Why Vanta Wants Boards to Measure Cyber Risk in Business Terms
The Business of CybersecurityJuly 18, 2026
38
00:30:3027.92 MB

Why Vanta Wants Boards to Measure Cyber Risk in Business Terms

In this episode of The Business of Cybersecurity, I speak with Khush Kashyap, Senior Director of Governance, Risk, and Compliance at Vanta. Khush began her career as a software engineer before moving into cybersecurity, giving her a builder’s view of governance and operational resilience.

Our conversation begins with the UK Cyber Security and Resilience Bill and the demands it could place on managed service providers, data centers and designated suppliers. Proposed reporting windows could require an initial notification within 24 hours and a fuller incident report within 72 hours. Khush explains why organizations should map their supplier dependencies, define reporting responsibilities and rehearse those deadlines before a real incident tests them.

We then examine what Vanta calls security theater. Khush argues that teams have spent years gathering screenshots, maintaining documents and completing questionnaires because passing an audit became the accepted measure of success. The danger is that an organization can appear compliant while controls remain poorly designed, incorrectly scoped or ineffective in daily operations.

AI can compound that problem. It can generate policies, automate attestations and produce reassuring dashboards, but those outputs mean little when nobody validates the systems or checks whether the underlying controls are working.

Khush also explains why shadow AI creates a larger governance problem than shadow IT. Employees can introduce copilots, models, APIs and autonomous agents that access company data or take actions without the security team knowing they exist. Her advice begins with a live inventory covering cloud assets, SaaS applications, suppliers, machine identities, AI tools and agents.

We also discuss how CISOs can improve their conversations with boards. Instead of presenting compliance status as the main result, Khush recommends explaining business exposure, supplier dependencies, potential outage costs, reporting readiness and the speed at which failed controls can be detected.

Can organizations turn compliance into a continuous operating discipline that protects the business every day, rather than a scramble before the next audit? Please share your thoughts with me.