In this episode, I speak with Faisal Khan, a GRC Solution Specialist at Vanta, about how their platform is transforming trust management for organizations.
We talk about:
Vanta as a Trust-Management Platform:
How Vanta helps organizations build, scale, and showcase their security and compliance programs through automation, efficiency, and tools like the Trust Center.
Key Features and Solutions Offered by Vanta:
How Vanta’s integrations automate compliance checks, streamline vendor risk management, and address industry standards like SOC 2, ISO 27001, and CMMC to save time and improve efficiency.
Future Directions and AI Integration:
How Vanta is expanding into new frameworks like the EU AI Act and leveraging AI to simplify compliance, optimize workflows, and address evolving trends in governance and security.
Unsupervised Learning is a podcast about trends and ideas in cybersecurity, national security, AI, technology and society, and how best to upgrade ourselves to be ready for what's coming.
All right, so today we're going to be talking about the Vanta GRC solution. And we have Faisal Khan with us. Faisal, welcome to Unsupervised Learning.
Yeah. Thank you for having me. I'm very happy to be here. Excited to talk about Vanta and the world of GRC.
Sweet. So can you start off by telling us a little about yourself and what you do there at Vanta?
Yeah. Of course. So my name is Faisal Khan. I'm a GRC solution specialist at Vanta. I've been at Vanta for a little over a year now. I work with our go-to-market segment. So about pre-sale and post-sale really to illustrate its value as a trust management platform in the space and, um, focus on how organizations can implement their GRC programs and why their trust management portfolio with Vanta. That goes all the way from talking to customers in the presales process based off of their requirements, and then also helping with some implementation activities when it comes down to how do you operationalize Vanta according to how they may want to either build a GRC program for themselves from scratch or bring in their own.
Okay. Yeah. In the Front Sight focuses a lot on, uh, automation compliance. Um, obviously compliance, but basically automating it, like having it be as non-manual as possible. Um, for people who haven't heard of Vanta, like, you gave a pretty good intro there, but like, what is this specific problem that we're trying to solve? Like, what are you trying to address?
Yeah. Of course. So to start off, I'll do a bit more detailed introduction of Vanta. So Vanta provides a trust management platform that gives capabilities to customers to help build, scale and really prove their security and compliance programs, both for themselves internally, but also to illustrate that externally to customers as well, and other external parties for that matter. To do that, you know, you have to really think about, okay, well, let's say that if we think about how organizations approach this today and what are the goals for security and compliance programs, it's all surrounded the aspects of improving security, increasing visibility to risk, making it easier for teams to get the right information about the compliance posture, making it easier for some of those sales cycles to occur and really grow the business and show how they're differentiated. Uh, and a lot of that includes this whole notion of being able to demonstrate that trust to those organizations. But when we think about just that, those goals, there's a lot of, I'd say, uphill battles that come into play when you, you think about, okay, well, how do you achieve them? There are growing buyer security expectations. Right. Like as you go to different customers, maybe different third parties that you work with, the security requirements, they tend to be similar but also different in some way just depending on who you're talking to. But then also this notion of your security is also related to your vendor security. And the number of vendor security reviews also tends to go up as the organizations grow too. And then to not tack on to that even more, we think about regulations, right. And there's this growing regulatory impact. So we're left with how do you address that space.
And oftentimes it's individual processes, manual efforts, sometimes point solutions to do an individual thing, which is where Vanta tries to solve that problem with a bit more of a unified way to start to scale and then ultimately manage your security and compliance programs together.
Yeah, just taking a couple of notes here. I like the way you broke it down there in the beginning with like, there's different groups that we want to prove that we're secure to. Right. And the fact that we are secure or are working towards it, um, can be used to enable business. Right? Or alternatively, you could say that it slows down business when we have to constantly do manual work to be able to get through these hurdles. So it seems like a big part of the platform is not only making sure we're doing a good job, but broadcasting that. Having a narrative around it. How much? How much of it is presentation to the customer themselves? Do they have like a portal that they can go to?
Yeah. Yeah, definitely. Uh, so from a customer presentation perspective, we have what's called the Trust Center, and we can do a brief overview later on in this session as well to show what that looks like.
Especially I would love to see that.
But the trust center is supposed to be that way in which you can represent your not only controls, but resources that you might have that you want to share and build processes around those things so that you don't have to manually provide them or go dig for them. You can build in workflows, let's say, from your CRM system to determine approvals and how to get that information and make it a bit more self-serve. So when a customer goes to a customer or a partner or any other external party goes to the trust center, they're able to see the information and really self-serve that request for access to that information and get that information a lot quicker. Um, it becomes even especially even more important when we think about just representation of commonly asked questions about security program That if it's all illustrated in a central place, it just makes that process a bit quicker and increases efficiency overall.
Yeah, yeah, I'm I'm adding to my list here. Uh, this is really interesting because, uh, I've pretty much been in this world my whole life. I've never directly been in GRC, but I'm always dealing with it. It's always right there. Uh, especially risk management side of it. So I've got customers. Uh, questionnaires is kind of a meta because that could come from anyone but customers usually questionnaires come from customers. But customers, procurement auditors, regulators. What are some other groups that are like user buckets?
I would say that partners are also a pretty big use bucket in a past life. The partners that you work with, whether it's integration between systems or them using your service to go in and perform a service to another, another client of theirs, where you might be the fourth party in that in that engagement. It's what it's it's an important aspect to consider because they'll also have their own version of security questionnaire. And it goes back to this notion of the security of your your own organization oftentimes depends on the other vendors and other parties that you're using or using by virtue of another provider.
Yeah, that makes sense. Okay. So I've got questionnaires on top. And then. So I added partners I think that's spot on. Um how about executive team and board.
Yeah. So executive team board are absolutely, absolutely very big. Um, stakeholders as part of it. Uh, I view that in two layers, though, so we can think about internal representation of your security and compliance posture to the board of the company. And then we can also think about external members, and especially for maybe those smaller organizations that have a bit more focus and their main contact is the CEO. It's really the executives are getting the startup on the ground as an example. And in both ways, one way you could solve that through Trust center as an example, where you can use the trust center to still embody the same information, including resources that you want to download and surface. We also have a chatbot on the trust center for folks to go in, and self-service questions based off of what's available resource wise, but then also right, we think about program management and reporting of internal security and compliance to stakeholders within the company. And Vanta does a really good job of looking at the different aspects of of the trust management program. So we think compliance, vendor, vendor security, your overall risk management management program, and having a risk register, knowing where your risks lie, access reviews and collecting that information into operational metrics and reporting dashboards that can help tell the picture of, hey, we have X amount of tests that need to be remediated at X point of time, and the following are running close as an example for a more operational perspective. But okay. Hold on. Look, we have our audits that are also coming up and available. And they're scheduled for X amount of days. So it gives a lot more high level visibility to say, hey, this information can be grabbed and presented to that higher leadership.
That's really cool. When you say test, do you mean like technical testing? You mean like pen tests that are running and assessments like that? You could actually see, um, maybe that they're scheduled or see that findings are coming out of them that can affect the GRC posture.
Yeah. This is actually a really good segue to just talk about the compliance module of Vanta, right. Um, at its core, what we do is take an integration first approach, um, where we, we plug into your integrations, of course, we give you the workflows, the instructions on steps to follow and say, hey, if you wanted to connect AWS, Azure, GCP, and any other service providers that you use that help with illustrating your security compliance posture or are impacted by virtue of it, plug them in. We're going to go run integration based automated tests to go check for specific configuration and, uh, configurations that help show a specific posture. A good example that we'll also do a showcase of is data encryption at rest. Um, a very common security ask is having the data stores that you're using to store your sensitive data be, and even confidential and sensitive data, to be encrypted at rest. And we have integration checks that check for your in-scope databases that we can see and say, hey, do you have encryption enabled on these things or not? Similar to tests like that, where if we can see a resource and we have a technical test that we can run that's relevant from a security and compliance perspective, we'll go in and run them and report them to you so that you have visibility of, hey, this one is detected, that there's one database that hadn't been encrypted. What gives? And you can go in and remediate those things. The additional cool bit to that is automated tests are also pre-mapped to controls that come down to the different frameworks that you're trying to comply with.
At the end. Yeah, I was going to ask that. So so you could basically say, okay, we're now going to be under this one. Uh, that given uh, compliance standard then has requirements and the requirements are linked to the automation tests, which leverages which leverages the integration I assume. So it knows what to either build inside of that integration or just kick off inside of that integration. And then it's actually taking signal from the results of that and hitting your, uh, compliance status for that given compliance thing. Is that correct?
Yeah, yeah, for the most part, yeah. Um, we have tests that are running that we've built and they are pre-mapped to controls that belong to the requirements of different frameworks. So SOC 2 and the AICPA criteria and the related controls that we create on top of that.
But you have to build those tests inside of their platform, right?
Actually, no. We actually have those tests that we build and we run those tests against the provider, against the resources that we see for the provider. So we would be the ones building the tests. And based on the data we see, we can run configuration checks against that data that we're collecting that we're able to gather.
Sure. But let's say it's like, um, let's say it's like, uh, an endpoint system, like Tanium or something, or some cloud, uh, AWS thing. Um, in order to run the test against the cloud infrastructure, I mean, don't you have you have to be inside of that infrastructure?
Absolutely, yes. No doubt about that. So we need to have a connection to to that infrastructure. And what we do is we, we, we strive for the minimum possible permissions that we need for the most for for most of it, outside of, let's say, task management integrations, where it's a bit more permissions on creating tasks. It's read only. So we're going in and we do need access to your environment to go look at the available resources that you have. And once we've established those connections, which would depend on what integrations you are able to make, we can then go run those tests from our end to say, hey, we see these databases, we see this load balancer as an example. We see these EC2 instances in AWS. Um, are you're running these things, we're running these checks. And the following instances need to be looked at. Similar example for vulnerability scanners. Right. Different type of test. We see these vulnerabilities these critical high medium and lows. And we give customers and other users of our platform the ability to set SLA for those severities and say, hey, look, you said that critical vulnerabilities are going to be remediated in a 14 day period, but we see this one. It's 15, 16 or hey, look, it's 13 days. You got to remediate it. Why isn't it remediated?
Yeah. So so on that point, is that based on the policy that you've stated somewhere that we, we have stated we want to remediate within that amount of time, or is that coming from requirements that we've said that we want to fall under?
Yeah. So it's a little bit of both. So some standards, depending on what the standard is, is going to require specific configurations. Yeah. Um, in Vanta there are additional configuration features, if you will, that are called SLAs. And you can edit those SLAs to represent what that time period is that's acceptable based on your policy. So let's say my policy and my, my vulnerability management policy. And I specified that 14, 30, 90, um, 14 critical, 30 for high and then 90 for medium and low. Let's just assume then you can go and make those same edits in your SLAs and say, hey, we've updated them for our policy and we can run tests according to those values to say, hey, look, are you meeting it or not?
Interesting. So if you get a finding back, the finding might say this is a violation. Oh, this is, um, PCI or this one is, um, SOC version two or whatever it is, SOC type two. Um, or it might come back and say you're compliant with all those standards, but you're violating your own policy. Is that would it would it see that?
So to to clarify, usually when you go in and when we think about SLAs, and I think a lot of this will become even more evident in the platform. Um, when we think about policy, policy is the, the rules really that you establish to govern security compliance. Um, the SLA configurations that I'm referring to are an additional way that you can configure specific time periods based on your policy that you've written. So you use the data from your policy and you'd say, hey, my policy says X. Let me modify the SLAs so that the tests can run the way they should. Um, it's your policy. And what you're trying to comply with should be matching to begin with. And that's where the value comes in as well, where we provide policies and procedures to utilize out of the box and customize as needed based off of what a requirement of a customer might be.
Mm.
Yeah. Interesting. Yeah. I like the direction that we we went. We just jumped right in. Uh. Let's see. Yeah. Um, let's see here.
Uh, I know it's a very broad space, I'll say. Yeah.
What what do you feel like other, like, um, players in the field are not doing well.
Ooh, that's a that's a good one. Um, I'd say that, uh, it's there's two things that come to mind. I think one is breadth of integrations. Um, I can I can attest to this, having been a Vanta user in a past life where when I started my journey, it was several years ago, I think when I started with Vanta, it was 9 or 10 integrations. And now if I look at our portfolio today, we have over 300 integrations. And of course, like the depth of those varied, there's different things that we can do with the various integrations. But all that to say is we're able to connect with way more, and the more that we can see and see, the more we can run tests against and go in and provide that visibility to you where it's less tracking it outside for the specific systems that you might be working with. You can come to a unified experience and say, hey, look, I'm running these tests against these integrations, and I have it all in one spot for me to go in and action on. That's one piece I'd say, is breadth of integrations. The second piece that I'd probably call out is, is customer feedback and product listening. I do think that as a whole, especially just been working here internally with our product and go-to-market teams, we have really good process around understanding customer feedback, taking that and actioning it based off of what the feedback is and taking that back into the product accordingly. Um, because at the end of the day, you know, we want to make sure that our customers are getting the value out of the platform in terms of managing their compliance program, and that they can scale with us as well.
Yeah. So so let me ask you this. The thing that's forming in my mind after hearing this is like there's a distinct two things. One is securing the org. It's finding what we need to be compliant with and like doing the actual work of the security, like vuln management and stuff like that. And then the separate part is like explaining the security, uh, presenting the security. It seems like those are two very distinct things. Not not completely, you know, disentangled. But do you, do you see Vanta like it being those two main things?
Yeah, I think that those are. That's a really good way to to look at it. Right. Um, it's distinguishing between your internal, your efforts internally on how you go in and secure and maintain compliance for your environment at large. And I would like to distinguish those two because they're both related. But compliance and security at the end of the day are different things. But one can help with the other. Right. Um, and by virtue of that, it's a that information, the efforts that you take from a security and compliance perspective feed the external communication because you can't if you don't have anything to communicate, then you're kind of at a loss of like how you represent yourself to your customer. And that's where, again, having a unified experience like Vanta is very critical to to demonstrating that notion, because you can complete the required checks, whether it's automated or manual, go in, show representation against the frameworks that you're trying to adhere to. See some of that cross mapping across standards. Because if we have a test and we know it applies to another standard we provide out of the box, we're going to do that mapping for that framework too. And then once you've done that, bubble that up into the output from a control and reporting perspective and documentation to put on your trust center and show that and say, hey, customer A or partner A. Here's the list. Here's the representation of our compliance program. Here are the different controls that we're running. And here's what you need from to see that. We want to show you the trust that you can have with us, and the data that we're storing for you and the services that you're going to be using from us.
That makes sense. That makes sense. Um, you know, what I'm thinking of is, like, there are adjacent spaces that if you're doing this holistically, would kind of naturally fall into you, and it seems like you're already kind of integrating them. One would be vendor management, another one would be vulnerability management. Have those kind of just naturally folded into you over time?
Yeah, yeah, I'd say I'd say so as well. And again, from a customer like a past customer experience perspective, it's always fun looking at it as a before and after being part of the organization. Um, absolutely. The vendor VRM, I'd say it's one of my favorite, favorite tools. Um, especially because we use AI to go in and help with that analysis to accelerate your your reviews. Um, we also provide integration with, with procurement tools to go in and trigger when a security review might be occurring, whether it's a renewal or a new opportunity. But the thing with vendor reviews, and I'm going to make a little tie-in to questionnaire automation too, because I think that that's a very good tangential one: one's internal, like the one's about your vendors, and one's about you being the vendor to another, to another consumer.
Oh yeah, I was actually thinking of both at the same time. But you're right. Uh, one is like almost like supply chain management internally. And then that's a good point. I hadn't thought of that one. So that's actually another space. Supply chain management kind of starts to merge with this as well. But I was thinking of the one specifically of, uh, when you start, when you go into a partnership situation, they want to make sure you're secure. Um, they want to know the list of vendors you're dealing with. Like all these questions keep keep coming up. You mentioned AI. Is that to handle the fact that people ask the same question over and over in different ways?
Part of it. Right. Yeah. Part of it is that right? There's different variations to different types of questions. Like it's it's um, you can you can have a questionnaire that's 20 to 30 questions long. I've done questionnaires that are over 500 questions long. Um, and they're all like different depths and breadths, if you will. Um, and because of that, it's a tedious exercise. Um, a lot of there's a lot of effort that goes into just that aspect of it, right, where you're speaking from a being a service provider to a customer. Uh, so we use AI to go in and analyze the data library and information that we can gather based off of what you have input to, to, to collectively answer some of those questions and provide those outputs. And of course, the more data we can get, the more, more refined some of those responses are going to be for you to go in and see, maybe even make some tweaks and updates for the next time so that the next time some of those questions come up, it's there and it's ready to go. Um, so and, and that also then feeds back to the trust center. So if we think about the trust center and being able to ask questions from our trust center, that's also related here, where it's all a unified experience from that lens, from a supply chain management perspective. I think you've hit on you've made a really good point, right. Like one's internal. The other, questionnaire automation, is a bit more external. Um, when we think about vendor reviews, there's so much that goes into making sure that they're doing the things according to what you expect them to do and what third party management policy have established. Um, and this gets even even trickier when you think about legal agreements and regulations and things. And if we think about regulations and some of the requirements that they have, the expectation is that the providers that you're using are doing the same as you. Right. That's the general general feel of things.
So it becomes this exercise of you have to find a quick way or a quick ish way to be on top of that and not slow the business down at the same time.
Mhm.
That makes sense. Well I'm excited. Let's uh let's check out the platform.
Yeah, let's do it.
All right. Can you see my screen?
I can yeah yeah yeah.
Cool.
Um, you should be seeing the Vanta homepage. I just want to confirm that you see, see the home.
Yes.
That's right. Cool.
Awesome. Okay, so this is the product. We're on the homepage of the product, but I always like to call attention to the left nav first. Just to illustrate, especially in context of our conversation. Uh, we have compliance. This is the frameworks, controls and related tests that we've talked through where we provide out of the box frameworks such as SOC 2, ISO, HIPAA and so on and so forth for organizations to use to illustrate their compliance against those standards. There's this audit component to some standards just depending on what they are. ISO 27001 and SOC 2 are common examples, where we also give the capability to customers to bring to invite their auditors to come in and perform audits within the Vanta platform, which I thought was a really cool and nifty feature there. But then there are other aspects that we've also talked through on this on the session so far. We think about the trust center, which is that external communication of your security and compliance process and your overall trust management program. The knowledge base that I'll be referring to and the aspect of doing questionnaires, the risk management module, our risk management module. Think it's it's a risk register and risk management platform based off of ISO 27005 risk assessment guidelines. It's very it's the standard for showing risk management practices as part of ISO 27001, which is all about security management system. And then you get into vendors, having a vendor risk management program and being able to streamline some of that.
This is great.
This is great. I mean, you almost have it organized by the spaces that that are involved with vendor management, risk management. Um, and I guess supply chain kind of trickles in and out of these. What about vulnerability management? Where does that fall into.
Yep. So that's exactly what we're going to NASA. We thought we put that under assets. And this is where we would surface vulnerabilities. And just a sneak peek right. We think about this from a vulnerability management perspective. We were able to pull in that vulnerability data just depending on what your vulnerability scanner is of course. And surface that information here so that we can run those SLA based tests. And just as a quick example, just just kind of print this out. You'll see the due dates associated with it. And that's going to trigger back to this tests page which I'll quickly highlight to show. Hey, let me go do a quick example here. High vulnerabilities that are identified in packages are addressed. And this is one specifically for AWS Inspector. We're able to show you that the following vulnerabilities, they need attention, um, and need to be actioned on. It's due in X amount of days. You need to go in and do something about it. Um, but before I get too far along the integration path, I do want to make sure I call attention to the integration side, because that's actually where like it all starts with the Vanta platform. Um, our automated compliance platform, it's built around the integrations that we're able to see plug and play with and see resources from to run those tests against. So there will be integrations such as your cloud service provider, your version control systems, your identity providers, and even MDMs as well that we can go run different types of tests. For MDM, we think about, uh, having, uh, having a screen lock enabled and configured. We think about detecting malware being installed and running on your machines. From a cloud service provider perspective, making sure that, again, data encryption at rest is enabled, unrestricted ports aren't used, and if they're used, you have the ability to go in and make those deactivations.
We're able to go in and run those tests against against resources that we can see to then illustrate into the compliance side of the house. Um.
Real quick on that previous one. Um, so for those different classifications, cloud providers, uh, CRM documents, like in document management, what would you be doing pulling in documents like reviewing policies, uh, checking against documents like what would that look like? Looking at wikis.
Yeah. Yeah, it's a great question. So document management would, would be if let's say that you have a security compliance program today and you manage your artifacts in artifacts in a separate data store, whether it's your policies, maybe it's evidence that you want to manage, where we give you the capability to manage to integrate with those systems and pull that information in so that you can upload that, whether it's a policy that you're trying to implement or it's a document, manual, evidence piece that you're trying to satisfy. So it'd be really that facilitation of evidence from a store that you maybe just want to manage outside of into. And you, you want to continue doing that.
Yeah. That makes sense. Okay. Yeah. Endpoint identity providers. MDM. Yeah. Task management. Yeah. So in terms of task management, could you can you actually see like where something is in like a vulnerability management process?
Could you clarify that question for me?
Yeah. Like, so for example, um, a given vulnerability is like, uh, it's in the process of being patched or it's being currently being...
Got it. So the way that our task tracker, task management integration would work is we give you the capability to go in and create, um, tasks or link existing tasks based off of what's done. So in the instance of a vulnerability being detected, we could go in. We can integrate with your task management provider and give you the ability to either create the task here manually, or create a workflow to auto create that task to send over to your task management provider. Those would then be reflected here to go in and see the status of. And you can centrally view that information here to make sure that those things are closing. Um, but that would be the, the that would be how task management would play in there, where it's a bit more of a two way street where you can create the task, or you could link that task and start to see that status information.
Nice. And then the trust center is where, um, you're broadcasting outwards. Can the customer see any part of this? Is there any part of this like public to customers to check status or anything like that?
The. So as far as task integrations.
No, no, no, just the top level, just trust center, of like something that they could do on their own, like self-serve, to see the the status of anything like status of questionnaires or, I don't know what else would be in there.
Yeah. So questionnaires not quite. But this actually makes a very good segue into the trust center. Um, and what a customer can see relative to that information. So if we think about the trust center, um, the the trust center is a summary of information from a compliance perspective. The different certifications I pull up is a really good example here where we were really into for ourselves and showcase the different standards that we're adhering to, whether it's an.
Attestation.
Situation. But then you can you can also see the controls that we want to represent on our trust center and showcase the status of those things. Make sure that we're socializing what's working, what's what's showing and what's what's, uh, operating as part of our security and compliance program, going to a lot of the vendor type conversations we've been having illustrating your subprocessors that are relevant.
Oh, really cool.
It's very, very important. And we can we give you give customers the ability to surface that information as part of the trust center as well. And then one also like relatively recent, it's it's been a minute since it's been here. But I thought it was really cool. Was this rollout of updates and the time that I've been here, which was the ability to go in and surface what's what's happened as part of your security and compliance program and really show, hey, what's what are the changes? What have you newly achieved? Um, is there things that you want other external parties to know about your security and compliance program and push that upward.
Yeah. Really cool. Really cool. Uh, so any, uh, any new stuff that you're able to talk about that uh, people should expect, uh, coming soon, like, like, uh, what's your area of, like, trying to develop and build for the future?
Yeah. So I'd say that we've, we've actually recently, uh, released a lot of cool stuff. I think that's also relevant to just how the markets and markets playing, especially what we see in the industry. Uh, one thing, a framework that comes to mind is CMMC. Uh, so CMMC is a hot topic, especially for DoD contractors and subcontractors that are having to adhere to that framework and get certified or do a self-assessment for, uh, and because of that, we took the initiative to really build out an out-of-the-box framework to go in and guide customers on how to implement some of those requirements for themselves. So that's one I think I'd draw attention to is just based off of the current events and just what we know that that would be one, one aspect of things. But then I think two other things that I'd love to draw attention to would be HITRUST and our partnership with them and our MyCSF integration. Um, we have a partnership with HITRUST where we can go in and offer the HITRUST CSF and related assessment levels. So that's the e1, i1 and r2. Um, and they're, it's a common framework to adhere to multiple authoritative sources, really frameworks at the same time and show a robust implementation of your security and compliance posture. Uh, they have a tool called MyCSF, which a lot of customers may be familiar with. And we're able to connect with MyCSF to make that push of information, whether it's your documents, your evidence, your policy information, so that there's less manual work involved in that process. Finally, I think the third thing I'd love to draw attention to is the EU AI Act. I think that AI is one of those, um, trends and topics that's going to continue to be a topic for months and years to come.
Uh, frankly, um, the way I position it to customers when I'm talking to them about it is we think about, uh, if you go to a train track, let's say you're driving and you approach a train track and you see this train like, darn, I have to stop for this train. And that train, you're going like, man, this train's not letting up, and it doesn't let up. That's AI. AI is this train that's just going to keep going. And more and more standards and regulations are going to come in as responses to it. The AI Act is a really good example of it. Um, and ISO 42001 as well, which is an ISO standard that came out at the end of 2023.
Mm.
Okay. And so you're able to take something that's relatively new and moving fast like that. And how quickly can you normally turn something like that around to get it into the platform and get checks going?
It really it frankly, it does just depends on what the framework is, for example. Right. It was a pretty robust framework. So it took us a minute to go do it and implement it.
But but it's in the platform now.
Yes. The EU AI Act, we have a framework for it in the platform. We also have a framework for CMMC, ISO 20 or 42001, HITRUST e1, i1 and r2, and those are all available for customers to come in and use.
Nice.
So what would be having been like a customer in the past? What is like your, um, your killer feature that you think of when you think of Vanta?
Oh, man. See, that's, it's tough because I like all of Vanta. That's why I'm here now. Um, but the. I'd say that the whole aspect of Trust Center, seeing the growth around it is really cool. Um, and we continue to optimize that experience, link it to the data stores and the data that we feed into the platform. Vendor risk management is also a feature. I think that it's a very big area of time saving and efficiency that could be used to help streamline that review process and free up time to focus on other things, which is frankly a common challenge for everyone. Right? Time and resources. That's a commonality everywhere and things that you can do to fast in that process. Those are good things to do. And I think Vanta as a whole is really doing that and striving for it for our customers.
Makes sense. All right. Well, I really enjoyed the conversation. Anything um, we should mention that we didn't talk about.
Uh, no. But, hey, what if there are any questions? If you're interested, please reach out. We have a really good LinkedIn presence and other social media platforms as well. You can also reach out to me via LinkedIn. It'd be fun. You'll have this information as part of the recording as well, where we would be really ecstatic to help you in really operationalizing and streamlining your trust management journey.
Fantastic. Yeah. And what's the URL? It's just vanta.com. Is that right?
.com, you got it.
All right.
Well, thank you so much for the time. And it was a good chat.
Thank you.
Appreciate it.
Unsupervised Learning is produced on Hindenburg Pro using an SM7B microphone. A video version of the podcast is available on the Unsupervised Learning YouTube channel, and the text version with full links and notes is available at Daniel Miessler newsletter. We'll see you next time.