  • July 26, 2023
  • 38 min read

Decrypt Security at Vanta with Rob Picard


In this episode, Shane has a conversation with Rob Picard, Security Lead at Vanta, a one-stop shop for startups needing guidance and support in meeting compliance requirements. Rob is an experienced security leader who led teams at Robinhood and founded the YC-backed startup Observa, a security tool that offered high-value, high-signal, low-noise detections for cloud accounts.

A few highlights from their conversation include:

  • As a security professional your job is not to stop things. Your job is to enable things. Your job is to make things go forward. Guardrails not gates.
  • There is a huge need for efficient and effective security solutions, particularly for startups that cannot afford large security teams to sift through noise.
  • Security tools like Panther, Semgrep, Socket.dev, CrowdStrike, Red Canary, and Sublime Security are a few that Rob has found effective and helpful.
  • Breaches like CircleCI, where the company was open and upfront, are incredibly useful because people can learn from what happened and go through exercises to prepare for what they might do to prevent it from happening to them, or how they might respond if it did happen.

Listen to the full episode on YouTube or wherever you get podcasts. You can find Rob on Twitter @RobPicard and on LinkedIn where he regularly authors articles and insights on security.


Shane:

Hey Rob, thanks for joining.

Rob:

Hey, happy to be here.

Shane:

Delighted to have you. Security is a pretty interesting space for people to get into, and I think it's not necessarily always a thing that people aspire to be doing when they're studying computer science in college or even when they're kids. I'd love to hear a little bit about your background and just how you ended up in security in general.

Rob:

Yeah, that's fair. I think a lot of people kind of find security somewhere along the way and they're like, oh, this is actually really interesting and I can kind of make a whole career out of it. For me, I was interested in security when I was 14 and in high school and I was just being a loner and playing on the computer all day. I discovered, oh, SQL injection and cross-site scripting, and there's all these different ways to hack a website and all this kind of stuff. So I found that really interesting. I spent some amount of time kind of learning what all of those words mean, but that's kind of it. I didn't become some sort of pro or anything like that, but when I was in school, third year, I just didn't go to class. I was really done with school and I was kind of over it.

I was like, I'm going to go get a job. I'd gotten more into programming and that kind of stuff, so I was like, I'm going to go get a programming job. I applied to a few places, one of which though was Matasano Security, which was a really well known security consultancy, and what they would do is they would take people who knew what all the words meant and could string them together and really teach them how to be a professional consultant at a really high level. So I mean, definitely some luck, some just like, oh, I happened to have learned a really good set of things. I was able to get in there, and then from there I was like, "Oh, security is definitely the path I want to go down."

Shane:

Cool, and then how did it end up turning into a career? I mean, a lot of people start hacking around on projects and so on when they're teenagers, and kind of real life gets in the way of that and they end up joining a big company or something. How did you actually turn that into a career?

Rob:

Yeah, I think fortunately I came into the security industry at a time where there were career paths ahead. I didn't have to really forge a new path. It was just, hey, I was in consulting for a while and then I responded to a LinkedIn ad for a job at a... It wasn't a big company, but a startup. I think that's the other side of it is I definitely made a career for myself within the startup world as opposed to going to a really big company. I've had 10 years of experience, but it's basically all consulting and startups, and I've really enjoyed that.

I found that to be almost like a niche within the industry, being that person who can come in very early and do a startup's security program or be the first person and kind of go from zero to one. So for me, coming into my first job outside of consulting, it was like, oh, okay, cool. This is what it's like to build it on the other side. And I kind of went back and forth a little bit, but ended up really just making a career out of going to companies at zero state or close to zero state and putting in all those first building blocks and sort of building a security program that is, I guess, unique to that company.

Shane:

Yeah, I think a lot of people, when they go into a security career in general, they look at the bigger companies that already have well-made roadmaps for what a security engineer should look like or what a security consultant should look like. So I think coming into startups when, frankly, I think a lot of the time, it's a case of firefighting, where security is generally one of these things that's hired very late and you're coming in almost a year or two late, creates a very interesting set of work. And I guess similar to me, you've been in the unfortunate position of being a founder of a security company as well, which is that x10. I'd love to hear a bit more about Observa, what it was, how it came about, and I guess where it ended up, if that's okay with you.

Rob:

Yeah, of course. So I started off the founder idea... Again, back when I was in high school, I was really into Hacker News, and actually that first job at Matasano Security I discovered via Hacker News, because Tom Ptacek is one of the founders of Matasano Security. He's number one on the leaderboard of hackers, so he's all over the place on Hacker News to this day. And so I discovered Matasano Security through that, but I also was just fully enveloped in this whole founder mythology and startups and all this. I loved it. So it was always in the back of my head as kind of like a, "Oh man, can you imagine going through Y Combinator and all that stuff?" And I was at Robinhood for a few years. I actually read a book that I have over here on my bookshelf. I'll grab it real quick actually just for the visual effect, but it's called The Launchpad and it's about one of the Y Combinator batches.

It's like somebody wrote a book, they went and kind of tagged along, and I read it and I was like, oh man, I never applied. I never did anything with that and whatnot. And then I had spent enough time in security at Robinhood where I was like, "Well, we've been building all this detection and response tooling and it's this huge investment. I wonder if a smaller company would be down to pay for a very small version of this," where it's just sort of almost checking a box, but an important box to check, that, hey, if somebody logs into your Google account and then your Slack account, the impossible travel thing, from California and New York within five minutes, then you'll just get a heads up. But ideally focusing on higher signal stuff; impossible travel is not necessarily always high signal, but that's the idea, right, is high signal stuff that a startup founder who's in a smaller company might look at and say like, "Oh, you know what? Those things would be valuable to know," and then I could sell that to startups.

So that was the original idea. And then I applied to Y Combinator after reading that book. I was like, this is a really good idea, I'm going to apply. And it turns out I got in and I was like, "Wow, that's amazing, dream come true," did Y Combinator, but immediately found out, oh yeah, startups, they don't want to buy this weird security idea. Nobody's interested in this. So I pivoted a couple of times. I looked at some threat intelligence stuff for bigger companies, I looked at just a few different ideas, talked to a ton of people, and when I finally decided to really build a product out, it was, all right, let me take that same idea of really high value, high signal, low noise detections and apply it to cloud accounts.

So the thing I started with, or the thing I ended with on that, was detecting that you've made a database public, and actually I've seen this happen in the past: somebody in a dev environment accidentally made a database public to the internet and there's nothing in it, but that was used as a vector to get into the system and then mine Bitcoin. And so, okay, that's an easy thing to detect. I can look at all of your public IPs and I can check, is this a database, and just let you know if it is. So I built that out. That was kind of like an MVP. I did the whole launch thing and got a few users, really just a lot of signups, less than a dozen active users. The alerts went off a couple times and nobody cared. And I was just like, man, I've spent a year just toiling on no ideas.

And I was like, you know what? I'm kind of not really interested in pursuing this further. That's where it kind of left off. But one of the interesting things that I learned from that was, hey, all of these startups that I'm struggling to figure out how to sell a security tool to, they all use Vanta. A ton of them use Vanta, right? And that's where I kind of reached out to Christina from Vanta and I was like, "Hey, I'm a YC founder, shutting down my thing, but it seems like everybody uses Vanta, you need a security person." And it kind of went from there to the next stage of my career.

Shane:

Awesome, yeah, I think building security companies is particularly hard, especially when you're in the kind of tight timeframe world of YC where every single week you need to sign X new users and keep up a 7% weekly growth rate. What do you think were the hardest things-

Rob:

Yeah, I was not keeping up any weekly growth rate.

Shane:

Yeah, no, it is definitely tough in the early days, and I think security especially is one of these things that's just very slow to start, but once you get into a rhythm of it, it really starts to move. But generally, what were the hardest parts about building a security company, and why do you think Observa didn't work out the way you wanted it to?

Rob:

Yeah, I think one of the hardest parts for me was realizing that... I went into this fully knowing that it's really hard to sell security products to early stage startups because they have other priorities, obviously. But I went in there with this theory that, hey, I think I might have an angle with this detection and response stuff that would resonate, and I was just wrong. That angle that I had and I went with was just incorrect. So fair enough, you try stuff. I hesitate to draw any other conclusions because I think there's an alternate reality where one of those things I pivoted to just really resonated and I figured out an insight that I was able to pull the thread on and turn into something bigger, or I went longer and I didn't leave it after a year or so and go on to something else.

So it's very possible that somebody else's startup success story had the same start as mine. And I've talked to people who said like, hey... I talked to a very smart person who said, "You totally would've been fine if you had a co-founder," because I was doing it solo, and I don't believe them. But at the same time, I'm kind of glad I didn't have a co-founder, if that's the case, because I'm happy with the direction it went. I wouldn't have wanted to just kind of go back and forth between ideas for that long. It just doesn't suit me. Some people do it and they end up with a billion dollar company and good for them, but I have my own path. But I'm hesitant to draw any real conclusions about startups and founders and that kind of stuff from my own experience because N equals one, right?

Shane:

Yeah, there's a good chance that if you just tried it again, everything would be going swimmingly, but you just never know these things. Yeah, so you're at Vanta now, and Evervault is a very happy customer of Vanta; it helps us really smooth out a lot of our SOC 2 and PCI compliance processes and so on. What is Vanta and what do you help companies do?

Rob:

Yeah, so Vanta is a platform that does sort of security and compliance monitoring and automation. You can think of it as a trust management platform. That's one angle, where how do you build trust with your customers and your stakeholders, your prospects? We have a variety of products that help you do that. The sort of flagship is getting a SOC 2, which is really painful sometimes if you're a startup or a mid-market company with a more complex situation, and Vanta has a lot of integrations and automation that helps you do that. And then things like proving and demonstrating your security posture through trust reports and that kind of stuff as well. So that's the core of what it does.

I like to think of it personally as sort of where you sort of orchestrate your security and privacy program. That's the higher level abstraction around, hey, this is all the stuff we want to do, let's go make sure that's happening. But sometimes the things that you're actually doing themselves might live in another place like Okta or Google or whatever system that is relevant to your stack.

Shane:

Yeah, I would say we were probably a reasonably early customer of Vanta, and my general impression at the time was that Vanta was just kind of like a one-stop shop where you're trying to sell to a customer, they need you to have a SOC 2 certification. The founders typically have no idea what that is or how they go about getting it. And then you go to Vanta and they just introduce you to an auditor and they help you through the whole process. Has that changed, or is there a different buyer now compared to what it was a few years ago?

Rob:

That's a great question. I think there's still a core there, that's still the bread and butter: we have a ton of companies who are early stage, they're trying to sell to a bigger company. They were told you need a SOC 2, they come to us, like, "What is a SOC 2?" And we help them get across the finish line and we can do that pretty quickly. We're really good at that part for sure. And then as we've gone up market as a seller, as a producer of software, we are selling more to people like me. Now, I am in a lot of ways an important customer of Vanta because I am a mid-market security leader at a startup, and so we are trying to address more than just that box checking. We're trying to actually improve your security posture and then demonstrate that to auditors, third-party stakeholders, partners, whoever it is. I think that's the key movement, is that move up market means introducing a new buyer, which is either a security leader or a compliance leader or an IT leader who is thinking in pretty much a full-time way about these problems.

Shane:

And do you communicate the product differently to all those different buyers or have you tried to find a way to unify all of them?

Rob:

I think definitely differently. I mean, this is not my department, but I think it has to be different, right? Because the value proposition is completely different. To your point, the value proposition for a one person or two person startup is, we'll help you unlock that sale. The value proposition to a security leader is, we will help you do your job. Your job of securing, or managing risk, I guess I'd say. In a lot of ways it's the same core features that apply to either one, especially if you build them right. You build them for the one who actually really cares about the underlying security in a deep way, but you make it easy enough that it can apply to everybody, even the folks who are more motivated just by, "Hey, I care about security, but my company's going to die if I don't get this sale. I care a lot about that sale." It's a different value proposition, a lot of the same underlying tools, and then some, "Oh, hey, we have a better version of X, Y, or Z if you need that sort of thing."

Shane:

Yeah, I would say we have a lot of the same challenges just in terms of how we actually communicate why the product's important to various companies at different stages. For the one or two person company, it's almost always only something that they'll do if it's a hair on fire problem, where they either have to go through a compliance certification or they're trying to close a deal and it's sort of existential, and that's when we come in. But at a later stage, it's always sort of a security buyer where you're trying to make their life easier and they're already thinking about security. They're not saying things like, "We don't care about security," because they obviously do and they have a full-time team. Which sort of points me in the direction of: you're now security lead at Vanta, and security is a core part of the value prop of what Vanta's product even is in the first place. What does your role entail, and what do you actually do day to day?

Rob:

Yeah, it's a variety of things, but ultimately the high level thing is I'm responsible for building and operating this security program, which means a lot of things, right? We've built a lot of the foundational pieces of that program. So security operations: we have a SIEM tool in place. We get alerts from that tool. We have to triage those alerts. We need an on-call rotation process by which we go triage those alerts. We have a product security program where we're going and partnering with engineering teams to review code, review... RFCs is the system we use for technical kind of design specs and stuff like that. We have a governance program where we're updating security policies and making sure that people actually use and understand them and we don't just throw them over the fence at people, and all that kind of stuff. So there are all of these processes in place to ultimately accomplish what I would say is maybe three goals.

One is reduce the risk of an information security incident. Two, reduce the friction caused by information security controls. And then the third one is kind of specific to Vanta, but use subject matter expertise to accelerate the business. So we know a lot about security. We are in a lot of ways the buyer that we're trying to sell to, and so using our expertise to say, hey, when you're in a sales call talking to somebody who's a security lead and you say this, it's not going to hit right. Maybe talk about it this way. There are a lot of security pitfalls, things like, oh hey... And luckily this hasn't come up, but as soon as I joined Vanta, I got ahead of this and I was like, "If there's a security breach at another company, especially if it's a competitor of ours, or anybody, we don't talk about that." We just can't. There's no way for us to talk about that in a way that reflects well on us or the industry, and it's just not the right thing to do.

But you see that all the time at security companies, where you have people in sales or marketing who say, "Oh, this would never happen to us," and you're like, "Hey, it would, it can happen to anyone." So that's part of that third goal, is just making sure that that subject matter expertise is used to its maximum potential within the company, since we do sell security compliance software. So that's a long way of saying the overall structure. But day-to-day, I'm meeting people, I'm writing docs, I'm reviewing code; this week I'm on call, so I'm doing alert triage and stuff like that. We're still tuning our SIEM tools, so we get a lot of false positive alerts, and then I'm going and talking to people like, "Hey, should we just filter this out, what do we do with this?" A lot of that kind of stuff, I would say. And then trying to produce more content as well, trying to write interesting blog posts and share some of what we're doing with the world.

Shane:

Yeah, generally I think the two tropes in security are, on one hand you have the kind of compliance and regulatory driven ones who spend most of their time on policies and procedures and just compliance frameworks and so on, and then on the other hand, typically more in the kind of startup space, you have security teams that are actually software engineers. I know you mentioned that you spend some time doing code reviews, but do you ever actually implement any of the security tooling and code yourself or with your team?

Rob:

So our team is... And I realize, by the way, I left out one big part, which is enterprise security, so anti-malware, that kind of stuff. I had to say it out loud so people didn't think I'm crazy. We hire people; at this stage, we're still a pretty small team. There's myself, two security engineers and a technical program manager, all very senior, all can write code. One of our security engineers was like... He's staff security. He was a staff software engineer in a previous life. So we have people who are very technically proficient, can implement everything we need to do, from automation on our side to, "Hey, we want to add a product feature." I can go and write a PR for that if it's small enough. In general, we don't want to step on people's toes too much, but we can parachute in and help as needed because we just have that skillset, and that's part of our value proposition within the organization: people feel really comfortable coming to us because we're not throwing stuff over the fence at them.

We're saying, "Hey, you know what? I'll carve out some bandwidth. I'm going to jump in and I'm going to help you fix this," or, "I'm going to show you how to fix it. I'm going to do the research to learn the libraries we're using and how to use them correctly," and this, that and the other. I'm not just going to say there's a high level problem from a tool somewhere, you have to go figure out how to solve it. So at this stage at least... And I think it's totally fine to hire specialists who maybe don't know how to code at all, right? But they do other parts of the situation. I think at this stage we are in a position where we need generalists, and one of the core skills of a generalist is the ability to write code.

Shane:

It sounds like it fits very neatly into your original framework of zero to one security. You're still very hands-on, because it's all fine and good to say, here's what security should look like, but unless you're actually doing the work, it's just really hard to get it prioritized. And a lot of our listeners are either founders of startups or working at early stage companies that might be thinking about security. And I know you've written quite a lot on LinkedIn and other places about just startup security in general. If you were a CTO or something at a small company, what would the sort of Swiss Army knife or just MacGyver toolkit of security processes and tools look like for you?

Rob:

Yeah, that's a great question. So I can give a shout to just some of the tools that we use. I'd say, we really like Panther. We bought that recently. We're new users of it, but that's our SIEM tool. It's pretty good for a cloud-native company like ourselves. Lots of SaaS integrations, because that's a big part of the stuff you're trying to monitor, is people logging into Zoom and downloading files or something. Weird stuff like that in SaaS applications that aren't just your servers or your network. We really like Semgrep. I think my face is somewhere on their website, your face is on ours, and they have Semgrep Supply Chain, Semgrep Code. Semgrep Supply Chain is a really cool angle on sort of some of the supply chain security tools because they do a reachability analysis, and that eliminates a lot of false positives.

Recently, we had it flag a JavaScript dependency that had a vulnerability. Actually, 99 times out of a hundred, you ignore those because you're like, come on, there are a thousand CVEs out there, there's literally a hundred, so I can't do a hundred reviews of these things. But because they cut all this down, we looked at it and we're like, oh, this actually matters for us. I was able to actually use the thing and exploit it and I was like, hey, we should go fix this. And so we were able to fix it really quickly because we cut out all that noise. So just really, really content with that outcome there. We use Socket.dev as well for the supply chain integrity part of things, you might call it. I think they probably have their own marketing words that they use, but making sure malware doesn't get introduced in the JavaScript supply chain. Those are three of the big ones, I think.

Oh, the other one I'll give a shout out to is we use CrowdStrike, which is actually a Vanta partner as well, an investor. I mean, everybody knows CrowdStrike. I don't have to say too much. It's good. We use Red Canary too, a great combination, because Red Canary does managed detection and response. And then we use Sublime Security on the email security side today, and we've been very happy with them. Great at detecting bad emails, really updated on threat intelligence, that kind of stuff. And I will say I'm very interested in potentially using Evervault. I don't want to gas you up or anything, but it is very cool. So it's on the list, but we're not users today.

Shane:

Awesome, yeah, we'd love to have you as a user. That's also just really helpful. I think for people at the early stage, they don't necessarily want to hear about frameworks and how they should think about security in general. They just want a specific list of tools, so: who do I go to to get those answers, people?

Rob:

Yeah, exactly.

Shane:

So obviously you spend a lot of time with startups, and I'm guessing just most of your time is in the startup space, both through working at Vanta, being a former founder yourself, and I know you're also a scout at CRV as well. Generally, what are the kind of trends you're seeing in security tooling and products, and what's the most exciting direction that you see all those products going?

Rob:

Yeah, I'll give a boring answer first, which is obviously LLMs and AI are making their way into every security tool, and that's fun. I'm down for it. Let's go for it. So a lot of the tools we use, it's like, oh, beta, the chat portion of this tool, and I'm like, sweet, let's do it. I'm here for all of it. So that's an obvious one. I think more broadly, and it kind of dovetails with that a little bit, what I'm seeing is the trend is signal from noise, I'd say. That's how I would characterize it. You're seeing tools, like I mentioned, Semgrep doing reachability analysis to say, hey, you have a thousand vulnerabilities, but one of them matters to you. That is a really important insight. In a world where we're not just hiring people left and right, and we're trying to be really conscious of our team size and make sure that we have a small but efficient, effective, powerful team, we just can't sift through a thousand findings. So we need that tool to do it automatically, and you have to be smart about it, right?

It's okay to have some false positives, but you don't want any false negatives, I guess. The real vulnerability, you still want it to be in the final list, even if that list is a little bit bigger because of it. So that's the main trend. There's another company I've talked to a bit called EdgeBit, and EdgeBit, what they do is they do a similar kind of idea, but with software running in your production systems, and I think they might even cover npm packages and stuff like that. But the idea is that I think they use BPF or eBPF, Berkeley Packet Filter, in your production environment to see which files are actually even getting loaded into memory, even if you use containers and all that stuff, so that they can say, oh yeah, that Vim CVE, that's in your container. We can just cross that out because it never even gets loaded into memory.

They're pretty early on still, but that was the last time I talked to them. Those were the ideas that they were working on, and it seems like a really smart idea. I really liked that direction of just, hey, we are inundated with noise. The old way of doing it was hire analysts to sift through the noise, and that's where you end up with a SOC with three tiers of analysts, and if that works, that works. But when you're at a startup, that doesn't work. You can't do that. So you need ways to be able to triage alerts and respond to things, look at vulnerabilities, and do that in an effective way, even if you understand, hey, this isn't a hundred percent, but we're getting 90% of the way there with much less work. So I think that's the biggest trend in my mind that I'm seeing.

Shane:

As an engineer, I think everything eBPF related in security is just super interesting. There's so much potential there, and I hope more and more people start working on it. A lot of those tools that you mentioned, they're on the spectrum between, I guess, alerting and observability and knowing when a data breach happens, but some of them are also preventative as well. And at Evervault, we talk a lot about Secure by Design, and I know that Vanta kind of tends to focus a lot on this as well. What does Secure by Design mean to you, and how do you think about it when you're actually doing security work day to day?

Rob:

Yeah, I mean, I think there's this concept of guardrails, not gates. And when I think about Secure by Design, that's kind of what comes to mind. I'm thinking about, hey, our job as the security team is to help put up guardrails so that you have the paved path, an easy, secure way of doing things. I think that concept... Netflix was really big on that on their security team, and it really propagated out through the industry through their talks and software. So I think that's the core piece, is making sure that an engineer who's writing code changes has the context that they need and the resources that they need to make good decisions.

The goal is not to make decisions for everybody, but the goal is to make their mental model of the world reflect reality enough that they can make good decisions on their own. And if you hire somebody who has a good mental model of the world and still makes bad decisions, then that's a different issue. That's a hiring issue.

But most of the people who you're hiring, they have a good mental model, they're going to make good decisions. You give them the resources to backfill their mental model when things go wrong. By that, I mean, hey, they wrote a bad code change, but a tool flagged this might have a security issue, and they can look at it, learn more about it and say, ah, I should talk to the security team because there's a gap in my knowledge here, and they might know what's up, or somebody else on my team might know, or I can go and read from these tools that the security team has purchased for the company. So I think that's what I think about when I think of Secure by Design. I know there are a lot of ways to implement that, go deep into the code and create primitives that sort of work securely by default, and that's important as well. Just all these different layers at which you can implement that philosophy.

Shane:

And I think the whole goal of Secure by Design, and I guess security more broadly, is just stopping data breaches from happening and stopping infrastructure from getting breached by people that shouldn't have access to it. I'm curious whether there are any breaches that you've either been part of or read about that you find particularly compelling, and if there are any interesting lessons from them that you think people should hear.

Rob:

Yeah, absolutely, yeah, and I'd actually amend what you said though, if you'll indulge me. I think the goal of security is not necessarily to stop breaches. I think you want to set goals you can achieve, and that's probably not, in the grand scheme of things, an achievable goal for the industry, but I think effectively managing risk is really the core of what we do, both of us.

I think managing risk is saying, hey, I need to be able to make a choice for the business, and that choice needs to be responsible for my customers. It needs to be responsible for my shareholders, it needs to be responsible for the direction of the business, my employees, everybody. It needs to further our goals as a business, and you can't do that if you don't take any risk. And so it's about saying that risk is crazy, we should never do that, and that one is probably fine. We'll put up some guardrails to make sure we're okay. We can respond effectively if it goes wrong, but X, Y, Z, we're going to be okay. I think that is where all of the nuance really comes into play because if you want to stop data breaches, just turn off the computer, right?

Yeah, that's the one correction I'd make there. With that said, yes, speaking of data breaches and to the point I made earlier, I'm always hesitant to name a name and say, oh yeah, they got breached and X, Y, Z, but I just want to commend when CircleCI got breached, they had a security incident, they were super upfront about it, they published a lot of really interesting information about what happened, and again, this could happen to any of us. These things absolutely happen. So what we were able to do is we actually took the information that they put out there about what happened with them and we were able to run tabletop exercises internally and learn from it, and that is fantastic. That is the best possible outcome there is, because hopefully we're not the only ones and hopefully other companies saw that and were like, oh, what if that happened to us?

So in their case, if I'm remembering right from their post, it was some malware ended up downloaded on an engineer's laptop and then that malware was able to steal a session that was sort of a post-SSO login session to an end system, and then that was then escalated into getting some infrastructure production access. For us, we were able to look at that and say, okay, let's assume the most privileged engineer, their laptop gets malware, what happens next?

What do we have to detect it, prevent it? What do we have to prevent the next thing that's going to happen? Let's assume breach. Let's assume that happened. What about the next thing? Will we detect that? Will we prevent that? What about the next? And really just go through that attack chain or tree, and I think that those kinds of moments really are speaking of updating your mental model of the world. Those are the moments that let you take a big step in, okay, this is the kind of stuff that's actually happening to startups out there. This is the kind of stuff that we need to do to prevent it. This is how we're going to improve our threat model and improve our security posture.

Shane:

Cool, thanks Rob for the conversation. It was super interesting and I definitely learned a lot. Just before wrapping up, I'm curious if there's anything else you'd like to add on security in general on how people should be thinking about it, and then also just where can people find your work online or any of your thoughts or opinions on security because we all have them.

Rob:

Yes, we all do. Yeah, I guess at a high level, one of the most powerful insights that I've been able to apply is here at Vanta. This is my first time, I've been here almost, not quite two years, but I've been here a little while now. It's the first time I've led a security program from zero to one. I was very early at Robinhood and I learned a lot there from Karthik Brohan who was my boss, and we learned a lot from Netflix just as third-party observers. One of the biggest insights that I've been able to apply here, that just over my two years has started to pay dividends, is your job is to be a partner, right?

Your job is not to be the wall that things stop at. Your job is to make sure everybody, including the CEO, potentially the board, all of the individual contributors, all the managers, everybody has the context that they need to make good decisions and make sure that they're informed about risk and that you are documenting and tracking how people are responding to risk and updating your models and whatnot. But your job is not to stop things. Your job is to enable things, right? Your job is to make things go forward. Guardrails not gates.

One of the things that I do, I mentioned sort of the goals of our program, one of them being reduce the friction caused by information security controls. We run surveys twice a year along with a couple other teams and ask, hey, what are we doing that's stopping you from getting your job done? I get feedback constantly when those things go out or when I talk about this at an all-hands, I get feedback. "Oh my God, I just joined. My last company, I never talked to the security team. They were the worst. Anything you said, you send them something for comments, they'll just mark up the whole thing." You get those kinds of pieces of feedback and it's great because the end result is not, oh great, I get to be everyone's best friend. Oh, great, when people have problems, they come to us.

Even if they're kind of sensitive in nature, we can go to people and talk about things that are maybe a little bit personal, maybe a little bit this, that and the other because frankly, we see their emails sometimes, we see what's running on their computer. We see a lot of stuff and we have to be really responsible with that and they have to trust us with that.

So we don't run phishing exercises like simulations because that's just going to erode trust. We try our best to say yes and manage risk instead of saying no, and I think that's paid a lot of dividends and I think that is the right way to approach this stage of building a security program. So that's the final kind of learning I'll add on. I am on Twitter at, it's Rob Picard, P-I-C-A-R-D, also on LinkedIn, Rob Picard. I'm the one who works at Vanta, and so yeah, I'll post sometimes articles on LinkedIn and stuff like that, easier than getting people to a blog. They seem to read it on LinkedIn.

Shane:

Awesome, thank you. I wish you and Vanta all the best and thanks so much for jumping on.

Rob:

Thank you.
