(I work at/started Vanta. Email support@vanta.com and they should be able to give you guidance and help out. If that doesn't work, email me -- christina at vanta)
Thanks for the feedback. What we should probably do is take the credential, start scanning, and then nag them with a failing test about overly-permissive roles. Our own role is an easy check because we know what to expect, but there's other best practices here we can check for (and in some cases do, though not 100% comprehensively across all clouds.)
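The check sketched in that comment, as an added example rather than Vanta's own code: given the policy attached to the role a scanner is granted and the set of actions the scanner is known to need, report every Allow grant beyond that set (wildcards included) and every expected action no statement covers. The policy document and the expected-action list are constructed for illustration; `NotAction` and `Condition` keys are not evaluated, which is an assumption about the policies being checked.

```python
"""Compare an IAM-style role policy against the actions an integration needs.

Added example (not Vanta's code). The policy JSON and expected action set
below are constructed for illustration.
"""
import fnmatch
import json

# Constructed: the read-only actions a scanning integration is expected to need.
EXPECTED_ACTIONS = {
    "iam:ListRoles",
    "iam:GetRole",
    "iam:ListAttachedRolePolicies",
    "s3:ListAllMyBuckets",
    "s3:GetBucketPolicy",
    "cloudtrail:DescribeTrails",
}

# Constructed sample policy: statement 0 is as expected, statement 1 uses a
# service wildcard, statement 2 grants an action the scanner never needs.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["iam:ListRoles", "iam:GetRole", "iam:ListAttachedRolePolicies"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["ec2:TerminateInstances"], "Resource": "*"},
        {"Effect": "Deny", "Action": "*", "Resource": "*"},
    ],
})


def _as_list(value):
    """IAM allows a single string where a list is also accepted."""
    return value if isinstance(value, list) else [value]


def check_role_policy(policy_json, expected_actions):
    """Return (excess, missing) for the Allow grants in a policy document.

    excess:  list of (statement index, action, reason) for grants that go
             beyond what the integration needs; any wildcard counts, since a
             pattern grants more than the enumerated expectation.
    missing: sorted list of expected actions that no Allow statement covers.
    Assumption: statements use plain Action lists; NotAction and Condition
    are not evaluated here.
    """
    policy = json.loads(policy_json)
    granted = []  # (statement index, action or action pattern)
    for idx, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        for action in _as_list(stmt.get("Action", [])):
            granted.append((idx, action))

    excess = []
    for idx, action in granted:
        if "*" in action:
            excess.append((idx, action, "wildcard grant"))
        elif action not in expected_actions:
            excess.append((idx, action, "not needed by integration"))

    # An expected action is covered if some granted pattern matches it.
    missing = sorted(
        a for a in expected_actions
        if not any(fnmatch.fnmatchcase(a, pattern) for _, pattern in granted)
    )
    return excess, missing


if __name__ == "__main__":
    excess, missing = check_role_policy(SAMPLE_POLICY, EXPECTED_ACTIONS)
    for idx, action, reason in excess:
        print(f"FAIL statement[{idx}] grants {action}: {reason}")
    for action in missing:
        print(f"FAIL no statement grants {action}")
    if not excess and not missing:
        print("PASS role matches expected permissions")
```

Run against the constructed policy this reports the `s3:*` wildcard and the `ec2:TerminateInstances` grant as excess, and `cloudtrail:DescribeTrails` as missing; the two expected `s3:` actions are treated as covered because the wildcard matches them, which is exactly why the wildcard itself is still flagged.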
The Trust Reports contain programmatically-validated information (basically: Vanta's code says the control was in place continuously.)
There's (obviously) pros and cons of trusting a software provider (like Vanta) to validate technical configuration compared to trusting a human auditor to do the same.
Our bet with Trust Reports is that for some cases, having software do the checking and validation continuously is better than having a human auditor do it once a year.
We work with companies doing B2B sales and looking for help with compliance certifications like ISO 27001 and SOC 2. Some folks come to us early but most come with a deal on the line — which is to say, this is a process you can start “just in time” if you must.
From what I’ve seen, saying “no I won’t go through your security review process” is an (obvious) dealbreaker, but there’s a lot of ways to get through that process: ISO cert, SOC 2, the promise to get either of those certs by your go-live/implementation date, security questionnaire hell, etc.
As mentioned previously, ISO is preferred by European companies; SOC 2 is more likely to be mandated by American companies, and you’re likely to get pretty far, even in Europe, on just a SOC 2. If I had to construct the situation that’s most likely to be deal-breaking, it’d be an old-school European company that’s operating off a rigid flow chart: “if no ISO 27001 cert, go back to start. Do not pass Go. Do not collect $200.”
A few folks have mentioned cost (dollar and organizational) — ymmv and/but the cost of obtaining ISO 27001 certification varies with the number of employees, say $10-20k for smaller companies. Implementing ISO 27001 and an ISMS can be blitzed by small teams in a few weeks but probably will take a couple of months to a year for larger organizations.
(And we’d love to help if you decide to pursue this at Vanta etc etc)
We just signed up with Vanta to do our SOC2. I have to say that the process is a lot of work, but I can give a +1 for any other SaaS to use Vanta. They make the process simpler and more automated, helping guide you through the complexity, and you have regular calls with your Vanta account rep, who actually gets on Zoom calls with you every couple of weeks to make sure you get through the process, which is amazing support.
Thanks Christina and the Vanta team for making the SOC2 compliance process… digestible :)
Very much agree with you about SOC 2 == obvious best practices if done reasonably!
That’s one of the “secrets” of SOC 2: if you speak some compliance, you can make most of the SOC 2 work for you, implementing best practices, getting the rest of the org to prioritize them, etc. (This is what we like about SOC 2 at Vanta: it can turn meaningful, difficult-to-measure security work into high-pri sales collateral.)
If you don’t speak compliance and have a SOC 2 consultant who doesn’t speak engineering, you’re more likely to end up with absurd arguments and bookkeeping (“but you have to use a WAF there’s just no other way!” etc.)
Christina, Vanta founder here. Can confirm we don’t make money on any difference, and no money changes hands between us and auditors. It’s just a lower price for customers.
Vanta is security-in-a-box for technology companies, covering everything from laptops to infrastructure, and using a suite of simple, effective, and easy-to-deploy tools. We're in closed beta, have a backlog of customers to engage, and since we began onboarding users, we've had no customer churn. Help us secure the internet, increase trust in software companies, and keep consumer data safe.
To learn more about who we are, our engineering culture, and whether this is the right place for you, read our Key Values profile: https://www.keyvalues.com/vanta
Vanta (YC W18) | San Francisco, CA | Onsite (eng, sales) and remote (product support) | https://vanta.com
Hi! Christina, a Vanta founder here.
Vanta is security-in-a-box for technology companies, covering everything from laptops to infrastructure, and using a suite of simple, effective, and easy-to-deploy tools. We're in closed beta, onboard new teams every week, and work with software companies you'd recognize.
Help us secure the internet, increase trust in software companies, and keep consumer data safe.
To learn more about who we are, our engineering culture, and whether this is the right place for you, read our Key Values profile: https://www.keyvalues.com/vanta
Vanta (YC W18) | San Francisco, CA | Onsite (eng) and remote (product support) | https://vanta.com