How Vanta fails

It's hard to sell easily reproducible commodities

Disclaimer: Opinions expressed are solely my own and do not express the views or opinions of my employer or any other entities with which I am affiliated.

Photo by Myriam Jessier on Unsplash

I haven’t had a sale recently, and the number of subscribers has increased a lot since the last one. It’s time to have one, especially before Black Friday since Black Friday is overrated. If you’re on a monthly subscription, this is your chance to upgrade to a yearly subscription at 50% off!

---

This week, I’m continuing my series on failure modes for certain companies. In the past, I’ve discussed companies like Crowdstrike, Snyk, Wiz, and Cloudflare. Since joining Headway, I’ve been more involved in our compliance work. As a result, I’ve been learning a lot about SOC2, HITRUST, and the various compliance tools that have recently come to market and how they are used. Specifically, I’ve spent time with Vanta and looked at other tools. To be honest, I was initially dismissive of Vanta and its true value when it first came out. However, after using it, I can see the value: Vanta brings automation to a part of security (compliance) that’s traditionally heavy on operations. It’s interesting to see how Vanta has managed to expand its platform.

As a disclaimer, I do use Vanta, and I’m a fan of the product. However, as always, all products and companies have risks.

What is Vanta?

Vanta started as a product that helped companies achieve SOC2 compliance more easily. The main advantages, in my opinion, are the automated evidence collection as well as the project management abilities, which I will describe more below. Since then, they have expanded to new frameworks, such as ISO, HIPAA, GDPR, etc. They also have expanded the platform to include other features that benefit from their evidence collection and/or are necessary for compliance. For example, they now have access requests, trust pages, and third-party risk management tools.

Why is Vanta useful?