The year 2018 was a different era when it came to security. It was a time when there were a lot of security companies, and it became quickly apparent that more scrutiny and regulation was on the way, as the European Union’s new General Data Protection Regulation just came into effect.

It was around that time when some noticed that most startups didn’t do a lot for security. Those companies might know that they should, but when push came to shove, they ended up prioritizing features that customers wanted and what would grow its revenue versus features that might make them more secure in the future, according to Christina Cacioppo (pictured), chief information officer and founder of Vanta Inc.

“That trade-off kind of made sense in a lot of ways. Then we found a company that prioritized a bunch of security work, had done a bunch of work at 30 people, so relatively early,” Cacioppo said. “What happened is they had just signed a contract with [one of] the largest tech companies there is.”

As a part of getting that contract, the large company sent over a questionnaire and asked the startup if it had certain practices in place, what policies it had in place and if its cloud infrastructure was set up in a certain way. The answer roughly to all of it was no, according to Cacioppo.

“But they didn’t want to tell their new customer this. So, they said, ‘Yes. We do all those things,’ and then immediately turned around and did them all,” she said. “That was kind of this ‘aha’ moment.”

Cacioppo spoke with theCUBE industry analyst Lisa Martin, during a CUBE Conversation ahead of the “Cybersecurity” AWS Startup Showcase event on September 14, an exclusive broadcast on theCUBE, SiliconANGLE Media’s livestreaming studio. They discussed SOC 2 and Vanta’s trust management platform. (* Disclosure below.)

The ‘aha’ moment

The “aha” moment for the company Cacioppo was discussing involved being able to couple compliance, or the idea of proving or verifying security, to actually doing it. It was about having security or risk mitigation for some future point not be something a company feels guilty about, according to Cacioppo.

“[Instead, it’s] something that drove revenue for your business in that moment. So, you dug deeper, you get to questionnaires, you get to compliance, you get to a lot of work there,” she said. “It really informed Vanta and, honestly, the company’s mission, which is secure the internet and protect consumer data.”

When it comes to Vanta, a lot of what the company thinks about is how to help companies build out its security programs, and then get credit for that, by showing off all the work done and building trust with customers, according to Cacioppo. SOC 2 is also a key part of this conversation.

“Again, taking us back to 2018, small companies — and by small, I mean under 400-person company — would not get SOC 2 or compliance because it was too hard, it was too onerous,” she said. “What we saw was [a company] would always get stuck in sales. They’d have to do a lot of CTO time, and just spend a bunch of effort because they didn’t have a SOC 2.”

More data, more risks

Vanta realized that if there was an easier way for companies to get real, valid, high-quality SOC 2s, then everyone would get on board. That has been the thesis underlying Vanta, according to Cacioppo.

“It’s been amazing how quickly that has happened. I think probably at the time I thought it would be a five-year journey. Turned out to be 18 months,” she said. “It was just much faster. [But] I think companies knew this because software is truly eating the world.”

As that happens, and as businesses are tasked with working with more and more data, so too follows more risks and more breaches. It’s clear that no company wants to have a breach, and if a vendor or supplier breaches a company’s data, customers don’t care if it’s someone else’s fault, according to Cacioppo.

“As far as they know, they gave you the data. And SOC 2 just kind of was, and has become, the sort of industry-standard way to say, ‘Hey, I follow a bunch of reasonable practices.’ And not just I’m telling you that, but a rigorous third party came in and checked and said I do all these things,” she said. “You don’t have to trust me. You can trust this third party, where I have baseline reasonable practices, at least. I do reasonable things. You can trust me with your customer data too.”

Here’s the complete video interview with Christina Cacioppo, part of SiliconANGLE’s and theCUBE’s pre-event coverage of the “Cybersecurity” AWS Startup Showcase event:

(* Disclosure: Vanta Inc. sponsored this segment of theCUBE. Neither Vanta nor other sponsors have editorial control over content on theCUBE or SiliconANGLE.)

Photo: SiliconANGLE