March 9, 2023
Portfolio
Unusual

How Vanta found product-market fit: Christina Cacioppo on startup compliance

Sandhya Hegde
No items found.
How Vanta found product-market fit: Christina Cacioppo on startup complianceHow Vanta found product-market fit: Christina Cacioppo on startup compliance
All posts
Editor's note: 

Startup Field Guide Episode 11

In this episode of the Startup Field Guide podcast, Sandhya Hegde chats with Vanta founder and CEO Christina Cacioppo. Christina was among the first to understand how startup founders thought about security and compliance and set out to create the automated compliance category. Vanta is currently valued at $1.6bn.

Be sure to check out more Startup Field Guide Podcast episodes on Spotify, Apple, and Youtube. Hosted by Unusual Ventures General Partner Sandhya Hegde (former EVP at Amplitude), the SFG podcast uncovers how the top unicorn founders of today really found product-market fit.

If you are interested in learning more about some of the themes and ideas in this episode, please check out the Unusual Ventures Field Guides on customer validation, free plan vs. trial plan, and picking the right GTM motion.

TL;DR

  • Christina taught herself to code to gain confidence in her technical abilities. Right out of college, she worked at a venture firm where she meet a lot of founders, and it gave her a better understanding of why people start companies, and what qualities they had in common. 
  • While founders acknowledged that security was a concern they should take seriously, they deprioritized it in favor of competing needs (such as building product features). Vanta’s value hypothesis emphasized helping companies become SOC-2 compliant so that they could grow their business and acquire new customers. 
  • The Vanta team spent 6 months interviewing people, testing, and iterating to ensure they were building the right product. They began coding only when they knew they were building something people wanted. 
  • Initially the company offered CTOs checklists for what good security means but did not find traction. However, when they pivoted to preparing companies for compliance certification, they  were much more successful. 
  • In the early days, when Christina wore many hats, she shifted her mentality from “I’m a failure at these jobs” to “how do I get better at these roles?”
  • The Vanta team focused on building their business with the idea that if they did so, funding will take care of itself. Christina believes that VCs want to fund businesses that don’t need their money as much as businesses that do. 

Episode transcript

Sandhya Hegde:

Our guest today is the CEO and co-founder of Vanta, Christina Cacioppo. Vanta is a unicorn in the security compliance space, helping companies become SOC 2-compliant as an example. They have over 3,000 customers and were recently valued at $1.6 billion. Christina, I'm so excited to have you on the show. Thank you for joining us.

Christina Cacioppo:

Thank you so much for having me.

Sandhya Hegde:

Let's go back all the way to 2017. Tell us why you started Vanta. What was the original insight and why did you decide to become a founder?

Christina Cacioppo:

Yes, so there are two parts. To take you and listeners back to 2017, with Vanta specifically, this was when the 2016 election in the US had just happened where everyone's emails were everywhere and everyone was being hacked. There were a bunch of high-profile data breaches: Equifax, Uber, Sony, and Target, right? It was clear that security on the internet was, one, just really important. And two, it seemed like we were not very good at it. The original puzzle is just why that was — because again, if something's important, assumably, we were concentrating on it and getting better at it.

And yes, it's hard. But I think, actually, quite optimistically about people figuring things out in general. And we tend to figure them out. I think the other puzzle is that as I learned more about Equifax then Uber and the Democrats in 2016… and you learn about these breaches and they seem to happen for silly reasons. For example, someone doesn't have two-factor on their email or someone leaves a cloud storage public or a storage bucket open to the world. But there's very smart, motivated people working on these things. So you ask, “Why are they leaving the front door open?” And so it started as this puzzle to go figure that out where you think, "I don't know if I'll find anything interesting at the end of this," but it's a neat detective exercise. And we found a couple things. One, this stuff is really hard. It looks easy because you could be like, "Oh, you just didn't put two-factor authentication on. You left your front door open, silly you."

With stuff like that, it's hard because it's not like there's one front door — to use that analogy. It's like any company has any number of front doors and windows in their security that they can leave open. And there's a lot of these and they change all the time, right? If you think about a cloud infrastructure account, it's constantly changing. And so it's actually really hard to keep track of. And then you have people on the other side and processes where sometimes they work, and sometimes they don't. The problem on the surface seemed very simple yet ended up being quite hard. The other piece was just incentives. I studied economics in school and really like thinking about incentives (in another life, I think I would've been a microeconomics professor). 

One of the things we found — especially when talking to startups and quickly growing companies — is that the founders totally knew they should take security seriously and very much wanted to from a normative sense and from a business sense; yet both are running up into two problems. One was they often didn't quite know what to do. Like what does it mean to have good security as a seed, series A, or series B stage startup? The second bit was that even if you did know the answer to that question, well, that also required a bunch of work, right? And that work got prioritized against things like finding product-market fit, growing revenue, and retaining customers. 

While security was objectively very important, it was really hard to trade that off against building a feature to save your biggest customer or pushing your roadmap forward so you can earn more business. And so security got caught in this gap where founders wanted to take it seriously, knew they should, but couldn't, from a business perspective, feel like they could justify prioritizing it. And so that was the milieu that Vanta came out of.

Sandhya Hegde:

Got it. And you were at Dropbox at the time?

Christina Cacioppo:

I was at Dropbox earlier. And actually, you asked about becoming a founder, and so that story actually starts much, much earlier. I think even back in undergrad, I wanted to start a company. But I did not admit that to anyone else and I didn't really even admit it to myself. And I think I had a lot of, people like me, for whatever reason, didn't study computer science — myself included. I grew up in the Midwest. Whatever. I don't start companies, right? If you want to start a company, you should have been building stuff in your bedroom when you were seven years old, and shoot, now, I'm 20. Yeah, I'm too late. My time has passed.

Sandhya Hegde:

Too late? At 20 years old? Wow!

Christina Cacioppo:

The hubris and depression of a 20-year-old, but I'm joking. But what was really transformative for me was that right out of school, I was lucky enough to work at an early-stage venture firm, Union Square Ventures (USV) in New York. And my job there was basically just to meet with founders all day long for two years straight. And so I met with dozens and dozens of founders and realized all sorts of people start companies! And some of them, yes, there are some common traits, like you have to want to get stuff done and run through walls a little bit. But also, there are a million differences and it's about figuring out what it was like. And that was like a light bulb moment. Over time, I saw people who were successful who I thought I shared qualities with. So it wasn't just people that I didn't feel like.

The one chip I still had on my shoulder was that I was not technical and I wanted to start a software company. Lots of non-technical people start software companies. But I, to a fault,  needed to figure it out to have confidence in that person. I'm not a fake-it-until-you-make-it type of person. Sometimes, I wish I were more that way. So what I did was I took my bonus one year and extended it over two and a half years and just taught myself to code and built a bunch of products — none of which anyone has ever heard of because they didn't really go anywhere. Yet it was fun at the time. It was also stressful at this time, this period of just learning how to build and to make and do that for the first time.

And I think some of that was just really helpful in convincing myself that I was someone who could learn how to do things and learn how to make things; I was sufficiently technical to make shoddy MVPs, right? I could not get hired as an engineer at Vanta today or probably at any point in our history, but I realized that I really liked being able to prototype my ideas. And that was really important to me, in a confidence-building and a testing and iteration perspective. And so just doing that for a couple of years was probably the last piece of the puzzle.

Sandhya Hegde:

Makes sense. The big focus of our show is finding product-market fit. We typically divide that up into two broad stages, which already sounds very simple. I know it's not — it's definitely very cyclical — but for the sake of simplicity in the narrative, phase one, test how strong and differentiated the product value hypothesis is, is this really unique? Is it compelling? Does it resolve a problem with a lot of tailwinds behind it? And second, who is it for? Who is the desperate customer who can validate the growth hypothesis of how this company will find momentum and take off? So that's how we usually divide it up. 

How did you think about this path of product-market fit, especially having been in venture before, seeing a lot of founders struggle through it. Was that a benefit or an advantage to have gone through that experience? And how did you approach this journey of product-market fit? What was it like?

Christina Cacioppo:

I think it was a benefit, although it probably made me a little too considerate. By that, I mean that having worked in venture and early stage venture, you see how... I think as an industry, we celebrate raising money, but when you're working in venture, you're like, "Oh, that's not the thing," right? The thing is getting customers and happy customers and retaining them. 

When you've raised a bunch of money, but don't have growth in customers, then you lose conviction yourself. That is just the worst because there is this huge gap between the money and thinking, "I should be successful and we should be growing and — oh shoot, we're not," when there isn't product-market fit. It's never fun to realize you don’t have product-market fit, but it is in fact worse to not have it with $4 million in your bank account than zero dollars in your bank account. 

And so the piece of raising money is fine, but it doesn't solve the product-market fit problem. And that is in fact a very real problem. Anyway, so I was super skeptical about that. Also, in my two years of building things, I built a bunch of stuff no one wanted. It's fun when you're learning and you're like, "Ooh, I got better at coding!" or "I learned this new skill!" or whatever, but fundamentally, when no one wants your stuff, that just isn't fun either. And so I had a bunch of prior experience and failures (by many senses of the term) that made me really stringent about finding product-market fit for Vanta or for a startup.

I can talk through the process. What it looked like was basically a six-month process that started with really open-ended questions, then moved to spreadsheet prototypes, and then moved to prototypes that we told people were generated with code that was not generally written by hand, right? At the end of the six months, we started coding. We realized that just because we could build whatever thing we wanted didn't mean people wanted it, right? And so we just front-loaded all of this exploration and testing and iteration so that when we did start writing code, hopefully, it was the right code toward a problem that was actually real and resonant and that folks would pay for it with their time and money.

Sandhya Hegde:

And so could you share a few examples from that time, maybe ideas you had confidence in that didn't go anywhere? And then how would you articulate the first problem you decided, "Yes, this is worth building the product around. This is the one problem we'll focus on?”

Christina Cacioppo:

For sure. So going back to security being interesting and important… but we're not very good at it. What's going on? So the first version of this was talking to startup founders. A good portion of them were like, "Hey, I know security's important, but what does that mean for a seed stage company or a  series A company?” And so what we did was went and talked to a bunch of security experts and figured out a version of that. And then we made this prescriptive checklist of “here's what good security means and here's what you do.”

And we went and handed that to a bunch of CTOs who said, "Thank you so much, this is so great. We love it!" And we're like, "Oh, excellent. Maybe we should start coding." And then we return a week later, two weeks later, a month later and ask, "So where are you on the checklist?" Only to hear, "Oh, I haven't started." And you're like, "Why not?" Right? And they're like, "Oh, because I want to, I should, but here are the 9 million other priorities that are more business-pressing that have come up."

And then we're like, "Oh, what if I started doing this for you? Can I come in and do it for you?" And they might say yes, but they mostly were like, "Oh, well, I have to spend a bunch of time getting you set up to do that. And I can't really spend the time. Love you, but I don't want to," right? So you're like, "Ooh, this is not going so well," right? So that was one version.

Another version was that as we started poking around and just having more conversations, we came across security questionnaires. It was at this moment when a company — a B2B company —is selling to probably a bigger company and the bigger company is like, "Hey, maybe I like your product, but you're a couple of people in a garage. How can I trust you? Can you go answer all these questions for me?"

I called them up, and then they sent a spreadsheet. And so we're like, "Okay, this is interesting." So what we started doing was taking in those calls on behalf of companies and just being like, "Can we do it? Are we credible?" We started answering security questionnaires by hand for people. And that worked better, except what we realized was that we could build some tech, but we weren't actually super convinced we could standardize this. And it's interesting because there are more companies now that answer security questionnaires for companies. We have to partner with a couple of them, but it tends to be partially tech, partially services. And so that was our thesis at that time. And we realized, "Hey, maybe it's going to change." But it's a technology bet and you're not betting on your tech, you're betting on Google to make better NLP [natural language processing] tech. Anyway, it just felt like, “oh, your destiny is in the hands of Google's NLP API [application programming interface]” and that doesn't feel great. Anyway, so then we're like, "Okay, well, no one likes these questionnaires. How do you get rid of the questionnaires?"

And we asked around about that and we came across compliance certifications. So then it was like, "Ooh, I remember these. I ran into one at Dropbox. It was terrible." I ran in the other direction because it was so bad! What are these compliance certifications? And so we start poking around and then we start preparing companies for these compliance certifications. It was a similar pitch. You go to the CTO and be like, "Hey, can I come in and give you a roadmap to how to get SOC 2-compliant?" And they're like, "Yeah, because I need that and I don't know what it is and I'm just putting it off." And then you're like, "Okay, but I'm going to need to talk to your engineers". And they're like, "Cool, great. Who do you need when?" And you're like, "Ooh, interesting. Different reaction", right?

Sandhya Hegde:

Great. They're willing to give you access to their engineering team, which is pretty much the most walled garden resource.

Christina Cacioppo:

Right!

Sandhya Hegde:

And was that because that was a business priority for them? They can't sell their software without this, their customers are asking for it. Was that new at the time?

Christina Cacioppo:

Yes.

Sandhya Hegde:

I'm assuming this is maybe 2018 that the companies are saying, "I know you are a small startup, but you still need to be SOC 2 compliant for me to work with you." When did that start happening?

Christina Cacioppo:

Yes. So around 2017, 2018. So in 2017 startups did not get SOC 2. When we raised Vanta's seed round in 2018, we'd pitched seed stage VCs and we'd be like, "Hey, we're going to [implement] SOC 2 with all your startups." And the seed stage VCs would turn around and be like, "But none of our startups have SOC 2;" which is very different now in 2022. But yeah, so this was before that time. We can talk about that shift, but it was a business query. And this was an unlock, it was compliance. In its best case, to me, is how you're demonstrating the security you have to grow your business: to bring on larger customers, to open up new markets, healthcare, enterprise, et cetera.

And so there's actually a very strong revenue tie to this, right? And if you think about how it's demonstrating your security, you should be demonstrating the security you do have, not the security you don't have. And so there's this neat incentive alignment, back to that point of, "Hey, in order to get compliant, you need to work on your internal security. But once you have that internal security, you can go demonstrate it and have a SOC 2 or a ISO 27001, GDPR, whatever. And by the way, that opens up lots of new revenue and new markets for you, so this is worth prioritizing." And that pitch was very clean and we figured that out. That unlocked a lot.

Sandhya Hegde:

Got it. And how did you then think about what people call time-to-value — which is, okay, someone has said, "Yes, SOC 2-compliant, that's on my product roadmap. I need to get that done for the business.” How do you get them from nothing to, "Oh my God, Vanta's already adding value to us?" What was that first “aha!” moment for the product, and how did you guys approach building it?

Christina Cacioppo:

Yeah. So in terms of just broadly building the products, the first SOC 2 gap assessments were in spreadsheets. We did one and it was testing, “do we know what we're doing? Do they think we know what we're doing?” Right? 

We then did a second one, which would basically take the first, but give it to our second company and change some details, but be like, "Hey, can we give this to the first company, saying they're the second company, and does that work?" Because we want to standardize this, right? We want to build software for them, not make spreadsheets for everyone or different spreadsheets for everyone. So anyway, so then the first version of the product was in fact just coding our spreadsheet, right? It was a list of things you needed to do and whether or not your company was doing them. That was it. It was extraordinarily simple, but it had one job and that was the one job.

And so in terms of time-to-value, it’s interesting. I probably would've given you a very complicated answer a couple years ago around timelines and getting compliance or whatever. I think what actually ended up happening was companies would sign up for Vanta, connect, give us read access to an AWS or GitHub or a G-Suite, the tools they’re using, and then they would just have this color-coded roadmap of all these things they were doing and all these things they needed to do. And there was an “aha!” moment because it took this thing of like, "I need to get SOC 2-compliant. What does that even mean? I need to go do a big research project, pay expensive people [who were] in a color-coded task list."

Sandhya Hegde:

Got it. So ironically, it was not that different from that checklist idea you had at first. But now, it's packaged into “here's why you are doing it. Here's specific information for you to act on” that is already taking your context into account because you gave us access to your Google Workspace or whatever.

Christina Cacioppo:

Correct. Yes.

Sandhya Hegde:

Perfect. Got it. Awesome. All right. That is so different from, I think, outside-in, what I would have perceived as Vanta's journey, so thank you so much for sharing that. Segueing a little bit into the customer profile, the addressable market, it sounds like your beachhead customers were startups. Can you share a little bit more about that? Who were you usually talking to? Was it usually a founder, the CXO, the CTO? And how did you think about building a product for startups versus building a product for large businesses? Did you think about making choices differently? Was there pressure to try to go up market and solve this for bigger teams or not really at all?

Christina Cacioppo:

Yeah. So in the very early days, we certainly had a bias towards startups because there were people we knew and people we liked spending time with. But I also think about pragmatism: they were people we could talk to. Like I would send an email and within a week or so you could almost literally get them on iMessage and get feedback over that. And so it was broadly, I mean, a predisposition for startups. But we went and talked to everyone. I went and talked to big enterprises. And there was a pragmatism around startup founders because it's just easier to access and easier to get product feedback. And with startups you’re operating under the assumption that when you're building an MVP and trying to actually figure out if it is an active MVP versus not, you just want to optimize for feedback. And that is just the oxygen in the system. And if you do not have customer feedback, it will not work. And so there's a strong pragmatism in it, too.

Sandhya Hegde:

Got it. And when did you start thinking about, like okay, what is our scalable go-to-market strategy? Was this 2018 or later? When did you start thinking, "All right, I'm the one reaching out to all our prospect customers right now. What does our go-to-market model actually look like?" And what were some of the early evolutions around that?

Christina Cacioppo:

Yeah. So we first went to the market in 2018. I sold the first $500,000 of Vanta because I was just talking to customers all day long. And I sold like a product person. And there was good and bad of that. 

The good was just extreme curiosity and being like, "Oh, why are you interested in this? What's it like?" It was just a strong discovery to use sales terms, right? I was just super curious about the companies because it was all product feedback. The bad of it was you'd go a little overboard on discovery or be like, "Oh, and I want to show you all the cool features I built." That is not the makings of a good demo. Or sometimes we would just not send people contracts.

So there was good and bad to it, but I did all of that. I tried to do it until it felt repeatable, and when it felt repeatable, it was almost boring to do. And that you're like, "Oh, it's another call. 30 minutes, okay, I'll turn half my brain off and just say and do things for 30 minutes and probably send a contract at the end," and it got boring. And so it was like that point where it felt, again, it felt repeatable but yeah, it didn't feel repeatable to me, it felt boring I guess. It's the lived experience.

Sandhya Hegde:

Right. So two follow-up questions. One, how many calls do you think you did to get to that? How many customer calls do you think you did to get to the $500,000? And what was the call script like at a high level? What was the 30-second version?

Christina Cacioppo:

Yeah. So I'm guessing, somewhere between 100 to 150 customers probably. The call script — it’s funny. So initially, it was a first call. It was a call-call, no screen share. I would do all this discovery and then tell them about Vanta. And the conversations would end with them being like, "That sounds really good. But it sounds so good, I think it's snake oil." Like, "I don't believe you,” basically. “You seem very nice, but I do not believe you." 

And then I’d be like, "Oh, let me show you." And so the second call was this screen share and it was this 30-minute demo and I had some flow to that. And then one founder was like, "I didn't believe you on the first call and now, I believe you after the demo. But you should have just done that. You don't need two calls for this."

And I was just like, "Oh, you are so right! I am sorry. Thank you for the feedback." And so I tried to just do these 30-minute calls. And then because I didn't really know what the next step was… I didn't even know how to sell. And so what I would do is just be like, "Oh, well, do you want a trial?" And generally, people would say yes. And I read a blog post that said 14-day trials and 30-day trials are the same, so I was like, "Cool, you can have access to Vanta for 14 days. And I may or may not email you during that, depending on what else I'm doing." (I mean, I should've. That may or may not have happened.) And then at the end, the next Friday, I would just email them and be like, "So could I have your credit card?"

And people would be like, generally, they'd say, "Sure," which I learned was a “presumptive close.” But again, I did not know any of these words. So I was just like someone bumbling around but bumbling around in response to feedback. And it felt like it was getting closer to something. And when I was probably $300,000 in revenue, I went and talked to a bunch of salespeople and sales advisors and was like, "Here's what I'm doing. What do you think?" They were generally like, "Whoa. Some of this makes a lot of sense and some of it's totally dumpy, but it seems like it's working." And by the way, it's phrases like “qualification” and “presumptive close,” all of these things, you learn from reading the sales books.

Sandhya Hegde:

Right. "Let us explain to you what we're doing!" 

Christina Cacioppo:

Totally! Yeah. And then you're like, "Oh those are interesting. I'll Google those words!" Yeah.

Sandhya Hegde:

Yeah. And what happened in that 14-day window with your customers? You probably now know a lot more about that than you knew at the time, but what usually happened in those 14 days? Because a lot of this also goes back to actually having to work with an auditor, which I assume probably takes longer. So could you help us understand what your customer’s two-week or four-week journey looked like at the time?

Christina Cacioppo:

Yeah. So we had this, in some ways, well-instrumented; in some ways, not. So what we actually did — and I've done this with previous things I built. And I found it really helpful, though it does not scale at all, to basically build something where whenever someone rebuilt analytics (in a bad way), we’d send ourselves an email. Whenever someone took an action in Vanta, whether you connect a new system, you generate a policy, or you fix a test, we'd send ourselves an email.

And so I just had this email log of all these actions people took. And so that was actually really helpful because you could be like, "Oh, a person just logged in. They did some stuff." And then again, if I was on my game, I'd get all these emails and then I'd email them and be like, "Hey, what do you think of Vanta?" Right? And they'd be like, "How did you know?"

And so there was a little bit where I had some sense of who was poking around, who wasn't, and what they were doing through our email bot. And this was really helpful. Again, if you actually do get users and customers, it doesn't scale very well. But it was really helpful in the early days. And what they were generally doing was getting ready, and the whole Vanta pitch was like you have this prescriptive to-do list and things are red and green. And if you make everything green, you'll be ready for an audit. So step one was to make everything green. And then step two, we'll get you an auditor and we'll go through that. So it was really just working through that task list.

Sandhya Hegde:

Got it. And so even in the early days, were you also doing the auditor market placing, connecting… was that a part of the value prop as well?

Christina Cacioppo:

It was because we really wanted to get folks SOC 2 compliant, and we were not an auditor. We were not about to become one for regulatory reasons, but you need an auditor to get SOC 2-compliant. And so the initial bit was me going out and talking to auditors and trying to get one of them to work with us. There was some trial and error in that for sure. But eventually, what was actually just compelling was it was a smaller firm — it was a more entrepreneurial partner. It was a firm that was structured such that partners got basically commission on the audits they did. So this person was personally and financially-incentivized to bring in more business to the firm; not just as a share of partner revenue, but with a specific W2 measure, which I learned later. But it was one of those who were like, "Oh, that's why you bet on me. That makes sense!"

Anyway. So we found this person and had a few customers. And so we're like, "Can you audit them? And by the way, I will fly to your office in Colorado. I’ll sit with you and basically sit with the login to the Vanta database and pull whatever information you need. Because I don't quite know what you need and you don't know how to explain it either. So let's just sit in your office for a week straight and go through whatever it is you need in order to feel comfortable with the fact that this customer is in fact meeting the SOC 2 controls."

Sandhya Hegde:

Got it. And it's such a valuable thing you are doing because I can't imagine anything a CTO wants to do less than have to call some auditors to try to find one for their SOC 2 audit.

Christina Cacioppo:

Correct. Yes.

Sandhya Hegde:

That’s so incredibly valuable, especially when you know you can scale it in the future! Awesome. All right. So you have sold $500,000 in contracts. How did you think about what the go-to market model was? Are we doing bottom up or top-down? Product-led? All the buzzwords. And then who were the first few key hires you made, especially given that you hadn't gone big on raising a lot of money early and were thinking about building this company so frugally?

Christina Cacioppo:

Yeah. So on the go-to-market motion, I think I always wanted to be product-led. But there was just so much product to build. And on the sales side, someone being a salesperson and needing a sales hire… that worked well enough as we were basically completing the product. And so what we ended up with was a sales-touch, sales-assist model where someone goes to vanta.com, the CTAs [calls to action], get a demo, and an AE [account executive] will take you from demo to close in under a month. And that's always been true. And it is in some ways, again, more pragmatism than philosophical. And the pragmatism was just like we have so much to build in order to: get a company baseline secure, get them ready for SOC 2, get the auditor what they need…  and this sales thing seems to be working well enough that we should just make sure we already have a complete product first.

Sandhya Hegde:

Makes sense. And I know that a lot of people, especially my investor colleagues,  get very nervous when they see a low five-figure ACV [all commodities volume] products being sold by AEs as opposed to having a self-serve signup flow. How did you think about that? How did you think about A) did that concern come up for you from your stakeholders, from your board at any point? And B) how did you think about what is the sales model that can still work with that price point?

Christina Cacioppo:

Yeah, so it came up when VCs would mention that while we were pitching or during coffee chats. It seemed very philosophical, like, "Thank you for the feedback. I'm trying to get to 100K in ARR," or like, let me try to figure that out first before trying to change. And what I'm doing seems like it's maybe working… but it's not clearly not working, so I hear you. At some point, what I'm doing might not work for those reasons, but this feels more philosophical than my blocker today, this month, this quarter. So it's a little bit of like, "Thank you for the feedback. I shall keep that in mind," kind of a moment. I think the advice is often like, "Oh, you can't sell low five-figure ACVs with a salesperson."

And the more nuanced version is “hey, there are industry-standard and best-in-class sales efficiency metrics. And most companies at the ACV don't get the sales efficiency metrics, so watch out.” That is very different, right? And then when you cut, we'd get that. But when you cut Vanta's sales efficiency metrics, they were best in class. And so then we stopped getting that critique, because it was like, "Oh, you've somehow figured out how to make AE average quota attainment 150%. We're not quite sure what you're doing over there, probably hiring too few AEs honestly, but clearly, there's something there."

Sandhya Hegde:

Got it. So what does rep productivity at Vanta look like? What does a good rep do in, say, a month or however you track it? How many customers do they close in a month or a quarter?

Christina Cacioppo:

Yeah, it's funny. So we have not changed a lot of this — even back to 2019, with the first sales rep. So a couple of things. One, we have monthly quotas. When I was selling, I gave myself weekly quotas. Basically, people convinced me I could not hire anyone on a weekly quota. And even today, the fact that we hire on a monthly quota is still surprising to folks. But to me, it's a less than 30-day sales cycle, so it's a monthly quota. And if you give people a quarterly quota, the sales cycle will almost certainly extend incentives. So that's really important. The original quota — which we still have —was based on what I was selling.

So I was selling about three deals a week, 12 deals a month. And so my thinking was that I have all the benefits of being a founder of the company. Having built the product, I know it super well. But I'm also not a very good salesperson. And so if we bring in a good salesperson who is not a founder, who then doesn't know the product as well or has to learn it… let's just say these things cancel out. And so how can I expect you to do what I was doing? Right? And we brought in a very good salesperson and they blew it out the water — twice what I did, which is awesome! Right?

Sandhya Hegde:

Humbling and great. [Laughs]

Christina Cacioppo:

Totally! [Laughs.] You're like, "Yes, I thought I was getting good. I wasn't. Cool. Great. Glad you're here." But anyway, that's how I figured out our initial quota, I was like, "Oh no, can you do what I was doing? We'll see," and the answer is definitely “yes.”

Sandhya Hegde:

Got it. Makes sense. And so if you think about Vanta's future versus what you're doing now, I'm curious, are you thinking about continuing to stay focused on the startup segment or have you thought about or is there a compelling reason to go upmarket? And at what point? How are you now thinking about future product strategy?

Christina Cacioppo:

Yeah, so a couple of things. One, the startup market is our roots. Philosophical alignment is and will always be extraordinarily important. And I think there's a revenue and customer account piece. But there's a hearts-and-minds piece there that I do not want to ever, ever, ever lose. That said, Vanta is a very special company in lots of ways. But it's also not a special company in other ways. In one way that it's not, it’s kind of like everyone in B2B moves  upmarket over time.

Sandhya Hegde:

Right.

Christina Cacioppo:

And so we probably will, too. Right? And that's just like a little bit of a law of physics thing. And we see that, right? When you serve startups, some of them grow and then they get more demanding as customers. And I say it's one of the best ways of being demanding, but totally more demanding. You also just get this pull from them. So our approach has historically been built for those demanding, early customers who are bought into the vision but maybe are now frustrated with the product and its limitations. But if you can get them in a good spot again, you should be able to go out and get new folks, right? But again, for the folks that are already bought into the premise, you're just annoying them. So stop annoying them… but it's quite hard and requires a lot of product effort. But that is the first step.

Sandhya Hegde:

Right. So you're finding product-market fit again with this new segment, but you have the benefit of the fact that some of your existing customers have already moved into that segment. So hopefully, they can drag you along with them.

Christina Cacioppo:

Yes.

Sandhya Hegde:

Awesome. Well, Christina, one of the things we have noticed is great CEOs almost end up having to become new types of leaders every six months — that's what makes the role so challenging is that your company is often growing faster than you can evolve as a leader, and needs something different from you all the time. How do you invest in your own evolution as a leader and as a CEO?

Christina Cacioppo:

Yeah, I think one thing that helped in the early days — before I hired folks — is that you're the sales until you hire a salesperson, and you've got to hire a good one. You're support, until you hire a support person. Same with customer success, right? And for me, I had this product and technical background, but I didn't know go-to-market at all. And I just felt like I was constantly bad at all my jobs. Which I was! But there was an unlock one day while running when I had this realization of like, "Ooh, this [hardship] is the point, because I am learning these jobs. And if I ever feel like I'm good at them, that means I have waited… and I should be hiring someone for it," right?

For the next couple of years, my job is to do a bunch of jobs I've never done and feel bad about them until I feel better at them so that I can find someone. And I think that mental shift was a big deal for me because it was like, "Oh cool, it's just going to feel like failure for a while. But hopefully, it's not," right? Versus day in and day out, asking, "Why am I not a better salesperson?" Being like, "My job is to get better at sales." When you do something new, especially as someone who likes to feel like they know what they're doing, you definitely, actually don't. And so that feels uncomfortable. But again, normalizing that for myself was a big deal. So in the early days, that mindset was really helpful.

Sandhya Hegde:

Makes sense. Are there any specific mentors or books or anything that stand out to you as something that, looking back, was the right advice that you got at the right time?

Christina Cacioppo:

Yes, a couple things were helpful. I've read all the startup management books and the management books and the engineering management books. I think they're very helpful, but also, while it’s helpful to read them, so much of this stuff is practical learning. As in, how do you learn to manage people? You have to manage people poorly and do it better. And it kills me deeply that you have to practice on other people because that just seems so unfair and I don't know a way around it. It just makes me cringe to this day, thinking about doing it now. I'm thinking about having done it and ugh! It's brutal.

I think there have also been a handful of folks who have been extraordinarily helpful. One in particular, J Zac Stein — he's on Vanta's board now — but I met him in 2018 when I sold Vanta to him. He just negotiated with me under the table, and I felt great about it at the end! He was someone who was like, "Yeah, I would negotiate with you under the table." And then you're like, "Oh, this was such a pleasant interaction!" And he foolishly, at the end of that, offered to stay in touch and I became this gnat at his side. Two and a half years later, it's still there. And he was just really helpful because one, he'd seen more scale. He got a company and that was a year to two years ahead of Vanta. And so it was close enough but he knew it.

He was COO of that company and had therefore led all the other functions. And so when I was trying to figure out what the heck “rev ops” was, he had just built a rev ops team. And then his strengths were also very different. One of his strengths is interpersonal management. Again, he's the person who can negotiate you under the table or let you go when you feel great about everything. And I so wanted that and did not have it. That was really, really helpful.

Sandhya Hegde:

Makes sense. So any last words of parting advice for founders who are starting up right now? For someone who's considering starting a company, what would be your top few points of advice?

Christina Cacioppo:

Yes, so a couple of things. One, so we’re recording this podcast episode in 2022. Obviously, the macro-environment in 2022 is much different than in 2021. 

I actually like this environment much more. I like the focus on sustainable growth and building a business. It's harder in some ways, but I think it just forces a lot of clarity that the company has to adapt at some point. And it's just so much easier if you build it in early. So I think for folks who are like, "Ah, it's the economy crashing" well, I buy into the thought that it’s a great time to start a company. That’s because the things that are harder now, well, companies have to go through them in general. And it's as hard as they are to go through when you're small, it's even harder to go through when you have a thousand people.

So I think that is a big advantage. I think the other part, especially in this environment, but even in last year's, is that one of the "tricks" I learned when I was in VC was that the best way to have a bunch of venture capitalists want to fund your company is to not need venture capitalists to fund your company, right?

Venture capitalists want to fund businesses that don't need them more than businesses that do in order to stay in business. And so for Vanta, we did a bunch of things early on to build our own conviction in the business. We built a business that we always wanted to be huge and venture-funded, but we didn't take venture money for a while. We got to $10 million in ARR around the $3 million seed round. And again, that wasn't a bootstrap-to-venture pivot, it was just the question of, “can we build a real, proper business?” And then the funding will take care of itself.

And so I’m very biased on that one because that's what we did. But I do think it gave us a lot of freedom and control later on. And at the time, it forced us to build conviction in the business ourselves versus outsourcing that and being like, "Oh, we're doing a good job because this VC says we're doing a good job." It's like, "No, we're doing a good job because we're doing a good job," and here's how we know that.

Sandhya Hegde:

Amazing. I feel like we could just keep talking for hours, but I will let you get back to your extremely busy day building Vanta. I'm so impressed by what you've built here, and we'll be waiting to see where you take Vanta in the future. Thank you so much for spending time with us, Christina!

All posts

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Suspendisse varius enim in eros elementum tristique. Duis cursus, mi quis viverra ornare, eros dolor interdum nulla, ut commodo diam libero vitae erat. Aenean faucibus nibh et justo cursus id rutrum lorem imperdiet. Nunc ut sem vitae risus tristique posuere.

All posts
March 9, 2023
Portfolio
Unusual

How Vanta found product-market fit: Christina Cacioppo on startup compliance

Sandhya Hegde
No items found.
How Vanta found product-market fit: Christina Cacioppo on startup complianceHow Vanta found product-market fit: Christina Cacioppo on startup compliance
Editor's note: 

Startup Field Guide Episode 11

In this episode of the Startup Field Guide podcast, Sandhya Hegde chats with Vanta founder and CEO Christina Cacioppo. Christina was among the first to understand how startup founders thought about security and compliance and set out to create the automated compliance category. Vanta is currently valued at $1.6bn.

Be sure to check out more Startup Field Guide Podcast episodes on Spotify, Apple, and Youtube. Hosted by Unusual Ventures General Partner Sandhya Hegde (former EVP at Amplitude), the SFG podcast uncovers how the top unicorn founders of today really found product-market fit.

If you are interested in learning more about some of the themes and ideas in this episode, please check out the Unusual Ventures Field Guides on customer validation, free plan vs. trial plan, and picking the right GTM motion.

TL;DR

  • Christina taught herself to code to gain confidence in her technical abilities. Right out of college, she worked at a venture firm where she meet a lot of founders, and it gave her a better understanding of why people start companies, and what qualities they had in common. 
  • While founders acknowledged that security was a concern they should take seriously, they deprioritized it in favor of competing needs (such as building product features). Vanta’s value hypothesis emphasized helping companies become SOC-2 compliant so that they could grow their business and acquire new customers. 
  • The Vanta team spent 6 months interviewing people, testing, and iterating to ensure they were building the right product. They began coding only when they knew they were building something people wanted. 
  • Initially the company offered CTOs checklists for what good security means but did not find traction. However, when they pivoted to preparing companies for compliance certification, they  were much more successful. 
  • In the early days, when Christina wore many hats, she shifted her mentality from “I’m a failure at these jobs” to “how do I get better at these roles?”
  • The Vanta team focused on building their business with the idea that if they did so, funding will take care of itself. Christina believes that VCs want to fund businesses that don’t need their money as much as businesses that do. 

Episode transcript

Sandhya Hegde:

Our guest today is the CEO and co-founder of Vanta, Christina Cacioppo. Vanta is a unicorn in the security compliance space, helping companies become SOC 2-compliant as an example. They have over 3,000 customers and were recently valued at $1.6 billion. Christina, I'm so excited to have you on the show. Thank you for joining us.

Christina Cacioppo:

Thank you so much for having me.

Sandhya Hegde:

Let's go back all the way to 2017. Tell us why you started Vanta. What was the original insight and why did you decide to become a founder?

Christina Cacioppo:

Yes, so there are two parts. To take you and listeners back to 2017, with Vanta specifically, this was when the 2016 election in the US had just happened where everyone's emails were everywhere and everyone was being hacked. There were a bunch of high-profile data breaches: Equifax, Uber, Sony, and Target, right? It was clear that security on the internet was, one, just really important. And two, it seemed like we were not very good at it. The original puzzle is just why that was — because again, if something's important, assumably, we were concentrating on it and getting better at it.

And yes, it's hard. But I think, actually, quite optimistically about people figuring things out in general. And we tend to figure them out. I think the other puzzle is that as I learned more about Equifax then Uber and the Democrats in 2016… and you learn about these breaches and they seem to happen for silly reasons. For example, someone doesn't have two-factor on their email or someone leaves a cloud storage public or a storage bucket open to the world. But there's very smart, motivated people working on these things. So you ask, “Why are they leaving the front door open?” And so it started as this puzzle to go figure that out where you think, "I don't know if I'll find anything interesting at the end of this," but it's a neat detective exercise. And we found a couple things. One, this stuff is really hard. It looks easy because you could be like, "Oh, you just didn't put two-factor authentication on. You left your front door open, silly you."

With stuff like that, it's hard because it's not like there's one front door — to use that analogy. It's like any company has any number of front doors and windows in their security that they can leave open. And there's a lot of these and they change all the time, right? If you think about a cloud infrastructure account, it's constantly changing. And so it's actually really hard to keep track of. And then you have people on the other side and processes where sometimes they work, and sometimes they don't. The problem on the surface seemed very simple yet ended up being quite hard. The other piece was just incentives. I studied economics in school and really like thinking about incentives (in another life, I think I would've been a microeconomics professor). 

One of the things we found — especially when talking to startups and quickly growing companies — is that the founders totally knew they should take security seriously and very much wanted to from a normative sense and from a business sense; yet both are running up into two problems. One was they often didn't quite know what to do. Like what does it mean to have good security as a seed, series A, or series B stage startup? The second bit was that even if you did know the answer to that question, well, that also required a bunch of work, right? And that work got prioritized against things like finding product-market fit, growing revenue, and retaining customers. 

While security was objectively very important, it was really hard to trade that off against building a feature to save your biggest customer or pushing your roadmap forward so you can earn more business. And so security got caught in this gap where founders wanted to take it seriously, knew they should, but couldn't, from a business perspective, feel like they could justify prioritizing it. And so that was the milieu that Vanta came out of.

Sandhya Hegde:

Got it. And you were at Dropbox at the time?

Christina Cacioppo:

I was at Dropbox earlier. And actually, you asked about becoming a founder, and so that story actually starts much, much earlier. I think even back in undergrad, I wanted to start a company. But I did not admit that to anyone else and I didn't really even admit it to myself. And I think I had a lot of, people like me, for whatever reason, didn't study computer science — myself included. I grew up in the Midwest. Whatever. I don't start companies, right? If you want to start a company, you should have been building stuff in your bedroom when you were seven years old, and shoot, now, I'm 20. Yeah, I'm too late. My time has passed.

Sandhya Hegde:

Too late? At 20 years old? Wow!

Christina Cacioppo:

The hubris and depression of a 20-year-old, but I'm joking. But what was really transformative for me was that right out of school, I was lucky enough to work at an early-stage venture firm, Union Square Ventures (USV) in New York. And my job there was basically just to meet with founders all day long for two years straight. And so I met with dozens and dozens of founders and realized all sorts of people start companies! And some of them, yes, there are some common traits, like you have to want to get stuff done and run through walls a little bit. But also, there are a million differences and it's about figuring out what it was like. And that was like a light bulb moment. Over time, I saw people who were successful who I thought I shared qualities with. So it wasn't just people that I didn't feel like.

The one chip I still had on my shoulder was that I was not technical and I wanted to start a software company. Lots of non-technical people start software companies. But I, to a fault,  needed to figure it out to have confidence in that person. I'm not a fake-it-until-you-make-it type of person. Sometimes, I wish I were more that way. So what I did was I took my bonus one year and extended it over two and a half years and just taught myself to code and built a bunch of products — none of which anyone has ever heard of because they didn't really go anywhere. Yet it was fun at the time. It was also stressful at this time, this period of just learning how to build and to make and do that for the first time.

And I think some of that was just really helpful in convincing myself that I was someone who could learn how to do things and learn how to make things; I was sufficiently technical to make shoddy MVPs, right? I could not get hired as an engineer at Vanta today or probably at any point in our history, but I realized that I really liked being able to prototype my ideas. And that was really important to me, in a confidence-building and a testing and iteration perspective. And so just doing that for a couple of years was probably the last piece of the puzzle.

Sandhya Hegde:

Makes sense. The big focus of our show is finding product-market fit. We typically divide that up into two broad stages, which already sounds very simple. I know it's not — it's definitely very cyclical — but for the sake of simplicity in the narrative, phase one, test how strong and differentiated the product value hypothesis is, is this really unique? Is it compelling? Does it resolve a problem with a lot of tailwinds behind it? And second, who is it for? Who is the desperate customer who can validate the growth hypothesis of how this company will find momentum and take off? So that's how we usually divide it up. 

How did you think about this path of product-market fit, especially having been in venture before, seeing a lot of founders struggle through it. Was that a benefit or an advantage to have gone through that experience? And how did you approach this journey of product-market fit? What was it like?

Christina Cacioppo:

I think it was a benefit, although it probably made me a little too considerate. By that, I mean that having worked in venture and early stage venture, you see how... I think as an industry, we celebrate raising money, but when you're working in venture, you're like, "Oh, that's not the thing," right? The thing is getting customers and happy customers and retaining them. 

When you've raised a bunch of money, but don't have growth in customers, then you lose conviction yourself. That is just the worst because there is this huge gap between the money and thinking, "I should be successful and we should be growing and — oh shoot, we're not," when there isn't product-market fit. It's never fun to realize you don’t have product-market fit, but it is in fact worse to not have it with $4 million in your bank account than zero dollars in your bank account. 

And so the piece of raising money is fine, but it doesn't solve the product-market fit problem. And that is in fact a very real problem. Anyway, so I was super skeptical about that. Also, in my two years of building things, I built a bunch of stuff no one wanted. It's fun when you're learning and you're like, "Ooh, I got better at coding!" or "I learned this new skill!" or whatever, but fundamentally, when no one wants your stuff, that just isn't fun either. And so I had a bunch of prior experience and failures (by many senses of the term) that made me really stringent about finding product-market fit for Vanta or for a startup.

I can talk through the process. What it looked like was basically a six-month process that started with really open-ended questions, then moved to spreadsheet prototypes, and then moved to prototypes that we told people were generated with code that was not generally written by hand, right? At the end of the six months, we started coding. We realized that just because we could build whatever thing we wanted didn't mean people wanted it, right? And so we just front-loaded all of this exploration and testing and iteration so that when we did start writing code, hopefully, it was the right code toward a problem that was actually real and resonant and that folks would pay for it with their time and money.

Sandhya Hegde:

And so could you share a few examples from that time, maybe ideas you had confidence in that didn't go anywhere? And then how would you articulate the first problem you decided, "Yes, this is worth building the product around. This is the one problem we'll focus on?”

Christina Cacioppo:

For sure. So going back to security being interesting and important… but we're not very good at it. What's going on? So the first version of this was talking to startup founders. A good portion of them were like, "Hey, I know security's important, but what does that mean for a seed stage company or a  series A company?” And so what we did was went and talked to a bunch of security experts and figured out a version of that. And then we made this prescriptive checklist of “here's what good security means and here's what you do.”

And we went and handed that to a bunch of CTOs who said, "Thank you so much, this is so great. We love it!" And we're like, "Oh, excellent. Maybe we should start coding." And then we return a week later, two weeks later, a month later and ask, "So where are you on the checklist?" Only to hear, "Oh, I haven't started." And you're like, "Why not?" Right? And they're like, "Oh, because I want to, I should, but here are the 9 million other priorities that are more business-pressing that have come up."

And then we're like, "Oh, what if I started doing this for you? Can I come in and do it for you?" And they might say yes, but they mostly were like, "Oh, well, I have to spend a bunch of time getting you set up to do that. And I can't really spend the time. Love you, but I don't want to," right? So you're like, "Ooh, this is not going so well," right? So that was one version.

Another version was that as we started poking around and just having more conversations, we came across security questionnaires. It was at this moment when a company — a B2B company —is selling to probably a bigger company and the bigger company is like, "Hey, maybe I like your product, but you're a couple of people in a garage. How can I trust you? Can you go answer all these questions for me?"

I called them up, and then they sent a spreadsheet. And so we're like, "Okay, this is interesting." So what we started doing was taking in those calls on behalf of companies and just being like, "Can we do it? Are we credible?" We started answering security questionnaires by hand for people. And that worked better, except what we realized was that we could build some tech, but we weren't actually super convinced we could standardize this. And it's interesting because there are more companies now that answer security questionnaires for companies. We have to partner with a couple of them, but it tends to be partially tech, partially services. And so that was our thesis at that time. And we realized, "Hey, maybe it's going to change." But it's a technology bet and you're not betting on your tech, you're betting on Google to make better NLP [natural language processing] tech. Anyway, it just felt like, “oh, your destiny is in the hands of Google's NLP API [application programming interface]” and that doesn't feel great. Anyway, so then we're like, "Okay, well, no one likes these questionnaires. How do you get rid of the questionnaires?"

And we asked around about that and we came across compliance certifications. So then it was like, "Ooh, I remember these. I ran into one at Dropbox. It was terrible." I ran in the other direction because it was so bad! What are these compliance certifications? And so we start poking around and then we start preparing companies for these compliance certifications. It was a similar pitch. You go to the CTO and be like, "Hey, can I come in and give you a roadmap to how to get SOC 2-compliant?" And they're like, "Yeah, because I need that and I don't know what it is and I'm just putting it off." And then you're like, "Okay, but I'm going to need to talk to your engineers". And they're like, "Cool, great. Who do you need when?" And you're like, "Ooh, interesting. Different reaction", right?

Sandhya Hegde:

Great. They're willing to give you access to their engineering team, which is pretty much the most walled garden resource.

Christina Cacioppo:

Right!

Sandhya Hegde:

And was that because that was a business priority for them? They can't sell their software without this, their customers are asking for it. Was that new at the time?

Christina Cacioppo:

Yes.

Sandhya Hegde:

I'm assuming this is maybe 2018 that the companies are saying, "I know you are a small startup, but you still need to be SOC 2 compliant for me to work with you." When did that start happening?

Christina Cacioppo:

Yes. So around 2017, 2018. So in 2017 startups did not get SOC 2. When we raised Vanta's seed round in 2018, we'd pitched seed stage VCs and we'd be like, "Hey, we're going to [implement] SOC 2 with all your startups." And the seed stage VCs would turn around and be like, "But none of our startups have SOC 2;" which is very different now in 2022. But yeah, so this was before that time. We can talk about that shift, but it was a business query. And this was an unlock, it was compliance. In its best case, to me, is how you're demonstrating the security you have to grow your business: to bring on larger customers, to open up new markets, healthcare, enterprise, et cetera.

And so there's actually a very strong revenue tie to this, right? And if you think about how it's demonstrating your security, you should be demonstrating the security you do have, not the security you don't have. And so there's this neat incentive alignment, back to that point of, "Hey, in order to get compliant, you need to work on your internal security. But once you have that internal security, you can go demonstrate it and have a SOC 2 or a ISO 27001, GDPR, whatever. And by the way, that opens up lots of new revenue and new markets for you, so this is worth prioritizing." And that pitch was very clean and we figured that out. That unlocked a lot.

Sandhya Hegde:

Got it. And how did you then think about what people call time-to-value — which is, okay, someone has said, "Yes, SOC 2-compliant, that's on my product roadmap. I need to get that done for the business.” How do you get them from nothing to, "Oh my God, Vanta's already adding value to us?" What was that first “aha!” moment for the product, and how did you guys approach building it?

Christina Cacioppo:

Yeah. So in terms of just broadly building the products, the first SOC 2 gap assessments were in spreadsheets. We did one and it was testing, “do we know what we're doing? Do they think we know what we're doing?” Right? 

We then did a second one, which would basically take the first, but give it to our second company and change some details, but be like, "Hey, can we give this to the first company, saying they're the second company, and does that work?" Because we want to standardize this, right? We want to build software for them, not make spreadsheets for everyone or different spreadsheets for everyone. So anyway, so then the first version of the product was in fact just coding our spreadsheet, right? It was a list of things you needed to do and whether or not your company was doing them. That was it. It was extraordinarily simple, but it had one job and that was the one job.

And so in terms of time-to-value, it’s interesting. I probably would've given you a very complicated answer a couple years ago around timelines and getting compliance or whatever. I think what actually ended up happening was companies would sign up for Vanta, connect, give us read access to an AWS or GitHub or a G-Suite, the tools they’re using, and then they would just have this color-coded roadmap of all these things they were doing and all these things they needed to do. And there was an “aha!” moment because it took this thing of like, "I need to get SOC 2-compliant. What does that even mean? I need to go do a big research project, pay expensive people [who were] in a color-coded task list."

Sandhya Hegde:

Got it. So ironically, it was not that different from that checklist idea you had at first. But now, it's packaged into “here's why you are doing it. Here's specific information for you to act on” that is already taking your context into account because you gave us access to your Google Workspace or whatever.

Christina Cacioppo:

Correct. Yes.

Sandhya Hegde:

Perfect. Got it. Awesome. All right. That is so different from, I think, outside-in, what I would have perceived as Vanta's journey, so thank you so much for sharing that. Segueing a little bit into the customer profile, the addressable market, it sounds like your beachhead customers were startups. Can you share a little bit more about that? Who were you usually talking to? Was it usually a founder, the CXO, the CTO? And how did you think about building a product for startups versus building a product for large businesses? Did you think about making choices differently? Was there pressure to try to go up market and solve this for bigger teams or not really at all?

Christina Cacioppo:

Yeah. So in the very early days, we certainly had a bias towards startups because there were people we knew and people we liked spending time with. But I also think about pragmatism: they were people we could talk to. Like I would send an email and within a week or so you could almost literally get them on iMessage and get feedback over that. And so it was broadly, I mean, a predisposition for startups. But we went and talked to everyone. I went and talked to big enterprises. And there was a pragmatism around startup founders because it's just easier to access and easier to get product feedback. And with startups you’re operating under the assumption that when you're building an MVP and trying to actually figure out if it is an active MVP versus not, you just want to optimize for feedback. And that is just the oxygen in the system. And if you do not have customer feedback, it will not work. And so there's a strong pragmatism in it, too.

Sandhya Hegde:

Got it. And when did you start thinking about, like okay, what is our scalable go-to-market strategy? Was this 2018 or later? When did you start thinking, "All right, I'm the one reaching out to all our prospect customers right now. What does our go-to-market model actually look like?" And what were some of the early evolutions around that?

Christina Cacioppo:

Yeah. So we first went to the market in 2018. I sold the first $500,000 of Vanta because I was just talking to customers all day long. And I sold like a product person. And there was good and bad of that. 

The good was just extreme curiosity and being like, "Oh, why are you interested in this? What's it like?" It was just a strong discovery to use sales terms, right? I was just super curious about the companies because it was all product feedback. The bad of it was you'd go a little overboard on discovery or be like, "Oh, and I want to show you all the cool features I built." That is not the makings of a good demo. Or sometimes we would just not send people contracts.

So there was good and bad to it, but I did all of that. I tried to do it until it felt repeatable, and when it felt repeatable, it was almost boring to do. And that you're like, "Oh, it's another call. 30 minutes, okay, I'll turn half my brain off and just say and do things for 30 minutes and probably send a contract at the end," and it got boring. And so it was like that point where it felt, again, it felt repeatable but yeah, it didn't feel repeatable to me, it felt boring I guess. It's the lived experience.

Sandhya Hegde:

Right. So two follow-up questions. One, how many calls do you think you did to get to that? How many customer calls do you think you did to get to the $500,000? And what was the call script like at a high level? What was the 30-second version?

Christina Cacioppo:

Yeah. So I'm guessing, somewhere between 100 to 150 customers probably. The call script — it’s funny. So initially, it was a first call. It was a call-call, no screen share. I would do all this discovery and then tell them about Vanta. And the conversations would end with them being like, "That sounds really good. But it sounds so good, I think it's snake oil." Like, "I don't believe you,” basically. “You seem very nice, but I do not believe you." 

And then I’d be like, "Oh, let me show you." And so the second call was this screen share and it was this 30-minute demo and I had some flow to that. And then one founder was like, "I didn't believe you on the first call and now, I believe you after the demo. But you should have just done that. You don't need two calls for this."

And I was just like, "Oh, you are so right! I am sorry. Thank you for the feedback." And so I tried to just do these 30-minute calls. And then because I didn't really know what the next step was… I didn't even know how to sell. And so what I would do is just be like, "Oh, well, do you want a trial?" And generally, people would say yes. And I read a blog post that said 14-day trials and 30-day trials are the same, so I was like, "Cool, you can have access to Vanta for 14 days. And I may or may not email you during that, depending on what else I'm doing." (I mean, I should've. That may or may not have happened.) And then at the end, the next Friday, I would just email them and be like, "So could I have your credit card?"

And people would be like, generally, they'd say, "Sure," which I learned was a “presumptive close.” But again, I did not know any of these words. So I was just like someone bumbling around but bumbling around in response to feedback. And it felt like it was getting closer to something. And when I was probably $300,000 in revenue, I went and talked to a bunch of salespeople and sales advisors and was like, "Here's what I'm doing. What do you think?" They were generally like, "Whoa. Some of this makes a lot of sense and some of it's totally dumpy, but it seems like it's working." And by the way, it's phrases like “qualification” and “presumptive close,” all of these things, you learn from reading the sales books.

Sandhya Hegde:

Right. "Let us explain to you what we're doing!" 

Christina Cacioppo:

Totally! Yeah. And then you're like, "Oh those are interesting. I'll Google those words!" Yeah.

Sandhya Hegde:

Yeah. And what happened in that 14-day window with your customers? You probably now know a lot more about that than you knew at the time, but what usually happened in those 14 days? Because a lot of this also goes back to actually having to work with an auditor, which I assume probably takes longer. So could you help us understand what your customer’s two-week or four-week journey looked like at the time?

Christina Cacioppo:

Yeah. So we had this, in some ways, well-instrumented; in some ways, not. So what we actually did — and I've done this with previous things I built. And I found it really helpful, though it does not scale at all, to basically build something where whenever someone rebuilt analytics (in a bad way), we’d send ourselves an email. Whenever someone took an action in Vanta, whether you connect a new system, you generate a policy, or you fix a test, we'd send ourselves an email.

And so I just had this email log of all these actions people took. And so that was actually really helpful because you could be like, "Oh, a person just logged in. They did some stuff." And then again, if I was on my game, I'd get all these emails and then I'd email them and be like, "Hey, what do you think of Vanta?" Right? And they'd be like, "How did you know?"

And so there was a little bit where I had some sense of who was poking around, who wasn't, and what they were doing through our email bot. And this was really helpful. Again, if you actually do get users and customers, it doesn't scale very well. But it was really helpful in the early days. And what they were generally doing was getting ready, and the whole Vanta pitch was like you have this prescriptive to-do list and things are red and green. And if you make everything green, you'll be ready for an audit. So step one was to make everything green. And then step two, we'll get you an auditor and we'll go through that. So it was really just working through that task list.

Sandhya Hegde:

Got it. And so even in the early days, were you also doing the auditor market placing, connecting… was that a part of the value prop as well?

Christina Cacioppo:

It was because we really wanted to get folks SOC 2 compliant, and we were not an auditor. We were not about to become one for regulatory reasons, but you need an auditor to get SOC 2-compliant. And so the initial bit was me going out and talking to auditors and trying to get one of them to work with us. There was some trial and error in that for sure. But eventually, what was actually just compelling was it was a smaller firm — it was a more entrepreneurial partner. It was a firm that was structured such that partners got basically commission on the audits they did. So this person was personally and financially-incentivized to bring in more business to the firm; not just as a share of partner revenue, but with a specific W2 measure, which I learned later. But it was one of those who were like, "Oh, that's why you bet on me. That makes sense!"

Anyway. So we found this person and had a few customers. And so we're like, "Can you audit them? And by the way, I will fly to your office in Colorado. I’ll sit with you and basically sit with the login to the Vanta database and pull whatever information you need. Because I don't quite know what you need and you don't know how to explain it either. So let's just sit in your office for a week straight and go through whatever it is you need in order to feel comfortable with the fact that this customer is in fact meeting the SOC 2 controls."

Sandhya Hegde:

Got it. And it's such a valuable thing you are doing because I can't imagine anything a CTO wants to do less than have to call some auditors to try to find one for their SOC 2 audit.

Christina Cacioppo:

Correct. Yes.

Sandhya Hegde:

That’s so incredibly valuable, especially when you know you can scale it in the future! Awesome. All right. So you have sold $500,000 in contracts. How did you think about what the go-to market model was? Are we doing bottom up or top-down? Product-led? All the buzzwords. And then who were the first few key hires you made, especially given that you hadn't gone big on raising a lot of money early and were thinking about building this company so frugally?

Christina Cacioppo:

Yeah. So on the go-to-market motion, I think I always wanted to be product-led. But there was just so much product to build. And on the sales side, someone being a salesperson and needing a sales hire… that worked well enough as we were basically completing the product. And so what we ended up with was a sales-touch, sales-assist model where someone goes to vanta.com, the CTAs [calls to action], get a demo, and an AE [account executive] will take you from demo to close in under a month. And that's always been true. And it is in some ways, again, more pragmatism than philosophical. And the pragmatism was just like we have so much to build in order to: get a company baseline secure, get them ready for SOC 2, get the auditor what they need…  and this sales thing seems to be working well enough that we should just make sure we already have a complete product first.

Sandhya Hegde:

Makes sense. And I know that a lot of people, especially my investor colleagues,  get very nervous when they see a low five-figure ACV [all commodities volume] products being sold by AEs as opposed to having a self-serve signup flow. How did you think about that? How did you think about A) did that concern come up for you from your stakeholders, from your board at any point? And B) how did you think about what is the sales model that can still work with that price point?

Christina Cacioppo:

Yeah, so it came up when VCs would mention that while we were pitching or during coffee chats. It seemed very philosophical, like, "Thank you for the feedback. I'm trying to get to 100K in ARR," or like, let me try to figure that out first before trying to change. And what I'm doing seems like it's maybe working… but it's not clearly not working, so I hear you. At some point, what I'm doing might not work for those reasons, but this feels more philosophical than my blocker today, this month, this quarter. So it's a little bit of like, "Thank you for the feedback. I shall keep that in mind," kind of a moment. I think the advice is often like, "Oh, you can't sell low five-figure ACVs with a salesperson."

And the more nuanced version is “hey, there are industry-standard and best-in-class sales efficiency metrics. And most companies at the ACV don't get the sales efficiency metrics, so watch out.” That is very different, right? And then when you cut, we'd get that. But when you cut Vanta's sales efficiency metrics, they were best in class. And so then we stopped getting that critique, because it was like, "Oh, you've somehow figured out how to make AE average quota attainment 150%. We're not quite sure what you're doing over there, probably hiring too few AEs honestly, but clearly, there's something there."

Sandhya Hegde:

Got it. So what does rep productivity at Vanta look like? What does a good rep do in, say, a month or however you track it? How many customers do they close in a month or a quarter?

Christina Cacioppo:

Yeah, it's funny. So we have not changed a lot of this — even back to 2019, with the first sales rep. So a couple of things. One, we have monthly quotas. When I was selling, I gave myself weekly quotas. Basically, people convinced me I could not hire anyone on a weekly quota. And even today, the fact that we hire on a monthly quota is still surprising to folks. But to me, it's a less than 30-day sales cycle, so it's a monthly quota. And if you give people a quarterly quota, the sales cycle will almost certainly extend incentives. So that's really important. The original quota — which we still have —was based on what I was selling.

So I was selling about three deals a week, 12 deals a month. And so my thinking was that I have all the benefits of being a founder of the company. Having built the product, I know it super well. But I'm also not a very good salesperson. And so if we bring in a good salesperson who is not a founder, who then doesn't know the product as well or has to learn it… let's just say these things cancel out. And so how can I expect you to do what I was doing? Right? And we brought in a very good salesperson and they blew it out the water — twice what I did, which is awesome! Right?

Sandhya Hegde:

Humbling and great. [Laughs]

Christina Cacioppo:

Totally! [Laughs.] You're like, "Yes, I thought I was getting good. I wasn't. Cool. Great. Glad you're here." But anyway, that's how I figured out our initial quota, I was like, "Oh no, can you do what I was doing? We'll see," and the answer is definitely “yes.”

Sandhya Hegde:

Got it. Makes sense. And so if you think about Vanta's future versus what you're doing now, I'm curious, are you thinking about continuing to stay focused on the startup segment or have you thought about or is there a compelling reason to go upmarket? And at what point? How are you now thinking about future product strategy?

Christina Cacioppo:

Yeah, so a couple of things. One, the startup market is our roots. Philosophical alignment is and will always be extraordinarily important. And I think there's a revenue and customer account piece. But there's a hearts-and-minds piece there that I do not want to ever, ever, ever lose. That said, Vanta is a very special company in lots of ways. But it's also not a special company in other ways. In one way that it's not, it’s kind of like everyone in B2B moves  upmarket over time.

Sandhya Hegde:

Right.

Christina Cacioppo:

And so we probably will, too. Right? And that's just like a little bit of a law of physics thing. And we see that, right? When you serve startups, some of them grow and then they get more demanding as customers. And I say it's one of the best ways of being demanding, but totally more demanding. You also just get this pull from them. So our approach has historically been built for those demanding, early customers who are bought into the vision but maybe are now frustrated with the product and its limitations. But if you can get them in a good spot again, you should be able to go out and get new folks, right? But again, for the folks that are already bought into the premise, you're just annoying them. So stop annoying them… but it's quite hard and requires a lot of product effort. But that is the first step.

Sandhya Hegde:

Right. So you're finding product-market fit again with this new segment, but you have the benefit of the fact that some of your existing customers have already moved into that segment. So hopefully, they can drag you along with them.

Christina Cacioppo:

Yes.

Sandhya Hegde:

Awesome. Well, Christina, one of the things we have noticed is great CEOs almost end up having to become new types of leaders every six months — that's what makes the role so challenging is that your company is often growing faster than you can evolve as a leader, and needs something different from you all the time. How do you invest in your own evolution as a leader and as a CEO?

Christina Cacioppo:

Yeah, I think one thing that helped in the early days — before I hired folks — is that you're the sales until you hire a salesperson, and you've got to hire a good one. You're support, until you hire a support person. Same with customer success, right? And for me, I had this product and technical background, but I didn't know go-to-market at all. And I just felt like I was constantly bad at all my jobs. Which I was! But there was an unlock one day while running when I had this realization of like, "Ooh, this [hardship] is the point, because I am learning these jobs. And if I ever feel like I'm good at them, that means I have waited… and I should be hiring someone for it," right?

For the next couple of years, my job is to do a bunch of jobs I've never done and feel bad about them until I feel better at them so that I can find someone. And I think that mental shift was a big deal for me because it was like, "Oh cool, it's just going to feel like failure for a while. But hopefully, it's not," right? Versus day in and day out, asking, "Why am I not a better salesperson?" Being like, "My job is to get better at sales." When you do something new, especially as someone who likes to feel like they know what they're doing, you definitely, actually don't. And so that feels uncomfortable. But again, normalizing that for myself was a big deal. So in the early days, that mindset was really helpful.

Sandhya Hegde:

Makes sense. Are there any specific mentors or books or anything that stand out to you as something that, looking back, was the right advice that you got at the right time?

Christina Cacioppo:

Yes, a couple things were helpful. I've read all the startup management books and the management books and the engineering management books. I think they're very helpful, but also, while it’s helpful to read them, so much of this stuff is practical learning. As in, how do you learn to manage people? You have to manage people poorly and do it better. And it kills me deeply that you have to practice on other people because that just seems so unfair and I don't know a way around it. It just makes me cringe to this day, thinking about doing it now. I'm thinking about having done it and ugh! It's brutal.

I think there have also been a handful of folks who have been extraordinarily helpful. One in particular, J Zac Stein — he's on Vanta's board now — but I met him in 2018 when I sold Vanta to him. He just negotiated with me under the table, and I felt great about it at the end! He was someone who was like, "Yeah, I would negotiate with you under the table." And then you're like, "Oh, this was such a pleasant interaction!" And he foolishly, at the end of that, offered to stay in touch and I became this gnat at his side. Two and a half years later, it's still there. And he was just really helpful because one, he'd seen more scale. He got a company and that was a year to two years ahead of Vanta. And so it was close enough but he knew it.

He was COO of that company and had therefore led all the other functions. And so when I was trying to figure out what the heck “rev ops” was, he had just built a rev ops team. And then his strengths were also very different. One of his strengths is interpersonal management. Again, he's the person who can negotiate you under the table or let you go when you feel great about everything. And I so wanted that and did not have it. That was really, really helpful.

Sandhya Hegde:

Makes sense. So any last words of parting advice for founders who are starting up right now? For someone who's considering starting a company, what would be your top few points of advice?

Christina Cacioppo:

Yes, so a couple of things. One, so we’re recording this podcast episode in 2022. Obviously, the macro-environment in 2022 is much different than in 2021. 

I actually like this environment much more. I like the focus on sustainable growth and building a business. It's harder in some ways, but I think it just forces a lot of clarity that the company has to adapt at some point. And it's just so much easier if you build it in early. So I think for folks who are like, "Ah, it's the economy crashing" well, I buy into the thought that it’s a great time to start a company. That’s because the things that are harder now, well, companies have to go through them in general. And it's as hard as they are to go through when you're small, it's even harder to go through when you have a thousand people.

So I think that is a big advantage. I think the other part, especially in this environment, but even in last year's, is that one of the "tricks" I learned when I was in VC was that the best way to have a bunch of venture capitalists want to fund your company is to not need venture capitalists to fund your company, right?

Venture capitalists want to fund businesses that don't need them more than businesses that do in order to stay in business. And so for Vanta, we did a bunch of things early on to build our own conviction in the business. We built a business that we always wanted to be huge and venture-funded, but we didn't take venture money for a while. We got to $10 million in ARR around the $3 million seed round. And again, that wasn't a bootstrap-to-venture pivot, it was just the question of, “can we build a real, proper business?” And then the funding will take care of itself.

And so I’m very biased on that one because that's what we did. But I do think it gave us a lot of freedom and control later on. And at the time, it forced us to build conviction in the business ourselves versus outsourcing that and being like, "Oh, we're doing a good job because this VC says we're doing a good job." It's like, "No, we're doing a good job because we're doing a good job," and here's how we know that.

Sandhya Hegde:

Amazing. I feel like we could just keep talking for hours, but I will let you get back to your extremely busy day building Vanta. I'm so impressed by what you've built here, and we'll be waiting to see where you take Vanta in the future. Thank you so much for spending time with us, Christina!

All posts

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Suspendisse varius enim in eros elementum tristique. Duis cursus, mi quis viverra ornare, eros dolor interdum nulla, ut commodo diam libero vitae erat. Aenean faucibus nibh et justo cursus id rutrum lorem imperdiet. Nunc ut sem vitae risus tristique posuere.

Recent Blog Posts

No items found.