[00:00:00] S1: Unsupervised Learning is a podcast about trends and ideas in cybersecurity, national security, AI, technology and society, and how best to upgrade ourselves to be ready for what's coming.

[00:00:18] S1: All right, so today we're going to be talking about the Vanta GRC solution. And we have Faisal Khan with us. Faisal, welcome to Unsupervised Learning.

[00:00:28] S2: Yeah. Thank you for having me. I'm very happy to be here. Excited to talk about Vanta and the world of GRC.

[00:00:35] S1: Sweet. So can you start off by telling us a little about yourself and what you do there at Vanta?

[00:00:41] S2: Yeah. Of course. So my name is Faisal Khan. I'm a GRC solution specialist at Vanta. I've been at Vanta for a little over a year now. I work with our go-to-market segment, so pre-sale and post-sale, really to illustrate its value as a trust management platform in the space, and focus on how organizations can implement their GRC programs and why their trust management portfolio with Vanta. That goes all the way from talking to customers in the presales process based off of their requirements, and then also helping with some implementation activities when it comes down to how do you operationalize Vanta according to how they may want to either build a GRC program for themselves from scratch or bring in their own.

[00:01:26] S1: Okay. Yeah. In the Front Sight focuses a lot on automation compliance. Obviously compliance, but basically automating it, like having it be as non-manual as possible. For people who haven't heard of Vanta, you gave a pretty good intro there, but what is the specific problem that we're trying to solve? What are you trying to address?

[00:01:52] S2: Yeah. Of course. So to start off, I'll do a bit more detailed introduction of Vanta. So Vanta provides a trust management platform that gives capabilities to customers to help build, scale and really prove their security and compliance programs, both for themselves internally, but also to illustrate that externally to customers as well, and other external parties for that matter. To do that, you have to really think about, okay, well, if we think about how organizations approach this today and what the goals for security and compliance programs are, it's all surrounding the aspects of improving security, increasing visibility to risk, making it easier for teams to get the right information about the compliance posture, making it easier for some of those sales cycles to occur and really grow the business and show how they're differentiated. A lot of that includes this whole notion of being able to demonstrate that trust to those organizations. But when we think about just those goals, there's a lot of, I'd say, uphill battles that come into play when you think about, okay, well, how do you achieve them? There are growing buyer security expectations. Right. Like as you go to different customers, maybe different third parties that you work with, the security requirements tend to be similar but also different in some way just depending on who you're talking to. But then also this notion of your security is also related to your vendor security. And the number of vendor security reviews also tends to go up as the organizations grow too. And then to tack on to that even more, we think about regulations, right. And there's this growing regulatory impact. So we're left with how do you address that space. And oftentimes it's individual processes, manual efforts, sometimes point solutions to do an individual thing, which is where Vanta tries to solve that problem with a bit more of a unified way to start to scale and then ultimately manage your security and compliance programs together.

[00:04:04] S1: Yeah, just taking a couple of notes here. I like the way you broke it down there in the beginning with, like, there's different groups that we want to prove that we're secure to. Right. And the fact that we are secure or are working towards it can be used to enable business. Right? Or alternatively, you could say that it slows down business when we have to constantly do manual work to be able to get through these hurdles. So it seems like a big part of the platform is not only making sure we're doing a good job, but broadcasting that. Having a narrative around it. How much of it is presentation to the customer themselves? Do they have like a portal that they can go to?

[00:04:49] S2: Yeah. Yeah, definitely. So from a customer presentation perspective, we have what's called the Trust Center, and we can do a brief overview later on in this session as well to show what that looks like.

[00:05:00] S1: Especially, I would love to see that.

[00:05:03] S2: But the Trust Center is supposed to be that way in which you can represent not only your controls, but resources that you might have that you want to share, and build processes around those things so that you don't have to manually provide them or go dig for them. You can build in workflows, let's say, from your CRM system to determine approvals and how to get that information and make it a bit more self-serve. So when a customer or a partner or any other external party goes to the Trust Center, they're able to see the information and really self-serve that request for access to that information and get that information a lot quicker. It becomes especially even more important when we think about just representation of commonly asked questions about the security program. If it's all illustrated in a central place, it just makes that process a bit quicker and increases efficiency overall.

[00:06:00] S1: Yeah, yeah, I'm adding to my list here. This is really interesting because I've pretty much been in this world my whole life. I've never directly been in GRC, but I'm always dealing with it. It's always right there. Especially the risk management side of it. So I've got customers. Questionnaires is kind of a meta because that could come from anyone, but usually questionnaires come from customers. But customers, procurement, auditors, regulators. What are some other groups that are like user buckets?

[00:06:33] S2: I would say that partners are also a pretty big user bucket. In a past life, the partners that you work with, whether it's integration between systems or them using your service to go in and perform a service to another client of theirs, where you might be the fourth party in that engagement. It's an important aspect to consider because they'll also have their own version of security questionnaire. And it goes back to this notion of the security of your own organization oftentimes depends on the other vendors and other parties that you're using, or using by virtue of another provider.

[00:07:09] S1: Yeah, that makes sense. Okay. So I've got questionnaires on top. And then. So I added partners. I think that's spot on. How about executive team and board?

[00:07:23] S2: Yeah. So executive team, board are absolutely very big stakeholders as part of it. I view that in two layers, though, so we can think about internal representation of your security and compliance posture to the board of the company. And then we can also think about external members, and especially for maybe those smaller organizations that have a bit more focus and their main contact is the CEO. It's really the executives that are getting the startup on the ground, as an example. And in both ways, one way you could solve that is through Trust Center, as an example, where you can use the Trust Center to still embody the same information, including resources that you want to download and surface. We also have a chatbot on the Trust Center for folks to go in and self-service questions based off of what's available resource-wise. But then also, right, we think about program management and reporting of internal security and compliance to stakeholders within the company. And Vanta does a really good job of looking at the different aspects of the trust management program. So we think compliance, vendor security, your overall risk management program, and having a risk register, knowing where your risks lie, access reviews, and collecting that information into operational metrics and reporting dashboards that can help tell the picture of, hey, we have X amount of tests that need to be remediated at X point of time, and the following are running close, as an example, for a more operational perspective. But okay, hold on. Look, we have our audits that are also coming up and available, and they're scheduled for X amount of days. So it gives a lot more high-level visibility to say, hey, this information can be grabbed and presented to that higher leadership.

[00:09:14] S1: That's really cool. When you say test, do you mean like technical testing? You mean like pen tests that are running and assessments like that? You could actually see maybe that they're scheduled or see that findings are coming out of them that can affect the GRC posture.

[00:09:30] S2: Yeah. This is actually a really good segue to just talk about the compliance module of Vanta, right. At its core, what we do is take an integration-first approach, where we plug into your integrations. Of course, we give you the workflows, the instructions on steps to follow and say, hey, if you wanted to connect AWS, Azure, GCP, and any other service providers that you use that help with illustrating your security compliance posture or are impacted by virtue of it, plug them in. We're going to go run integration-based automated tests to go check for specific configurations that help show a specific posture. A good example that we'll also do a showcase of is data encryption at rest. A very common security ask is having the data stores that you're using to store your sensitive data, and even confidential and sensitive data, be encrypted at rest. And we have integration checks that check for your in-scope databases that we can see and say, hey, do you have encryption enabled on these things or not? Similar to tests like that, where if we can see a resource and we have a technical test that we can run that's relevant from a security and compliance perspective, we'll go in and run them and report them to you so that you have visibility of, hey, this one is detected, there's one database that hadn't been encrypted. What gives? And you can go in and remediate those things. The additional cool bit to that is automated tests are also pre-mapped to controls that come down to the different frameworks that you're trying to comply with.

[00:11:10] S1: At the end. Yeah, I was going to ask that. So you could basically say, okay, we're now going to be under this one. That given compliance standard then has requirements, and the requirements are linked to the automation tests, which leverage the integration, I assume. So it knows what to either build inside of that integration or just kick off inside of that integration. And then it's actually taking signal from the results of that and hitting your compliance status for that given compliance thing. Is that correct?

[00:11:47] S2: Yeah, yeah, for the most part, yeah. We have tests that are running that we've built, and they are pre-mapped to controls that belong to the requirements of different frameworks. So SOC 2 and the AICPA criteria and the related controls that we create on top of that.

[00:12:04] S1: But you have to build those tests inside of their platform, right?

[00:12:08] S2: Actually, no. We actually have those tests that we build, and we run those tests against the provider, against the resources that we see for the provider. So we would be the ones building the tests. And based on the data we see, we can run configuration checks against that data that we're collecting, that we're able to gather.

[00:12:27] S1: Sure. But let's say it's like an endpoint system, like Tanium or something, or some cloud AWS thing. In order to run the test against the cloud infrastructure, I mean, don't you have to be inside of that infrastructure?

[00:12:43] S2: Absolutely, yes. No doubt about that. So we need to have a connection to that infrastructure. And what we do is we strive for the minimum possible permissions that we need. For most of it, outside of, let's say, task management integrations, where it's a bit more permissions on creating tasks, it's read-only. So we're going in, and we do need access to your environment to go look at the available resources that you have. And once we've established those connections, which would depend on what integrations you are able to make, we can then go run those tests from our end to say, hey, we see these databases, we see this load balancer, as an example. We see these EC2 instances in AWS. You're running these things, we're running these checks, and the following instances need to be looked at. Similar example for vulnerability scanners. Right. Different type of test. We see these vulnerabilities, these critical, high, medium and lows. And we give customers and other users of our platform the ability to set SLAs for those severities and say, hey, look, you said that critical vulnerabilities are going to be remediated in a 14-day period, but we see this one. It's 15, 16. Or hey, look, it's 13 days. You've got to remediate it. Why isn't it remediated?

[00:14:04] S1: Yeah. So on that point, is that based on the policy that you've stated somewhere, that we have stated we want to remediate within that amount of time, or is that coming from requirements that we've said that we want to fall under?

[00:14:18] S2: Yeah. So it's a little bit of both. So some standards, depending on what the standard is, are going to require specific configurations. Yeah. In Vanta there are additional configuration features, if you will, that are called SLAs. And you can edit those SLAs to represent what that time period is that's acceptable based on your policy. So let's say my policy, my vulnerability management policy, specified 14, 30, 90: 14 for critical, 30 for high, and then 90 for medium and low. Let's just assume. Then you can now go make those same edits in your SLAs and say, hey, we've updated them for our policy, and we can run tests according to those values to say, hey, look, are you meeting it or not?

[00:15:09] S1: Interesting. So if you get a finding back, the finding might say this is a violation. Oh, this is PCI, or this one is SOC 2 or whatever it is, SOC 2 Type 2. Or it might come back and say you're compliant with all those standards, but you're violating your own policy. Would it see that?

[00:15:33] S2: So to clarify, usually when you go in, and when we think about SLAs, and I think a lot of this will become even more evident in the platform, when we think about policy: policy is the rules, really, that you establish to govern security compliance. The SLA configurations that I'm referring to are an additional way that you can configure specific time periods based on your policy that you've written. So you use the data from your policy and you'd say, hey, my policy says X. Let me modify the SLAs so that the tests can run the way they should. It's your policy, and what you're trying to comply with should be matching to begin with. And that's where the value comes in as well, where we provide policies and procedures to utilize out of the box and customize as needed based off of what a requirement of a customer might be.

[00:16:28] S3: Mm.

[00:16:29] S1: Yeah. Interesting. Yeah. I like the direction that we went. We just jumped right in. Let's see. Yeah. Let's see here.

[00:16:38] S2: I know it's a very broad space, I'll say. Yeah.

[00:16:41] S1: What do you feel like other players in the field are not doing well?

[00:16:47] S2: Ooh, that's a good one. I'd say that there's two things that come to mind. I think one is breadth of integrations. I can attest to this, having been a Vanta user in a past life, where when I started my journey, it was several years ago, I think when I started with Vanta, it was 9 or 10 integrations. And now if I look at our portfolio today, we have over 300 integrations. And of course, like, the depth of those varies; there's different things that we can do with the various integrations. But all that to say is we're able to connect with way more, and the more that we can see, the more we can run tests against and go in and provide that visibility to you, where it's less tracking it outside for the specific systems that you might be working with. You can come to a unified experience and say, hey, look, I'm running these tests against these integrations, and I have it all in one spot for me to go in and action on. That's one piece, I'd say, is breadth of integrations. The second piece that I'd probably call out is customer feedback and product listening. I do think that as a whole, especially just having been working here internally with our product and go-to-market teams, we have a really good process around understanding customer feedback, taking that and actioning it based off of what the feedback is and taking that back into the product accordingly. Because at the end of the day, you know, we want to make sure that our customers are getting the value out of the platform in terms of managing their compliance program, and that they can scale with us as well.

[00:18:23] S1: Yeah. So let me ask you this. The thing that's forming in my mind after hearing this is like there's a distinct two things. One is securing the org. It's finding what we need to be compliant with and doing the actual work of the security, like vuln management and stuff like that. And then the separate part is explaining the security, presenting the security. It seems like those are two very distinct things. Not completely, you know, disentangled. But do you see Vanta as being those two main things?

[00:19:04] S2: Yeah, I think that's a really good way to look at it. Right. It's distinguishing between your internal efforts on how you go in and secure and maintain compliance for your environment at large. And I would like to distinguish those two because they're both related, but compliance and security at the end of the day are different things. But one can help with the other. Right. And by virtue of that, that information, the efforts that you take from a security and compliance perspective, feed the external communication, because if you don't have anything to communicate, then you're kind of at a loss of how you represent yourself to your customer. And that's where, again, having a unified experience like Vanta is very critical to demonstrating that notion, because you can complete the required checks, whether it's automated or manual, and show representation against the frameworks that you're trying to adhere to. See some of that cross-mapping across standards, because if we have a test and we know it applies to another standard we provide out of the box, we're going to do that mapping for that framework too. And then once you've done that, bubble that up into the output from a control and reporting perspective and documentation to put on your Trust Center, and show that and say, hey, customer A or partner A, here's the list. Here's the representation of our compliance program. Here are the different controls that we're running. And here's what you need to see. We want to show you the trust that you can have with us, and the data that we're storing for you and the services that you're going to be using from us.

[00:20:48] S1: That makes sense. That makes sense. You know, what I'm thinking of is, like, there are adjacent spaces that if you're doing this holistically would kind of naturally fold into you, and it seems like you're already kind of integrating them. One would be vendor management, another one would be vulnerability management. Have those kind of just naturally folded into you over time?

[00:21:12] S2: Yeah, yeah, I'd say so as well. And again, from a past customer experience perspective, it's always fun looking at it as a before and after being part of the organization. Absolutely. The vendor VRM, I'd say it's one of my favorite tools, especially because we use AI to go in and help with that analysis to accelerate your reviews. We also provide integration with procurement tools to go in and trigger when a security review might be occurring, whether it's a renewal or a new opportunity. But the thing with vendor reviews, and I'm going to make a little tie-in to questionnaire automation too, because I think that's a very good tangential one: internal, like the ones about your vendors, and ones about you being the vendor to another consumer.

[00:21:59] S1: Oh yeah, I was actually thinking of both at the same time. But you're right. One is like almost like supply chain management internally. And then that's a good point. I hadn't thought of that one. So that's actually another space. Supply chain management kind of starts to merge with this as well.
But I was thinking of the one specifically of, uh, 387 00:22:18,180 --> 00:22:21,460 S1: when you start, when you go into a partnership situation, 388 00:22:21,460 --> 00:22:24,740 S1: they want to make sure you're secure. Um, they want 389 00:22:24,740 --> 00:22:27,100 S1: to know the list of vendors you're dealing with. Like 390 00:22:27,100 --> 00:22:30,940 S1: all these questions keep keep coming up. You mentioned AI. 391 00:22:30,980 --> 00:22:33,500 S1: Is that to handle the fact that people ask the 392 00:22:33,500 --> 00:22:35,620 S1: same question over and over in different ways? 393 00:22:36,100 --> 00:22:38,580 S2: Part of it. Right. Yeah. Part of it is that right? 394 00:22:38,580 --> 00:22:43,380 S2: There's different variations to different types of questions. Like it's 395 00:22:43,380 --> 00:22:46,820 S2: it's um, you can you can have a questionnaire that's 396 00:22:47,340 --> 00:22:50,300 S2: 20 to 30 questions long. I've done questionnaires that are 397 00:22:50,300 --> 00:22:54,340 S2: over 500 questions long. Um, and they're all like different 398 00:22:54,340 --> 00:22:57,420 S2: depths and breadths, if you will. Um, and because of that, 399 00:22:57,420 --> 00:23:01,260 S2: it's a tedious exercise. Um, a lot of there's a 400 00:23:01,260 --> 00:23:04,340 S2: lot of effort that goes into just that aspect of it, right, 401 00:23:04,340 --> 00:23:07,620 S2: where you're speaking from a being a service provider to 402 00:23:07,660 --> 00:23:11,540 S2: a customer. Uh, so we use AI to go in 403 00:23:11,540 --> 00:23:15,660 S2: and analyze the data library and information that we can 404 00:23:15,660 --> 00:23:18,620 S2: gather based off of what you have input to, to, 405 00:23:18,619 --> 00:23:22,460 S2: to collectively answer some of those questions and provide those outputs. 
406 00:23:22,460 --> 00:23:25,060 S2: And of course, the more data we can get, the more, 407 00:23:25,540 --> 00:23:28,139 S2: more refined some of those responses are going to be 408 00:23:28,420 --> 00:23:31,300 S2: for you to go in and see, maybe even make 409 00:23:31,300 --> 00:23:33,260 S2: some tweaks and updates for the next time so that 410 00:23:33,260 --> 00:23:36,260 S2: the next time, sometimes some of those questions comes up, 411 00:23:36,260 --> 00:23:40,660 S2: it's there and it's ready to go. Um, so and, 412 00:23:40,660 --> 00:23:43,300 S2: and that also then feeds back to the trust center. 413 00:23:43,420 --> 00:23:45,420 S2: So if we think about the trust center and being 414 00:23:45,420 --> 00:23:48,580 S2: able to ask questions from our trust center, that's also 415 00:23:48,580 --> 00:23:52,139 S2: related here, where it's all a unified experience from that lens, 416 00:23:52,500 --> 00:23:55,900 S2: from a supply chain management perspective. I think you've hit 417 00:23:55,900 --> 00:23:58,860 S2: on you've made a really good point, right. Like one's internal. 418 00:23:58,900 --> 00:24:02,619 S2: The other question of automation is a bit more external. Um, 419 00:24:02,619 --> 00:24:06,340 S2: the when we think about vendor reviews, there's so much 420 00:24:06,340 --> 00:24:09,660 S2: that goes into making sure that they're doing the things 421 00:24:09,820 --> 00:24:12,580 S2: according to what you expect them to do and what 422 00:24:12,580 --> 00:24:17,540 S2: third party management policy have established. Um, and this gets 423 00:24:17,540 --> 00:24:20,780 S2: even even trickier when you think about legal agreements and 424 00:24:20,780 --> 00:24:24,899 S2: regulations and things. 
And if we think about regulations and 425 00:24:24,900 --> 00:24:27,700 S2: some of the requirements that they have, the expectation is 426 00:24:27,700 --> 00:24:30,619 S2: that the providers that you're using are doing the same 427 00:24:30,619 --> 00:24:33,820 S2: as you. Right. That's the general general feel of things. 428 00:24:34,180 --> 00:24:37,139 S2: So it becomes this exercise of you have to find 429 00:24:37,140 --> 00:24:40,500 S2: a quick way or a quick ish way to be 430 00:24:40,500 --> 00:24:42,620 S2: on top of that and not slow the business down 431 00:24:42,619 --> 00:24:43,420 S2: at the same time. 432 00:24:44,260 --> 00:24:44,780 S3: Mhm. 433 00:24:45,180 --> 00:24:47,980 S1: That makes sense. Well I'm excited. Let's uh let's check 434 00:24:47,980 --> 00:24:48,820 S1: out the platform. 435 00:24:49,260 --> 00:24:49,900 S2: Yeah let's do. 436 00:24:49,900 --> 00:24:50,260 S3: It. 437 00:24:50,859 --> 00:24:52,420 S2: All right. Can you see my screen. 438 00:24:53,340 --> 00:24:54,900 S1: I can yeah yeah yeah. 439 00:24:55,580 --> 00:24:55,980 S3: Cool. 440 00:24:56,660 --> 00:24:59,140 S2: Um, you should be seeing Vanta homepage. I just want 441 00:24:59,140 --> 00:25:01,100 S2: to confirm that. You see. See the home. 442 00:25:01,420 --> 00:25:01,660 S1: Yes. 443 00:25:01,660 --> 00:25:02,940 S3: That's right. Cool. 444 00:25:02,980 --> 00:25:06,220 S2: Awesome. Okay, so this is the product. We're on the 445 00:25:06,220 --> 00:25:09,420 S2: homepage of the product, but I always like to call 446 00:25:09,420 --> 00:25:13,580 S2: attention to the left nav first. Just to illustrate, especially 447 00:25:13,580 --> 00:25:17,500 S2: in context of our conversation. Uh, we have compliance. 
This 448 00:25:17,500 --> 00:25:20,460 S2: is the frameworks, controls and related tests that we've talked 449 00:25:20,460 --> 00:25:23,150 S2: through where we provide out of the box frameworks such 450 00:25:23,150 --> 00:25:26,110 S2: as SOC 2, ISO, HIPAA and so on and so forth 451 00:25:26,390 --> 00:25:30,950 S2: for organizations to use to illustrate their compliance against those standards. 452 00:25:31,430 --> 00:25:34,389 S2: There's this audit component to some standards just depending on 453 00:25:34,390 --> 00:25:37,869 S2: what they are. ISO 27001 and SOC 2 are common examples, 454 00:25:37,950 --> 00:25:41,390 S2: where we also give the capability to customers to bring 455 00:25:41,430 --> 00:25:44,429 S2: to invite their auditors to come in and perform audits 456 00:25:44,430 --> 00:25:46,590 S2: within the Vanta platform, which I thought was a really 457 00:25:46,590 --> 00:25:49,270 S2: cool and nifty feature there. But then there are other 458 00:25:49,270 --> 00:25:51,590 S2: aspects that we've also talked through on this on the 459 00:25:51,590 --> 00:25:54,910 S2: session so far. We think about the trust center, which 460 00:25:54,910 --> 00:25:58,790 S2: is that external communication of your security and compliance process 461 00:25:58,790 --> 00:26:01,669 S2: and your overall trust management program. The knowledge base that 462 00:26:01,670 --> 00:26:05,070 S2: I'll be referring to and the aspect of doing questionnaires, 463 00:26:05,070 --> 00:26:09,430 S2: the risk management module, our risk management module. Think it's 464 00:26:09,430 --> 00:26:12,630 S2: it's a risk register and risk management platform based off 465 00:26:12,630 --> 00:26:18,230 S2: of ISO 27005 risk assessment guidelines. It's very it's the 466 00:26:18,230 --> 00:26:23,109 S2: standard for showing risk management practices as part of ISO 27001, 467 00:26:23,109 --> 00:26:26,670 S2: which is all about. Security management system. 
And then you 468 00:26:26,670 --> 00:26:30,310 S2: get into vendors having a vendor risk management program and 469 00:26:30,310 --> 00:26:31,710 S2: being able to streamline some of that. 470 00:26:31,710 --> 00:26:32,550 S3: This is great. 471 00:26:33,030 --> 00:26:35,270 S1: This is great. I mean, you almost have it organized 472 00:26:35,270 --> 00:26:38,230 S1: by the spaces that that are involved with vendor management, 473 00:26:38,230 --> 00:26:42,350 S1: risk management. Um, and I guess supply chain kind of 474 00:26:42,390 --> 00:26:45,830 S1: trickles in and out of these. What about vulnerability management? 475 00:26:45,869 --> 00:26:47,230 S1: Where does that fall into. 476 00:26:47,270 --> 00:26:49,590 S2: Yep. So that's exactly what we're going to NASA. We 477 00:26:49,590 --> 00:26:51,950 S2: thought we put that under assets. And this is where 478 00:26:51,950 --> 00:26:54,990 S2: we would surface vulnerabilities. And just a sneak peek right. 479 00:26:55,030 --> 00:26:58,909 S2: We think about this from a vulnerability management perspective. We 480 00:26:58,910 --> 00:27:01,310 S2: were able to pull in that vulnerability data just depending 481 00:27:01,310 --> 00:27:04,510 S2: on what your vulnerability scanner is of course. And surface 482 00:27:04,510 --> 00:27:07,590 S2: that information here so that we can run those SLA 483 00:27:07,630 --> 00:27:10,230 S2: based tests. And just as a quick example, just just 484 00:27:10,230 --> 00:27:12,510 S2: kind of print this out. You'll see the due dates 485 00:27:12,510 --> 00:27:15,429 S2: associated with it. And that's going to trigger back to 486 00:27:15,430 --> 00:27:18,750 S2: this tests page which I'll quickly highlight to show. Hey, 487 00:27:19,350 --> 00:27:23,270 S2: let me go do a quick example here. Hi. Vulnerabilities 488 00:27:23,270 --> 00:27:25,550 S2: that are identified in packages are addressed. And this is 489 00:27:25,550 --> 00:27:28,550 S2: one specifically for AWS Inspector. 
We're able to show you 490 00:27:28,550 --> 00:27:33,790 S2: that the following vulnerabilities. They need attention um and need 491 00:27:33,790 --> 00:27:36,389 S2: to be actioned on. It's due in X amount of days. 492 00:27:36,390 --> 00:27:39,670 S2: You need to go in and do something about it. Um, 493 00:27:39,670 --> 00:27:42,109 S2: but before I get too far along the integration path, 494 00:27:42,109 --> 00:27:44,550 S2: I do want to make sure I call attention to 495 00:27:44,550 --> 00:27:47,430 S2: the integration side, because that's actually where like it all 496 00:27:47,430 --> 00:27:52,510 S2: starts with a vendor platform. Um, our automated compliance platform, 497 00:27:52,630 --> 00:27:56,590 S2: it's built around the integrations that we're able to see 498 00:27:56,630 --> 00:27:59,110 S2: plug and play with and see resources from to run 499 00:27:59,109 --> 00:28:02,429 S2: those tests against. So there will be integrations such as 500 00:28:02,430 --> 00:28:08,230 S2: your cloud service provider, your version control systems, your identity providers, 501 00:28:08,270 --> 00:28:10,990 S2: and even MDMs as well that we can go run 502 00:28:10,990 --> 00:28:15,190 S2: different types of tests. For MDM, we think about, uh, 503 00:28:15,230 --> 00:28:19,710 S2: having Uh, having a screen lock enabled and configured. We 504 00:28:19,710 --> 00:28:22,870 S2: think about detecting malware being installed and running on your 505 00:28:22,869 --> 00:28:27,350 S2: machines from a cloud service provider perspective, making sure that, again, 506 00:28:27,390 --> 00:28:31,230 S2: data encryption at rest is enabled, unrestricted ports aren't used, 507 00:28:31,230 --> 00:28:33,350 S2: and if they're used, you have the ability to go 508 00:28:33,350 --> 00:28:36,630 S2: in and make those deactivations. 
We're able to go in 509 00:28:36,630 --> 00:28:39,670 S2: and run those tests against against resources that we can 510 00:28:39,670 --> 00:28:45,310 S2: see to then illustrate into the compliance side of the House. Um. 511 00:28:45,590 --> 00:28:48,710 S1: Real quick on that previous one. Um, so for those 512 00:28:48,710 --> 00:28:56,230 S1: different classifications, cloud providers, uh, CRM documents, like in document management, 513 00:28:56,230 --> 00:29:00,990 S1: what would you be doing pulling in documents like reviewing policies, uh, 514 00:29:01,030 --> 00:29:04,670 S1: checking against documents like what would that look like? Looking 515 00:29:04,670 --> 00:29:05,350 S1: at wikis. 516 00:29:05,950 --> 00:29:06,430 S3: Yeah. Yeah, it's. 517 00:29:06,430 --> 00:29:10,190 S2: A great question. So document management would, would be if 518 00:29:10,190 --> 00:29:13,670 S2: let's say that you have a security compliance program today 519 00:29:13,670 --> 00:29:16,040 S2: and you manage your artifacts in artifacts in a separate 520 00:29:16,040 --> 00:29:19,240 S2: data store, whether it's your policies, maybe it's evidence that 521 00:29:19,240 --> 00:29:21,840 S2: you want to manage, where we give you the capability 522 00:29:21,840 --> 00:29:24,880 S2: to manage to integrate with those systems and pull that 523 00:29:24,880 --> 00:29:27,800 S2: information in so that you can upload that, whether it's 524 00:29:27,800 --> 00:29:31,440 S2: a policy that you're trying to implement or it's a document, manual, 525 00:29:31,440 --> 00:29:34,680 S2: evidence piece that you're trying to satisfy. So it'd be 526 00:29:34,680 --> 00:29:37,520 S2: really that facilitation of evidence from a store that you 527 00:29:37,560 --> 00:29:40,160 S2: maybe just want to manage outside of into. And you, 528 00:29:40,160 --> 00:29:41,640 S2: you want to continue doing that. 529 00:29:43,280 --> 00:29:49,440 S1: Yeah. That makes sense. Okay. Yeah. Endpoint identity providers. 
MDM. Yeah. 530 00:29:49,480 --> 00:29:54,320 S1: Task management. Yeah. So in terms of task management, could 531 00:29:54,320 --> 00:29:58,880 S1: you can you actually see like where something is in 532 00:29:58,880 --> 00:30:02,560 S1: like a vulnerability management process. 533 00:30:02,600 --> 00:30:04,200 S2: Could you clarify that question for me. 534 00:30:04,280 --> 00:30:09,120 S1: Yeah. Like so for example um given vulnerability is like uh, 535 00:30:09,120 --> 00:30:11,560 S1: it's in the process of being patched or it's being 536 00:30:11,560 --> 00:30:15,920 S1: currently being Got it. 537 00:30:16,040 --> 00:30:19,800 S2: So the way that our task tracker task management integration 538 00:30:19,800 --> 00:30:22,040 S2: would work is we give you the capability to go 539 00:30:22,040 --> 00:30:27,040 S2: in and create, um, tasks or link existing tasks based 540 00:30:27,040 --> 00:30:29,040 S2: off of what's done. So in the instance of a 541 00:30:29,040 --> 00:30:33,160 S2: vulnerability being detected, we could go in. We can integrate 542 00:30:33,160 --> 00:30:35,880 S2: with your task management provider and give you the ability 543 00:30:35,880 --> 00:30:39,600 S2: to either create the task here manually, or create a 544 00:30:39,600 --> 00:30:42,200 S2: workflow to auto create that task to send over to 545 00:30:42,200 --> 00:30:45,520 S2: your task management provider. Those would then be reflected here 546 00:30:45,520 --> 00:30:47,320 S2: to go in and see the status of. And you 547 00:30:47,320 --> 00:30:50,440 S2: can centrally view that information here to make sure that 548 00:30:50,440 --> 00:30:54,320 S2: those things are closing. 
Um, but that would be the, 549 00:30:54,320 --> 00:30:57,080 S2: the that would be how task management would play in there, 550 00:30:57,080 --> 00:30:59,120 S2: where it's a bit more of a two way street 551 00:30:59,120 --> 00:31:01,680 S2: where you can create the task, or you could link 552 00:31:01,680 --> 00:31:05,800 S2: that task and start to see that status information. 553 00:31:06,520 --> 00:31:10,240 S1: Nice. And then the trust center is where, um, you're 554 00:31:10,240 --> 00:31:13,240 S1: broadcasting outwards. Can the Can the customer see any part 555 00:31:13,240 --> 00:31:15,360 S1: of this? Is there any part of this like public to. 556 00:31:16,040 --> 00:31:18,360 S1: Customers to check status or anything like that. 557 00:31:19,400 --> 00:31:23,000 S2: The. So as far as task integrations. 558 00:31:23,040 --> 00:31:26,280 S1: No no no just the top level just trust center 559 00:31:26,280 --> 00:31:29,800 S1: of like something that they could do on. Their own 560 00:31:29,800 --> 00:31:34,080 S1: like self-serve to see the the status of anything like 561 00:31:34,080 --> 00:31:37,960 S1: status of questionnaires or. I don't know what else would 562 00:31:37,960 --> 00:31:38,560 S1: be in there. 563 00:31:39,080 --> 00:31:43,040 S2: Yeah. So questionnaires not quite. But this actually makes a 564 00:31:43,040 --> 00:31:46,400 S2: very good segue into the trust center. Um, and what 565 00:31:46,400 --> 00:31:49,760 S2: a customer can see relative to that information. So if 566 00:31:49,760 --> 00:31:53,440 S2: we think about the trust center, um, the the trust 567 00:31:53,440 --> 00:31:57,640 S2: center is a summary of information from a compliance perspective. 
568 00:31:57,720 --> 00:32:00,360 S2: The different certifications I pull up is a really good 569 00:32:00,360 --> 00:32:04,920 S2: example here where we were really into for ourselves and 570 00:32:04,920 --> 00:32:07,800 S2: showcase the different standards that we're adhering to, whether it's an. 571 00:32:07,840 --> 00:32:09,040 S3: Attestation. 572 00:32:09,040 --> 00:32:11,479 S2: Situation. But then you can you can also see the 573 00:32:11,480 --> 00:32:14,080 S2: controls that we want to represent on our trust center 574 00:32:14,200 --> 00:32:16,840 S2: and showcase the status of those things. Make sure that 575 00:32:16,840 --> 00:32:22,440 S2: we're socializing what's working, what's what's showing and what's what's, uh, 576 00:32:22,480 --> 00:32:26,320 S2: operating as part of our security and compliance program, going 577 00:32:26,320 --> 00:32:29,120 S2: to a lot of the vendor type conversations we've been 578 00:32:29,120 --> 00:32:32,440 S2: having illustrating your subprocessors that are relevant. 579 00:32:32,520 --> 00:32:33,640 S3: Oh, really cool. 580 00:32:33,680 --> 00:32:37,160 S2: It's very, very important. And we can we give you 581 00:32:37,240 --> 00:32:41,200 S2: give customers the ability to surface that information as part 582 00:32:41,200 --> 00:32:45,040 S2: of the trust center as well. And then one also 583 00:32:45,320 --> 00:32:48,120 S2: like relatively recent, it's it's been a minute since it's 584 00:32:48,120 --> 00:32:49,840 S2: been here. But I thought it was really cool. Was 585 00:32:49,840 --> 00:32:52,440 S2: this rollout of updates and the time that I've been here, 586 00:32:52,440 --> 00:32:55,720 S2: which was the ability to go in and surface what's 587 00:32:55,720 --> 00:32:58,160 S2: what's happened as part of your security and compliance program 588 00:32:58,160 --> 00:33:01,800 S2: and really show, hey, what's what are the changes? What 589 00:33:01,800 --> 00:33:04,960 S2: have you newly achieved? 
Um, is there things that you 590 00:33:05,000 --> 00:33:08,840 S2: want other external parties to know about your security and 591 00:33:08,840 --> 00:33:11,760 S2: compliance program and push that upward. 592 00:33:12,840 --> 00:33:17,320 S1: Yeah. Really cool. Really cool. Uh, so any, uh, any 593 00:33:17,320 --> 00:33:19,520 S1: new stuff that you're able to talk about that uh, 594 00:33:19,520 --> 00:33:24,280 S1: people should expect, uh, coming soon, like, like, uh, what's 595 00:33:24,280 --> 00:33:27,600 S1: your area of, like, trying to develop and build for 596 00:33:27,600 --> 00:33:28,240 S1: the future? 597 00:33:29,040 --> 00:33:34,960 S2: Yeah. So I'd say that we've, we've actually recently and, uh, 598 00:33:34,960 --> 00:33:37,720 S2: released a lot of cool stuff. I think that's also 599 00:33:37,720 --> 00:33:40,640 S2: relevant to just how the markets and markets playing, especially 600 00:33:40,640 --> 00:33:43,480 S2: what we see in the industry. Uh, two one thing 601 00:33:43,480 --> 00:33:46,160 S2: a framework that comes to mind is CMMC. Uh, so 602 00:33:46,160 --> 00:33:50,160 S2: CMMC is a hot topic, especially for DoD contractors and 603 00:33:50,160 --> 00:33:52,880 S2: subcontractors that are having to adhere to that framework and 604 00:33:52,880 --> 00:33:56,440 S2: get certified or do a self-assessment for, uh, and because 605 00:33:56,440 --> 00:33:59,280 S2: of that, we we took the initiative to really build 606 00:33:59,280 --> 00:34:03,400 S2: out an out-of-the-box framework to go in and guide customers 607 00:34:03,400 --> 00:34:06,120 S2: on how to implement some of those requirements for themselves. 608 00:34:06,400 --> 00:34:08,529 S2: So that's one I think I'd draw attention to is 609 00:34:08,530 --> 00:34:11,290 S2: just based off of the current events and just what 610 00:34:11,290 --> 00:34:14,450 S2: we know that that would be one, one aspect of things. 
611 00:34:14,930 --> 00:34:18,049 S2: But then I think another two other things that I'd 612 00:34:18,050 --> 00:34:20,410 S2: love to draw attention to would be HITRUST and 613 00:34:20,410 --> 00:34:24,770 S2: our my, our partnership with them and our MyCSF integration. Um, 614 00:34:24,770 --> 00:34:27,370 S2: we have a partnership with HITRUST where we can 615 00:34:27,370 --> 00:34:29,810 S2: go in and offer the HITRUST CSF and related 616 00:34:29,810 --> 00:34:34,370 S2: assessment levels. So that's the e1, i1 and r2. Um, 617 00:34:34,370 --> 00:34:39,050 S2: and they're it's a common framework to adhere to multiple 618 00:34:39,050 --> 00:34:42,250 S2: authoritative sources, really frameworks at the at the same time 619 00:34:42,450 --> 00:34:47,570 S2: and show a robust implementation of your security and compliance posture. Uh, 620 00:34:47,610 --> 00:34:50,690 S2: they have a tool called MyCSF, which a lot 621 00:34:50,690 --> 00:34:53,730 S2: of customers may be familiar with. And we're able to 622 00:34:53,770 --> 00:34:58,489 S2: connect to with MyCSF to make that push of information, 623 00:34:58,489 --> 00:35:02,810 S2: whether it's your your documents, your evidence, your policy information, 624 00:35:02,810 --> 00:35:05,650 S2: so that there's not there's less manual work involved in 625 00:35:05,650 --> 00:35:08,930 S2: that in that process. Finally, I think the third thing 626 00:35:08,930 --> 00:35:11,410 S2: I'd love to draw attention to is the AI Act. 627 00:35:11,530 --> 00:35:15,410 S2: I think that AI is one of those, um, trends 628 00:35:15,410 --> 00:35:19,410 S2: and topics that's going to continue to be a topic 629 00:35:19,410 --> 00:35:23,770 S2: for months and years to come. 
Uh, frankly, um, the 630 00:35:23,770 --> 00:35:26,609 S2: way I position it to customers when I'm talking to 631 00:35:26,610 --> 00:35:30,049 S2: them about it is we think about, uh, if you 632 00:35:30,050 --> 00:35:31,930 S2: go to a train track, let's say you're driving and 633 00:35:31,930 --> 00:35:33,930 S2: you approach a train track and you see this train like, darn, 634 00:35:33,930 --> 00:35:36,489 S2: I have to stop for this train. And that train, 635 00:35:36,489 --> 00:35:39,009 S2: you're going like, man, this train's not letting up, and 636 00:35:39,010 --> 00:35:41,890 S2: it doesn't let up. That's AI. AI is this train 637 00:35:41,890 --> 00:35:45,529 S2: that's just going to keep going. And more and more 638 00:35:45,610 --> 00:35:48,850 S2: standards and regulations are going to come in as responses 639 00:35:48,850 --> 00:35:51,770 S2: to it. The AI Act is a really good example 640 00:35:51,770 --> 00:35:55,930 S2: of it. Um, and ISO 42001 as well, which is 641 00:35:55,930 --> 00:35:58,610 S2: an ISO standard that came out at the end of 2023. 642 00:35:59,489 --> 00:35:59,890 S3: Mm. 643 00:36:00,450 --> 00:36:03,569 S1: Okay. And so you're able to take something that's relatively 644 00:36:03,570 --> 00:36:07,649 S1: new and moving fast like that. And how quickly can 645 00:36:07,650 --> 00:36:10,410 S1: you normally turn something like that around to get it 646 00:36:10,410 --> 00:36:13,330 S1: into the platform and get checks going? 647 00:36:13,890 --> 00:36:16,810 S2: It really it frankly, it does just depends on what 648 00:36:16,810 --> 00:36:20,890 S2: the framework is, for example. Right. It was a pretty 649 00:36:20,890 --> 00:36:23,969 S2: robust framework. So it took us a minute to go 650 00:36:23,969 --> 00:36:27,250 S2: do it and implement it. 651 00:36:27,250 --> 00:36:28,930 S3: But but it's in the platform now. 652 00:36:29,770 --> 00:36:32,330 S2: Yes. 
The AI Act we have, we have a framework 653 00:36:32,330 --> 00:36:34,170 S2: for it in the platform. We also have a framework 654 00:36:34,170 --> 00:36:39,890 S2: for CMMC, ISO 20 or 42001, HITRUST e1, i1 and r2, 655 00:36:39,890 --> 00:36:41,890 S2: and those are all available for customers to come in 656 00:36:41,890 --> 00:36:42,450 S2: and use. 657 00:36:43,489 --> 00:36:44,290 S3: Nice. 658 00:36:44,969 --> 00:36:47,450 S1: So what would be having been like a customer in 659 00:36:47,450 --> 00:36:51,969 S1: the past? What is like your, um, your killer feature 660 00:36:52,090 --> 00:36:54,290 S1: that you think of when you think of Vanta? 661 00:36:55,290 --> 00:36:57,689 S2: Oh, man. See, that's that's it's tough because I like 662 00:36:57,690 --> 00:37:02,930 S2: all of Vanta. That's why I'm here now. Um, but the. 663 00:37:02,969 --> 00:37:06,540 S2: I'd say that the whole aspect of Trust Center, seeing 664 00:37:06,540 --> 00:37:09,980 S2: the growth around it is really cool. Um, and we 665 00:37:10,020 --> 00:37:13,700 S2: continue to optimize that experience, link it to the data 666 00:37:13,739 --> 00:37:16,580 S2: stores and the data that we feed into the platform. 667 00:37:16,620 --> 00:37:19,980 S2: Vendor risk management is also a feature. I think that 668 00:37:19,980 --> 00:37:24,700 S2: it's a very big area of time saving and efficiency 669 00:37:24,700 --> 00:37:27,780 S2: that could be used to help streamline that review process 670 00:37:27,780 --> 00:37:31,060 S2: and free up time to focus on other things, which 671 00:37:31,060 --> 00:37:35,180 S2: is frankly a common challenge for everyone. Right? Time and resources. 672 00:37:35,180 --> 00:37:38,540 S2: That's a commonality everywhere and things that you can do 673 00:37:38,660 --> 00:37:42,739 S2: to fasten that process. Those are good things to do. 
674 00:37:42,739 --> 00:37:45,620 S2: And I think Vanta as a whole is really doing 675 00:37:45,620 --> 00:37:48,339 S2: that and striving for it for our customers. 676 00:37:48,780 --> 00:37:52,700 S1: Makes sense. All right. Well, I really enjoyed the conversation. 677 00:37:52,700 --> 00:37:56,340 S1: Anything um, we should mention that we didn't talk about. 678 00:37:57,420 --> 00:38:01,140 S2: Uh, no. But, hey, what if there are any questions? 679 00:38:01,140 --> 00:38:03,219 S2: If you're If you're interested, please reach out. We have 680 00:38:03,219 --> 00:38:06,820 S2: a really good LinkedIn presence and other social media platforms 681 00:38:06,820 --> 00:38:10,540 S2: as well. You can also reach out to me via LinkedIn. 682 00:38:10,580 --> 00:38:13,380 S2: It'd be fun. You'll have this information as part of 683 00:38:13,380 --> 00:38:16,900 S2: the recording as well, where it would be really ecstatic 684 00:38:16,900 --> 00:38:20,620 S2: to help you in really operationalizing and streamlining your your 685 00:38:20,620 --> 00:38:21,820 S2: trust management journey. 686 00:38:22,739 --> 00:38:26,500 S1: Fantastic. Yeah. And what's the URL? It's just vanta.com. 687 00:38:26,500 --> 00:38:27,220 S1: Is that right? 688 00:38:27,500 --> 00:38:28,580 S2: .com, you got it. 689 00:38:28,900 --> 00:38:29,219 S3: All right. 690 00:38:29,219 --> 00:38:31,219 S1: Well, thank you so much for the time. And it 691 00:38:31,219 --> 00:38:32,540 S1: was a good chat. 692 00:38:33,500 --> 00:38:34,060 S2: Thank you. 693 00:38:34,100 --> 00:38:37,300 S3: Appreciate it. 694 00:38:37,340 --> 00:38:40,900 S1: Unsupervised Learning is produced on Hindenburg Pro using an SM7B 695 00:38:40,900 --> 00:38:44,419 S1: microphone. 
A video version of the podcast is 696 00:38:44,420 --> 00:38:48,180 S1: available on the Unsupervised Learning YouTube channel, and the text 697 00:38:48,180 --> 00:38:51,500 S1: version with full links and notes is available at Daniel 698 00:38:51,500 --> 00:38:55,300 S1: Miessler newsletter. We'll see you next time.