Certified SaaS

Now, ladies and gentlemen, if you are in SaaS then you will have heard of the fact that you may have to be regulated if you are dealing with regulated industries. Regulated industries obviously would include things like the finance industry or health care, for instance, so in order to play in that space you'll have to get some kind of certification. An example might be having to have a SOC 2 certification; then there's GDPR, for instance, in the EU, ISO 27001 and HIPAA, and many other kinds of regulations and certifications. So in this session we'll be talking to Christina Cacioppo from Vanta, who helps startups gain these certifications, and Job van der Voort from Remote, which, due to its global nature, needs to comply with a lot of local rules. So to moderate this session, please welcome to the stage a fantastic reporter with TechCrunch, Catherine Shu. Big round of applause, everyone.

[Music]

Thank you so much for joining us today.

Thanks for having us.

So before the session, when I was brainstorming my questions on how to intro you two, I was thinking about, because both your companies do pretty different things on the surface level. Like Remote, you're about helping organizations figure out how to hire remotely, and that includes globally, and Vanta, you help with cybersecurity compliance. But what both of you have in common is that you're kind of tackling some of the most time-consuming busy work when it comes to compliance certification, like complying with local regulations in different places. And all these issues are percolated underneath the lid of a company's operations, and you help them make sure that all their i's are dotted and t's are crossed, so they don't run into potentially expensive, very problematic issues later on. So what I want to start with is, I don't think for any founder, they think of compliance and it sets their heart aflutter. I think for most of them, maybe thinking about certifications and compliance, it's not the most sexy topic, but both of you have taken that as the core of your businesses and turned them into companies that have achieved unicorn valuations. I was wondering, just before you started your companies, what kind of lit that fire? What made you think, okay, certification is something that I want to basically make my life's work revolve around?

I think for me, so prior to Vanta I was not working directly in security. I was a product manager at Dropbox working on a new tool there, and through doing that and trying to take this new product to market I learned the importance of security certifications like SOC 2 or ISO 27001 or GDPR, because literally we couldn't launch to business customers without them. And I also learned how painful and onerous they were to go get. And so there was something kind of interesting, like a market inefficiency in there to me, where it's like, okay, at the time, and this was Dropbox in 2015, 2016, so sort of the height of its power in Silicon Valley, it was going to take our whole Dropbox Paper engineering team a year and a half to go get these certifications. Like, that was all we could do for 18 months. We did not know if we had product-market fit yet. And so you're looking at that and you're like, well, I could do all this work and then maybe find out I don't have product-market fit in 18 months. Why would I do that? But the answer was because you couldn't launch without it, right? And it just kind of felt like this really frustrating, really interesting puzzle, and clearly valuable, where if you could cut down that 18 months to something more reasonable, cost, time, all of that, there was this huge payoff, and this hugely valuable thing that people would clearly want and pay for and value. And so I think it was kind of that insight of seeing how important these certifications are and how much work it certainly used to take for small companies, large companies, to go and get them.

Yeah, I think for us it's more about, we want to make something possible, which is that irrespective of who you are and where you are, you should be able to have access to great jobs, to great opportunities. And what we found was that the major thing standing in the way for companies hiring people internationally was this giant pile of rules and regulations and complexity. And I mean, if we were able to compress that somehow and make it somehow more simple, we could actually solve this very fundamental problem of "I'm a person in a random place on the planet and I want to have a great job". And so that's enough of a motivator, besides the fact that I think any entrepreneur is driven by solving something complex and making it simple, right? It's the greatest thing you can do: you take something crazy complex, maybe really boring, and make that into something beautiful and something straightforward, or make it disappear altogether. And so for us that was a really strong motivator to do this, and that certainly helped, and to this day keeps us going.

One of the things I was thinking about is, for founders and company operators, when dealing with legal compliance, laws and regulations are changing all the time. I remember on the prep call he said that sometimes, wasn't there an issue with an employee falling down a staircase and the law didn't say who covered it? And then of course with cybersecurity, there's always, you know, GDPR is relatively new, then there's the EU AI Act coming up, and of course that's probably going to influence other AI regulations around the world. So I was wondering, since you're responsible for so many customers and helping them comply and keep up to date, how do you maintain the agility to adapt to changing laws and regulations?

I can go first. So we actually have an internal project, we call it Watchtower, where we partially automatically, and partially with our own experts, and partially with external experts, track all changes to laws and
regulations. And there's no magic to it, it's really just blood, sweat and tears. And we use all the smart tricks that we can, we use AI where we can, but for a lot of things we can't and there's no other choice. I'm curious to hear how Christina does it, but for us it's just a matter of, you just have to be on the ball. There's no startup magic that you can apply to these kinds of things. If a government publishes, or the EU publishes, a new rule, you have to just read it and you have to figure out how to address it. And I think the challenge as a business is to figure out a way to then use that and package it in a way that's understandable, usable, and ultimately helps you protect your customers.

Yeah, I think very similar. I wish we had magic; if anyone is building this, let me know afterward. But I think actually with all the customers it gets easier over time, because you can sort of amortize the cost of this over a larger and larger customer base. Everything you said, I think the only kind of domain-specific stuff for us is there's two things we're watching out for. One is just how things change or what's coming up new; the other one is where we can find opportunities to, to your point, try to simplify these for our customers. So one specific example is, right, everyone's very familiar with GDPR; in the US increasingly CCPA in California, and now lots of US states are starting to make their own sort of versions of the GDPR, and it's state by state, right, in the US, and it's unclear if we're going to get a federal thing ever, certainly not anytime soon. And so for your company, your new customers across the United States, let alone the world, you're looking at state-by-state regulations, right? And the way we approached that was to actually make, we called it the US Data Protection Standard, USDP, to try to umbrella those. And that was just an abstraction to make it simpler for our customers and founders who are trying to do this. But that's kind of the other part of, like, Watchtower: knowing what's going on, then sort of rebundling or bubbling or umbrellaing where we can to try to make everyone's lives a little simpler.

What about cases where laws and regulations aren't clear, or there's a lot of, I'm sure for both employment and cybersecurity there have been areas where you probably look at it and you're just like, oh gosh, this is not clear-cut. What do you do in that case? Can you think of any examples, and how do you handle that?

A great question. We get this a lot, because a lot of it, at least in our world, a lot of the regulations are written at a high level, and so it's not implementation. Especially if you're an engineer or someone who has to use it, you're just like, what is this supposed to mean? And so I think a couple of things. One, subject matter expertise is invaluable, and so hiring folks who have deep backgrounds and can pattern match and say, well, this is written this way, but it's similar to ISO 27001 and that's written this way, and the industry best practice in ISO 27001 is this thing, so we can bring it over here. That's a really big piece, because often the regulatory bodies or these certification bodies don't do a lot of outreach or education. These standards, in our world at least, are purposely Choose Your Own Adventure, because they're trying to give flexibility, and so they don't want to clarify, right? It is up to the implementer or the auditor. I think in our world we do work with auditors and assessors, but probably just the base answer is subject matter expertise, intuition, judgment, quick feedback loops if something feels off.

I think for us, we are in a unique scenario where usually we work with local governments, right? So the things that we struggle most with, that we then deal with most, are labor laws, and labor laws change on a state or a national level, and indeed in many cases you are in a gray area where it's not completely clear. And what we end up doing sometimes is reach out to local governments. That ultimately is what we end up doing, especially because we are operating, you know, what we enable is companies to hire people internationally, but the laws are written assuming that people actually did the work locally, right? And in fact they are written to the degree that you can only do work locally, right? As if you are painting a house, you can only paint a house in the country in which you are. But in our case, many of the people getting paid through Remote, they do the work from one country for an employer in yet another country, and maybe they are citizens of yet another country. And so we are almost always operating in a gray area. And so to clarify it, one, of course, everything Christina is saying, having subject matter experts, but for us it just meant sometimes having to talk with the government and say, look, this is what we're doing, these people are staying in Texas, so yeah, this is what we argue for and this is how we think we should actually interpret the law. Do you agree with us? And if not, help us figure out where we should go.

Both of you are automating or taking care of a lot of the busy work, really, that comes with cybersecurity compliance or with employment laws. But I was wondering, at what point do you go to your clients and say, I mean, what part of compliance can't be automated? At what point do you need to go to them and be like, look, you need a cybersecurity expert to come in, or you need a lawyer to come and look at this? At what point do you say you need a human to come intervene and you need that expertise?

Yeah, I can take that. So we think about this at Vanta in kind of a maturity curve sense. So, right, you can imagine, use myself as an example, a founder just starting a company kind of just wants to run through a brick wall, and if they hear they need to get SOC 2, they will just get a SOC 2, and it's sort of tunnel vision to that end, like a classic founder, right? And then as the company grows, they'll have new demands from customers, they'll probably sell up-market and enterprises will want more, their board might start asking about cybersecurity. Right, they get more mature in thinking about cyber
security. And so that's kind of the broad arc. I think Vanta's original MVP, and what it was so good at, which I didn't quite realize at the time, was it took SOC 2, which was this messy Choose Your Own Adventure, like everything was a gray area, nothing was defined, and said, no, no, this is 70 things. If you do these 70 things you're good. And that was great for a founder, because all the founder wants is the list to just burn through and get to the outcome they want. It's less great for an expert, right, who's like, oh, I see your 70 things, but I have mine done. So over the last couple of years, a lot of what our investment has been is taking Vanta from just automating SOC 2, or just automating compliance, into a trust management platform, and having experts, when they come in, be able to say, look, you have this whole security and compliance program you want to run, you want automation for your program, not ours. Great, so how can we kind of encode all the things you want, all the best practices you want, the rules you want the company to follow, and give you the automation and the monitoring, the visibility and alerting and all the great stuff, but for your program, not ours, right? So it's kind of that piece, and I think broadly just figuring out where our software can augment a very smart human and subject matter expert, and which customers want that versus which really want the prescriptive "here are the things, just run".

For us it's really complex, because the amount of variables that play into anything that can happen within our business related to compliance is massive. And so that means that we start by focusing on what causes the greatest pain or what solves the greatest problem. And so for us one of the things we learned early on was, oh, we have to take in all this kind of information. Well, that's easy to automate, right? It's just a form. But one of the things that we find is extremely hard to automate is everything related to off-boarding, or special cases, which is that, oh, you have person X that lives in a country Y that has a certain thing happening to them, Z. So now you have this really high-dimensional problem that is probably only going to happen once every two or three years. That's very hard to automate. And so for us we try to focus on what causes the greatest pain. You can measure this, right? We measure how often particular cases happen, and then the amount of pain that it creates; the more of that, the more likely that we're going to work on automating it. That said, whenever you need a subject matter expert on a single case, which happens quite a lot with us, we can't really automate that.

Yeah, I was wondering, because as a reporter most of the companies I talk to are really early stage, maybe a team of two to eight people, and they're not thinking about approaching a company like Vanta or Remote yet. They're taking a DIY approach to hiring remotely, you know, they're going through LinkedIn looking at profiles, doing word of mouth, and then onboarding people manually, or they're taking care of cybersecurity by themselves. I mean, you were talking about the maturity curve, so I was wondering, for both of you, at what point do startup founders approach you and say, look, I need help?

Yeah, historically the bulk of Vanta's business has been with startup founders. Now that's starting to change as we move up-market and sell to larger companies, but I think if you just think about the most recent YC batch, the ones that just did Demo Day and went through the summer, I think about two-thirds to three-quarters are Vanta customers as of being in that batch. So it's very much a founding team of a B2B SaaS company that wants to sell to bigger companies, which almost definitionally is everyone else, and they're getting asked, are you secure, what are you doing with the data, are you going to have a data breach, how can we trust you? And they find working with Vanta a way to help them answer those questions, unlock those customers and that revenue, and really kind of accelerate their growth.

Yeah, for us it's about just offering products that are available to all, right? And so what we see is that early-stage startups, they want to avoid complexity, and they might start hiring contractors, and so we just make it possible to do that through us. But in the end, for us it's mostly, the whole market in which we're in is driven by the need to hire great people. And so companies approach us and they say, I want to hire this great person but I can't, or I don't know how to, and that's the problem we solve. And so yeah, I think one of the things that we realized early on was that we don't really have a good target size, because we work pretty well from really small companies up to extremely large companies, and we've done pretty well. And I think the most important thing we did in that is just making sure it's easy to get started with us, but if you want to go deep, you can go deep with us.

Remote recently launched a global HR platform, and you were telling me that despite all the headlines about remote work coming to an end, companies demanding that people come back into the office, that's not going to happen; if anything, companies are going to move to a hybrid model. So I want to ask both of you, basically, remote work or hybrid work, what kind of cybersecurity challenges has that presented, and how has that evolved since the pandemic, when people were forced to go remote very quickly?

I think it's very interesting. I spoke with an extremely large, well-known company right after the pandemic, and they were very worried what to do about all of this. I think the first thing is the immediate disconnect from your work and where it is done and where the person is, and the fact that you can take your laptop. Suddenly companies became very aware of the fact that you can actually pick up your laptop and do your work elsewhere. And I think before the pandemic this was not a very big issue, and it suddenly became a very big issue because people started working in this way. I
think that is the biggest one that we saw. Of course we're not in cybersecurity, so I'm sure Christina has more insights into this, but yeah, this is the biggest one that we saw, where we now, for compliance reasons, also have to track where people are, but also you have to just be aware that if you're going to take your laptop into certain countries, you might be exposing your employer to quite significant cybersecurity risks.

Yeah, it's a good point. I think what we've seen, similar to all the other trends in the pandemic, is that cybersecurity and a lot of adoption of tools got accelerated over the pandemic, and what had looked like it was going to be a longer adoption curve happened way faster. I also think startups were generally on the front of that curve too, and so it's some of the larger companies that are starting to think about remote access for the first time: what do VPNs, or kind of new-age VPNs, look like, or BeyondCorp sort of setups. Now that, not everything, but a lot of things are SaaS tools, and there's so much customer data that a company puts in other people's tools, how do you think about that risk? And again, if we put a bunch of Vanta data in another tool, customer data, and that tool got breached, we would still have to let our customers know. I don't think our customers would care that it wasn't really our fault, because it fundamentally was. And so I think the pandemic sort of accelerated a lot of companies thinking about spaces like vendor risk management, third-party risk management, and just really broadly, how are they being good stewards of all of the customer data that they've been entrusted with.

So, Remote obviously has a lot of employee data, and then your customers are dealing in turn with employee data, so I was wondering, is Remote a Vanta customer too? Is Remote a customer?

I think we are, yeah.

Okay.

I think when we started the company we knew, and I was often asked, I think in the earliest deck, what is the greatest risk to our company, and I always said, oh, it's a data breach, for sure. That's the biggest risk, because we have a lot of PII in our platform. So if you are getting paid through us, we have all your identity information, all your bank account information, how much you're going to get paid every single month. And so yeah, for us it's one of the things that we're most careful about, beyond anything else.

Yeah, I want to ask, because you're talking about locales, people moving into locales that are potentially more risky. So I was curious, when someone crosses into a country or a region that is considered a security risk, like China, or that is at least more opaque, what steps do you take to make sure that everyone and everything is protected?

So I can even set Vanta aside. I think Vanta itself doesn't do much kind of in this vein initially, but we've kind of tried to make it easy for customers to set up alerting or turn-offs, or kind of let customers orchestrate what they want to happen here. And so sometimes we have customers who will do the "hey, if a login happens from one of these countries, just suspend access and we can deal with it later". Some other customers are like, this is noisy and our engineers will complain, and we just don't want any friction, and so won't do that. So it's kind of customer-by-customer specific, from what I see.

Yeah, for us, I mean, it's for us internally, right? Because we want the people that have access to our information, those are the ones where we have to worry about it, and in those cases, yeah, we're just very strict about device management, right? So if you go into certain territory, your laptop won't start. That's essentially what it is. For our customers it doesn't really change anything; we employ people everywhere on the planet.

And one of the things I want to ask, which I think comes up a lot right now, is what kind of challenges for cybersecurity and in compliance do you see coming from generative AI and other AI technologies?

Yeah, I think for us there are two risks that we see, several, but I think for us internally there are two that we worry about. One is the large usage of large language models when it relates to talking about the knowledge of compliance-related matters, and hallucinations. We can't really rely on a large language model that has a tendency to make up things to tell us what the actual laws are, so we have to be extremely careful with that. And the other one is of course leaking any sensitive data. So for us we have to be really careful with what kind of data we put into a model and how we use that. I think those are the two primary ones that we have. Other than that, of course we have to try to work and experiment with these kinds of tools, but we've been anxiously awaiting things like GPT Enterprise rather than the existing solutions that are very open and loosey-goosey.

Yeah, I don't have much; it's a great point. Watchtower, with your program, right, like you don't want to kill your Watchtower program or shut that down and then just ask ChatGPT what's going on in GDPR, because you'll get something back, right, but probably not something you want to go shout from the rooftops. So I think we think a lot about that. And then the data and the training piece, and I think there's so much research going on here, it's reasonable and I think we'll get better very quickly, because people are identifying this as a real issue. But just the, how do you train models for a specific use case, and it's kind of a more specific set of data labeling on real data without leaking data, and it's not as easy as it could be. I think it will get easier over time, but I think there's just, in practice, a lot of foot guns and ways you can shoot yourself in the foot there entirely accidentally. It'll get better, but we're not quite at the, you know,
"do it during a hackathon and just ship it" stage with that.

I was wondering, Christina, do you see an uptick in business or in potential new customers approaching you after high-profile data breaches like Equifax, Target or Yahoo?

I mean, yeah, a little bit. I think we also honestly just see it in response to different industries opening up. So actually, AI companies, we work with a ton of, like almost all of the YC batch AI companies you see are working with Vanta, and we have some working on some more specialized things there. But I think it's actually where there's going to be a lot of scrutiny on the service, right? And so because of the conversation, the risks we just identified about AI, customers are very excited about the power of generative AI and have a ton of security questions, and whether those are sent over in a spreadsheet or email or on a call, it's very real in the trust-building exercise a new startup needs to go through. It's very real there, and so we see a ton from that, yeah.

Yeah, so I was wondering, basically, what's in the future, because both Vanta and Remote cover a pretty wide scope worldwide already. So I was wondering, in the future, how do you plan to grow your companies? Would that take the form of covering more compliance? I was wondering because both your companies seem pretty large already, so where are you going to go on from here?

I don't know, I think we're sort of in the same boat, where as we grow our business we also target larger organizations, and as you target large organizations the requirements are significantly higher. You have to be much more stringent about the way you run your own business and the kind of products that you offer. And so I think in the same way, for us it means that we want to own more of everything, and for us owning means we own the fundamental, foundational technology and infrastructure necessary to offer our services. And that could mean entities, that could mean the things that allow you to generate a payslip, and it could mean the things that help you, I don't know, pay out benefits and actually generate those benefits. And for us that's a whole range of different things, but what we do over time is just bring more of that in-house, so that even the highest form of scrutiny we can stand up to.

Yeah, I think at Vanta we started with this premise: compliance is this wonderful carrot to have a company start building a program to build trust. And so sort of those three pillars, right? There's the compliance piece, and there's always more compliance certifications, and these are always changing, you're increasingly serving larger customers and they have their own demands, so there's a whole thing there. We deeply believe that a customer might come in because they want SOC 2, they want to go sell to Remote, right, which might require it, but then over time, as the experts come in, you can actually help them build up their security program and be that single pane of glass for them. And then this is all under the umbrella of building trust with customers, and helping our customers grow their businesses by being secure, right? And then sort of aligning security with revenue in a way that hasn't historically been done. I think a lot of security historically was, hey, you're going to get breached if you don't buy this, which is more of a risk pitch, and it's very real, but the "hey, help secure your systems and get more customers", I think there's a lot of legs to it still.

I think that's really interesting. Instead of doing a risk pitch, how do you approach customers? Because I always imagined, if you're selling a product like Vanta, I mean, it's from a position of, you don't want people to think you're not trustworthy, or you don't want to potentially have a breach. I was wondering, instead of doing that, how do you approach potential clients?

Yeah, there's some of that, but it's also kind of like, you want to be trustworthy, right? And what's the cost of not being trustworthy? Like maybe you're trying to sell to Remote, to give you an example, and they won't, and they say, hey, we need you to talk to, or maybe you're trying to sell into regulated industries, healthcare or fintech, and they say, hey, we need some sort of external third-party assessor to come in and see how you're doing. And so then you can be like, oh, well, if you spend this cost, and more realistically spend all this time, you can go sell to all the fintech companies. Imagine what that market expansion is like. So much more than that sort of pitch.

So we only have a couple of minutes left, so I want to see, since this is Disrupt, it's all about founders, what kind of advice do you have for founders, either from a personal perspective or from your domain expertise?

Oh goodness. I mean, my advice to startups is always, well, the startup is really difficult and you just have to do whatever is necessary to make it happen. And don't listen too much to advice, because it's so hard to get it off the ground, you kind of have to ignore all the advice and just keep going and do whatever makes it possible to build your company. I should also of course say you should definitely start off with using Remote and Vanta to build your company. But above all, just hire great people and work really hard. That, I think, always works.

Yeah, I think that's very true. I remember a time when, like, you as a founder have spent so much more time on your problem and your customers than anyone else, and there's very shiny executives who are exceedingly smart and good at what they do, but they don't know your business. And there's something, kind of obvious, but there's some deeper thing there, where I remember I would take those coffee chats and then spend 50 minutes explaining Vanta, and then the very smart person would ask eight reasonable questions and say three things that I thought of, and it wasn't their fault, it was sort of mine for thinking I could bring someone up to speed on everything I knew in an hour. That was just a bad setup on me. I think, going along with that, trying to balance the optimism you have to have, and like, this is the state of the world I want to see, "vision" is a big word for it, but whatever, like I believe in this idea and this problem and I believe I can solve it, with the day-to-day, kind of getting punched in the face all the time, as the startup parlance goes, and learning things from that. And it's the realism of not having happy ears and listening, while also maintaining macro optimism, and trying to do that balance. I think it's just keep going, even if you feel like... I think that's sort of the secret of startups.

Yeah, that's true. The successful startup is one that didn't die, and the first way to die is if the founder gives up, right? And so if you just, even if you feel like, you just keep going, that works a lot. Yeah, even if you're not optimistic, there's been times where I was not optimistic at all, and I was like, but I'm not gonna give up. And that usually pays off. And also, I think it's hard to admit, but I think working hard makes a huge difference.

Yeah, yeah. Okay, so that's all the time we have. Thank you so much for making compliance, it's such a complicated and broad and huge topic, and dry sometimes to be honest, but thank you so much for making it come alive, and just kind of talking and sharing your expertise with that. Thank you so much.

Thank you. Thank you.

[Applause]


