet. So I let somebody else tell Vanta's story. I didn't like what they were saying, but, like, had to learn that and be like, okay. Well, now I gotta go tell Vanta's story because if I don't, again, someone I someone's gonna tell a story that I deeply disagree with. It's on me letting them give that opening that space for them to do that.
Mahendra Ramsinghani:Hey, Christina. I have a funny anecdote here that I wanna share. I think this was right after your maybe six months after your Sequoia round, you had probably spoken at some conference, and some of the investors who were in the room had heard you speak. And I was having coffee with this one investor who shall be unnamed and said, oh, so Mahendra, you invest in cybersecurity companies. Have you heard about Vanta?
Mahendra Ramsinghani:I said, yes. I've heard about Vanta. Who has not? And I said, do you think about the company? I said, like, I don't have an opinion yet.
Mahendra Ramsinghani:I had not studied the space. So I said, don't have an opinion yet, but clearly, if Sequoia is writing a $50,000,000 check, there is something to be said. So this person said, you know, we would have loved to invest in this company, but, you know, the CEO does not have the security background and so on. And so I hope that they're listening to this episode today and they realize what a marvelous job that you've done in continuing to build the company despite those perceptions and biases that exist. As you look at scaling, Vanta, you started with SMB customers.
Mahendra Ramsinghani:You know, small and medium sized have a certain, you know, let's call it ACV. There is a certain market motion that goes into them. You know, we've had, in the past, Duo Security and Cloudflare, who both are a classic company that started going with that motion. And then, of course, sooner or later, there's pressure to go upstream. Talk to us about your philosophy and challenges and advantages of going upstream.
Christina Cacioppo:Yeah. So when we think about kind of we do think about and talk about moving up market at Vanta a lot. When I think about it, it's like an expansion of what we serve. So we continue to always serve startups in the smallest early stage companies, and then we just, like, build more and more capability for more mature companies and teams and security programs on top of it. So that's the theory and the goal and hopefully the practice.
Christina Cacioppo:It's hard because it means you are building both for a five person company and they call it 500, 5,000, someday 50,000 person company and doing both at once. And that is hard, and there's trade offs. Because, again, in the vein of what have you shipped for me lately, like, yes, lots of five person companies have used Vanta successfully for years. The product, quote unquote, works. But if if we stop shipping and iterating on that product, the next wave of five person companies won't use Vanta.
Christina Cacioppo:And so it's it's a lot of fronts. I think it is much easier. And with the other the other move you see companies do is they kind of say, okay. We started with five person companies, but now if someone comes with us and really wants to buy, we'll sell it to them. But, like, really, all of our effort and focus and energy is gonna be on, I don't know, 500 to 5,000 person companies.
Christina Cacioppo:And, you know, again, well, we're gonna stop development for anyone under 500, basically, and we're gonna get some churn, and we're gonna increase or, like, decrease win rates, but, like, in conversion rates, but that's fine. And that's a painful decision in different ways. It's not the one we've made. What we've done and tried to do, one, is trying to be more rigorous about, like, what are our investments at different customer segments? This is often tied to headcount, but it's really tied to the maturity of security team.
Christina Cacioppo:But, like, how do we think about that portfolio mix of investments? And, you know, there's tough trade offs there all the time. And, also, then how are we building product, whether it's UI or workflow or agents that are just easy to use and bring a, like, prosumer level of Figma level, I don't know, user experience. Because I mean, one, it's kind of an annoying statement, but one thing we do say is they are like, look. Figma doesn't have a different product for a five person design team and a 500 person design team.
Christina Cacioppo:They all use Figma. And, again, Vanta isn't Figma in lots of ways, but, like, there is, I think, a kernel of truth to that. And so it just pushes on being really rigorous about, like, who you're designing for and when and how you think about prioritization and and all of that. But we try to do a lot at once.
Sid Trivedi:In the last few minutes of this conversation, we wanna kind of shift and talk a little bit about leadership culture and the vision going forward at Vanta. On the topic of leadership and, you know, culture, you've talked about hiring and hiring slowly in the early days and deliberately to find folks who fit a very specific culture at Vanta. I'd love for you to talk a little bit about the DNA that you were trying to build in those early days, and then the company has obviously scaled over that period of time from tens of employees to hundreds to now thousands, and it's a very different business. And I'm assuming you can't interview every single person who comes through Vanta. How do you kind of ensure that there are certain principles that you want to keep and then there are others that you have to shift away from just at scale?
Christina Cacioppo:Yeah. I think in the early days, we hired very slowly, it was deliberate. But I don't know it was deliberate in the right ways. I think we've our lives comp and our candidates and people who are trying to complicate it. So a couple things.
Christina Cacioppo:I do think we we had a set of we talked about a set of principles very early. We didn't interview on them just in that, like, the first well, certainly, like, the first engineering hires, it was all it was all workdays. It was come in for a day. We'll give you like, sit next to us and help build Vanta. We'll give you some tasks off our list, and we'll, like, pay you, you know, whatever, a $100 an hour or whatever kind of San Francisco contract salary was then.
Christina Cacioppo:And that was the interview because it was sort of like, we're two people sitting in a room. Like, what else are we gonna do? So that worked really well. And then I think when we got out of that, there was we had a list of things. It was probably in our address for pretty milquetoast.
Christina Cacioppo:It was, you know, prioritize customers and business impact and do the right thing and, you know, these kind of, like, motherhood and apple pie sort of platitudes that are both important, but I think aren't aren't that interesting. Don't force trade offs. Everyone wants to have them, you know, not that. And then our seventh or eighth hire was a former founder who was very strong and came in and it just didn't work. And it they worked hard, cared, smart, motivated, all the things.
Christina Cacioppo:Like, and, like, it was kinda like oil and water. And I think of the vein of mistakes in the early days, like, they tried to make it work. They tried to pull out. We tried to make it work. We tried to dive and save.
Christina Cacioppo:We tried, like, three or four things. Should've called it way earlier for everyone's sanity. But it was reflecting on that and being like, what was off there? Because, again, when I look at my, like, nice list of platitudes, everything is there. But, like, there's clearly some way about how we work and this person didn't work that I should articulate and tell people and screen them on so, like, we don't put anyone else in this position.
Christina Cacioppo:That's, not fair to them. Nothing else. Let alone, like, ineffective for us. Anyway so then, like, kind of the the list of principles sort of got a little bit more interesting and a little bit more fleshed out. And then we created an interview that, you know, everyone went through no matter what of trying to ascertain those things.
Christina Cacioppo:And that, I think, worked pretty well. I mean, not a 100% hit rate, but there was kind of a bit of, like you know? And it's not that we always followed it. Sometimes we'd be like, oh, for instance, like, feels weak on these two dimensions, so we saw strength here and, like, let's just go. And then it's funny.
Christina Cacioppo:It's, like, we ended up parting ways. It was usually because one of those two dimensions. So, like, there there did feel predictive power in it in terms of scaling it. Then it was just, like, codifying the question. Like, whatever I was doing in this, it was just, like, trying to write it down and train other people and have other people do.
Christina Cacioppo:And then you kind of figure out in that, like, who's really there were, like, people really excellent at it. And then, like, have them do a take on, like, writing down what are they doing. And, you know, some people are less excellent at it. You give them fewer interviews, but, like, just kind of iterating from there. And so to this day, everyone like, that interview still happens ever on Vanta.
Christina Cacioppo:I do it for everyone director plus, so I don't interview everyone, but did start redoing it director plus. And, again, it's not or the reason we call it principles is they're not moral right or wrongs. They're they're things that, like, it is very reasonable to disagree with or want or not want, but there are kind of things that end up mattering a lot at Vanta. And so it seems best to be upfront about them. So, again, person's clear eyed about how we wanna work.
Christina Cacioppo:We're clear eyed. We've told it to them. People can opt in or opt out. And, again, not a moral thing at all, like a a match thing.
Sid Trivedi:I'm curious. Any advice for founders on how to hire leaders? And by leaders, I mean, your first VP of sales, your first VP of marketing, your first VP of engineering, who isn't your cofounder. Like, what was the the learning? I'm sure there were lots of cases where things worked and they didn't work, and there are probably one or two things that you'd wanna highlight that are important.
Christina Cacioppo:So hard. I think one of the hardest things because you're gonna mess it up a bunch. And, unfortunately, you're practicing on real people, on real people's careers. And, like, you don't wanna mess it up when you're doing that, and you will. And that that's one of the toughest parts.
Christina Cacioppo:I don't know. So there's some, like, reckoning with that. And, like, you should work really hard not to mess it up, to be clear. And then even with that, you will still mess it up. I think what I found helpful?
Christina Cacioppo:These are now pretty established tips, but I do think, like, the calibration conversation. So, basically, being like, okay. I'm gonna hire VP of sales. I'm gonna go ask friends, VCs, mentors, whoever to go introduce me to a bunch of VPs of sales they think are good. I'm gonna shoot for 10 of these.
Christina Cacioppo:I'm going to spend thirty to sixty minutes with 10 different VPs of sales and talk to them about what the heck they do every day and why they do it and how they think about it. And at the end of that ten hours, like, I will probably have better opinion. Like, I like this person. I don't like this person for this reason or, like, this person or, like, this person totally great, not my not my jam, but, like, they're gonna go do them. I wanna do something over here and just get sharper on what you actually want.
Christina Cacioppo:So then you're able to articulate that to yourself, to a recruiter, to the candidates in a way that, again, lets smart people, like, opt in or opt out early. But, like, getting clear of yourself when I don't know. At least for me, like, hadn't not only I hadn't been those roles, I mostly hadn't worked with those roles. Like, you know, there's a bit of just, like, I don't even know. Or, like, I have a theory in my head of what a VP of sales is, but it's wrong.
Christina Cacioppo:Like, what is actually a VP of sales or VP of whatever.
Ross Haleliuk:Christina, I think we are all on this call super excited about the potential AI has to reinvent the way we do security for companies of virtually every size. And the compliance market and the compliance assurance, the trust assurance market is also affected quite a bit. We know that there are quite a few competitors and new entrants coming in to go after the market that Vanta, to a large degree, has created. Where do you see AI genuinely helping teams make better security decisions and then compliance decisions versus just automating noise or creating a ton of false positives and giving people that false sense of confidence? And sort of subsequently, how is Vanta positioning itself for the next five to ten years, particularly with the rise of AI in security?
Christina Cacioppo:Yeah. So we've shifted to calling ourselves an agentic trust platform. But, basically, I think the the germane parts of that is the is, like, if someone thinks they're gonna be Vanta, but with AI and they actually succeed, yeah, we did not do our jobs. Because, like, the Vanta with AI should be Vanta. And, again, I think I mostly ball in our court on that.
Christina Cacioppo:You're like, okay. Can we execute on that or not? You know? Again, nothing nothing is given or deserved. You know?
Christina Cacioppo:But I think that is the opportunity and the aspiration. I think within that, think about agents and AI first taking on tasks within roles. So there's some amount of like, oh, well, well, you have a GRC analyst. And I think that's a it's a tough way to reason about it and think about our security analyst or, you know, pick your you're like, what will the GRC analyst be doing today versus a year from now versus a year ago? And I think, like, AI and agents will shift that.
Christina Cacioppo:And so a couple specific examples. You know, one one tough thing about running a GRC program, especially in a larger organization with multiple business units or products or frameworks, is just keeping everything in sync. You know? The silly examples. This policy said the SLA is here, but our practice over here is you know, actually, thing that's implemented is, you know, another SLA that we're alerting on.
Christina Cacioppo:And our ISO 27001 ISMS says this, but, like, over in PCI, we have this other thing. And, like, so much of the job is that. And that is, I think, a great place for agents to really surface things for someone to then decide. You don't want this SLA, that SLA? Do I want, you know, this provision in the policy or that provision in the policy?
Christina Cacioppo:But, like, keeping all of that aligned and simplify. I think another example are, you know, vendor reviews. Like, lots of thoughts on third party risk, but often companies are not, you know, reviewing all their vendors for lots of reasons. It can feel like busy work. It's a lot of time.
Christina Cacioppo:What's actually ROI? If I don't like this vendor security posture, what, you know, decision making authority do I actually have? Right? Like, there's kind of a lot going on there. And I think if you believe in, like, an AI taking a first pass on a vendor review or a first pass on compliance documentation, policy documentation, security questionnaire answers, and flagging things, I think then the the kind of TPRM analyst job looks more like, okay.
Christina Cacioppo:I've got all these vendors, all these third parties. Like, there are a bunch of risks to the business in lots of ways. But, like, let me think about it holistically in this portfolio. Like, where do I wanna take that risk and where do I really wanna push? And I can kind of, like, think about that on almost like a portfolio manager level versus, like, someone wants to use random startup.ai, and I've gotta read their SOC 2 and put a thumbs up emoji on it and not my favorite part of my job.
Christina Cacioppo:Right? So I think there's just kind of places where the the jobs will change, but it's because some of the tasks get kind of taken by AI, and then it'll be replaced by this, like, higher level task. Does that all make sense?
Mahendra Ramsinghani:So, Christina, as we try to wrap up, one question that comes to my mind is you came as an outsider, a venture capitalist who became a founder and and quite a successful one at that. What has been the toughest part of this journey? And then on the flip side, what has been the most rewarding part for you along the way?
Christina Cacioppo:Yeah. I think the answer to both is the people side of things. I think on the toughest part, mean, I said about hiring execs, but it's true across the board. So much of, like, leading managing, I think is experiential. And one can read all the books.
Christina Cacioppo:I try to read all the books. Helpful or not. Like, you just kinda gotta do it and you gotta practice. And, unfortunately, you're practicing on real people. And you mess stuff up and it sucks.
Christina Cacioppo:It's the worst. And, yeah, I mean, when I think back of, like, things I wish I could go change, it's like they're basically all in that category. And all you can do is be like, I had to learn this lesson on you, and I am so sorry whether you know it or not. And I will try not to, like, repeat the mistake on anybody else. But, like, that that's hard.
Christina Cacioppo:I think on the positive side, though, you get to watch people do stuff that they didn't think they could do, and that is the coolest thing. I mean, lots of examples of that. You know, people joined early, people who joined late, who are just over a, like, longer arc in a short like, you gave me this project, I thought you were crazy in a bad way. And then I pulled it off, and it's kinda awesome. And you're like, it is kinda awesome.
Christina Cacioppo:And so it's it's kind of both sides of that coin.
Mahendra Ramsinghani:Christina, we wanna thank you for your time today. It's such an inspiring story. And I think one of the few founders who's very authentic with how they see the world, how they feel, how they conduct themselves. So thank you for taking time to inspire the next generation of founders. Also, for the record, I think you're the first founder on our podcast who's actually found a secret, guarded it well, and then once you exposed it, it sort of became everyone else's.
Mahendra Ramsinghani:So we certainly wish you success in continuing to build Vanta as you progress.
Christina Cacioppo:Thank you so much. You're so kind. Had a great time.
Sid Trivedi:Thank you for joining us Inside the Network.
Ross Haleliuk:If you like this episode, please leave us a review and share it with others.
Mahendra Ramsinghani:If you really, really liked it and you have some feedback for us, wrap it on a bottle of Yamazaki and send it to me first.
Sid Trivedi:No. Don't do that. Mahendra gets too many gifts already. Please reach out by email or LinkedIn.
