WEBVTT - A Conversation with Faisal Khan from Vanta 0:00:00.920 --> 0:00:05.040 Unsupervised Learning is a podcast about trends and ideas in cybersecurity, 0:00:05.160 --> 0:00:10.000 national security, AI, technology and society, and how best to 0:00:10.039 --> 0:00:18.640 upgrade ourselves to be ready for what's coming. All right, 0:00:18.640 --> 0:00:21.960 so today we're going to be talking about the Vanta 0:00:22.000 --> 0:00:26.200 GRC solution. And we have Faisal Khan with us. Faisal, 0:00:26.239 --> 0:00:27.880 welcome to unsupervised Learning. 0:00:28.760 --> 0:00:31.400 Yeah. Thank you for having me. I'm very happy to 0:00:31.400 --> 0:00:33.479 be here. Excited to talk about Vanta and the world 0:00:33.479 --> 0:00:34.240 of GRC. 0:00:35.840 --> 0:00:38.199 Sweet. So can you start off by telling us a 0:00:38.200 --> 0:00:41.560 little about yourself and what you do there at Vanta? 0:00:41.600 --> 0:00:44.400 Yeah. Of course. So my name is Faisal Khan. I'm 0:00:44.400 --> 0:00:48.000 a GRC solution specialist at Vanta. I've been at Vanta 0:00:48.000 --> 0:00:50.440 for a little over a year now. I work with 0:00:50.440 --> 0:00:53.560 our go to market segment. So about pre-sale and post-sale 0:00:54.200 --> 0:00:57.640 really to illustrate his value as a trust management platform 0:00:57.640 --> 0:01:02.320 in the space And, um, focus on how organizations can 0:01:02.320 --> 0:01:05.920 implement their GRC programs and why their trust management portfolio 0:01:05.959 --> 0:01:10.399 with Vanta. That goes all the way from talking to 0:01:10.440 --> 0:01:13.880 customers in the presales process based off of their requirements. 0:01:14.040 --> 0:01:17.160 And then also helping with some implementation activities. When it 0:01:17.160 --> 0:01:20.319 comes down to how do you operationalize Vanta according to 0:01:20.360 --> 0:01:22.720 how they may want to either build a GRC program 0:01:22.720 --> 0:01:25.400 for themselves from scratch or bring in their own? 0:01:26.800 --> 0:01:30.720 Okay. Yeah. In the Front Sight focuses a lot on, uh, 0:01:30.720 --> 0:01:36.600 automation compliance. Um, obviously compliance, but basically automating it, like 0:01:36.600 --> 0:01:42.080 having it be as non-manual as possible. Um, for people 0:01:42.080 --> 0:01:45.080 who haven't heard of vanta. Like, you gave a pretty 0:01:45.080 --> 0:01:48.559 good intro there, but like, what is this specific problem 0:01:48.560 --> 0:01:50.920 that we're trying to solve? Like, what are you trying 0:01:50.920 --> 0:01:51.560 to address? 0:01:52.120 --> 0:01:55.680 Yeah. Of course. So to start off, I'll do another 0:01:55.720 --> 0:01:58.210 do a bit more detailed introduction of Production of Vanta 0:01:58.210 --> 0:02:02.130 so Vanta. It provides a trust management platform that gives 0:02:02.530 --> 0:02:06.330 capabilities to customers to help build, scale and really prove 0:02:06.330 --> 0:02:09.890 their security and compliance programs, both for themselves internally, but 0:02:09.889 --> 0:02:14.570 also to illustrate that externally to customers as well. The 0:02:14.610 --> 0:02:18.090 and other external parties for that matter. To do that, 0:02:18.210 --> 0:02:21.610 you know, you have to really think about, okay, well, 0:02:21.610 --> 0:02:26.210 let's say that if we think about how organizations approach 0:02:26.210 --> 0:02:27.970 this today and what are the goals for security and 0:02:27.970 --> 0:02:33.290 compliance programs, it's all surrounded the aspects of improving security, 0:02:33.450 --> 0:02:36.850 increasing visibility to risk, making it easier for teams to 0:02:36.930 --> 0:02:41.130 get the right information about the compliance posture, making it 0:02:41.250 --> 0:02:44.690 easier for some of those sales cycles to occur and 0:02:44.690 --> 0:02:48.929 really grow the business and show how they're differentiated. Uh, 0:02:48.930 --> 0:02:51.610 in a lot of that includes this whole notion of 0:02:51.650 --> 0:02:56.010 being able to demonstrate that trust to those organizations. But 0:02:56.410 --> 0:03:00.170 when we think about just that, those goals, there's a 0:03:00.169 --> 0:03:02.930 lot of, I'd say, uphill battles that come into play 0:03:03.050 --> 0:03:05.690 when you, you think about, okay, well, how do you 0:03:05.690 --> 0:03:10.530 achieve them? There are growing buyer security expectations. Right. Like 0:03:11.050 --> 0:03:14.010 as you go to different customers, maybe different third parties 0:03:14.010 --> 0:03:17.770 that you work with, the security requirements, they tend to 0:03:18.250 --> 0:03:20.890 be similar but also different in some way just depending 0:03:20.889 --> 0:03:23.610 on who you're talking to. But then also this notion 0:03:23.610 --> 0:03:27.050 of your security is also related to your vendor security. 0:03:27.050 --> 0:03:30.050 And the number of vendor security reviews also tends to 0:03:30.050 --> 0:03:33.650 go up as the organizations grow too. And then to 0:03:33.690 --> 0:03:37.090 not tack on to that even more, we think about regulations, right. 0:03:37.090 --> 0:03:42.090 And there's this growing regulatory regulatory impact. So we're left 0:03:42.090 --> 0:03:45.770 with how do you address that space. And oftentimes it's 0:03:45.930 --> 0:03:51.570 individual processes manual efforts sometimes pointed solutions to do it 0:03:51.570 --> 0:03:54.410 individual thing, which is where Vanta tries to solve that 0:03:54.410 --> 0:03:57.810 problem with a bit more of a unified way to 0:03:57.850 --> 0:04:01.570 start to scale and then ultimately manage your security and 0:04:01.570 --> 0:04:03.010 compliance programs together. 0:04:04.050 --> 0:04:06.330 Yeah, just taking a couple of notes here. I like 0:04:06.330 --> 0:04:08.210 the way you broke it down there in the beginning 0:04:08.210 --> 0:04:11.810 with like, there's different groups that we want to prove 0:04:11.810 --> 0:04:17.050 that we're secure to. Right. And the fact that we 0:04:17.210 --> 0:04:21.730 are secure or are working towards it, um, can be 0:04:21.730 --> 0:04:24.970 used to enable business. Right? Or alternatively, you could say 0:04:24.970 --> 0:04:27.890 that it slows down business when we have to constantly 0:04:27.890 --> 0:04:31.289 do manual work to be able to get through these hurdles. 0:04:31.570 --> 0:04:33.610 So it seems like a big part of the platform 0:04:33.610 --> 0:04:37.370 is not only making sure we're doing a good job, 0:04:37.529 --> 0:04:42.010 but broadcasting that. Having a narrative around it. How much? 0:04:42.930 --> 0:04:47.090 How much of it is presentation to the customer themselves? 0:04:47.089 --> 0:04:49.250 Do they have like a portal that they can go to? 0:04:49.890 --> 0:04:54.930 Yeah. Yeah, definitely. Uh, so for my customer presentation perspective. 0:04:54.970 --> 0:04:57.450 We have what's called the trust Center, and we can 0:04:57.450 --> 0:04:59.450 do a brief overview later on in this session as 0:04:59.450 --> 0:05:00.610 well to show what that looks like. 0:05:00.610 --> 0:05:02.170 Especially I would love to see that. 0:05:03.490 --> 0:05:05.850 But the trust center is supposed to be that way 0:05:05.850 --> 0:05:09.210 in which you can represent your not only controls, but 0:05:09.250 --> 0:05:12.089 resources that you might have that you want to share 0:05:12.089 --> 0:05:15.330 and build processes around those things so that you don't 0:05:15.330 --> 0:05:18.490 have to manually provide them or go dig for them. 0:05:18.490 --> 0:05:22.050 You can build in workflows, let's say, from your CRM 0:05:22.050 --> 0:05:25.890 system to determine approvals and how to get that information 0:05:25.890 --> 0:05:28.850 and make it a bit more self-serve. So when a 0:05:28.850 --> 0:05:31.450 customer goes to a customer or a partner or any 0:05:31.450 --> 0:05:34.170 other external party goes to the trust center, they're able 0:05:34.170 --> 0:05:37.810 to see the information and really self-serve that request for 0:05:37.810 --> 0:05:43.370 access to that information and get that information a lot quicker. Um, 0:05:43.410 --> 0:05:46.289 it becomes even especially even more important when we think 0:05:46.290 --> 0:05:51.010 about just representation of commonly asked questions about security program 0:05:51.089 --> 0:05:54.970 That if it's all illustrated in a central place, it 0:05:54.970 --> 0:05:59.849 just makes that process a bit quicker and increases efficiency overall. 0:06:00.650 --> 0:06:04.609 Yeah, yeah, I'm I'm adding to my list here. Uh, 0:06:04.610 --> 0:06:07.930 this is really interesting because, uh, I've pretty much been 0:06:07.930 --> 0:06:10.410 in this world my whole life. I've never directly been 0:06:10.410 --> 0:06:12.890 in GRC, but I'm always dealing with it. It's always 0:06:12.890 --> 0:06:16.050 right there. Uh, especially risk management side of it. So 0:06:16.050 --> 0:06:19.890 I've got customers. Uh, questionnaires is kind of a meta 0:06:19.890 --> 0:06:23.050 because that could come from anyone but customers usually questionnaires 0:06:23.050 --> 0:06:30.570 come from customers. But customers, procurement auditors, regulators. What are 0:06:30.570 --> 0:06:33.810 some other groups that are like user buckets? 0:06:33.850 --> 0:06:36.490 I would say that partners are also a pretty big 0:06:36.490 --> 0:06:38.930 use bucket in a past life. The partners that you 0:06:38.930 --> 0:06:43.849 work with, whether it's integration between systems or them using 0:06:43.850 --> 0:06:47.530 your service to go in and perform a service to another, 0:06:47.570 --> 0:06:49.450 another client of theirs, where you might be the fourth 0:06:49.450 --> 0:06:53.020 party in that in that engagement. It's what it's it's 0:06:53.020 --> 0:06:55.380 an important aspect to consider because they'll also have their 0:06:55.380 --> 0:06:57.820 own version of security questionnaire. And it goes back to 0:06:57.860 --> 0:07:02.060 this notion of the security of your your own organization 0:07:02.060 --> 0:07:05.660 oftentimes depends on the other vendors and other parties that 0:07:05.660 --> 0:07:08.780 you're using or using by virtue of another provider. 0:07:09.940 --> 0:07:13.380 Yeah, that makes sense. Okay. So I've got questionnaires on top. 0:07:14.140 --> 0:07:19.460 And then. So I added partners I think that's spot on. 0:07:19.580 --> 0:07:22.660 Um how about executive team and board. 0:07:23.500 --> 0:07:29.580 Yeah. So executive team board are absolutely, absolutely very big. Um, 0:07:29.620 --> 0:07:32.540 stakeholders as part of it. Uh, I view that in 0:07:32.580 --> 0:07:36.540 two layers, though, so we can think about internal representation 0:07:36.540 --> 0:07:38.860 of your security and compliance posture to the board of 0:07:38.860 --> 0:07:43.260 the company. And then we can also think about external members, 0:07:43.260 --> 0:07:46.660 and especially for maybe those smaller organizations that have a 0:07:46.660 --> 0:07:50.780 bit more focus and their main contact is the CEO. 0:07:50.780 --> 0:07:53.260 It's really the executives are getting the startup on the 0:07:53.260 --> 0:07:56.580 ground as an example. And in both ways, one way 0:07:56.580 --> 0:07:59.860 you could solve that through Trust center as an example, 0:07:59.860 --> 0:08:02.180 where you can use the trust center to still embody 0:08:02.180 --> 0:08:06.300 the same information, including resources that you want to download 0:08:06.300 --> 0:08:08.820 and surface. We also have a chatbot on the trust 0:08:08.820 --> 0:08:12.540 center for folks to go in, and self-service questions based 0:08:12.540 --> 0:08:16.580 off of what's available resource wise, but then also right, 0:08:16.580 --> 0:08:20.060 we think about program management and reporting of internal security 0:08:20.060 --> 0:08:24.980 and compliance to stakeholders within the company. And Vanta does 0:08:24.980 --> 0:08:28.100 a really good job of looking at the different aspects 0:08:28.100 --> 0:08:32.460 of of the trust management program. So we think compliance, vendor, 0:08:32.500 --> 0:08:37.900 vendor security, your overall risk management management program, and having 0:08:37.900 --> 0:08:42.860 a risk register, knowing where your risks lie, access reviews 0:08:42.860 --> 0:08:47.980 and collecting that information into operational metrics and reporting dashboards 0:08:47.980 --> 0:08:51.420 that can help tell the picture of, hey, we have 0:08:51.540 --> 0:08:54.100 X amount of tests that need to be remediated at 0:08:54.100 --> 0:08:57.340 X point of time, and the following are running close 0:08:57.340 --> 0:09:00.220 as an example for a more operational perspective. But okay. 0:09:00.260 --> 0:09:02.819 Hold on. Look, we have our audits that are also 0:09:02.820 --> 0:09:05.580 coming up and available. And they're scheduled for X amount 0:09:05.620 --> 0:09:07.540 of days. So it gives a lot more high level 0:09:07.540 --> 0:09:11.620 visibility to say, hey, this information can be grabbed and 0:09:11.620 --> 0:09:13.100 presented to that higher leadership. 0:09:14.420 --> 0:09:16.460 That's really cool. When you say test, do you mean 0:09:16.500 --> 0:09:19.179 like technical testing? You mean like pen tests that are 0:09:19.179 --> 0:09:24.420 running and assessments like that? You could actually see, um, 0:09:24.460 --> 0:09:27.020 maybe that they're scheduled or see that findings are coming 0:09:27.020 --> 0:09:30.059 out of them that can affect the GRC posture. 0:09:30.580 --> 0:09:32.820 Yeah. This is actually a really good segue to just 0:09:32.820 --> 0:09:37.179 talk about the compliance module of Anta, right. Um, at 0:09:37.179 --> 0:09:41.620 its core, what we do is take an integration first approach, um, 0:09:41.620 --> 0:09:45.300 where we, we plug into your integrations, of course, we 0:09:45.340 --> 0:09:47.550 give you the you the workflows, the instructions on steps 0:09:47.550 --> 0:09:51.390 to follow and say, hey, if you wanted to connect AWS, Azure, GCP, 0:09:51.630 --> 0:09:54.550 and any other service providers that you use that you 0:09:54.590 --> 0:09:58.750 that help with illustrating your security compliance posture are impacted 0:09:58.750 --> 0:10:00.670 by virtue of it. Plug them in. We're going to 0:10:00.670 --> 0:10:04.709 go run integration based automated automated tests to go check 0:10:04.710 --> 0:10:10.590 for specific configuration and and uh, configurations that help show 0:10:10.590 --> 0:10:15.550 a specific posture. A good example that will also do 0:10:15.550 --> 0:10:19.230 a showcase of is data encryption at rest. Um, very 0:10:19.230 --> 0:10:23.309 common common security ask is having the data stores that 0:10:23.309 --> 0:10:26.350 you're using to store your sensitive data be and even 0:10:26.750 --> 0:10:30.270 confidential and sensitive data to be encrypted at rest. And 0:10:30.270 --> 0:10:34.070 we have integration checks that check for your in-scope databases 0:10:34.070 --> 0:10:35.710 that we can see and say, hey, do you have 0:10:35.710 --> 0:10:39.990 encryption enabled on these things or not? Similar to texts 0:10:39.990 --> 0:10:41.990 like that, where if we can see a resource and 0:10:41.990 --> 0:10:44.189 we have a technical test that we can run that's 0:10:44.309 --> 0:10:47.590 relevant from a security and compliance perspective. We'll go in 0:10:47.590 --> 0:10:50.310 and run them and report them to you so that 0:10:50.309 --> 0:10:54.030 you have visibility of, hey, this one is detected, that 0:10:54.030 --> 0:10:57.670 there's one database that hadn't been encrypted. What gives? And 0:10:57.670 --> 0:11:01.510 you can go in and and remediate those things. The 0:11:01.510 --> 0:11:05.270 additional cool bit to that is automated tests are also 0:11:05.270 --> 0:11:09.390 pre-mapped to controls that come down to the different frameworks 0:11:09.390 --> 0:11:10.590 that you're trying to comply with. 0:11:10.590 --> 0:11:11.990 At the end. Yeah, I was going to ask that. 0:11:11.990 --> 0:11:14.110 So so you could basically say, okay, we're now going 0:11:14.110 --> 0:11:18.270 to be under this one. Uh, that given uh, compliance 0:11:18.270 --> 0:11:23.150 standard then has requirements and the requirements are linked to 0:11:23.150 --> 0:11:28.589 the automation tests, which leverages which leverages the integration I assume. 0:11:29.230 --> 0:11:33.310 So it knows what to either build inside of that 0:11:33.309 --> 0:11:37.150 integration or just kick off inside of that integration. And 0:11:37.150 --> 0:11:39.910 then it's actually taking signal from the results of that 0:11:39.910 --> 0:11:46.110 and hitting your, uh, compliance status for that given compliance thing. 0:11:46.270 --> 0:11:47.150 Is that correct? 0:11:47.309 --> 0:11:50.430 Yeah, yeah, for the most part, yeah. Um, we have 0:11:50.470 --> 0:11:54.150 tests that are running that we've built and and they 0:11:54.150 --> 0:11:57.310 are pre-mapped to controls that belong to the requirements of 0:11:57.309 --> 0:12:01.830 different frameworks. So Soc2 and the AICPA criteria and the 0:12:01.830 --> 0:12:04.189 related controls that we create on top of that. 0:12:04.790 --> 0:12:07.830 But you have to build those tests inside of their platform, right? 0:12:08.270 --> 0:12:11.510 Actually, no. We actually have those tests that we build 0:12:11.510 --> 0:12:15.230 and we run those tests against the provider, against the 0:12:15.230 --> 0:12:17.829 resources that we see for the provider. So we would 0:12:17.830 --> 0:12:19.910 be the ones building the tests. And based on the 0:12:19.910 --> 0:12:23.750 data we see, we can run configuration checks against that 0:12:23.750 --> 0:12:26.390 data that we're collecting that we're able to gather. 0:12:27.110 --> 0:12:32.110 Sure. But let's say it's like, um, let's say it's like, uh, 0:12:32.110 --> 0:12:36.030 an endpoint system, like Tanium or something, or some cloud, uh, 0:12:36.390 --> 0:12:39.510 AWS thing. Um, in order to run the test against 0:12:39.510 --> 0:12:41.390 the cloud infrastructure, I mean, don't you have you have 0:12:41.390 --> 0:12:43.229 to be inside of that infrastructure? 0:12:43.790 --> 0:12:46.470 Absolutely, yes. No doubt about that. So we need to 0:12:46.470 --> 0:12:49.830 have a connection to to that infrastructure. And what we 0:12:49.830 --> 0:12:53.430 do is we, we, we strive for the minimum possible 0:12:53.429 --> 0:12:56.270 permissions that we need for the most for for most 0:12:56.270 --> 0:12:59.790 of it, outside of, let's say, task management integrations, where 0:12:59.790 --> 0:13:04.030 it's a bit more permissions on creating tasks. It's read only. 0:13:04.030 --> 0:13:06.510 So we're going in and we do need access to 0:13:06.510 --> 0:13:09.790 your environment to go look at the available resources that 0:13:09.790 --> 0:13:13.309 you have. And once we've established those connections, which would 0:13:13.309 --> 0:13:16.829 depend on what integrations you are able to make, we 0:13:16.830 --> 0:13:20.030 can then go run those tests from our end to say, hey, 0:13:20.030 --> 0:13:22.670 we see these databases, we see this load balancer as 0:13:22.670 --> 0:13:27.309 an example. We see these EC2 instances in AWS. Um, 0:13:27.309 --> 0:13:30.390 are you're running these things, we're running these checks. And 0:13:30.390 --> 0:13:33.390 the following instances need to be looked at. Similar example 0:13:33.390 --> 0:13:36.790 for vulnerability scanners. Right. Different type of test. We see 0:13:36.790 --> 0:13:41.870 these vulnerabilities these critical high medium and lows. And we 0:13:41.910 --> 0:13:45.429 give customers and other users of our platform the ability 0:13:45.429 --> 0:13:48.470 to set SLA for those severities and say, hey, look, 0:13:48.630 --> 0:13:52.270 you said that critical vulnerabilities are going to be remediated 0:13:52.270 --> 0:13:56.630 in a 14 day period, but we see this one. 0:13:56.630 --> 0:14:01.030 It's 15, 16 or hey, look, it's 13 days. You 0:14:01.030 --> 0:14:03.190 got to remediate it. Why isn't it remediated? 0:14:04.270 --> 0:14:07.230 Yeah. So so on that point, is that based on 0:14:07.230 --> 0:14:10.550 the policy that you've stated somewhere that we, we have 0:14:10.550 --> 0:14:13.670 stated we want to remediate within that amount of time, 0:14:13.670 --> 0:14:16.510 or is that coming from requirements that we've said that 0:14:16.510 --> 0:14:17.590 we want to fall under? 0:14:18.270 --> 0:14:21.190 Yeah. So it's a little bit of both. So some 0:14:21.190 --> 0:14:24.150 standards depending on what the standard is, is going to 0:14:24.150 --> 0:14:30.150 require specific configurations. Yeah. Um in Vanta there are additional 0:14:30.150 --> 0:14:34.950 configuration features if you will, that are called SLAs. And 0:14:34.950 --> 0:14:38.880 you can edit those SLAs to represent What that time 0:14:38.880 --> 0:14:42.600 period is that's acceptable based on your policy. So let's 0:14:42.600 --> 0:14:46.600 say my policy and my my vulnerability management policy. And 0:14:46.600 --> 0:14:52.160 I specified that 1430 90 um, 14 critical 30 for 0:14:52.160 --> 0:14:56.080 high and then 90 for medium and low. Let's just 0:14:56.080 --> 0:14:59.480 assume then you can go not make those same edits 0:14:59.480 --> 0:15:02.680 in your SLAs and say, hey, we've updated them for 0:15:02.680 --> 0:15:05.920 our policy and we can run tests according to those 0:15:05.920 --> 0:15:08.600 values to say, hey, look, are you meeting it or not? 0:15:09.240 --> 0:15:12.040 Interesting. So if you get a finding back, the finding 0:15:12.040 --> 0:15:17.720 might say this is a violation. Oh, this is, um, 0:15:17.760 --> 0:15:21.520 PCI or this one is, um, SoC version two or 0:15:21.520 --> 0:15:25.400 whatever it is, SoC type two. Um, or it might 0:15:25.400 --> 0:15:28.280 come back and say you're compliant with all those standards, 0:15:28.280 --> 0:15:32.000 but you're violating your own policy. Is that would it 0:15:32.040 --> 0:15:32.840 would it see that? 0:15:33.440 --> 0:15:37.280 So to to clarify, usually when you go in And 0:15:37.280 --> 0:15:38.960 when we think about SLAs and I think a lot 0:15:38.960 --> 0:15:42.120 of this will become even more evident in the platform. Um, 0:15:42.120 --> 0:15:46.200 the when we think about policy. Policy is the, the 0:15:46.200 --> 0:15:51.600 rules really that you establish to govern security compliance. Um, 0:15:51.640 --> 0:15:55.320 the SLA configurations that I'm referring to are additional way 0:15:55.320 --> 0:15:58.280 that you can configure specific time periods based on your 0:15:58.280 --> 0:16:00.840 policy that you've written. So you use the data from 0:16:00.840 --> 0:16:03.880 your policy and you'd say, hey, my policy says X. 0:16:03.920 --> 0:16:06.520 Let me modify the SLAs so that the tests can 0:16:06.520 --> 0:16:11.360 run the way they should. Um, the it's your policy. 0:16:11.560 --> 0:16:15.000 And what you're trying to comply with should be matching 0:16:15.000 --> 0:16:18.840 to begin with. And that's the that's where the value 0:16:18.840 --> 0:16:21.600 comes in as well, where we provide policies and procedures 0:16:21.600 --> 0:16:24.600 to utilize out of the box and customize as needed 0:16:24.800 --> 0:16:27.520 based off of what a requirement of a customer might be. 0:16:28.160 --> 0:16:28.480 Mm. 0:16:29.680 --> 0:16:33.160 Yeah. Interesting. Yeah. I like the direction that we we went. 0:16:33.160 --> 0:16:36.840 We just jumped right in. Uh. Let's see. Yeah. Um, 0:16:36.880 --> 0:16:37.560 let's see here. 0:16:38.000 --> 0:16:41.240 Uh, I know it's a very broad space, I'll say. Yeah. 0:16:41.240 --> 0:16:44.880 What what do you feel like other, like, um, players 0:16:44.880 --> 0:16:46.480 in the field are not doing well. 0:16:47.840 --> 0:16:52.520 Ooh, that's a that's a good one. Um, I'd say that, uh, 0:16:52.520 --> 0:16:55.160 it's there's two things that come to mind. I think 0:16:55.160 --> 0:16:58.080 one is breadth of integrations. Um, I can I can 0:16:58.080 --> 0:17:00.760 attest to this, having been a vantive user in a 0:17:00.760 --> 0:17:04.160 past life where when I started my journey, it was 0:17:04.160 --> 0:17:06.600 several years ago, I think when I started with Vanta, 0:17:06.600 --> 0:17:10.199 it was 9 or 10 integrations. And now if I 0:17:10.200 --> 0:17:13.919 look at our portfolio today, we have over 300 integrations. 0:17:13.920 --> 0:17:16.240 And of course, like the depth of those varied, there's 0:17:16.240 --> 0:17:19.320 different things that we can do with the various integrations. 0:17:19.320 --> 0:17:22.119 But all that to say is we're able to connect 0:17:22.119 --> 0:17:24.520 with way more, and the more that we can see 0:17:24.560 --> 0:17:27.440 and see, the more we can run tests against and 0:17:27.440 --> 0:17:30.960 go in and provide that visibility to you where it's 0:17:30.960 --> 0:17:34.199 less tracking it outside for the specific systems that you 0:17:34.200 --> 0:17:36.720 might be working with. You can come to a unified 0:17:36.720 --> 0:17:39.720 experience and say, hey, look, I'm running these tests against 0:17:39.720 --> 0:17:42.080 these integrations, and I have it all in one spot 0:17:42.080 --> 0:17:44.639 for me to go in and action on. That's one 0:17:44.640 --> 0:17:48.280 piece I'd say, is breadth of integrations. The second piece 0:17:48.280 --> 0:17:50.800 that I'd probably call out is, is customer feedback and 0:17:50.800 --> 0:17:55.640 product listening. I do think that as a whole, especially 0:17:55.640 --> 0:17:58.400 just been working here internally with our product and go 0:17:58.400 --> 0:18:03.040 to market teams. We have really good process around understanding 0:18:03.040 --> 0:18:06.359 customer feedback, taking that and actioning it based off of 0:18:06.359 --> 0:18:08.719 what the feedback is and taking that back into the 0:18:08.720 --> 0:18:12.360 product accordingly. Um, because at the end of the day, 0:18:12.400 --> 0:18:14.879 you know, we want to make sure that our customers 0:18:14.920 --> 0:18:18.640 are getting the value out of the platform in terms 0:18:18.640 --> 0:18:21.520 of managing their compliance program, and that they can scale 0:18:21.520 --> 0:18:22.399 with us as well. 0:18:23.280 --> 0:18:26.639 Yeah. So so let me ask you this. The thing 0:18:26.640 --> 0:18:29.080 that's forming in my mind after hearing this is like 0:18:29.080 --> 0:18:35.450 there's a distinct two things. One is securing the org. 0:18:36.250 --> 0:18:39.090 It's finding what we need to be compliant with and 0:18:39.130 --> 0:18:41.450 like doing the actual work of the security, like vol 0:18:41.450 --> 0:18:45.090 management and stuff like that. And then the separate part 0:18:45.130 --> 0:18:50.330 is like explaining the security, uh, presenting the security. It 0:18:50.330 --> 0:18:54.930 seems like those are two very distinct things. Not not completely, 0:18:54.970 --> 0:19:00.570 you know, disentangled. But do you, do you see Advanta 0:19:00.609 --> 0:19:04.050 like it being those two main things? 0:19:04.090 --> 0:19:06.010 Yeah, I think that those are. That's a really good 0:19:06.010 --> 0:19:09.290 way to to look at it. Right. Um, it's distinguishing 0:19:09.290 --> 0:19:14.370 between your internal, your efforts internally on how you go 0:19:14.369 --> 0:19:18.010 in and secure and maintain compliance for your environment at large. 0:19:18.010 --> 0:19:20.290 And I would like to distinguish those two because they're 0:19:20.290 --> 0:19:23.050 both related. But compliance and security at the end of 0:19:23.050 --> 0:19:25.370 the day are different things. But one can help with 0:19:25.369 --> 0:19:30.410 the other. Right. Um, and by virtue of that, it's 0:19:30.690 --> 0:19:33.770 a that information, the efforts that you take from a 0:19:33.770 --> 0:19:38.970 security and compliance perspective feed the external communication because you 0:19:38.970 --> 0:19:42.250 can't if you don't have anything to communicate, then you're 0:19:42.290 --> 0:19:44.250 kind of at a loss of like how you represent 0:19:44.250 --> 0:19:47.770 yourself to your customer. And that's where, again, having a 0:19:47.770 --> 0:19:53.889 unified experience like Avanta is very critical to to demonstrating 0:19:53.890 --> 0:19:58.970 that notion, because you can complete the required checks, whether 0:19:58.970 --> 0:20:03.649 it's automated or manual colon in show representation against the 0:20:03.650 --> 0:20:06.530 frameworks that you're trying to adhere to. See some of 0:20:06.530 --> 0:20:09.010 that cross mapping across standards. Because if we have a 0:20:09.010 --> 0:20:11.530 test and we know it applies to another standard, we 0:20:11.530 --> 0:20:13.210 provide out of the box, we're going to do that 0:20:13.210 --> 0:20:16.570 mapping for that framework too. And then once you've done 0:20:16.570 --> 0:20:20.250 that bubble that up into the the output from a 0:20:20.250 --> 0:20:24.570 control and reporting perspective and documentation to put on your 0:20:24.570 --> 0:20:28.410 trust center and show that and say, hey, customer A 0:20:28.410 --> 0:20:32.770 or partner A. Here's the list. Here's the representation of 0:20:32.770 --> 0:20:36.130 our compliance program. Here are the different controls that we're running. 0:20:36.530 --> 0:20:40.850 And here's what you need from to see that. We 0:20:40.850 --> 0:20:43.210 want to show you the trust that you can have 0:20:43.250 --> 0:20:45.330 with us, and the data that we're storing for you 0:20:45.330 --> 0:20:47.649 and the services that you're going to be using from us. 0:20:48.730 --> 0:20:51.969 That makes sense. That makes sense. Um, you know, what 0:20:51.970 --> 0:20:56.330 I'm thinking of is, like, there are adjacent spaces that 0:20:56.330 --> 0:21:00.050 if you're doing this holistically, we're kind of naturally fall 0:21:00.050 --> 0:21:02.530 into you, and it seems like you're already kind of 0:21:02.530 --> 0:21:06.450 integrating them. One would be vendor management, another one would 0:21:06.450 --> 0:21:10.649 be vulnerability management. Have those kind of just naturally folded 0:21:10.650 --> 0:21:12.090 into you over time. 0:21:12.730 --> 0:21:15.129 Yeah, yeah, I'd say I'd say so as well. And again, 0:21:15.130 --> 0:21:18.450 from a customer like a past customer experience perspective, it's 0:21:18.450 --> 0:21:20.609 always fun looking at it as a before and after 0:21:20.609 --> 0:21:25.129 being part of the organization. Um, absolutely. The vendor VRM, 0:21:25.170 --> 0:21:28.540 I'd say it's one of my favorite, favorite tools. Um, 0:21:28.540 --> 0:21:31.859 especially because we use AI to go in and help 0:21:31.859 --> 0:21:35.620 with that analysis to accelerate your your reviews. Um, we 0:21:35.619 --> 0:21:38.900 also provide integration with, with procurement tools to go in 0:21:38.900 --> 0:21:42.420 and trigger when a security review might be occurring, whether 0:21:42.420 --> 0:21:46.020 it's a renewal or a new opportunity. But the thing 0:21:46.020 --> 0:21:48.460 with vendor reviews and I'm going to make a little 0:21:48.460 --> 0:21:50.859 tie in to questionnaire automation too, because I think that 0:21:50.859 --> 0:21:53.820 that's a very good tangential ones, internal, like the ones 0:21:53.820 --> 0:21:56.660 about your vendors and one's about you being the vendor 0:21:56.660 --> 0:21:58.900 to another to another consumer. 0:21:59.060 --> 0:22:00.979 Oh yeah, I was actually thinking of both at the 0:22:00.980 --> 0:22:04.100 same time. But you're right. Uh, one is like almost 0:22:04.100 --> 0:22:08.700 like supply chain management internally. And then that's a good point. 0:22:08.700 --> 0:22:11.659 I hadn't thought of that one. So that's actually another space. 0:22:11.660 --> 0:22:13.900 Supply chain management kind of starts to merge with this 0:22:13.900 --> 0:22:18.180 as well. But I was thinking of the one specifically of, uh, 0:22:18.180 --> 0:22:21.460 when you start, when you go into a partnership situation, 0:22:21.460 --> 0:22:24.740 they want to make sure you're secure. Um, they want 0:22:24.740 --> 0:22:27.100 to know the list of vendors you're dealing with. Like 0:22:27.100 --> 0:22:30.940 all these questions keep keep coming up. You mentioned AI. 0:22:30.980 --> 0:22:33.500 Is that to handle the fact that people ask the 0:22:33.500 --> 0:22:35.620 same question over and over in different ways? 0:22:36.100 --> 0:22:38.580 Part of it. Right. Yeah. Part of it is that right? 0:22:38.580 --> 0:22:43.380 There's different variations to different types of questions. Like it's 0:22:43.380 --> 0:22:46.820 it's um, you can you can have a questionnaire that's 0:22:47.340 --> 0:22:50.300 20 to 30 questions long. I've done questionnaires that are 0:22:50.300 --> 0:22:54.340 over 500 questions long. Um, and they're all like different 0:22:54.340 --> 0:22:57.420 depths and breadths, if you will. Um, and because of that, 0:22:57.420 --> 0:23:01.260 it's a tedious exercise. Um, a lot of there's a 0:23:01.260 --> 0:23:04.340 lot of effort that goes into just that aspect of it, right, 0:23:04.340 --> 0:23:07.620 where you're speaking from a being a service provider to 0:23:07.660 --> 0:23:11.540 a customer. Uh, so we use AI to go in 0:23:11.540 --> 0:23:15.660 and analyze the data library and information that we can 0:23:15.660 --> 0:23:18.620 gather based off of what you have input to, to, 0:23:18.619 --> 0:23:22.460 to collectively answer some of those questions and provide those outputs. 0:23:22.460 --> 0:23:25.060 And of course, the more data we can get, the more, 0:23:25.540 --> 0:23:28.139 more refined some of those responses are going to be 0:23:28.420 --> 0:23:31.300 for you to go in and see, maybe even make 0:23:31.300 --> 0:23:33.260 some tweaks and updates for the next time so that 0:23:33.260 --> 0:23:36.260 the next time, sometimes some of those questions comes up, 0:23:36.260 --> 0:23:40.660 it's there and it's ready to go. Um, so and, 0:23:40.660 --> 0:23:43.300 and that also then feeds back to the trust center. 0:23:43.420 --> 0:23:45.420 So if we think about the trust center and being 0:23:45.420 --> 0:23:48.580 able to ask questions from our trust center, that's also 0:23:48.580 --> 0:23:52.139 related here, where it's all a unified experience from that lens, 0:23:52.500 --> 0:23:55.900 from a supply chain management perspective. I think you've hit 0:23:55.900 --> 0:23:58.860 on you've made a really good point, right. Like one's internal. 0:23:58.900 --> 0:24:02.619 The other question of automation is a bit more external. Um, 0:24:02.619 --> 0:24:06.340 the when we think about vendor reviews, there's so much 0:24:06.340 --> 0:24:09.660 that goes into making sure that they're doing the things 0:24:09.820 --> 0:24:12.580 according to what you expect them to do and what 0:24:12.580 --> 0:24:17.540 third party management policy have established. Um, and this gets 0:24:17.540 --> 0:24:20.780 even even trickier when you think about legal agreements and 0:24:20.780 --> 0:24:24.899 regulations and things. And if we think about regulations and 0:24:24.900 --> 0:24:27.700 some of the requirements that they have, the expectation is 0:24:27.700 --> 0:24:30.619 that the providers that you're using are doing the same 0:24:30.619 --> 0:24:33.820 as you. Right. That's the general general feel of things. 0:24:34.180 --> 0:24:37.139 So it becomes this exercise of you have to find 0:24:37.140 --> 0:24:40.500 a quick way or a quick ish way to be 0:24:40.500 --> 0:24:42.620 on top of that and not slow the business down 0:24:42.619 --> 0:24:43.420 at the same time. 0:24:44.260 --> 0:24:44.780 Mhm. 0:24:45.180 --> 0:24:47.980 That makes sense. Well I'm excited. Let's uh let's check 0:24:47.980 --> 0:24:48.820 out the platform. 0:24:49.260 --> 0:24:49.900 Yeah let's do. 0:24:49.900 --> 0:24:50.260 It. 0:24:50.859 --> 0:24:52.420 All right. Can you see my screen. 0:24:53.340 --> 0:24:54.900 I can yeah yeah yeah. 0:24:55.580 --> 0:24:55.980 Cool. 0:24:56.660 --> 0:24:59.140 Um, you should be seeing Aventa homepage. I just want 0:24:59.140 --> 0:25:01.100 to confirm that. You see. See the home. 0:25:01.420 --> 0:25:01.660 Yes. 0:25:01.660 --> 0:25:02.940 That's right. Cool. 0:25:02.980 --> 0:25:06.220 Awesome. Okay, so this is the product. We're on the 0:25:06.220 --> 0:25:09.420 homepage of the product, but I always like to call 0:25:09.420 --> 0:25:13.580 attention to the left nav first. Just to illustrate, especially 0:25:13.580 --> 0:25:17.500 in context of our conversation. Uh, we have compliance. This 0:25:17.500 --> 0:25:20.460 is the frameworks, controls and related tests that we've talked 0:25:20.460 --> 0:25:23.150 through where we provide out of the box frameworks such 0:25:23.150 --> 0:25:26.110 as Soc2, ISO, HIPAA and so on and so forth 0:25:26.390 --> 0:25:30.950 for organizations to use to illustrate their compliance against those standards. 0:25:31.430 --> 0:25:34.389 There's this audit component to some standards just depending on 0:25:34.390 --> 0:25:37.869 what they are. ISO 27,001 and Soc2 are common examples, 0:25:37.950 --> 0:25:41.390 where we also give the capability to customers to bring 0:25:41.430 --> 0:25:44.429 to invite their auditors to come in and perform audits 0:25:44.430 --> 0:25:46.590 within the Vanta platform, which I thought was a really 0:25:46.590 --> 0:25:49.270 cool and nifty feature there. But then there are other 0:25:49.270 --> 0:25:51.590 aspects that we've also talked through on this on the 0:25:51.590 --> 0:25:54.910 session so far. We think about the trust center, which 0:25:54.910 --> 0:25:58.790 is that external communication of your security and compliance process 0:25:58.790 --> 0:26:01.669 and your overall trust management program. The knowledge base that 0:26:01.670 --> 0:26:05.070 I'll be referring to and the aspect of doing questionnaires, 0:26:05.070 --> 0:26:09.430 the risk management module, our risk management module. Think it's 0:26:09.430 --> 0:26:12.630 it's a risk register and risk management platform based off 0:26:12.630 --> 0:26:18.230 of ISO 27,005 risk assessment guidelines. It's very it's the 0:26:18.230 --> 0:26:23.109 standard for showing risk management practices as part of ISO 27,001, 0:26:23.109 --> 0:26:26.670 which is all about. Security management system. And then you 0:26:26.670 --> 0:26:30.310 get into vendors having a vendor risk management program and 0:26:30.310 --> 0:26:31.710 being able to streamline some of that. 0:26:31.710 --> 0:26:32.550 This is great. 0:26:33.030 --> 0:26:35.270 This is great. I mean, you almost have it organized 0:26:35.270 --> 0:26:38.230 by the spaces that that are involved with vendor management, 0:26:38.230 --> 0:26:42.350 risk management. Um, and I guess supply chain kind of 0:26:42.390 --> 0:26:45.830 trickles in and out of these. What about vulnerability management? 0:26:45.869 --> 0:26:47.230 Where does that fall into. 0:26:47.270 --> 0:26:49.590 Yep. So that's exactly what we're going to NASA. We 0:26:49.590 --> 0:26:51.950 thought we put that under assets. And this is where 0:26:51.950 --> 0:26:54.990 we would surface vulnerabilities. And just a sneak peek right. 0:26:55.030 --> 0:26:58.909 We think about this from a vulnerability management perspective. We 0:26:58.910 --> 0:27:01.310 were able to pull in that vulnerability data just depending 0:27:01.310 --> 0:27:04.510 on what your vulnerability scanner is of course. And surface 0:27:04.510 --> 0:27:07.590 that information here so that we can run those SLA 0:27:07.630 --> 0:27:10.230 based tests. And just as a quick example, just just 0:27:10.230 --> 0:27:12.510 kind of print this out. You'll see the due dates 0:27:12.510 --> 0:27:15.429 associated with it. And that's going to trigger back to 0:27:15.430 --> 0:27:18.750 this tests page which I'll quickly highlight to show. Hey, 0:27:19.350 --> 0:27:23.270 let me go do a quick example here. Hi. Vulnerabilities 0:27:23.270 --> 0:27:25.550 that are identified in packages are addressed. And this is 0:27:25.550 --> 0:27:28.550 one specifically for AWS Inspector. We're able to show you 0:27:28.550 --> 0:27:33.790 that the following vulnerabilities. They need attention um and need 0:27:33.790 --> 0:27:36.389 to be actioned on. It's due in X amount of days. 0:27:36.390 --> 0:27:39.670 You need to go in and do something about it. Um, 0:27:39.670 --> 0:27:42.109 but before I get too far along the integration path, 0:27:42.109 --> 0:27:44.550 I do want to make sure I call attention to 0:27:44.550 --> 0:27:47.430 the integration side, because that's actually where like it all 0:27:47.430 --> 0:27:52.510 starts with a vendor platform. Um, our automated compliance platform, 0:27:52.630 --> 0:27:56.590 it's built around the integrations that we're able to see 0:27:56.630 --> 0:27:59.110 plug and play with and see resources from to run 0:27:59.109 --> 0:28:02.429 those tests against. So there will be integrations such as 0:28:02.430 --> 0:28:08.230 your cloud service provider, your version control systems, your identity providers, 0:28:08.270 --> 0:28:10.990 and even Mdms as well that we can go run 0:28:10.990 --> 0:28:15.190 different types of tests. For MDM, we think about, uh, 0:28:15.230 --> 0:28:19.710 having Uh, having a screen lock enabled and configured. We 0:28:19.710 --> 0:28:22.870 think about detecting malware being installed and running on your 0:28:22.869 --> 0:28:27.350 machines from a cloud service provider perspective, making sure that, again, 0:28:27.390 --> 0:28:31.230 data encryption at rest is enabled, unrestricted ports aren't used, 0:28:31.230 --> 0:28:33.350 and if they're used, you have the ability to go 0:28:33.350 --> 0:28:36.630 in and make those deactivations. We're able to go in 0:28:36.630 --> 0:28:39.670 and run those tests against against resources that we can 0:28:39.670 --> 0:28:45.310 see to then illustrate into the compliance side of the House. Um. 0:28:45.590 --> 0:28:48.710 Real quick on that previous one. Um, so for those 0:28:48.710 --> 0:28:56.230 different classifications, cloud providers, uh, CRM documents, like in document management, 0:28:56.230 --> 0:29:00.990 what would you be doing pulling in documents like reviewing policies, uh, 0:29:01.030 --> 0:29:04.670 checking against documents like what would that look like? Looking 0:29:04.670 --> 0:29:05.350 at wikis. 0:29:05.950 --> 0:29:06.430 Yeah. Yeah, it's. 0:29:06.430 --> 0:29:10.190 A great question. So document management would, would be if 0:29:10.190 --> 0:29:13.670 let's say that you have a security compliance program today 0:29:13.670 --> 0:29:16.040 and you manage your artifacts in artifacts in a separate 0:29:16.040 --> 0:29:19.240 data store, whether it's your policies, maybe it's evidence that 0:29:19.240 --> 0:29:21.840 you want to manage, where we give you the capability 0:29:21.840 --> 0:29:24.880 to manage to integrate with those systems and pull that 0:29:24.880 --> 0:29:27.800 information in so that you can upload that, whether it's 0:29:27.800 --> 0:29:31.440 a policy that you're trying to implement or it's a document, manual, 0:29:31.440 --> 0:29:34.680 evidence piece that you're trying to satisfy. So it'd be 0:29:34.680 --> 0:29:37.520 really that facilitation of evidence from a store that you 0:29:37.560 --> 0:29:40.160 maybe just want to manage outside of into. And you, 0:29:40.160 --> 0:29:41.640 you want to continue doing that. 0:29:43.280 --> 0:29:49.440 Yeah. That makes sense. Okay. Yeah. Endpoint identity providers. MDM. Yeah. 0:29:49.480 --> 0:29:54.320 Task management. Yeah. So in terms of task management, could 0:29:54.320 --> 0:29:58.880 you can you actually see like where something is in 0:29:58.880 --> 0:30:02.560 like a vulnerability management process. 0:30:02.600 --> 0:30:04.200 Could you clarify that question for me. 0:30:04.280 --> 0:30:09.120 Yeah. Like so for example um given vulnerability is like uh, 0:30:09.120 --> 0:30:11.560 it's in the process of being patched or it's being 0:30:11.560 --> 0:30:15.920 currently being Got it. 0:30:16.040 --> 0:30:19.800 So the way that our task tracker tax management integration 0:30:19.800 --> 0:30:22.040 would work is we give you the capability to go 0:30:22.040 --> 0:30:27.040 in and create, um, tasks or link existing tasks based 0:30:27.040 --> 0:30:29.040 off of what's done. So in the instance of a 0:30:29.040 --> 0:30:33.160 vulnerability being detected, we could go in. We can integrate 0:30:33.160 --> 0:30:35.880 with your task management provider and give you the ability 0:30:35.880 --> 0:30:39.600 to either create the task here manually, or create a 0:30:39.600 --> 0:30:42.200 workflow to auto create that task to send over to 0:30:42.200 --> 0:30:45.520 your task management provider. Those would then be reflected here 0:30:45.520 --> 0:30:47.320 to go in and see the status of. And you 0:30:47.320 --> 0:30:50.440 can centrally view that information here to make sure that 0:30:50.440 --> 0:30:54.320 those things are closing. Um, but that would be the, 0:30:54.320 --> 0:30:57.080 the that would be how task management would play in there, 0:30:57.080 --> 0:30:59.120 where it's a bit more of a two way street 0:30:59.120 --> 0:31:01.680 where you can create the task, or you could link 0:31:01.680 --> 0:31:05.800 that task and start to see that status information. 0:31:06.520 --> 0:31:10.240 Nice. And then the trust center is where, um, you're 0:31:10.240 --> 0:31:13.240 broadcasting outwards. Can the Can the customer see any part 0:31:13.240 --> 0:31:15.360 of this? Is there any part of this like public to. 0:31:16.040 --> 0:31:18.360 Customers to check status or anything like that. 0:31:19.400 --> 0:31:23.000 The. So as far as task integrations. 0:31:23.040 --> 0:31:26.280 No no no just the top level just trust center 0:31:26.280 --> 0:31:29.800 of like something that they could do on. Their own 0:31:29.800 --> 0:31:34.080 like self-serve to see the the status of anything like 0:31:34.080 --> 0:31:37.960 status of questionnaires or. I don't know what else would 0:31:37.960 --> 0:31:38.560 be in there. 0:31:39.080 --> 0:31:43.040 Yeah. So questionnaires not quite. But this actually makes a 0:31:43.040 --> 0:31:46.400 very good segue into the trust center. Um, and what 0:31:46.400 --> 0:31:49.760 a customer can see relative to that information. So if 0:31:49.760 --> 0:31:53.440 we think about the trust center, um, the the trust 0:31:53.440 --> 0:31:57.640 center is a summary of information from a compliance perspective. 0:31:57.720 --> 0:32:00.360 The different certifications I pull up is a really good 0:32:00.360 --> 0:32:04.920 example here where we were really into for ourselves and 0:32:04.920 --> 0:32:07.800 showcase the different standards that we're adhering to, whether it's an. 0:32:07.840 --> 0:32:09.040 Attestation. 0:32:09.040 --> 0:32:11.479 Situation. But then you can you can also see the 0:32:11.480 --> 0:32:14.080 controls that we want to represent on our trust center 0:32:14.200 --> 0:32:16.840 and showcase the status of those things. Make sure that 0:32:16.840 --> 0:32:22.440 we're socializing what's working, what's what's showing and what's what's, uh, 0:32:22.480 --> 0:32:26.320 operating as part of our security and compliance program, going 0:32:26.320 --> 0:32:29.120 to a lot of the vendor type conversations we've been 0:32:29.120 --> 0:32:32.440 having illustrating your subprocessors that are relevant. 0:32:32.520 --> 0:32:33.640 Oh, really cool. 0:32:33.680 --> 0:32:37.160 It's very, very important. And we can we give you 0:32:37.240 --> 0:32:41.200 give customers the ability to surface that information as part 0:32:41.200 --> 0:32:45.040 of the trust center as well. And then one also 0:32:45.320 --> 0:32:48.120 like relatively recent, it's it's been a minute since it's 0:32:48.120 --> 0:32:49.840 been here. But I thought it was really cool. Was 0:32:49.840 --> 0:32:52.440 this rollout of updates and the time that I've been here, 0:32:52.440 --> 0:32:55.720 which was the ability to go in and surface what's 0:32:55.720 --> 0:32:58.160 what's happened as part of your security and compliance program 0:32:58.160 --> 0:33:01.800 and really show, hey, what's what are the changes? What 0:33:01.800 --> 0:33:04.960 have you newly achieved? Um, is there things that you 0:33:05.000 --> 0:33:08.840 want other external parties to know about your security and 0:33:08.840 --> 0:33:11.760 compliance program and push that upward. 0:33:12.840 --> 0:33:17.320 Yeah. Really cool. Really cool. Uh, so any, uh, any 0:33:17.320 --> 0:33:19.520 new stuff that you're able to talk about that uh, 0:33:19.520 --> 0:33:24.280 people should expect, uh, coming soon, like, like, uh, what's 0:33:24.280 --> 0:33:27.600 your area of, like, trying to develop and build for 0:33:27.600 --> 0:33:28.240 the future? 0:33:29.040 --> 0:33:34.960 Yeah. So I'd say that we've, we've actually recently and, uh, 0:33:34.960 --> 0:33:37.720 released a lot of cool stuff. I think that's also 0:33:37.720 --> 0:33:40.640 relevant to just how the markets and markets playing, especially 0:33:40.640 --> 0:33:43.480 what we see in the industry. Uh, two one thing 0:33:43.480 --> 0:33:46.160 a framework that comes to mind is CMC. Uh, so 0:33:46.160 --> 0:33:50.160 CMC is a hot topic, especially for DoD contractors and 0:33:50.160 --> 0:33:52.880 subcontractors that are having to adhere to that framework and 0:33:52.880 --> 0:33:56.440 get certified or do a self-assessment for, uh, and because 0:33:56.440 --> 0:33:59.280 of that, we we took the initiative to really build 0:33:59.280 --> 0:34:03.400 out an OtterBox framework to go in and guide customers 0:34:03.400 --> 0:34:06.120 on how to implement some of those requirements for themselves. 0:34:06.400 --> 0:34:08.529 So that's one I think I'd draw attention to is 0:34:08.530 --> 0:34:11.290 just based off of the current events and just what 0:34:11.290 --> 0:34:14.450 we know that that would be one, one aspect of things. 0:34:14.930 --> 0:34:18.049 But then I think another two other things that I'd 0:34:18.050 --> 0:34:20.410 love to draw attention to would be high trust and 0:34:20.410 --> 0:34:24.770 our my, our partnership with them and our my CSF integration. Um, 0:34:24.770 --> 0:34:27.370 we have a partnership with High Trust where we can 0:34:27.370 --> 0:34:29.810 go in and offer the high trust CSF and related 0:34:29.810 --> 0:34:34.370 assessment levels. So that's the E1, i1 and R2. Um, 0:34:34.370 --> 0:34:39.050 and they're it's a common framework to adhere to multiple 0:34:39.050 --> 0:34:42.250 authoritative sources, really frameworks at the at the same time 0:34:42.450 --> 0:34:47.570 and show a robust implementation of your security and compliance posture. Uh, 0:34:47.610 --> 0:34:50.690 they have a tool called my CSF, which a lot 0:34:50.690 --> 0:34:53.730 of customers may be familiar with. And we're able to 0:34:53.770 --> 0:34:58.489 connect to with my CSF to make that push of information, 0:34:58.489 --> 0:35:02.810 whether it's your your documents, your evidence, your policy information, 0:35:02.810 --> 0:35:05.650 so that there's not there's less manual work involved in 0:35:05.650 --> 0:35:08.930 that in that process. Finally, I think the third thing 0:35:08.930 --> 0:35:11.410 I'd love to draw attention to is the way I act. 0:35:11.530 --> 0:35:15.410 I think that I is one of those, um, trends 0:35:15.410 --> 0:35:19.410 and topics that's going to continue to be a topic 0:35:19.410 --> 0:35:23.770 for months and years to come. Uh, frankly, um, the 0:35:23.770 --> 0:35:26.609 way I position it to customers when I'm talking to 0:35:26.610 --> 0:35:30.049 them about it is we think about, uh, if you 0:35:30.050 --> 0:35:31.930 go to a train track, let's say you're driving and 0:35:31.930 --> 0:35:33.930 you approach a train track and you see this train like, darn, 0:35:33.930 --> 0:35:36.489 I have to stop for this train. And that train, 0:35:36.489 --> 0:35:39.009 you're going like, man, this train's not letting up, and 0:35:39.010 --> 0:35:41.890 it doesn't let up. That's AI. AI is this train 0:35:41.890 --> 0:35:45.529 that's just going to keep going. And more and more 0:35:45.610 --> 0:35:48.850 standards and regulations are going to come in as responses 0:35:48.850 --> 0:35:51.770 to it. The AI act is a really good example 0:35:51.770 --> 0:35:55.930 of it. Um, and ISO 42,001 as well, which is 0:35:55.930 --> 0:35:58.610 an ISO standard that came out at the end of 2023. 0:35:59.489 --> 0:35:59.890 Mm. 0:36:00.450 --> 0:36:03.569 Okay. And so you're able to take something that's relatively 0:36:03.570 --> 0:36:07.649 new and moving fast like that. And how quickly can 0:36:07.650 --> 0:36:10.410 you normally turn something like that around to get it 0:36:10.410 --> 0:36:13.330 into the platform and get checks going? 0:36:13.890 --> 0:36:16.810 It really it frankly, it does just depends on what 0:36:16.810 --> 0:36:20.890 the framework is, for example. Right. It was a pretty 0:36:20.890 --> 0:36:23.969 robust framework. So it took us a minute to go 0:36:23.969 --> 0:36:27.250 do it and implement it. 0:36:27.250 --> 0:36:28.930 But but it's in the platform now. 0:36:29.770 --> 0:36:32.330 Yes. The UI act we have, we have a framework 0:36:32.330 --> 0:36:34.170 for it in the platform. We also have a framework 0:36:34.170 --> 0:36:39.890 for Cmmc ISO 20 or 42,001, hitrust, E1, i1 and R2, 0:36:39.890 --> 0:36:41.890 and those are all available for customers to come in 0:36:41.890 --> 0:36:42.450 and use. 0:36:43.489 --> 0:36:44.290 Nice. 0:36:44.969 --> 0:36:47.450 So what would be having been like a customer in 0:36:47.450 --> 0:36:51.969 the past? What is like your, um, your killer feature 0:36:52.090 --> 0:36:54.290 that you think of when you think of vanta? 0:36:55.290 --> 0:36:57.689 Oh, man. See, that's that's it's tough because I like 0:36:57.690 --> 0:37:02.930 all of Vanta. That's why I'm here now. Um, but the. 0:37:02.969 --> 0:37:06.540 I'd say that the whole aspect of Trust Center, seeing 0:37:06.540 --> 0:37:09.980 the growth around it is really cool. Um, and we 0:37:10.020 --> 0:37:13.700 continue to optimize that experience, link it to the data 0:37:13.739 --> 0:37:16.580 stores and the data that we feed into the platform. 0:37:16.620 --> 0:37:19.980 Vendor risk management is also a feature. I think that 0:37:19.980 --> 0:37:24.700 it's a very big area of time saving and efficiency 0:37:24.700 --> 0:37:27.780 that could be used to help streamline that review process 0:37:27.780 --> 0:37:31.060 and free up time to focus on other things, which 0:37:31.060 --> 0:37:35.180 is frankly a common challenge for everyone. Right? Time and resources. 0:37:35.180 --> 0:37:38.540 That's a commonality everywhere and things that you can do 0:37:38.660 --> 0:37:42.739 to fast in that process. Those are good things to do. 0:37:42.739 --> 0:37:45.620 And I think band as a whole is really doing 0:37:45.620 --> 0:37:48.339 that and striving for it for our customers. 0:37:48.780 --> 0:37:52.700 Makes sense. All right. Well, I really enjoyed the conversation. 0:37:52.700 --> 0:37:56.340 Anything um, we should mention that we didn't talk about. 0:37:57.420 --> 0:38:01.140 Uh, no. But, hey, what if there are any questions? 0:38:01.140 --> 0:38:03.219 If you're If you're interested, please reach out. We have 0:38:03.219 --> 0:38:06.820 a really good LinkedIn presence and other social media platforms 0:38:06.820 --> 0:38:10.540 as well. You can also reach out to me via LinkedIn. 0:38:10.580 --> 0:38:13.380 It'd be fun. You'll have this information as part of 0:38:13.380 --> 0:38:16.900 the recording as well, where it would be really ecstatic 0:38:16.900 --> 0:38:20.620 to help you in really operationalizing and streamlining your your 0:38:20.620 --> 0:38:21.820 trust management journey. 0:38:22.739 --> 0:38:26.500 Fantastic. Yeah. And what's the URL? It's just vanta comm. 0:38:26.500 --> 0:38:27.220 Is that right? 0:38:27.500 --> 0:38:28.580 Com you got it. 0:38:28.900 --> 0:38:29.219 All right. 0:38:29.219 --> 0:38:31.219 Well, thank you so much for the time. And it 0:38:31.219 --> 0:38:32.540 was a good chat. 0:38:33.500 --> 0:38:34.060 Thank you. 0:38:34.100 --> 0:38:37.300 Appreciate it. 0:38:37.340 --> 0:38:40.900 Unsupervised learning is produced on Hindenburg Pro using an SM 0:38:40.900 --> 0:38:44.419 seven B microphone. A video version of the podcast is 0:38:44.420 --> 0:38:48.180 available on the Unsupervised Learning YouTube channel, and the text 0:38:48.180 --> 0:38:51.500 version with full links and notes is available at Daniel 0:38:51.500 --> 0:38:55.300 Miessler newsletter. We'll see you next time.