August 31, 2023

How we scaled our security culture at Vanta

Written by
Jess Chang
Senior Technical Program Manager, Security & Enterprise Engineering
Allan Reyes
Staff Security Engineer

Security is at the heart of what we do at Vanta. Helping our customers improve their security and compliance posture starts with our own. Our team's mission is to ensure that Vanta is a trusted and trustworthy steward of customer data.

At Vanta, we believe that nurturing and scaling our security culture is one of the most powerful ways to achieve our mission. We define security culture as the norms, behaviors, and attitudes around security. We look at our security culture through three primary tenets, which we treat as distinct:

  1. Vanta staff cares about security (beliefs and values)
  2. Vanta staff understands their responsibilities when it comes to keeping the company secure (knowledge)
  3. Vanta staff reaches out with security questions and to ask for guidance (behaviors)

Why three tenets? An individual can care about security and understand their responsibilities, yet still make a misguided security decision if they choose not to ask for guidance at a critical juncture in their project. An employee who doesn't care about security will likely not understand their responsibilities, and is even less likely to reach out for security guidance. A healthy security culture requires all three tenets operating in tandem to sustain itself.

Why security culture matters

While there are many reasons why security culture matters, one stands out to us: a strong security culture gives the Security team greater leverage and makes it more impactful.

By equipping and empowering teams to partner with the Security team, or even to address security issues on their own, a strong security culture lets the team multiply its impact with the same resources. For example, at Vanta we partner closely with the Platform team within the Engineering organization through regular meetings that address problems before they arise. This broadens our team's impact and helps avoid creating issues that would otherwise surface later, when they are more expensive to fix.

Security culture interfaces and principles

You might be wondering how to define and scale your security culture. You may have a function devoted to human risk, security culture, or security education, or generalists on your security team who can lend a hand.

At Vanta, we have a shared responsibility model for nurturing our security culture. We group our guiding principles into two categories depending on whether an employee is interacting with our Security team or tooling we manage, and we work to nurture and improve these consistently: 

  • Human touchpoints: Between the Security team and Vanta’s staff
  • Tooling touchpoints: Between Vanta’s staff and the tooling or controls built by the Security team 

While related, these two distinct touchpoints have different principles that guide our approach to consistently improving our security culture and our overall security strategy. We’ve shared these team principles below with the hopes that these will be helpful as you look to build and scale your own security culture as well.

Human touchpoint principles: Between Vanta’s Security team and staff

1. Culture of yes: We strive to nurture a culture where partner teams come to us collaboratively to work toward solutions, instead of a culture of fear or one where the Security team consistently says no. This means we must cultivate a responsive, supportive, and judgment-free environment that encourages active engagement with Security. We invite feedback through a biannual, company-wide survey that measures friction against security controls and guidance, and we regularly remind employees how to get help from the Security team. In addition, we operate in a blameless environment that focuses on identifying root causes and solutions rather than assigning fault.

2. Guardrails are better than gates: Our goal is to help our partner teams by providing guidance and solutions that meet their needs without slowing them down. We recognize that at times this requires extending a significant amount of trust to our partner teams. Developer experience and productivity are critical to making our systems and processes more secure. We favor guardrails that make the right and secure thing the easy thing to do, instead of gates that add friction and toil and that engineers will eventually route around.

3. Be predictable and consistent: In providing guidance, we always seek to provide practical, consistent, and clear guidance from a first principles approach. This means that we’re also transparent when we don’t know what the right answer is—and work closely with teammates to connect our technical expertise in security with their domain expertise. After all, we can’t be successful without the deep domain expertise of our partner teams. In addition, when we’re asked for help, it’s important for us to share clear next steps and a timeline with the requester so they know what to expect and when. 

4. Security is everyone’s responsibility (and can be fun!): While Vanta certainly has a dedicated Security team (us!), we also find ways to create fun, inviting, and accessible ways to learn about security—whether related to Vanta and our work or to our personal lives outside work. Our Security team runs a monthly Capture the Flag (CTF) open to all employees, and also maintains an open Slack channel for articles and discussions on a range of security topics. 

[Image: Example of monthly CTF invite from the Vanta Security team]

In addition, we share monthly company-wide security updates on what we’re working on and why, as well as threat briefings on an as-needed basis for any potential threats relevant to Vanta or our staff. On a quarterly basis, we also share our top risks and priorities, which helps inform teams and assists in their planning and prioritization. Lastly, as a security company, having clear support from Vanta’s leadership team has also helped emphasize the importance of our internal security initiatives—such as our MDM rollout and migration to WebAuthn.

5. Build a security mindset from the start: To ensure our staff cares about security, understands their responsibilities in keeping Vanta secure, and knows how to ask security questions and get guidance from Day 1, we introduce security at the start—with general onboarding for all employees as well as security training for developers. In addition, we pair our dynamic onboarding content with Vanta’s in-product security and privacy training, and provide regular training on an as-needed basis.

Tooling touchpoint principles: Between Vanta’s staff and tooling

1. Prioritize developer experience: One of the primary goals behind our biannual internal Security team survey is to understand and address any points of friction, particularly in the developer experience. If the developer experience is suboptimal, whether because of security controls or for other reasons, it will materially impact our overall security culture and lead to decreased engagement with our team. What we build is most readily adopted when it fits into the workflows our developers already use and doesn't add friction.

2. Shift security left: Following this industry principle, we put security interfaces directly in the paths and toolkits of engineers, which helps keep Vanta secure while also cultivating a healthy relationship with our developers. Our highest-leverage efforts are in pushing controls closer to our teammates while they're designing, building, and coding. This gives quicker feedback cycles and helps catch security bugs early in the software development process, when they are cheapest to fix.

3. Minimize alert fatigue: It's well established that overly sensitive or poorly defined monitoring and alerting leads to alert fatigue and easy dismissal of alerts, even when those alerts are important. This creates a negative security culture of quickly clicking through a security speed bump rather than one of paying attention. To combat this, we continually fine-tune our monitoring and alerting rules and adjust them as our environment changes.

4. Secure by default: To help create the right guardrails for our employees and environment, we opt for settings and controls that balance the right levels of security and productivity—and provide clear rationale and guidance for employees where needed.

Additional guidance: Always be automating & documenting

Two additional principles we love internally on Vanta's Security team are always be automating and always be documenting. These two principles help ensure we're building repeatable processes, improving our overall team bandwidth and consistency, and creating ways for us to continue to evolve alongside Vanta's business needs.

As an example, the Security team maintains a decision log that records important internal decisions and the reasoning behind them, so that we can evaluate future stances and directions against them. This helps ensure we're able to provide consistent, principle-based guidance as we grow and scale, and to reference prior decisions where relevant.

Lastly, we recognize that every company and team has its own approach to building and nurturing security culture, and we hope that sharing our internal principles and perspectives can help you decide how to approach defining and scaling your own.
