3000: Vanta - The AI Advantage in Security and Compliance
Tech Talks Daily, August 21, 2024
28:56, 19.6 MB

In this episode of Tech Talks Daily, I'm joined by Jeremy Epling, the Chief Product Officer at Vanta, a leading trust management platform that has been recognized as the #1 Most Innovative Security Company of 2024 by Fast Company. Jeremy brings a wealth of experience to the conversation, with an impressive career that includes over 16 years at Microsoft and 4 years at GitHub, where he played pivotal roles in product development and innovation. Now at Vanta, Jeremy is driving the company's AI strategy to strengthen cybersecurity and compliance for organizations of all sizes.

During our discussion, Jeremy provides an insightful overview of his journey from major tech giants to his current role at Vanta. He shares how his deep-rooted passion for programming and product development led him to Vanta, where he is now focused on leveraging AI to revolutionize the way businesses approach security and compliance. With AI's ability to analyze vast amounts of data quickly and accurately, Vanta's solutions are helping companies streamline their compliance processes, saving them significant time while ensuring greater accuracy and trustworthiness.

Jeremy also delves into Vanta's innovative use of AI in their product offerings, such as automated security questionnaires and trust centers, which are designed to bring tangible value directly to customers. He discusses how Vanta prioritizes transparency in their AI practices, ensuring that customers retain control over their data and processes. As the conversation progresses, we explore the findings from Vanta's State of Trust report, revealing critical insights into how AI is shaping the future of cybersecurity. From the limited allocation of IT budgets to security to the growing comfort with AI regulations among UK leaders, Jeremy offers a comprehensive view of the current landscape and the role Vanta plays in navigating these challenges.

Join us as we uncover the potential of AI to fortify cybersecurity defenses, enhance compliance, and build trust in an increasingly complex digital world. Where do you see the future of AI in cybersecurity heading, and how can businesses stay ahead in this rapidly evolving field? Tune in to hear Jeremy Epling's expert perspective and discover how Vanta is leading the charge in trust management.

[00:00:03] [SPEAKER_01]: Have you or your business ever thought about how AI can fortify business cybersecurity

[00:00:10] [SPEAKER_01]: defenses and enhance compliance? Or what innovative strategies are leading companies using right

[00:00:17] [SPEAKER_01]: now to stay ahead in the security game? Well today on Tech Talks Daily I'm excited to

[00:00:24] [SPEAKER_01]: Jeremy Epling, Chief Product Officer at Vanta onto the podcast. With an impressive career

[00:00:31] [SPEAKER_01]: spanning more than 16 years at Microsoft, four years at GitHub, Jeremy brings a wealth

[00:00:37] [SPEAKER_01]: of experience and insights into the role of AI and cybersecurity. And named the number

[00:00:44] [SPEAKER_01]: one most innovative security company in 2024 by Fast Company, Vanta is at the forefront

[00:00:51] [SPEAKER_01]: of leveraging AI to streamline security and compliance. So today Jeremy's going to share

[00:00:57] [SPEAKER_01]: his insights and also findings from Vanta's latest State of Trust report, revealing some

[00:01:04] [SPEAKER_01]: critical insights into the current state of cybersecurity and AI adoption. Something

[00:01:10] [SPEAKER_01]: I don't think we talk about enough. We get carried away talking about the shiny

[00:01:14] [SPEAKER_01]: side of AI but less so about the importance of AI adoption in cybersecurity. Reaching

[00:01:21] [SPEAKER_01]: listeners in 165 countries every day is testament to the unwavering support of you

[00:01:27] [SPEAKER_01]: my listeners and our sponsors, without whom this podcast just simply wouldn't be possible.

[00:01:33] [SPEAKER_01]: And it also gives me a chance to talk about the fact that legacy DRM failed to securely

[00:01:37] [SPEAKER_01]: enable external collaboration, especially on sensitive files and how every organisation

[00:01:43] [SPEAKER_01]: faces this risk trust contradiction where they can share content with untrusted third

[00:01:48] [SPEAKER_01]: party. And the company is yet to protect that data. So it's time for something more modern,

[00:01:53] [SPEAKER_01]: a DRM solution that solves that dilemma without compromising security or productivity.

[00:01:59] [SPEAKER_01]: And you can do all that with a company called Kiteworks that will enable you

[00:02:03] [SPEAKER_01]: to say goodbye to deployment headaches, file transfer risks, collaboration barriers

[00:02:07] [SPEAKER_01]: and productivity constraints so you can experience a more modern way to collaborate on sensitive

[00:02:13] [SPEAKER_01]: content without sacrificing control or security. Please visit Kiteworks.com to get started today.

[00:02:19] [SPEAKER_01]: That's Kiteworks.com to get started today. Now is the moment you've really been waiting for.

[00:02:25] [SPEAKER_01]: It's time to get today's guest on. So buckle up and hold on tight as I beam your ears all

[00:02:32] [SPEAKER_01]: the way to North Carolina where Jeremy's waiting to talk with us today.

[00:02:37] [SPEAKER_01]: So a massive warm welcome to the show, Jeremy. Can you tell everyone listening a little about

[00:02:41] [SPEAKER_01]: who you are and what you do? Yeah, definitely. Jeremy Epling,

[00:02:45] [SPEAKER_00]: I'm the chief product officer at Vanta. So we are product engineering and design teams here.

[00:02:50] [SPEAKER_00]: And yeah, it's been amazing. I've been at Vanta for one year and the company has just

[00:02:55] [SPEAKER_00]: grown so much throughout its history. When you look at like really where Vanta came from,

[00:02:59] [SPEAKER_00]: people were doing these manual point in time assessments for audits and trying to get

[00:03:05] [SPEAKER_00]: compliance. So few people were able to get SOC 2 and ISO because of how much

[00:03:08] [SPEAKER_00]: manual work was required in the process. And then one of the issues that you run into

[00:03:13] [SPEAKER_00]: with that same process is, hey, great, you got a certification, but the next day,

[00:03:17] [SPEAKER_00]: is it still good? Right. And it's like a whole year. You're kind of wondering,

[00:03:21] [SPEAKER_00]: like, is the person still up to date on this or not? And Vanta really transformed that

[00:03:26] [SPEAKER_00]: in 2018 when it was founded by creating automated compliance. So this entire new category of

[00:03:31] [SPEAKER_00]: not only how do you get compliant, but how do you stay compliant? How do we have real time

[00:03:35] [SPEAKER_00]: monitoring so that you know when you're getting off track, which also not only makes it easier

[00:03:40] [SPEAKER_00]: for you to constantly stay on track and feel good about your security and compliance

[00:03:44] [SPEAKER_00]: progress over time. We enable you to then share that with your customers directly on

[00:03:48] [SPEAKER_00]: your trust center so you can build more trust with them as well. And understanding that, hey,

[00:03:53] [SPEAKER_00]: even though if your last audit was a year ago or was nine months ago or whatever else,

[00:03:57] [SPEAKER_00]: you're still keeping on top of everything. It also means less work for security teams

[00:04:01] [SPEAKER_00]: as well. Because instead of kind of going back and having to go find all this crumpety stuff that

[00:04:05] [SPEAKER_00]: may have broken in the last like nine months, and now you're rushing to go do it through the

[00:04:09] [SPEAKER_00]: audit throughout the whole year, you're constantly staying up to date on what's happening.

[00:04:13] [SPEAKER_00]: And I think one of the interesting things that's happened with Vanta has really been

[00:04:17] [SPEAKER_00]: the AI explosion as well. And when we look at like Vanta AI and where that's

[00:04:22] [SPEAKER_00]: needed, how we've been able to introduce AI to the compliance process that's very heavy

[00:04:26] [SPEAKER_00]: kind of documents and data to areas where large language models are really great.

[00:04:32] [SPEAKER_00]: So I think those have been some of the key interesting areas that at least during my time

[00:04:36] [SPEAKER_00]: at Vanta, we've been very focused on around really redefining kind of from these point in

[00:04:41] [SPEAKER_00]: time assessments to automated compliance into full trust management, and then really going

[00:04:46] [SPEAKER_01]: deep in Vanta AI. Well, it's a pleasure to have you join me. Before we started recording,

[00:04:50] [SPEAKER_01]: I was admiring your setup there. You look and sound great, especially for a podcast.

[00:04:56] [SPEAKER_01]: You did let slip that you have worked at GitHub in the past. So can you provide a little bit more

[00:05:01] [SPEAKER_01]: information about your backstory, your role at Vanta and also your experiences everywhere

[00:05:06] [SPEAKER_00]: from Microsoft to GitHub? Yeah, definitely. I started off like

[00:05:10] [SPEAKER_00]: way back when in high school teaching myself how to program as an engineer. So I was just

[00:05:15] [SPEAKER_00]: super excited. It was like the late 90s, the web was exploding. It was pre the first

[00:05:19] [SPEAKER_00]: bubble for the .com and was excited. So built a bunch of websites for small businesses.

[00:05:24] [SPEAKER_00]: And like that was kind of my high school job, I guess a little bit of an entrepreneurial job.

[00:05:29] [SPEAKER_00]: Yeah, I went to university study computer science, started with startup. It didn't

[00:05:33] [SPEAKER_00]: really go anywhere but led to a job at Microsoft. I was there for about 15 years

[00:05:39] [SPEAKER_00]: working on a lot of different products. I worked on Windows on the graphics libraries,

[00:05:44] [SPEAKER_00]: common controls, things like that. Worked on Office, was on the team kind of from day one

[00:05:48] [SPEAKER_00]: starting OneDrive and kind of scaling that up to maybe around few first million users.

[00:05:55] [SPEAKER_00]: And then worked on Azure for a little while. And then yeah, eventually came to GitHub

[00:06:00] [SPEAKER_00]: and led a bunch of new product development there. So when I joined GitHub, it was

[00:06:05] [SPEAKER_00]: right after the acquisition by Microsoft. And we were really expanding GitHub from

[00:06:09] [SPEAKER_00]: as amazing product for source control and community and issue management, but really

[00:06:13] [SPEAKER_00]: wanted to be a full developer platform. So I led the teams that built like GitHub Actions,

[00:06:18] [SPEAKER_00]: which is continuous integration delivery platform there, GitHub Packages and the

[00:06:22] [SPEAKER_00]: container registry, GitHub Codespaces, which is basically building development

[00:06:26] [SPEAKER_00]: environments in the cloud and the acquisition of NPM. And NPM was later on my team.

[00:06:31] [SPEAKER_00]: And then yeah, a year ago decided to look for something else really love that early

[00:06:36] [SPEAKER_00]: stage building even when I was at Microsoft and like the days at GitHub, I just loved the

[00:06:40] [SPEAKER_00]: zero to one building a new product, trying to figure out how to make it fit,

[00:06:43] [SPEAKER_00]: how to make developers like really love that or the different customers that we have.

[00:06:48] [SPEAKER_00]: So yeah, met Christina and like, yeah, she was just an amazing founder. We kind of clicked

[00:06:52] [SPEAKER_00]: really quickly. I was super excited about the mission for the company and the product

[00:06:56] [SPEAKER_00]: and where we could take it. And yeah, it's been an amazing first year.

[00:07:01] [SPEAKER_01]: Wow. You've been on an incredible

[00:07:02] [SPEAKER_01]: journey. Such a rich history working in the tech industry. And you probably get a little

[00:07:07] [SPEAKER_01]: bit frustrated about the hype that surrounds AI now. You've probably been seeing AI way back

[00:07:12] [SPEAKER_01]: before everyone got excited about it, but there is so much, as I said, hype at the

[00:07:17] [SPEAKER_01]: moment, especially around things like content generation, maybe even coding and collaboration.

[00:07:23] [SPEAKER_01]: But one of the reasons I invited you on today was to talk about how AI can enhance

[00:07:28] [SPEAKER_01]: business's cybersecurity defenses through things like improved compliance measures.

[00:07:33] [SPEAKER_01]: It's the kind of areas that we don't talk about enough, but it's fundamental in IT

[00:07:37] [SPEAKER_01]: and business resilience. So can you expand on that for me?

[00:07:42] [SPEAKER_00]: Yeah, definitely. I mean, I think there's a huge opportunity here. I think with

[00:07:45] [SPEAKER_00]: any new technology, there's always going to be probably some amount of overhyping

[00:07:50] [SPEAKER_00]: that happens in the beginning where people can see what it could maybe do.

[00:07:52] [SPEAKER_00]: And some of that comes true. And some of it is probably a few years away.

[00:07:56] [SPEAKER_00]: I think for AI, it really has a really interesting use case and security and

[00:08:00] [SPEAKER_00]: compliance for a couple of reasons, especially in compliance. Like what are large language

[00:08:04] [SPEAKER_00]: models usually really great at? It's really analyzing lots of text and producing text.

[00:08:09] [SPEAKER_00]: And a lot of security work is actually still rooted in that, especially with compliance.

[00:08:14] [SPEAKER_00]: There's a lot of paperwork and spreadsheets to go back and forth.

[00:08:17] [SPEAKER_00]: A lot of the GRC (governance, risk and compliance) teams I talked to

[00:08:21] [SPEAKER_00]: are still manually working in spreadsheets. They're sending tons of documents back and

[00:08:25] [SPEAKER_00]: forth. If you're a company that's selling software, the kind of API you're using a

[00:08:29] [SPEAKER_00]: lot of the time is actually sending a massive questionnaire back and forth around

[00:08:33] [SPEAKER_00]: security questionnaire. So if we're you're selling ACME and ACME is selling software

[00:08:38] [SPEAKER_00]: to some other company, what are you going to get? You're going to get a questionnaire.

[00:08:40] [SPEAKER_00]: Could be 400 questions long about all these different security practices.

[00:08:44] [SPEAKER_00]: So there's so much text kind of going back and forth that I think

[00:08:48] [SPEAKER_00]: LLMs really enabled this whole new way of approaching it where basic search and

[00:08:53] [SPEAKER_00]: other tech we had in the past wasn't able to really build that understanding.

[00:08:57] [SPEAKER_00]: So this is one of the big areas we focused a lot on at Vanta, like, hey,

[00:09:01] [SPEAKER_00]: how can we automate questionnaires? How can we automate vendor reviews?

[00:09:04] [SPEAKER_00]: Looking for places where people are sending these big docs back and forth and trying to

[00:09:07] [SPEAKER_00]: get the useful knowledge nuggets out of them. And how can we make that a lot easier?

[00:09:13] [SPEAKER_00]: The other thing is around data analysis too. Even in my own usage,

[00:09:17] [SPEAKER_00]: right, if you've been using ChatGPT or using Claude from Anthropic or whatever else,

[00:09:20] [SPEAKER_00]: it's really great for just dropping in lots of data and then asking questions about it.

[00:09:25] [SPEAKER_00]: And maybe you have to do some time describing the columns or whatever else. But

[00:09:28] [SPEAKER_00]: I think that really helps security and compliance teams as well get those actionable

[00:09:32] [SPEAKER_00]: insights. You're not just kind of seeing a trend chart but wondering what is the actual

[00:09:36] [SPEAKER_00]: impact of that? What has changed? A lot of my experience building SaaS products is

[00:09:42] [SPEAKER_00]: when you look at reporting especially, there's this massive kind of long tail

[00:09:47] [SPEAKER_00]: where you may have a bunch of customers that want the same five or six reports.

[00:09:50] [SPEAKER_00]: And then for the long tail there, they all want something slightly different.

[00:09:55] [SPEAKER_00]: And you can either kind of build that for everyone slightly differently,

[00:09:58] [SPEAKER_00]: but it's not really sustainable. And I think AI starts to provide a really interesting way just

[00:10:02] [SPEAKER_00]: ask those questions and automatically generate some of the reports and charts without

[00:10:07] [SPEAKER_00]: a massive engineering investment with tons of flexibility across all these different types of

[00:10:11] [SPEAKER_01]: data. Oh, cool. Another reason I was excited to get you on the podcast today was when I was

[00:10:17] [SPEAKER_01]: doing a little research, I found that Vanta was named the number one most innovative

[00:10:21] [SPEAKER_01]: security company in 2024 by Fast Company. So first of all, huge kudos, huge congratulations.

[00:10:28] [SPEAKER_01]: Can you tell me a little bit more about the story behind that,

[00:10:32] [SPEAKER_01]: especially Vanta's product and AI strategy that obviously led to that recognition?

[00:10:37] [SPEAKER_00]: Incredibly cool, isn't it? Yeah. It was a huge moment for us and

[00:10:40] [SPEAKER_00]: something I'm really proud of. I think the Vanta AI story that we've built is a huge

[00:10:46] [SPEAKER_00]: part of this. We've launched multiple kind of new products that I think are really focused on

[00:10:51] [SPEAKER_00]: bringing AI to help customers. A lot of other companies I've talked to were using AI for

[00:10:56] [SPEAKER_00]: their internal tools, which is great. Our goal is really to bring that to customers quickly.

[00:11:01] [SPEAKER_00]: We have Vanta Trust Centers and questionnaire automation. Whenever you're selling software,

[00:11:06] [SPEAKER_00]: I mentioned before that all of your buyers and prospects will come in.

[00:11:09] [SPEAKER_00]: They have all these questions they want to go ask. One of the things that we've done

[00:11:13] [SPEAKER_00]: is built a live interactive chat bot that you can have right on your Trust Center. You have

[00:11:18] [SPEAKER_00]: a webpage that's just right there built by Vanta. You can upload and control what

[00:11:23] [SPEAKER_00]: all of your documents that are accessible to different people. You can be like,

[00:11:25] [SPEAKER_00]: here's my ISO report. Here's my SOC 2 report. Here's my pen test.

[00:11:29] [SPEAKER_00]: You can control if everyone has access to that, if it's a subset that has access to that,

[00:11:33] [SPEAKER_00]: what the chat bot can use for knowledge. But now your prospects,

[00:11:37] [SPEAKER_00]: instead of already pinging your sales team and then pinging your security team and creating

[00:11:40] [SPEAKER_00]: all this internal work, can really self-serve directly from the Trust Center. They can see

[00:11:45] [SPEAKER_00]: what your controls are, who are your sub-processors, how you're using the data,

[00:11:48] [SPEAKER_00]: how up-to-date you are, ask more detailed security questions.

[00:11:53] [SPEAKER_00]: And then when they do want to go send the big questionnaire, they can go send that.

[00:11:56] [SPEAKER_00]: And then we will analyze the previous questionnaires that the software seller had done before

[00:12:02] [SPEAKER_00]: to automatically answer those. And again, the security team is still in charge. They

[00:12:06] [SPEAKER_00]: still go through and choose which questions they want to approve. But we've really had

[00:12:11] [SPEAKER_00]: amazing success with the quality of these with getting up to an 85% answer acceptance rate

[00:12:17] [SPEAKER_00]: with no edits. So people are just accepting it exactly the way that it is. So we've really

[00:12:22] [SPEAKER_00]: spent a lot of time understanding what is the right ways to optimize our AI to answer some

[00:12:28] [SPEAKER_00]: of these security questions. So I think that on the software selling side, another big one was

[00:12:33] [SPEAKER_00]: what we've done in vendor risk management. Just like you when you're selling software,

[00:12:37] [SPEAKER_00]: you also need to go buy software. And that procurement process can take a lot of time.

[00:12:41] [SPEAKER_00]: And a lot of it's gathering all this documents, all this evidence, pulling that all in,

[00:12:45] [SPEAKER_00]: and then asking questions about it. We've applied that same Vanta AI technology where you can create

[00:12:50] [SPEAKER_00]: these templates. When you get all those documents from your new vendor, you can just dump them in

[00:12:55] [SPEAKER_00]: and we will go ahead and automatically assess those. And you can flag findings. You can link

[00:12:59] [SPEAKER_00]: them to your different risks and what you care about as a company. You can have those

[00:13:03] [SPEAKER_00]: automatically producing Jira tickets or other follow-up items that you need.

[00:13:08] [SPEAKER_00]: And then I think the really important thing we do is give you the references for these as

[00:13:11] [SPEAKER_00]: well. So it's not just an answer where you're like, well, is this accurate? Did it hallucinate

[00:13:15] [SPEAKER_00]: it or not? Like we go, hey, from this document, we pulled it out and here's the reference

[00:13:19] [SPEAKER_00]: so people can double check it. And the normal stuff you would expect,

[00:13:22] [SPEAKER_00]: like you could thumbs up and thumbs down our answers based on that. The models get better

[00:13:26] [SPEAKER_01]: over time. And also when I was doing a little research on you, I also came across Vanta's

[00:13:32] [SPEAKER_01]: State of Trust reports. So can you tell me a bit more about some of the key findings

[00:13:37] [SPEAKER_01]: in that report? And also what are the most critical areas for businesses to understand

[00:13:42] [SPEAKER_01]: right now? Anything that really stood out for you?

[00:13:45] [SPEAKER_00]: Yeah, I think one of the big areas that stood out to me, kind of just continue our

[00:13:49] [SPEAKER_00]: conversation on AI is just there is so much AI that is not only new AI products people

[00:13:55] [SPEAKER_00]: are buying, but your existing products that you've already bought are now adding all these

[00:13:59] [SPEAKER_00]: AI features. And when I talk to different security leaders, they just have a bunch

[00:14:03] [SPEAKER_00]: of questions like, what is this feature actually doing? Did it get enabled? Am I in control

[00:14:07] [SPEAKER_00]: of my data or is it automatically turned on? Is it not? Do I get to opt in? What

[00:14:12] [SPEAKER_00]: level of control do I have there? I think the other top of mind question I hear from

[00:14:17] [SPEAKER_00]: everyone is, is it training on my data? And I think that really comes from a concern

[00:14:21] [SPEAKER_00]: of, hey, if I'm using this model and I'm exposing it to my own intellectual property

[00:14:26] [SPEAKER_00]: or the own inner workings of my company, is it going to like mistakenly just reproduce

[00:14:30] [SPEAKER_00]: that for someone else or for my competitors? And so I think this is one of the top areas

[00:14:36] [SPEAKER_00]: that I hear concern for people and that we've seen for people that are purchasing Vanta,

[00:14:40] [SPEAKER_00]: they ask us these questions. It's actually one of the reasons why I partnered with JD,

[00:14:45] [SPEAKER_00]: who's the CISO of Vanta, for us to co-author a blog post together to explain

[00:14:49] [SPEAKER_00]: what are our principles behind AI? What do we do? How do we think about rolling out

[00:14:54] [SPEAKER_00]: these features, which is giving customers notice and giving them control whenever

[00:14:58] [SPEAKER_00]: we are doing these things. They know when AI is being used, they can turn it off if they want to.

[00:15:02] [SPEAKER_00]: They understand who our sub-processors are, so which vendors we're using for AI.

[00:15:07] [SPEAKER_00]: And then at the same time, we don't train on customer data. So letting you know that

[00:15:11] [SPEAKER_00]: how we're optimizing our models is not based on your data, so you have no concern that

[00:15:16] [SPEAKER_00]: that has a potential to get replicated to one of your competitors or to someone else

[00:15:21] [SPEAKER_01]: that you don't want to know about it. And there were also quite a few

[00:15:25] [SPEAKER_01]: worrying stats in there. One in particular really stood out for me was that the report mentioned

[00:15:30] [SPEAKER_01]: that only 9% of the average UK company's IT budget is generally dedicated to security.

[00:15:37] [SPEAKER_01]: So can you expand on that? What are the implications of that statistic for businesses,

[00:15:41] [SPEAKER_01]: especially in this age where there seems to be breaches almost every day?

[00:15:45] [SPEAKER_00]: Yeah, exactly. And you have the breaches and then you also end up having all these different

[00:15:52] [SPEAKER_00]: unethical actors, if you will, all the different hackers kind of coming in trying to extort these

[00:15:57] [SPEAKER_00]: different companies as well. You have the ransomware attacks. So I think we're only

[00:16:01] [SPEAKER_00]: going to see this go up over time. I think the amount of focus on security and the spending

[00:16:06] [SPEAKER_00]: on security, I think the other thing that when I look at that stat and try to understand

[00:16:11] [SPEAKER_00]: where is it going is also kind of a hiring issue with security as well. So I think

[00:16:15] [SPEAKER_00]: one of the places where software security vendors like Vanta and others have a huge

[00:16:20] [SPEAKER_00]: opportunity to really help these companies because it's really hard to find great security

[00:16:25] [SPEAKER_00]: talent. And then unfortunately, a lot of them are spending time on a lot of these

[00:16:29] [SPEAKER_00]: manual paperwork processes, whether it be they're doing compliance kind of the old pre-Vanta

[00:16:34] [SPEAKER_00]: way where they're manually filling out these reports, kind of going through sending

[00:16:38] [SPEAKER_00]: these documents, taking screenshots versus having built in automated compliance and control

[00:16:42] [SPEAKER_00]: monitoring like Vanta has or the questionnaires or the many other kind of security tasks that

[00:16:47] [SPEAKER_00]: they do that are really manual. So I think that one, we're going to see that kind of like

[00:16:52] [SPEAKER_00]: spending go up over time and they're more focused. And then I think the other thing that

[00:16:57] [SPEAKER_00]: is just like, how do we help all those security professionals be more efficient?

[00:17:01] [SPEAKER_00]: Because it's still a small pool. And I think people are looking for more people to go into

[00:17:05] [SPEAKER_00]: the profession and to specialize more there. And although we're seeing a lot of hype

[00:17:10] [SPEAKER_01]: and excitement around things like AI and automation, how it improves collaboration,

[00:17:16] [SPEAKER_01]: content creation, all that good stuff. According to the report, 8% of UK leaders

[00:17:21] [SPEAKER_01]: already using or planning to use ML and AI to detect risks. Still a very small number, but

[00:17:28] [SPEAKER_01]: how are you Vanta supporting these efforts? Because that number is only going to increase,

[00:17:32] [SPEAKER_00]: isn't it? Yeah, definitely. I mean, I think when we look at what we're doing for

[00:17:36] [SPEAKER_00]: vendor risk side, especially it's really helpful when people are in this procurement process of

[00:17:41] [SPEAKER_00]: buying software. How do we help them really see the efficiency reports like the Vanta report?

[00:17:46] [SPEAKER_00]: We have another one that we're doing on long-term ROI of kind of like trust centers and

[00:17:51] [SPEAKER_00]: questionnaire automation and Vanta AI overall that we'll be sharing out more soon as well.

[00:17:55] [SPEAKER_00]: They really start to show the savings. It's like when I've talked to a bunch of our

[00:17:59] [SPEAKER_00]: customers, many of them will end up saving hours every single week. Sometimes it ends up

[00:18:04] [SPEAKER_00]: 10, 20, 30 hours a week that they would have spent manually gathering these documents,

[00:18:09] [SPEAKER_00]: pulling through all this stuff, just poring through it to kind of do a pretty repetitive

[00:18:13] [SPEAKER_00]: task of like searching, looking for the same tasks over and over again.

[00:18:16] [SPEAKER_00]: So I think those time savings are going to be huge for a lot of these people. And I think

[00:18:21] [SPEAKER_00]: that they'll just start to see the value more. I think there is a little bit of comfort

[00:18:24] [SPEAKER_00]: that needs to come with AI over time and people building that trust. So I think that's

[00:18:29] [SPEAKER_00]: why it's at the point it is. But I think over time, we're understanding what it's capable of

[00:18:34] [SPEAKER_00]: or not. And then some of that depends on the vendor. Are you being really upfront with

[00:18:38] [SPEAKER_00]: how you're treating your customers' data? Do they feel like they have confidence and trust

[00:18:42] [SPEAKER_00]: that you will protect their data? Because with AI, you're getting access to more of

[00:18:48] [SPEAKER_00]: their data than you probably have before and running a new set of tech over it.

[00:18:52] [SPEAKER_00]: But yeah, I think that there's all these new applications too that we're starting to get,

[00:18:55] [SPEAKER_00]: even for these manual cases in GRC where to provide evidence to your auditor,

[00:19:00] [SPEAKER_00]: maybe there aren't APIs where you can really automate it or even a product like Vanta can't

[00:19:05] [SPEAKER_00]: automate it and you still have to send a screenshot. AI is great at kind of analyzing

[00:19:08] [SPEAKER_00]: that and pulling out the interesting information. So I think there's a lot of

[00:19:12] [SPEAKER_00]: these other places, which Vanta does as well with the different screenshots there.

[00:19:16] [SPEAKER_00]: When you go ahead and think about the different controls you have to

[00:19:20] [SPEAKER_00]: run your program, how do you automatically map those to risks? And then how when you're

[00:19:24] [SPEAKER_00]: evaluating a new vendor, can we automatically be like, hey, you've told us you have these

[00:19:28] [SPEAKER_00]: company risks and you have these controls. Don't even worry about telling us all the

[00:19:33] [SPEAKER_00]: little questions from that. We can infer these are the set of things you're going

[00:19:35] [SPEAKER_00]: to care about and then classify this vendor that you're looking at as high risk.

[00:19:39] [SPEAKER_00]: And you may want to have these set of conversations with them. So I think overall,

[00:19:43] [SPEAKER_00]: we're going to see more comfort building with these. But I think it really comes down to

[00:19:46] [SPEAKER_00]: the individual vendors like Vanta being really clear on transparency and control,

[00:19:51] [SPEAKER_00]: how you're using the AI, what you're doing with it. Customers know and feel empowered around

[00:19:56] [SPEAKER_00]: when they're using it and where it's good and where we're still learning.

[00:20:02] [SPEAKER_01]: I'm glad you mentioned the word risk there because they have a lot of risk-averse

[00:20:06] [SPEAKER_01]: industries from finance and legal, obvious examples. And for those reasons,

[00:20:11] [SPEAKER_01]: I was unsurprised to read that six out of 10 UK decision makers at some of those larger

[00:20:15] [SPEAKER_01]: organizations feel that regulating AI would make them much more comfortable investing in it.

[00:20:21] [SPEAKER_01]: What are your thoughts on that? It is something we're seeing more and more of. And how are you

[00:20:25] [SPEAKER_00]: addressing some of these concerns? Yeah, definitely. I think that for Vanta,

[00:20:31] [SPEAKER_00]: obviously one of the things we help people do is automate compliance. So we're very involved

[00:20:35] [SPEAKER_00]: with all the different regulations. Two things that we are going through now and now offer in

[00:20:40] [SPEAKER_00]: our product and we're the first to offer was the NIST AI Risk Management Framework directly

[00:20:45] [SPEAKER_00]: built into Vanta. So if you want to adopt that as we have adopted it internally, it's a great

[00:20:50] [SPEAKER_00]: set of best practices for responsible AI usage. ISO 4001, which in some degree is kind of the

[00:20:58] [SPEAKER_00]: codification of the EU AI Act or at least parts of it is really helpful and is something that we

[00:21:03] [SPEAKER_00]: deliver directly through our product as well. So you can get a set of automation and a set

[00:21:08] [SPEAKER_00]: of controls and then have that blended in to all the different parts of your GRC program,

[00:21:12] [SPEAKER_00]: whether that be managing your assets, your vulnerabilities, your personnel and your vendors.

[00:21:19] [SPEAKER_00]: So I think those were kind of two areas. When I think about what can Vanta do with AI,

[00:21:23] [SPEAKER_00]: there's a lot of what we've talked about so far, a lot of great AI products that we offer

[00:21:27] [SPEAKER_00]: and ways we're using it to make our product even better for you. But there's also how can

[00:21:32] [SPEAKER_00]: we keep up and are keeping up with all the latest regulations and delivering that set of

[00:21:37] [SPEAKER_00]: automated value so that you can be like, hey, we really need to go adopt this regulation

[00:21:41] [SPEAKER_00]: or we love this framework here. We want to make that real within our company. So Vanta

[00:21:46] [SPEAKER_00]: really makes it easy for you to go and understand what that is and then automate a lot of that so

[00:21:51] [SPEAKER_00]: that you don't have to do as much of the kind of manual work along with it.

[00:21:56] [SPEAKER_01]: And I think any tech project or indeed tech partnership now comes under close scrutiny for

[00:22:02] [SPEAKER_01]: hey, what business value does it offer? What's the ROI of pursuing this? So do you have any

[00:22:08] [SPEAKER_01]: success stories or examples where Vanta's trust management platform has significantly improved,

[00:22:14] [SPEAKER_01]: maybe shown some measurable impact or tangible difference to security and indeed compliance

[00:22:19] [SPEAKER_01]: for an organization? You don't have to name any names, but is there any stories you can share there?

[00:22:24] [SPEAKER_00]: I mean, I think specifically when I look at Vanta AI, we have questionnaire automation

[00:22:28] [SPEAKER_00]: and trust centers. I think those are two areas where those products have been in market with

[00:22:33] [SPEAKER_00]: a bunch of big customers that are already starting to see success. ZoomInfo is another

[00:22:38] [SPEAKER_00]: great example of this where up to 90% of their customer security questions are answered

[00:22:43] [SPEAKER_00]: via Vanta AI and are getting automated process, which is just amazing to go see. Obviously,

[00:22:48] [SPEAKER_00]: saving them a ton of time every single week. The bigger the customer is also probably the

[00:22:54] [SPEAKER_00]: more questionnaires they're dealing with. I've talked with customers that deal with

[00:22:57] [SPEAKER_00]: hundreds and thousands of questionnaires. And many times these are not just even

[00:23:02] [SPEAKER_00]: 100 questions but can be 300 or 400 questions long. So tons of time saving there.

[00:23:07] [SPEAKER_00]: SmartRecruiters is another one where we save about 20 hours a week by streamlining

[00:23:11] [SPEAKER_00]: security review process, whether it be around questionnaires, their trust center,

[00:23:16] [SPEAKER_00]: or even the chatbot on the trust center. A lot of the times customers go to the trust center

[00:23:20] [SPEAKER_00]: and they interact with the chatbot that's right there. And that's where they can get

[00:23:23] [SPEAKER_00]: a lot of their questions answered. So it's kind of deflecting a bunch of that work

[00:23:26] [SPEAKER_00]: from the security and sales team. The other thing it does is it really drives up accuracy

[00:23:30] [SPEAKER_00]: as well. A lot of the times if you're a salesperson, maybe you're going to get a send

[00:23:34] [SPEAKER_00]: a doc that you sent last time. And maybe you've been doing that for like six or nine months

[00:23:38] [SPEAKER_00]: some of the data may be out of date, right? But it's the convenient thing that you said

[00:23:42] [SPEAKER_00]: last time you're just going to copy and paste it. So I think the other value we get from

[00:23:47] [SPEAKER_00]: Vanta AI in a bunch of these cases is that it's always giving you the latest most accurate

[00:23:51] [SPEAKER_00]: answers as well. And you can kind of drive up not only the time savings but the accuracy

[00:23:55] [SPEAKER_01]: as well. So many golden insights in there. And I'd love to hear more from people listening

[00:24:01] [SPEAKER_01]: on how they're using this technology and how they would like to maybe explore a relationship

[00:24:06] [SPEAKER_01]: with Vanta as well. And we start the podcast today though talking about your time and your

[00:24:12] [SPEAKER_01]: career, your origin story beginning with everything from Microsoft to GitHub to Vanta

[00:24:17] [SPEAKER_01]: today. But of course none of us are able to achieve any degree of success without

[00:24:21] [SPEAKER_01]: a little help along the way. So as we come full circle here and you look back at your

[00:24:26] [SPEAKER_01]: career is there a particular person that you're grateful towards? Maybe someone saw

[00:24:30] [SPEAKER_01]: something in you helped you get you where you are today that we can give a little shout

[00:24:34] [SPEAKER_00]: and a thank you to Tilly. Yeah, definitely. I mean, I think there are so many different

[00:24:39] [SPEAKER_00]: people that have kind of helped me throughout my career and influenced. One of the ones that came

[00:24:42] [SPEAKER_00]: to mind was an early manager I had at Microsoft, Piero Sierra, who is actually now the

[00:24:48] [SPEAKER_00]: CPO at Skyscanner. And he was just really influential to me on one, just helping me

[00:24:55] [SPEAKER_00]: understand what it meant to be a manager. It was my first time being a manager. He

[00:24:58] [SPEAKER_00]: took that bet on me and really mentored me to be like, how do you grow people? How do

[00:25:02] [SPEAKER_00]: you make sure that they're inspired and excited about what they're doing every day? How to look

[00:25:06] [SPEAKER_00]: for different coaching opportunities, how to go do that gave me that big opportunity

[00:25:10] [SPEAKER_00]: when we were working on OneDrive and kind of building that in the early days.

[00:25:14] [SPEAKER_00]: I think the other big thing I learned from him was just how important design is

[00:25:18] [SPEAKER_00]: to product management. And like, what does it mean to have a product that's well designed

[00:25:22] [SPEAKER_00]: and not just useful, but really delightful? And it's something that people love and caring

[00:25:26] [SPEAKER_00]: about all the little details that go along with it. And definitely something that I've

[00:25:31] [SPEAKER_00]: continued with throughout my career and something we strive for at Vanta every day is to kind of have

[00:25:35] [SPEAKER_00]: a high quality, delightful product that people just love using every day and really kind of

[00:25:40] [SPEAKER_00]: polishing all the edges, which I think really adds up over time.

[00:25:43] [SPEAKER_00]: And I think of it as actually a way to build trust. I think a lot of times when

[00:25:46] [SPEAKER_00]: we talk about trust, we think about security and we think about compliance and privacy

[00:25:50] [SPEAKER_00]: and some of these other really important areas that are. But I think there is a certain

[00:25:54] [SPEAKER_00]: amount of trust of when you're using a high quality product, you think if they're

[00:25:56] [SPEAKER_00]: putting this amount of level of detail into making this really good, they probably are

[00:26:00] [SPEAKER_00]: caring about all these other things I'm not thinking about as well. So I look at design

[00:26:05] [SPEAKER_00]: as also being a core part of kind of building trust with customers and building that deep relationship.

[00:26:11] [SPEAKER_01]: Wow, what a great answer. And one of the reasons I always ask that is because

[00:26:15] [SPEAKER_01]: I think he is probably blissfully unaware of the impact he's had on you and your career

[00:26:19] [SPEAKER_01]: and your outlook. So it's so important to get that message out there and hopefully he will get

[00:26:24] [SPEAKER_01]: to hear it. And for everybody listening, what's the best place for anyone to find you or your

[00:26:29] [SPEAKER_01]: team online and find out more about anything we've talked about today?

[00:26:34] [SPEAKER_00]: Yeah, definitely. I mean, come to Vanta.com, check out the product. We have a bunch of

[00:26:38] [SPEAKER_00]: exciting announcements that we've done recently, more coming up and kind of all the time,

[00:26:43] [SPEAKER_00]: especially if you're looking to get certification for SOC 2 or ISO for the first time GDPR.

[00:26:49] [SPEAKER_00]: There's over 30 frameworks that we cover end to end, whether it be in the AI space with

[00:26:54] [SPEAKER_00]: ISO 42001, NIST AI RMF or many others. So yeah, I would say that's the best place to connect.

[00:27:00] [SPEAKER_00]: And then you can find me on Twitter and on Threads as just Jeremy Epling.

[00:27:06] [SPEAKER_01]: Awesome. I'll get all those links added to the show notes so people can find you nice and

[00:27:10] [SPEAKER_01]: easy. We covered so much there, some big stats such as 9% of the average UK companies

[00:27:15] [SPEAKER_01]: mentioning your reports say their IT budget is dedicated to security, a very low number,

[00:27:20] [SPEAKER_01]: but there's a lot to be hopeful about here. And I love how the potential of AI

[00:27:24] [SPEAKER_01]: to fortify businesses' cybersecurity defenses through enhanced compliance should hopefully

[00:27:29] [SPEAKER_01]: change that narrative. And congratulations to you again for getting that award of number one

[00:27:35] [SPEAKER_01]: most innovative security company this year by Fast Company. I'd love to stay in touch with

[00:27:39] [SPEAKER_01]: you, see how this story evolves and maybe those stats will improve next year. But

[00:27:44] [SPEAKER_00]: thanks for joining me today. Yes, thanks for having me. It's been

[00:27:47] [SPEAKER_00]: great discussion and yeah, I'd love to keep the conversation going.

[00:27:50] [SPEAKER_01]: I think it's evident that AI holds tremendous potential in enhancing cybersecurity and

[00:27:56] [SPEAKER_01]: compliance areas that we don't talk about enough. And that can be from automating

[00:28:01] [SPEAKER_01]: compliance processes to providing real time security insights. And Vanta seems to be

[00:28:07] [SPEAKER_01]: setting the standard for innovation in the security industry. They've got the award for it.

[00:28:12] [SPEAKER_01]: So big question though is what are your thoughts on the role of AI in cybersecurity?

[00:28:16] [SPEAKER_01]: Had you not thought about it too much until today's episode? Or how is your organization

[00:28:23] [SPEAKER_01]: adapting to these advancements? Love to hear your perspectives. Connect with me in all

[00:28:28] [SPEAKER_01]: the usual places, socials just at nielcehughes and email techblogwriteratwork.com.

[00:28:34] [SPEAKER_01]: Other than that, I will return again tomorrow with another guest for you. But thank you

[00:28:39] [SPEAKER_01]: for listening today and thank you for listening right to the end of the conversation. Love

[00:28:43] [SPEAKER_01]: your thoughts on this and until next time, don't be a stranger.