Stripe cofounder John Collison interviews founders, builders, and leaders over a pint.
[00:00:13.19] John Collison
Christina Cacioppo founded Vanta in 2018 to solve a problem most founders didn’t even know they had. Compliance. Under her leadership, the company has defined the trust management category, growing to over 15,000 customers.
[00:00:15.00] John Collison
Cheers.
[00:00:21.16] Christina Cacioppo
Cheers.
[00:00:22.09] John Collison
Good to see you.
[00:00:23.05] Christina Cacioppo
Good to see you.
[00:00:24.07] John Collison
Tell the Vanta story.
[00:00:27.01] Christina Cacioppo
We help companies start or build out their security programs and then get credit for all that work through an audit, through a security questionnaire, a trust center. But it's basically do all the work to improve your security, and then go get credit for that with your customers.
[00:00:43.18] John Collison
All the Vanta billboards I see use the word compliance rather than security. What's going on there?
[00:00:48.16] Christina Cacioppo
It is one of those where you're, well, "vitamin" and "painkiller." I think compliance is… SOC 2 is a word that no one knows what the heck it means until they deeply know, and then they want it.
[00:00:59.09] John Collison
But they know that they have to do it this quarter.
[00:01:01.02] Christina Cacioppo
Exactly. One of the original founding hypotheses of the company is if you want to start a security company for startups, you should actually start a compliance company because your customers never ask you for security, but they do ask you for compliance.
[00:01:15.19] John Collison
Compliance is like the buying moment for startups.
[00:01:18.06] Christina Cacioppo
Exactly, and then when you're going through that, you have to implement a bunch of… Do a bunch of best practices, maybe buy some tooling. But even if you want to, you don't do it before that moment because you're doing the thing the customer wants.
[00:01:30.07] John Collison
I guess at a later stage, the buyer would be split, where security would be the CISO versus compliance would be the CFO, GC, something like that.
[00:01:38.22] Christina Cacioppo
I actually think Stripe is a little, in what I see, which is biased, but different. In that usually, compliance is there's this unified GRC, Governance Risk and Compliance function, and that lives in the CISO org. That will centralize internal audit. It'll centralize enterprise risk. You put those teams together. Third-party risk. Those teams are all together in CISO org.
[00:02:00.10] John Collison
You're mostly selling to CISOs?
[00:02:01.16] Christina Cacioppo
Yes.
[00:02:02.19] John Collison
How did you... You woke up one morning, and you decided you were passionate about starting a compliance company.
[00:02:08.20] Christina Cacioppo
When I was three years old, it was my first word. Yes, we joked in the early days. We'd never be able to pull that story off. I don't know. I heard training businesses are good.
[00:02:17.21] John Collison
I've heard more absurd founding myths. I think you could just go for it.
[00:02:21.18] Christina Cacioppo
The real story is twofold. One, prior to Vanta, I worked at Dropbox. I worked on what at the time was a new product, Dropbox Paper. We were trying to take it to market and didn't take it to market as well as we could have for several reasons. One of which was... It turned out at the time, all the Dropbox contracts had written into them, "We're secure, we're compliant, we're pen-tested, we're XYZ." Our new thing had none of those. In order to talk to someone with a Dropbox account, which was 100 million people or whatever it was, we had to go through this process.
[00:02:57.18] Christina Cacioppo
This was Dropbox 2015, so the height of its Silicon Valley power, year and a half, 10 engineers, feature building, all that. That all happened. I was not smart enough to then be like, "Aha, startup idea." Instead, this... Dropbox, what are you doing? This sounds bad. It was about a year and a half later, just talking to startups and founders about security, trying to figure out, is there a company to be built here? How do you get more startups to care about security? How do they do it?
[00:03:30.10] Christina Cacioppo
Kind of came across companies that either did nothing for security but felt really badly about it sometimes, but still did nothing. Then companies that had a lot of stuff in place. The lot of stuff in place was because they'd gotten a questionnaire, they'd gotten SOC 2, because of an enterprise customer. That was the, "Oh, that thing." I remember that being crazy, and onerous, and terrible. But also if you do it, that is like, Pass Go, Collect $200. Huge benefit on the other side. It was the combo of those two things.
[00:04:04.10] John Collison
What you're describing, I think, is just so commonly the experience in founders who start companies. I mean, it was our experience with Stripe as well, where we had just run into the problem before. But it's funny, I often run into people in university who are excited about starting a startup. That's generally… Obviously, there's lots of sexy stories of people who dropped out of college to start something. That's generally a bad time because you talk to university students, often, their ideas for companies are pretty half-baked.
[00:04:33.13] Christina Cacioppo
Find My Friends.
[00:04:34.07] John Collison
Yeah, it's Find My Friends. It's like a college textbook exchange app. It's like the five apps, whatever. Whereas so frequently, what happens is people go out, and they build successful products in the world, and they do Dropbox Paper, or they get some experience. It turns out there are huge markets available with problem spaces that most normal people have not heard of with things like SOC 2. But you have to spend a while seeing how the value flows in the real world work to discover those big opportunities.
[00:05:03.11] Christina Cacioppo
How do you feel when you go to YC now, and you have these founders who've dropped out and been like, "My passion is sales enablement." But they actually do know surprisingly much about it.
[00:05:14.06] John Collison
I mean, if you truly manage to learn enough about sales enablement to be able to field a strong product there, then good on you. I just think you're more likely to discover those areas after five or 10 years. What stage is the business at now?
[00:05:27.22] Christina Cacioppo
We have 15,000 customers. Our growth rate has actually quickened the last couple of years, and quarters, and months. It's been 60% annual plus for the last couple of years since that milestone, so a ballpark number there.
[00:05:42.13] John Collison
That's pretty good.
[00:05:42.13] Christina Cacioppo
Yeah, it's a proper business.
[00:05:44.08] John Collison
Yeah. You go to market, it's all sold?
[00:05:47.22] Christina Cacioppo
All sales. Yeah, it's just one of the blessings and curses I've had.
[00:05:51.04] John Collison
With what company sizes?
[00:05:53.00] Christina Cacioppo
We call them the 'two founders on the couch.' But it's the two founders on the couch who are building their thing and someone asks them for SOC 2, and they're working on it on Friday night because when else are you going to do the thing? All the way up to at least one member of the Fortune 50.
[00:06:08.05] John Collison
I would have thought that compliance is very different for founders who have never even heard of it, versus companies who have a lot of existing teams here with opinions and stuff built out. How does that work?
[00:06:21.17] Christina Cacioppo
Yeah, it is true. Down market, we're not quite TurboTax but I think that is the experience a founder wants. It's like, "This is high stakes, and I don't want to get it wrong, and I don't really know, but just guide me through." That's more of the product experience. Then the output is like, "Here's a set of controls, security rules you follow that are monitored on an ongoing basis." Because of that, you're constantly audit-ready, you always have everything in place. Great.
[00:06:50.22] Christina Cacioppo
That's the experience a founder wants, but the output is still a security program that's monitored all the time. Upmarket, especially when I'm talking to an engineer, it's more Datadog for your compliance controls. You're like, "I have my program, I have my thing, but it lives in a spreadsheet. It lives in Jira, custom Jira, it lives in something like that. I want real-time dashboards and visibility, and deviations, and auto-remediation, I want that world."
[00:07:18.00] John Collison
There's almost two layers to Vanta. There is what your controls should be, and then how the controls are monitored and implemented. Early-stage companies want both. Later-stage companies may want more of the latter.
[00:07:28.12] Christina Cacioppo
Exactly. Then the tie to audit is great. In some ways, it's like a controlled direct monitor, you just pass the logs to an auditor. It's more complicated than that, but that's the base model.
[00:07:38.03] John Collison
Okay, you're getting to a question I had, which was, compliance at some level is not a thing you can just buy, it's a thing you have to do. If you actually talk about all these rules, I don't know about SOC 2 in particular, but for example, a lot of compliance regimes have this notion of doer and approver being separate for something. It's like the—
[00:07:58.17] Christina Cacioppo
Code review.
[00:08:00.00] John Collison
Yeah. The nuclear submarine where you have to have the two keys turned simultaneously to launch the PR, I guess, in this analogy. Again, Vanta can't do that for you, you have to do this. What you do is, one, for a startup, you actually just let them know the complete list of things they actually need to do. I presume there's some, maybe you can talk about, there's some logic of only telling them the stuff that actually applies to them.
[00:08:24.09] Christina Cacioppo
Yeah, exactly.
[00:08:25.03] John Collison
Then there's actually, how do you enforce, say, separate doers and approvers in something like code review?
[00:08:30.18] Christina Cacioppo
Yeah, so for something like… This was the first thing we built, and we call it Test. It's like modeled after unit tests. You're like, turn each of these controls into a unit test. Pull from version control, GitHub, GitLab, whatever. Look at every pull request and check these fields or this thing, or run some logic over it. That is our test for the control. That was the first thing we built, these tests. But tests are just ways to prove control.
[00:08:57.22] John Collison
You're just a test suite. You're the battery of unit tests for the compliance rules.
[00:09:02.14] Christina Cacioppo
Exactly.
[00:09:03.03] John Collison
Why don't you just say that? Why doesn't your billboard just say that?
[00:09:06.20] Christina Cacioppo
There was a niche audience in San Francisco that would be like, "Oh, now I understand."
[00:09:10.12] John Collison
Yeah, but I think for the 101 billboards... What's the controversy with your 101 billboard?
[00:09:15.04] Christina Cacioppo
Oh, my goodness. How much do we want to do this? We had a great 101—
[00:09:20.13] John Collison
Great billboard, I used to drive by it every day.
[00:09:22.07] Christina Cacioppo
"Compliance that doesn't SOC 2 much." Arguably, hundreds of millions of dollars in market cap attributed to that billboard. It was funny. That was just in the annals of Vanta and startups. The person who came up with that billboard, very pleased with herself, as she should have been.
[00:09:38.04] John Collison
As she should be.
[00:09:39.03] Christina Cacioppo
As she should have been, 100% right. Her manager at the time was very skeptical of that billboard. Are we negging our users?
[00:09:44.17] John Collison
That's a Cannes-level tagline.
[00:09:47.00] Christina Cacioppo
Is this okay? Are we too far over the line? Anyway, you can guess which one of those people is still at Vanta today. Not just because of that, but it was a good—
[00:09:56.17] John Collison
It's a cultural test.
[00:09:57.12] Christina Cacioppo
Exactly. Anyway, so we had this billboard. It was great.
[00:09:59.22] John Collison
For many years.
[00:10:00.17] Christina Cacioppo
For many years. I used to joke that we've had it locked up for years. Turns out we didn't, and I'm an idiot.
[00:10:06.09] John Collison
Oh, you forgot to renew it?
[00:10:07.21] Christina Cacioppo
Not even.
[00:10:08.17] John Collison
You should have had a little Vanta check for that.
[00:10:10.03] Christina Cacioppo
I know. It was like your domain, and you're just the thing you're not supposed to do. It was slightly better, but still bad. The agency we worked with, one, we should have caught this, our contract was just written in crayon. We got a lot of people asking about our billboard. We introduced them to lots of startups. Some of those startups were also buying with that agency.
[00:10:31.14] John Collison
Wow. A startup you introduced to them went and took your billboard—
[00:10:35.09] Christina Cacioppo
They didn't even do it on purpose. The agency went to them and was like, "We have this great inventory. Would you like it?" Then we found out.
[00:10:43.09] John Collison
Okay, that's rough.
[00:10:46.17] Christina Cacioppo
This is the drama of the compliance world.
[00:10:48.12] John Collison
People will learn about Vanta in other ways.
[00:10:50.06] Christina Cacioppo
We do like to market.
[00:10:53.03] John Collison
Then going back to the other part of the question. How does the layer work for… The rule book might be a thousand pages long. Compiling that rule book into the steps that are actually actionable for me, because I am not a farm, and so all the farm parts of the rule book don't apply to me.
[00:11:08.02] Christina Cacioppo
Yeah. The initial… The initial version of it actually was… This was back when we were founders on a couch, was getting as many SOC 2s as we could. It was Salesforce, Slack, AWS, whatever, and actually opening them all and just comparing them and trying to extract what was common and doing it that way. That was the first cut. What we do now is, hopefully more advanced, but there's a bit of… Now that we have probably 30,000 audits completed, we can just go back and be like, "Okay, for a company that looks like you, and for this auditor often, what sorts of controls are there?" We have that input in.
[00:11:49.10] Christina Cacioppo
Then we can also layer in both for a company in particular and in general. You get questionnaires. What are the themes and the questions you're being asked? We just launched a new commitments product that ingests contracts and scans the contracts for things that are contracted. Then you can both pull them out and say, "Hey, this should be a control." And God forbid, something happens, but you're like, "What are my obligations to my customers?" You can just basically have all that structured data.
[00:12:17.17] Christina Cacioppo
But one of the most important things is they just want to see progression over time and increase maturity over time. You've probably had this at Stripe where you wanted to use some cool new tool that had no security posture and a contingent… Sorry, hack that, maybe. But one part of it was like, "Can you just walk this up over time and show me you're making progress?"
[00:12:59.09] John Collison
Yes. Is SOC 2 the main bible?
[00:13:05.02] Christina Cacioppo
Basically, it's funny. We don't break it out by framework anymore because they're all just inputs into the system.
[00:13:14.13] John Collison
Sure. But ultimately, you need to comply with some specific thing.
[00:13:17.02] Christina Cacioppo
Yes, most customers will come to us for that first. Number two is ISO 27001, which is, "Europe SOC 2."
[00:13:26.03] John Collison
Who demands ISO 27001?
[00:13:26.19] Christina Cacioppo
European enterprises. If you're a European company selling to Europeans, you will start with that. If you're a European selling to Americans, you'll start with SOC 2.
[00:13:36.04] John Collison
How aligned are they?
[00:13:37.10] Christina Cacioppo
I think our mapping is 60% or 65%. The additional ISO stuff is often documentation, which is a great place for software to help you out.
[00:13:47.02] John Collison
Sounds like Europe.
[00:13:47.15] Christina Cacioppo
Yeah, exactly. There's less, please implement these six more rules.
[00:13:52.03] John Collison
Is it SOC 2 and its international equivalents, is basically that what captures most of what you're doing?
[00:13:57.11] Christina Cacioppo
It is probably plurality, not majority. We see a lot of growth… There's this whole host, "a thousand flowers bloom" of AI standards right now. It's the whole thing there. There are a bit of healthcare-specific things. There's the PCI piece, which I know you're very familiar with. There's like that.
[00:14:15.12] John Collison
On healthcare, is this… Which—
[00:14:18.07] Christina Cacioppo
There's HIPAA, which is US law. You can just declare yourself compliant with HIPAA. You get to decide.
[00:14:24.05] John Collison
Yeah, self-declared.
[00:14:24.05] Christina Cacioppo
Yeah, exactly. The downside of doing that is if you do that and are breached, the fines are enormous. That's the check, the semi-market check there.
[00:14:33.02] John Collison
Can you describe the policy goals that something like SOC 2 seems to accomplish? You might say, "It's simple, it's just security." But as we know, there's many different facets to that. It could be preventing information leaks, or it could be preventing fraud against the customer, or it could be all these different things. If you were to stack rank, what is SOC 2 actually trying to accomplish at a policy level?
[00:15:01.01] Christina Cacioppo
I would say it is trying to ensure customer data is protected. I think that is what it is trying to do.
[00:15:16.02] John Collison
Just to round out the point to your Java/JavaScript comparison is that Java was a very popular language before the emergence of web browsers with JavaScript. When they invented JavaScript, they wanted to ride off the Java halo as a need-to-use programming language, despite the fact Java and JavaScript share no commonality at all. It was just good branding. What you're saying is that it's similar with SOC 2 here. Okay, so you're saying the primary goal is to ensure that the data that you are giving this company—
[00:15:48.18] Christina Cacioppo
Your software provider, whatever.
[00:15:49.21] John Collison
...Is adequately protected. Many companies have had humongous data breaches.
[00:15:58.05] Christina Cacioppo
Equifax was a great… It's a great easy version.
[00:16:00.14] John Collison
Equifax, AT&T, I believe.
[00:16:02.11] Christina Cacioppo
Kind of all of them.
[00:16:03.18] John Collison
Exactly.
[00:16:04.13] Christina Cacioppo
Assume every big company has a SOC 2.
[00:16:06.10] John Collison
Yeah, but there's a difference between some data was leaked in some context versus in the Equifax case, "Sorry, we lost all of your data."
[00:16:15.09] Christina Cacioppo
Exactly. "We didn't fix the database."
[00:16:17.11] John Collison
"Which data did you lose?" "All of it." It's very hard to find that moment in the Equifax stock price chart. What's going on there? As in, we think society cares, society should care. It's valuable to not lose this data, and yet it does not seem to impair what investors deem to be the terminal value of the company.
[00:16:36.23] Christina Cacioppo
Yes. What are investors betting on? They're betting on, will anyone churn off of Equifax because this happens? I think the cynical but correct take is no. Sometimes, because you're like, "Equifax or Delta, am I going to stop?" I'm not going to stop flying Delta, especially 10 to 15 years into this where you're like, "Oh, another one. I'll add an eighth credit monitoring service." I think there is a cynicism there that is probably correct.
[00:17:06.05] John Collison
Yeah. The other thing that feels like it's changing in this ecosystem is that the costs of having data breaches are going up because Europe, in particular, is getting very strict about notifications. Sometimes, fines around these breaches. How is that changing your world?
[00:17:34.20] Christina Cacioppo
We also cover some of the data privacy standards. Your GDPR, your CCPA, there's, again, alphabet soup of acronyms here. Honestly, we see demand for that that goes in waves. It tracks what you expect. It's higher in Europe. I mean, Vanta, as a product, in general, does even better in Europe and better than you would guess for a California company that doesn't have European roots. I do think there's some cultural affinity and just seriousness there, versus the easy critique of Americans in compliance is like, "I'm just checking. You tell me where the bar is, and I'll meet your bar."
[00:18:13.14] John Collison
It's a box-checking exercise.
[00:18:15.06] Christina Cacioppo
Exactly. Where it's just culturally something that is more important. "You can tell me where the bar is, I'll meet it, but also I have my own internal bar," which is more the European take. But we see demand for, say, CCPA, which is a California version of GDPR, go in waves. Right now, it is definitely… I mean, all the American regulation is at a total nadir, but it's down right now.
[00:18:38.23] John Collison
Well, it's down at a federal level. Is it also down at a state level, the energy around the CCPA type of thing?
[00:18:44.15] Christina Cacioppo
Yes, it is, even with… It's not clear what California is going to do, and it could go multiple ways. I still think the national politics cast a larger shadow, even over a state like California.
[00:18:59.09] John Collison
That's interesting. Okay.
[00:19:00.05] Christina Cacioppo
Yeah. On the national side, current administration is very into streamlining regulation through automation and AI. But that is the catchphrase that they deeply believe in and are driving.
[00:19:12.04] John Collison
I would have thought that this stuff is just too boring to be caught up in any reform initiative, or will this be streamlined?
[00:19:18.17] Christina Cacioppo
I think there's very hard-working folks in DC, across the board, but in GSA in the office trying to do this. The primary lever they're using is FedRAMP.
[00:19:31.08] John Collison
Yeah.
[00:19:33.18] Christina Cacioppo
Which broadly, I would think of as SOC 2 for the federal government. But basically, a very onerous set of both controls and requirements and documentation, in order to begin trying to think about selling to federal, and often state, sometimes even local governments.
[00:19:51.20] John Collison
I hadn't realized state and local governments also use FedRAMP as their—
[00:19:56.01] Christina Cacioppo
There's state RAMPs.
[00:19:56.19] John Collison
Yeah.
[00:19:56.22] Christina Cacioppo
There's literally Texas RAMP—
[00:19:58.12] John Collison
But they conform to FedRAMP.
[00:19:59.15] Christina Cacioppo
Exactly. There is a part of GSA, and one team in particular led by a guy called Pete Wasserman, who is trying to modernize FedRAMP. They make, like, a 2020 version of FedRAMP where the current version feels a bit more '90s. It is unclear if he will get the traction to succeed, but he's fighting the good fight and he gets it.
[00:20:25.04] John Collison
But even if they do that, I find it hard to imagine the Society of Accountants just copying the new FedRAMP lock, stock, and barrel.
[00:20:33.10] Christina Cacioppo
I don't think they will. I think you're just going to have even more divergence between these things. It's like less control over—
[00:20:41.06] John Collison
I feel like your life is the XKCD of we have 15 standards.
[00:20:47.17] Christina Cacioppo
It is, and the answer is the 16th. Yes. That is also my answer when people are like, "Isn't Vanta going to make a standard? Couldn't you make a better one?" We have that posted on the office wall.
[00:20:54.10] John Collison
Because it is your life. Going back to the effects of the European strictness, it doesn't show up in the form of... Maybe American companies previously were looking to check the SOC 2 box versus now they're like, "Okay, it's really important I don't cross this quite strict European rule."
[00:21:12.22] Christina Cacioppo
Right. Where they think now, and I think in the… It's funny, when we were starting Vanta—Vanta as what it is now today—in spring of 2018, which is when GDPR was going into effect. I was running around and being like, "Will you talk to me about compliance?" Everyone said, "Yes." I was having this great luck. Then I'd show up, and I'd be like, "SOC 2." They'd be like, "GDPR is a priority. Next, please."
[00:21:35.20] Christina Cacioppo
That energy has mostly dissipated, especially in the United States. I think because it's like… The theory at the time was GDPR is written by lawyers at a very high level. It's not a spec you can hand to an engineer, comically bad as an engineering spec. But it's fine. We will clarify that in court over the next 10 years. Now we're, whatever, seven, eight years in. It hasn't really happened. It still is hand wavy for an engineer, at least, to go implement as it ever was.
[00:22:05.16] John Collison
How does this work with agentic coding where the honest answer to the number of human reviewers to this code is zero?
[00:22:13.06] Christina Cacioppo
Yes. How should it work? Because right now it is like, well, somebody needs to be like, "I did code..." I think right now it's like agent writes code, human or agent puts up PR, maybe human or agent reviews it. I think to a naive SOC 2 audit, you're like, "Those seem like two user IDs had that conversation, and so we can go forward."
[00:22:35.21] John Collison
But it's more about having two throats to choke as opposed to we read the code of this ATM software and guaranteed that you didn't introduce a money glitch.
[00:22:47.16] Christina Cacioppo
Yes. My interpretation from talking to folks is some of the impetus behind that or the primary impetus was insider threat. That's what you're preventing against, which maybe that's my macro answer is, just go through the SOC 2 controls and be like, "What are we trying to do here?" And be like, "Okay, great. Let's design for that." That may or may not be how it's written today.
[00:23:07.17] John Collison
That's a good question because on all the insider threat stuff, having two reviewers is one way to do it. Does SOC 2 mandate a lot of other insider threat stuff? Because presumably, you should be logging a lot of activity, auditing a lot of activity. There should be processes that you have in place.
[00:23:22.23] Christina Cacioppo
No. I think this is where actually you get to the technical standard made by folks who often aren't as in their depth in engineering, let's say. The controls for… There are a bunch of logging and monitoring controls that are suggested. One thing maybe we also mentioned, unlike PCI, SOC 2 doesn't have a prescribed control list. PCI is different, and it's like, "You must buy this tool, whether or not it's useful to you." I'm sure you have your own story with that.
[00:23:51.10] John Collison
I'm familiar, yeah.
[00:23:53.00] Christina Cacioppo
SOC 2 is like, "You must log useful events and have a system to look at them. But it is up to you to decide what the heck that means," which sometimes it's helpful. I think for a startup that's never done this, it is unhelpful because it opens up a maze in a way that's just not great. That's where being prescriptive is part of, I think, Vanta's initial product market fit. I think it's actually largely due to that. In a way, that wasn't the plan. But I think it's like figuring out how to take that high-level guidance, bring it down in some places in a way that actually makes sense.
[00:24:30.06] John Collison
Christina and her team at Vanta are helping their users automate compliance, which for many companies is the thing standing between them and being able to sell to enterprises. We're very familiar with this category of products with Stripe, where you have a complex web of rules that businesses need to be able to comply with so they can move on to actually improving their products.
[00:24:47.04] John Collison
Just take tax compliance and our product, Stripe Tax. As you start selling in more states and more countries, you discover there's thousands of rules you need to follow. For example, did you know Chicago actually has a lease tax, which applies to SaaS companies, too, since you're leasing out software? Stripe Tax is built to automate all of this. With one integration, it knows what you're selling, when and where you have to collect transactional taxes, and how to register and file on your behalf. If you want to sell globally without becoming an expert in tax rules, check out Stripe Tax.
[00:25:19.19] John Collison
The joking reference that everyone makes is they talk about competition from Claude Code for software products is, "You're not just going to vibe code your X in a weekend." But obviously, something like SOC 2 is actually the kind of thing that LLMs or coding agents are good at working with because there's just so much training data out there, and it's a codified set of rules.
[00:25:49.22] John Collison
How is AI helping with what you're doing, and what is your plan for… You were describing some of the scale economies you have and having seen other customers, and I'm curious what the defenses are against… A customer could, in theory, say, "Hey, Claude, give me the plan for our SOC 2 compliance, make no mistakes." That is a thing you can contemplate.
[00:26:09.13] Christina Cacioppo
I think you can do the very defensive thing, but actually, the very defensive thing is like, "Right." But this is a place where you don't want to get stuff wrong. Spending much time on it does not make your beer taste better. Is this really the place? Even if you really want to vibe code a bunch of stuff, is this really what you want to vibe about? Fine, whatever. There's all those rumors. Ignore them all.
[00:26:29.05] Christina Cacioppo
I think where the LLMs are excellent and a little dangerous in a build versus buy, but then we just need to build better experiences on top of this is like, "Hey, Claude, I'm going to give you a mess of data. You go make sense of it to me and get me ready. I'm just going to give you a bunch of AWS screenshots or API calls. I'm going to give you all my policy documentation. I'm going to give you my existing Jira workflow. Go turn it into a thing." You can go do that today. We are building… This is our onboarding flow or will be our onboarding flow, which is, "Oh, you have an existing program that's already running. Give you all the stuff. We will go map it into the Vanta world."
[00:27:12.21] Christina Cacioppo
Then in a Claude or an LLM, it's like, "Okay, cool. Now you get files in a folder structure that you then box share that over to EY and call that your audit." Fine. You can do that. In a Vanta world, the outcome is, now, hopefully, we have your program mapped and is observable and monitored and alerted. You have continuous control monitoring. You get your dashboard, you always know what is in place and what is not. Yes, you can go send a share link to your auditor here, too, and they can log in and see everything. We think about it as they have lowered the initial audit prep in a way inside, outside Vanta. Or if they're not inside Vanta, what are we doing? Building that. But the continuous monitoring piece. That you're not going to get out of at least LLM chat. You've got to go vibe code that whole system.
[00:28:04.22] John Collison
Okay, so you're saying that everyone just wants… No one enjoys spending time in SOC 2. Everyone wants to have been SOC 2 compliant as of yesterday.
[00:28:13.13] Christina Cacioppo
Yes.
[00:28:13.21] John Collison
You're saying part of the advantage here in this new landscape is you can just take a whole bunch of unstructured stuff and just empty it into the Vanta hopper and Vanta will make sense of it.
[00:28:25.03] Christina Cacioppo
We'll get widgets that…
[00:28:27.01] John Collison
I presume part of the defensibility comes from the fact that preference amongst practitioners, in this case, the auditors that are reviewing your SOC 2 materials, is a very strong effect.
[00:28:39.08] Christina Cacioppo
That is very true.
[00:28:40.20] John Collison
Both QuickBooks and Xero, to some extent, really grew off accountants becoming familiar with those pieces of software. Companies could have opinions about what they were using, but those opinions were not that strong, and they were overridden by the opinions of the auditors.
[00:28:58.23] Christina Cacioppo
We have a version of that. I don't think it's as those effects yet, at least. But even again, we've seen 20,000 audits and thousands for particular firms, and so you're like, to control… We now do AI evidence eval. It's like, "Oh, you're going to provide this piece of evidence." We can just tell you, is it going to work for this auditor? Did you upload a cap picture? Did you upload a screenshot without a timestamp on it? You're going to get told to put the timestamp back on. Just that feedback loop. We already have, and we've thought a lot about doing things for auditors as well with that. But yeah, it moves in the direction of an AI internal audit, at least.
[00:29:37.20] John Collison
It feels like the data you have of anonymized prior audits is an incredibly powerful network effect that cannot be replicated because it doesn't exist in the public interest. The AIs don't have it available to them. It's just private data. Stripe is an advantage because we have all the fraud data. We know what a normal buying pattern looks like versus not. We can offer the best anti-fraud performance just because we're working with a larger data set than other people. Similarly, people are going through an audit, you can tell them that this will work and this won't.
[00:30:10.22] Christina Cacioppo
This is our Radar.
[00:30:11.17] John Collison
Yeah, exactly. In a way that just you cannot do even if you decided to buy it yourself. That's a big deal.
[00:30:20.16] Christina Cacioppo
Yeah, that's kind of cool.
[00:30:22.15] John Collison
Where else have you seen that be useful?
[00:30:25.03] Christina Cacioppo
In relationships between a software vendor and buyer. Vanta core, we think of ourselves as broadly and what we're best known for is serving software vendors, but people who make software and want to sell it to the world. Do you have security work? Is it secure?
[00:30:43.18] Christina Cacioppo
Then we have this third-party risk product, but it's basically, I think of you're an organization, maybe it's tech, maybe it's not tech. You're buying software, and you're going to go put a bunch of your customers' data in it. You want that software to be secure, because if not, you have to turn around and tell your customers, "I lost your data, but it's actually our email provider. But you don't care about our email provider. You think it's me, and I've sent you the email anyway." No one wants to send that email. There's a whole world of third-party risk or vendor reviews, and we built a product for those folks.
[00:31:15.23] John Collison
But is there a compliance versus security tension here as you're doing this stuff?
[00:31:19.23] Christina Cacioppo
We haven't seen as much. What we have seen is the person buying software, they might work at a tech company and be quite savvy and up to date on those threats. They might work… One of our customers is literally a hotel chain. They certainly don't get compliance themselves because they don't build software, but they buy it. Fine. What we generally see is some companies will come in with their set of questions they want to ask. Maybe I will read your SOC 2, maybe I will not, but I really want to ask you questions one through 10.
[00:31:51.07] Christina Cacioppo
Some companies don't have that. Again, there's some part of the Vanta value proposition is, "We'll prescriptively guide you." We have a product principle just around reasonable defaults. It's like, "Can we make the reasonable default questionnaire, in this case, something that leads into security versus compliance?" Or versus, "Do you have a policy to X? Can you just ask them if they X, if you care?" That's a place where we've tried to, on the margin, nudge the buyer questions toward more security, knowing that will change the economic incentive of the vendor.
[00:32:22.21] John Collison
One of the big debates people are having right now is how AI productivity gains show up. I feel like you could have an opinion on this because we have filled out a lot of security questionnaires at Stripe, and I think we'd be very happy if the machines could take over from here. We really don't need to... We filled out enough.
[00:32:42.01] Christina Cacioppo
We should talk about this, yes.
[00:32:42.14] John Collison
Exactly. One case you could make is the machines are getting quite good. They can understand what Stripe is and isn't and can do and can't do. Every time we get a security questionnaire, AI can fill it out. The counterargument you could say is maybe Jevons paradox will show up and there'll be even more exhaustive and elaborate and custom security questionnaires. The total amount will increase. How do you see AI productivity showing up here in the effect?
[00:33:10.20] Christina Cacioppo
The questionnaire is actually the great example because the questionnaires do that. We tried to build this product in 2018, actually before SOC 2, because it seems easier, actually, but the language models were not good enough. Then we tried again in early '21, and then BERT came out, and you're like, "Oh, is there more?" It was not good enough. Now it is good enough. To that, actually, GitHub gets 92% of all of the questionnaires they receive answered through Vanta. You're not at 100, but you're like, "It's GitHub. They have AI tools. They have Copilot. It's a lot." We are absolutely seeing this. The models are definitely good enough.
[00:33:45.23] John Collison
Sorry, people ask GitHub to fill out security questionnaires before—
[00:33:49.03] Christina Cacioppo
Used to fill it, exactly.
[00:33:49.19] John Collison
Using GitHub, and now they can mostly turn around and return those security questionnaires with 92% filled out.
[00:33:58.03] Christina Cacioppo
Filled out. We have a human, but just it's review and approve. Then the confidence scores on prioritizing even for the reviewer. It's like, "You can look at the section if you want, but you kind of don't have to." Whereas, "Will you really look at these 10?" All of that work, our product does that.
[00:34:15.15] John Collison
That's cool. Okay, so where do you think it goes broadly?
[00:34:17.15] Christina Cacioppo
I think that so much of the work of a compliance team is, again, keeping things in sync, keeping different sorts of text in sync. Adding on new compliance regimes, which is just adding controls. But really, do you want to map the new ones to the old ones and figure out what the duplicates are? That's actually a huge part, classically, of the work of a compliance team. I think there are so many opportunities for LLMs and agentic workflows in Vanta's business.
[00:34:53.00] Christina Cacioppo
We probably have a couple dozen of them. If I think about our roadmap, knock on all the things, we'll have hundreds by the end of the year. What we've been doing is breaking down what folks do. You're like, "Okay, there's the questionnaire piece." If you send out a questionnaire, someone has to read it on the other side. Then you have to think about it and figure out where does it work, where it doesn't? "Oh, I have this new policy update. I need to put this thing in a policy. We're going to start doing ISO 42001, which is the new AI standard. How do I map that in? I need to rerun a risk assessment. I'm going to change my risk score."
[00:35:32.11] Christina Cacioppo
Anyway, all of these things, all of these tasks are all just workflows that you could have an AI do, write an eval against with subject-matter experts, and then hill climb until they're quite good.
[00:35:44.05] John Collison
It feels like you can't reason about the number of people in a profession, especially at a certain stage of company changing. If you think back to ancient times, I don't know, the year 2000, if you had a 10-person company with 10 Gateway 2000 beige workstations, they probably would have had an IT person. That IT person would have had—
[00:36:07.20] Christina Cacioppo
Had the servers in the closet.
[00:36:09.02] John Collison
Yeah, exactly. They had servers in the closet, they had Microsoft Access database, they had to do software updates for all the machines. Occasionally, lint and stuff will get stuck in the mouse ball, and you'd have to take it out and clean it.
[00:36:18.12] Christina Cacioppo
Oh, yeah, you have to take it out. I haven't thought of that in a long time.
[00:36:23.00] John Collison
IT was a real job. Now, I don't think a 10-person company really has an IT person because the hardware is super reliable. You just buy a new version every now and then. Everything's in the cloud, so there's no porting data over. You just use Google Workspace for everything. It works really nicely. IT still exists as a profession. There's lots of interesting things. But Stripe has a bunch of IT people. You don't need a bunch of IT people.
[00:36:43.20] Christina Cacioppo
You've got to mail laptops to how many countries in the world? It's actually kind of hard.
[00:36:48.00] John Collison
We have some IT challenges. But again, we're 10,000 people. Again, it naively feels like you will have a similar effect with compliance as we had with IT, where the profession very much stays around. It actually gets more skilled rather than… I think the stuff we do in IT is harder than the basic IT, the 10-person company would have done. Is that basically where compliance is going?
[00:37:09.16] Christina Cacioppo
I think it's basically true, yes. One model we've thought about with Vanta, even pre-AI, is we will delay the point at which you have to bring on a full-time security compliance person or a consultant who's spending meaningful time. But in the past, if you were an enterprise company, maybe you did that at 50, 100. It's like, "Can we actually push that further out?" Because what we see is then an engineering leader or someone in the engineering org can manage more of this because they have the mental models, and they're usually system thinkers, and they can—
[00:37:40.18] John Collison
They're responsible for it, so they can change the stuff.
[00:37:43.12] Christina Cacioppo
Exactly. You have this—we call them Amelia Engineers—but the Amelia Engineers just going further here. Then you can bring on a unified security and compliance person versus, you have your security person, your IT person, your compliance person. But it's a little bit of what we're seeing in the engineer-PM-designer collapse. You have the security-compliance-IT collapse into one role.
[00:38:08.23] John Collison
You can keep them unified for longer.
[00:38:10.15] Christina Cacioppo
Exactly. If you can give them good tools, they can do that. Okay, fine. Then again, pre-AI, but then over time, that team starts to grow, and then you have a GRC team, and you have CISO, and all this. What we're talking about now, and we haven't seen yet, but if I had to future cast and guess, is we're going to see those GRC teams collapse a bit more into these single-threaded owners. Because you think of a GRC team today, there's maybe one person answering questionnaires, one person just reviewing new software vendors.
[00:38:42.20] Christina Cacioppo
You look at those, and you're like, "Okay, I think you can agent the work and then have someone oversee it with 20% of your time." But like, okay, great, you've collapsed two into 40%. You have some person who's responsible for bothering the engineers to get evidence for them for the audit or to get the control in place because they don't own the control, but they own the program, so they have to go to the engineer and be like, "Hello, I noticed you have a new database that is not encrypted. Will you please encrypt it?"
[00:39:14.05] Christina Cacioppo
You're like, you can just have software go nag that person. Anyway, it collapses. I do think we will see smaller GRC teams managing agents, but actually in the future. Then they are doing more. I'm not doing the security reviews. I'm thinking about the findings and overall managing this risk portfolio, this vendor risk portfolio, versus being like, "Oh, this vendor doesn't have this thing, and I need to go get it from them."
[00:39:41.14] John Collison
Yeah, I think what you're saying is there's a strategy component to how should we be doing things, and then there's an hourly labor component to compliance, which is like, "Oh, we did 10 times as many sales. We need 10 times as many bodies on the security reviews." You're saying that AI will eat up a lot of the hourly labor part of compliance and leave people doing the strategy work.
[00:40:01.05] Christina Cacioppo
Yes, I do think that.
[00:40:03.17] John Collison
What changes are coming down the pike in the world of compliance?
[00:40:06.14] Christina Cacioppo
I think there's, to the XKCD, there's lots of folks both trying to make new compliance standards, but there's a little bit of what's the difference with the 22nd one? From a Vanta perspective, we've taken out like, we will support them all because we have built a machine where it is easy to add a new one in.
[00:40:24.00] John Collison
But obviously, you only want to support ones that customers actually want to comply with, so you're not—
[00:40:27.23] Christina Cacioppo
Yeah, but what we do... We used to spend a bunch of time debating which ones those would be, and it was honestly so frustrating.
[00:40:34.12] John Collison
Now it's too long to model.
[00:40:34.12] Christina Cacioppo
Exactly. Now you're just like, build the machine that just lobs them in. The debate and the document you would write—
[00:40:40.05] John Collison
It's like us with payment methods. Do you want to support this payment method? Sure.
[00:40:42.22] Christina Cacioppo
We did that with compliance standards and integrations because it was just the prioritization debates were just too intense. We can take all of that debate time. Anyway, there's a bunch of those. Would I bet on any of them? If you really pressed me, I would say ISO 42001 just because it's the European one.
[00:41:02.08] John Collison
I don't know that ISO. You got a—
[00:41:04.12] Christina Cacioppo
42001?
[00:41:04.12] John Collison
You got to catch me up on this new ISO.
[00:41:06.02] Christina Cacioppo
It's a good one. I recommend it as bedtime reading. ISO, you know this, is a European standards body, and it is their version of what one should care about with AI. It ends up being pretty data privacy-focused and pretty high level. Those are the counters. The pros are that European enterprises are the ones that care the most about AI, and this is where they return. It's the thing that has the most market traction so far.
[00:41:32.06] John Collison
But again none of these are—
[00:41:32.11] Christina Cacioppo
But none of these are breakout. None of them have product-market fit.
[00:41:35.22] John Collison
None of them are regulatory. They're all—
[00:41:38.01] Christina Cacioppo
Correct.
[00:41:38.01] John Collison
You opt into—
[00:41:40.02] Christina Cacioppo
It is like, this market has roughly agreed, you might need this thing. There's that. I think the… Okay, I'm kind of proud of this. Are you familiar with the trust centers?
[00:41:53.06] John Collison
Mm-mm.
[00:41:53.19] Christina Cacioppo
They're the security status pages.
[00:41:56.08] John Collison
Sure. Yeah.
[00:41:56.17] Christina Cacioppo
Trust dot blah, blah, blah. Trust.vanta.com.
[00:41:58.21] John Collison
I didn't know they were called trust centers. It's just a status page.
[00:42:01.12] Christina Cacioppo
Yeah, but for your security posture. You get the green bars or green traffic lights or yellow traffic lights, but it's for your controls.
[00:42:10.17] John Collison
I see. They all say the same thing. A status page is red, amber, green. Hopefully, the trust center always says, "We're really compliant, boss."
[00:42:20.11] Christina Cacioppo
Yeah, exactly. There's a version of that. If nothing else, what they actually are, they're ticket deflection for the GRC team.
[00:42:27.06] John Collison
I see.
[00:42:27.19] Christina Cacioppo
Because one, your sales team sends them out, and you're like, doesn't it look good? Then, if you have any questions, here you go.
[00:42:35.00] John Collison
It's the prefilled questionnaire.
[00:42:36.12] Christina Cacioppo
Yes, exactly. It's like, here's the binder of information. Please read it. If you have questions for me thereafter, I am here.
[00:42:42.23] John Collison
Does that work?
[00:42:43.13] Christina Cacioppo
It does, actually. I think part of it is the just show of strength and the show of I'm on top of it. Then there's the like, yeah, read things first. Then, if you want to ask me, go for it.
[00:42:53.21] John Collison
Has outbound selling gotten harder now that everyone has a million AI bots spamming everyone?
[00:43:00.02] Christina Cacioppo
I think what I have heard is phone calls work in a way that I wouldn't expect.
[00:43:06.00] John Collison
For now, right?
[00:43:07.03] Christina Cacioppo
For now. But now, emails... A million AI bots. I mean, how many ChatGPT-written emails do you get in your inbox a day? But outbound phone calls are currently working.
[00:43:19.12] John Collison
Got it. But again, it's only a matter of time.
[00:43:21.06] Christina Cacioppo
It's only a matter of time. I think then you're just back to, oh, events. Especially small curated events.
[00:43:28.10] John Collison
A topic we talk about sometimes here is on-demand software. Patrick is taking the thing that software should be like pizza, delivered fresh, piping hot. But why are you using software that someone coded five years ago rather than just the computer deciding what to render to you at that moment? Is that coming to Vanta?
[00:43:48.11] Christina Cacioppo
It is. It's something we're playing with internally, but really excited about is having an agent that maybe is guiding you through the process or doing something and then needs the user to render an opinion or make a connection or do something. You're like, can the agent just generate UI specific for that task, so the user completes it and then move on? You get this bespoke agent-generated, hand-generated UI just for that. That does not exist.
[00:44:17.02] John Collison
Are you talking about because maybe people have a little bit of experience with agentic UI, an AI chat interface is people's first experience.
[00:44:25.09] Christina Cacioppo
It has some stuff in it.
[00:44:26.01] John Collison
Maybe there's three options you can choose, for example. That's like agentic UI, but you're talking about a full UI.
[00:44:31.19] Christina Cacioppo
Maybe you have that agentic chat bar on half of the page or a third of the page, and the other two thirds would be a SaaS app. You can imagine a data table with a view and columns rather than just customizing it, you're like, "No, I just want you to do this thing, and I will take over that right-side canvas of the page, generate the UI for the thing, or generate the report." I think reporting is another great use here.
[00:44:54.14] John Collison
What step of the process would this be? Would this be like you have 14 things you need to fix to get to—
[00:45:01.21] Christina Cacioppo
We thought about it in two ways. You're setting it up and you're going through. Actually, reporting is another, I think, great case. It's like no one wants more knobs and whistles on their reporting tool. Also, no one really wants to learn SQL. I want to report for this, go, generate it. Not quite right, take this out.
[00:45:21.11] John Collison
That's cool. When will we be seeing generated UI in Vanta?
[00:45:25.16] Christina Cacioppo
This summer.
[00:45:26.11] John Collison
Wow. What has worked well from a go-to-market perspective for you guys?
[00:45:30.00] Christina Cacioppo
In a way that we don't… We have tried to… But brand spend, honestly. The billboards, we do all the stuff people do of zip code tracking and all of that. Gong call mentions. Recorded sales, like mentions of the word billboard on recorded sales calls, and then you can track—
[00:45:48.02] John Collison
To measure the billboard.
[00:45:48.23] Christina Cacioppo
Exactly. Then you track those deals through to closed-won and like that.
[00:45:52.18] John Collison
You're ultimately doing a geo split. You're looking at the locations where you had a billboard versus not.
[00:46:00.00] Christina Cacioppo
Then just does the prospect say the word billboard in a call at some point. Some of that. Podcast advertising has been exceedingly effective for us. It's funny because we started doing it in late 2020 with our first salesperson, Eric, who's still at the company. He really wanted to advertise, I think, on This Week in Startups. I thought it was silly because my model is the only companies that advertise on podcasts are founders who want to hear about themselves. This is just nonsense.
[00:46:30.00] John Collison
Or mattress companies.
[00:46:31.06] Christina Cacioppo
Exactly. Or mattress companies. But we are neither. Doesn't everybody really need to talk to... Anyway, he came to me and was like, I want to spend $60,000 on this ad. My deal with him was "Fine, but you got to sell four more Vantas" because a Vanta basically cost $15,000. The next month, he sold 34 more Vantas because of the podcast ads. That was when you were like, "Well, I know nothing. You should just keep going."
[00:46:55.12] John Collison
I call this, by the way, I think there's a founder negative value add at times.
[00:47:00.00] Christina Cacioppo
Yes, exactly.
[00:47:00.20] John Collison
Founders have these incredibly strong views that are wrong.
[00:47:02.22] Christina Cacioppo
That are just deeply wrong.
[00:47:03.15] John Collison
But it's really hard to remember. It's good that you let them go and do it because sometimes I think some people would have said, "No, we're not doing that, it's silly" and it would have taken many more years to learn.
[00:47:11.20] Christina Cacioppo
The deal is you have to sell four extras.
[00:47:13.20] John Collison
I feel like I've heard you on the Acquired podcast.
[00:47:16.12] Christina Cacioppo
We do. We advertise on Acquired. We do Invest Like the Best. I think in the early days, so this was helpful and then deeply unhelpful, but in the early days before we had competitors, we tried to basically make this call response of someone says SOC 2, someone says Vanta. There's really close association, which in the early… Again, when we were just competing against consultant—
[00:47:37.20] John Collison
You wanted to own the term SOC 2, basically?
[00:47:39.13] Christina Cacioppo
Yes, basically. Which worked really well until we had competitors who were like, "Well, we do a SOC 2. We're Vanta but cheaper. Worse, but better." Then you're like, "Oh, God. Now we're all pointing at a thing we don't own, and that's bad." Then there was a great reframe on that one, I'd say.
[00:47:58.17] John Collison
What did you learn working with Fred Wilson?
[00:48:01.00] Christina Cacioppo
USV is a very special place in lots of ways, and I think USV is fundamentally about ideas.
[00:48:08.17] John Collison
More so than other venture firms.
[00:48:10.02] Christina Cacioppo
Yes. I think most venture firms are a herd of great-man, great-person firms. They're about the person, and this person will do the thing.
[00:48:17.04] John Collison
I have no idea what this is, but I like the cut of his jib.
[00:48:19.05] Christina Cacioppo
Exactly, yes. I think USV is, it's just too black and white, but it's basically the opposite. Whatever person can walk in, but if it is an idea that is interesting and compelling and intellectually engaging and networked, that is classic USV. It matches back some great people. I don't mean that, but it's just first thing... First, second, and third thing is the idea. Really pressing on that. It was that piece that I think was very important.
[00:48:51.16] Christina Cacioppo
I think the second part is market sizing is bullshit. You can be as academic or whatever, strategy-ish as you want about it. The market size today is only a predictor of the market size today. I think I deeply learned that because if you looked at the SOC 2 market in 2018, my best estimate was there was $10 million spent globally, and you would never start a startup on that.
[00:49:22.10] Christina Cacioppo
But the theory of Vanta was like, "Well, if we can make this thing easier to get and take down the cost of dollars but really time, more people will get them." That ended up being deeply true. But that was not a market, especially for startups. The market for startups getting SOC 2 in 2018 was zero dollars.
[00:49:42.22] John Collison
Yes.
[00:49:43.08] Christina Cacioppo
Truly zero.
[00:49:44.04] John Collison
Yes. Vanta is an example of the company that being too TAM-brained—
[00:49:50.08] Christina Cacioppo
Yeah, you would not come up with it. Now it's like, "Oh, but of course everyone gets it." You're like, "Right." But like, 2017. Again, when did Stripe get a SOC 2?
[00:50:00.00] John Collison
Probably reasonably early on because it's so core. It's not a small part of your stack, but definitely before 2017. It's very interesting framing on USV where I feel like you can see this a little bit in Fred's blog and stuff where it's clear.
[00:50:18.05] Christina Cacioppo
It's the ideas.
[00:50:18.08] John Collison
Yeah, exactly. Attraction to ideas and a prepared mind for something like crypto.
[00:50:23.10] Christina Cacioppo
It comes along. You're like, that thing.
[00:50:25.01] John Collison
You're ready to strike. Is that across the firm or is that Fred in particular?
[00:50:29.10] Christina Cacioppo
It's Fred and Brad, for sure. Brad is the under-sung Fred partner. I mean, they started the firm together.
[00:50:36.02] John Collison
You're talking about the Fred and Brad relationship.
[00:50:37.23] Christina Cacioppo
Yeah. Brad Burnham is a venture capitalist, mostly retired now, but also excellent and incredible track record. He and Fred started Union Square Ventures in, I think, 2002. First fund was '04. Took them two years to raise that fund. If you go look up USV '04 Vintage, God, we all should have invested in that. But it was the two of them. Then Albert came on as the venture partner, I think in '06. He was on the fund of the partner.
[00:51:05.06] Christina Cacioppo
Going real deep here, sorry. But it was like the two of them. There is just… It's not Yin-Yang. It's not the right frame.
[00:51:12.20] John Collison
Complementarity.
[00:51:13.14] Christina Cacioppo
Yeah. Many of the ideas of the firm went back and forth by them. Then Fred was excellent at articulating those ideas in a way the rest of the world could understand, check it on AVC. Which he did. I think one of the under-appreciated things is how much back and forth there was there in the creation there. That pairing, I think, probably should be in the annals of the Khosla-Doerr pairing, maybe like Leone-Moritz.
[00:51:47.19] Christina Cacioppo
These venture pairings where you had two people who could play off one another, and they were just like that. I think Brad and Fred had that for a decade and a half.
[00:51:57.11] John Collison
What's the difference in person? Because I'd say Doug and Mike Moritz at Sequoia are very different people. Again, I think that's part of how it works.
[00:52:04.18] Christina Cacioppo
Yeah. I don't think Fred and Brad are as different as those two are. But yeah, Brad is cerebral, philosophical, academic, so interesting to talk to, and you have this wonderful conversation, and you'll be like, "Are there any ties to the business world in that?" But truly, these are… Then one thing Fred could do was go back and forth with him and be like, "Oh, freemium." Then run with freemium. But it wasn't just I'm going to market this term. It was the back and forth and then the communication out.
[00:52:33.18] John Collison
Wait, did Fred coin the term freemium?
[00:52:35.13] Christina Cacioppo
He did. Yeah. In a blog post in, I don't know, '08, '09, something like that. Doesn't it feel like it was just always a term?
[00:52:42.11] John Collison
Yeah, exactly. That's just what it's called.
[00:52:43.21] Christina Cacioppo
In 1952, didn't they talk about freemium?
[00:52:46.09] John Collison
Yeah. It's like when you learn those things like, did you know saying the quiet part out loud? That term comes from The Simpsons. In what ways are you a different CEO coming from your experience as an investor?
[00:52:56.17] Christina Cacioppo
I wouldn't have done it. It's a real answer.
[00:52:58.17] John Collison
That's a good start.
[00:53:01.08] Christina Cacioppo
I'm really lucky in approximately nine million ways with them. One of the ways was for two years, I just met 15 founders a week for two years straight. I think whatever model I had of what a founder is or does, it was like, "Yeah, that exists." But look at all the ways one can do it. There's some coming out, some more success, but just there's a lot of ways to do this thing.
[00:53:26.05] Christina Cacioppo
I think that exposure was super helpful for me because you got to see people who I felt more affinity or similarity to in whatever dimension also do it. It was the role model thing, but not one person. You meet a thousand of them, and you can pick out the pieces.
[00:53:47.20] John Collison
Having all that training data, what patterns do you think you see in people who went on to be successful? Or maybe conversely, what anti-patterns did you see in the people who—
[00:53:58.02] Christina Cacioppo
I think there is a… Someone said this better than me, but there is totally a truth-seeking piece of it, or just sometimes you can bend reality to your will, but often reality is reality, and you got to embrace it and figure out how to work around it. Reality, sometimes it's an immovable object. I think there was a—
[00:54:14.20] John Collison
It was a delusion to the unsuccessful founders.
[00:54:16.16] Christina Cacioppo
Exactly.
[00:54:17.04] John Collison
I haven't noticed that.
[00:54:17.16] Christina Cacioppo
Yeah. They're like, "Oh, no, but I can change this." You're like, "That one, I don't…" Gravity is gravity, isn't it?
[00:54:23.19] John Collison
The version of this I talked about with Des Traynor is, I feel like investor updates with a lot of words and no metrics.
[00:54:32.02] Christina Cacioppo
Oh, yeah, those are bad.
[00:54:33.05] John Collison
Those are bad. Actually, no investor updates is fine.
[00:54:36.17] Christina Cacioppo
No, either way. No is either very good or very bad.
[00:54:40.02] John Collison
Metrics is fine, but a lot of words and no metrics is almost a sure sign of failure.
[00:54:46.06] Christina Cacioppo
Bad, yes.
[00:54:48.04] John Collison
Because, again, I think it gets at that delusion, failure to truth-seek tendency.
[00:54:53.11] Christina Cacioppo
What else? They're famous, Etsy and Kickstarter. There's a bunch of these companies of this era stories where I think I developed—that's true—this huge appreciation for product-market fit. That sounds so dumb, but now it's the like, "If you think you have it, you don't" framing.
[00:55:12.21] John Collison
Or if you're asking whether you have it, you don't.
[00:55:15.11] Christina Cacioppo
Etsy, great example. Co-founder CEO spent 80% of his time for years making people desks because they had this lovely cultural thing. When you joined, you were getting homemade bespoke desk because they sold homemade bespoke things.
[00:55:30.21] John Collison
This is the thing, Yancey would make people a desk?
[00:55:33.21] Christina Cacioppo
I think it was Rob Kalin at Etsy. He would make people a desk.
[00:55:37.10] John Collison
Sorry, I'm getting confused between Kickstarter and Etsy.
[00:55:39.13] Christina Cacioppo
This is the Etsy version. Now, if you're like, 80% of a CEO's time is making desks and the business is on fire.
[00:55:46.18] John Collison
See, Amazon had it figured out where you had to make your own desk. It's a much more scalable way.
[00:55:51.11] Christina Cacioppo
Rob made the desks. But you're just like… It's a funny story, but you're like, "The business was fine." There are just these things that have their own immovable objects, and you can be making desks for people all day long.
[00:56:07.05] John Collison
Doing a podcast.
[00:56:07.12] Christina Cacioppo
It doesn't matter. If you don't have that… It's not that we should all… I mean, maybe we should all go make desks. I don't know. Would you spend time making desks at this stage?
[00:56:17.23] John Collison
I think woodworking is very… I don't do it, but I did it as a kid. It was satisfying. Last question. Does Vanta expand from here beyond security? Do you start helping people comply with everything else? Do you continue taking over the world until all the world runs on Vanta?
[00:56:34.05] Christina Cacioppo
Yeah.
[00:56:34.15] John Collison
What's the plan?
[00:56:35.03] Christina Cacioppo
Definitely taking over the world, making desks along the way. No. I think right now we do think about, especially in this world where in theory, code has become much cheaper, actually. Two things. One, it's like, "Can we add different pillars or verticals?" There's a whole lot in security, especially for a small business or a mid-market business. I think enterprise, it's a different ball game there, but there's things there.
[00:57:00.00] Christina Cacioppo
Then when we really think about parts of the CISO organization versus, for the most part, other parts of an organization. But we would think about enterprise risk or internal audit. Financial audit is adjacent and interesting.
[00:57:15.11] John Collison
What can you do in an internal audit or financial audit?
[00:57:17.20] Christina Cacioppo
Internal audit is easier for us, given what we've built in a way, is we have all of this, and currently we're packaging material and sending it to the auditor. But you can imagine packaging it and sending it to an internal auditor.
[00:57:31.15] John Collison
It's the same thing. It's a controls platform. It's like, "Decide what it is that you should do and then validate that you're doing it."
[00:57:37.07] Christina Cacioppo
Prove that you are doing it. Exactly. Financial audit, the system is similar. It's a different set of integrations on data. It's thinking through, okay, what is the right point to start building out those ERP integrations, payments integrations, all of that to get that data to parcel this in.
[00:57:56.01] John Collison
Exciting. Christina, thank you.
[00:57:58.03] Christina Cacioppo
Thank you.