
Meet the Vanta ESP Team

Written by
Jess Chang
Senior Technical Program Manager, Security & Enterprise Engineering
Jadee Hanson
CISO


Since we last introduced ourselves, we’ve grown our Security, Enterprise Engineering, and Privacy teams and have come together as one centralized organization reporting to Jadee Hanson, CISO at Vanta. In this post, we’ll introduce you to our team, give you an overview of what we do, and share our values and vision as Vanta continues to grow. 

What does the ESP team do at Vanta?

ESP stands for Enterprise Engineering, Security, and Privacy, a reference to our identities and recognition of the wide scope of services we deliver. We’re three teams rolled into one organization with a large footprint that covers information technology, security engineering and operations, privacy, and governance, risk, and compliance.

While the domains we span are wide, security is at the heart of what we do—and helping our customers improve their security and compliance posture starts with our own. Our ESP team is an innovative and close-knit group that enables our company to create tech solutions that delight customers, while fostering an environment where decisions are guided by security and privacy principles. We enable Vanta to scale while managing risk and prioritizing security for our customers and users.

In addition to our core responsibilities, we’re also a security team for a security company, which means we use the product we develop. That gives us the unique opportunity to partner closely with our Engineering, Product, and Design (EPD) teams to share feedback and iterate on solutions, and it gives us both the desire and the ability to help other security teams who use our solution. To do this, we listen to and learn from fellow security practitioners and our shared community to uncover the right solutions, share transparently, and figure out how to partner and win together.

Getting to know our team

Our ESP team includes a crew of generalists and security experts that focuses on several related domains. Here’s a deeper dive into each of the areas, how we work, and what we’re responsible for.

Enterprise Engineering

Led by Alicia Phan, Enterprise Engineering Manager, our Enterprise Engineering team provides Vanta’ns with the tools and technologies they need to do their best work, wherever they are. Also known as the Corporate Engineering or IT team at other companies, we focus our work into two larger areas:

Enterprise Engineering, Systems

Our Systems team focuses on designing and implementing workflows and processes that streamline and automate work here at Vanta. The team’s responsibilities also include (but are not limited to) things such as overseeing administration of our identity and access management provider, helping teams select the right SaaS applications for the company, and ensuring our SaaS applications are all integrated, functional, and secure. We’re constantly on the lookout for ways to enhance the experience of Vanta’ns globally while simultaneously helping to make Vanta more secure. 

Enterprise Engineering, Operations

On the operational side, our Operations team is responsible for basically everything else. End-user support is only the tip of the iceberg: the team serves as the first point of contact for Vanta’ns who have technical issues. The team also oversees the logistics of shipping, retrieving, and provisioning/deprovisioning devices, ensuring that every Vanta’n has the right equipment to do their job effectively. Lastly, our incredible Operations team is also responsible for end-to-end user lifecycle management, ensuring that access to accounts and applications is provisioned in a timely manner and with the necessary permissions. 

Collectively as a team, our Enterprise Engineering team is responsible for sending one another funny gifs/memes at the start of days and photos of our pets, as well as pretty bad jokes for a good laugh while working together. 

Security Engineering & Operations

Our Security Engineering and Operations team focuses on product security, infrastructure security, vulnerability management, and keeping Vanta itself secure. Led by Nathan Hunstad, Director of Security, here’s what this looks like in practice:

Security Engineering

To ensure that the Vanta product is developed and deployed securely, we use a variety of tools and processes that keep security at the forefront during design, development, testing, and deployment. These include static and dynamic scanning (SAST/DAST), software supply chain management (SCA), and penetration tests. 

In addition, we have a vulnerability management process that helps us triage and remediate any vulnerabilities discovered in our environment, whether found by internal tools or reported via our Responsible Disclosure Policy. We partner closely with our engineers to ensure security best practices are followed and our teams can innovate securely, using processes like threat modeling and security consulting so that potential security risks are identified and addressed early.

Security Operations

Our Security Operations team focuses on securing Vanta’ns and how we work. We deploy industry standard tools such as EDR, MDM, and email scanning to detect malicious content, phishing attempts, and other attempts to compromise our security. Our team investigates events and remediates when necessary, focusing on educating users and giving Vanta’ns the tools they need to work safely. Our team is a part of our broader Vanta Incident Response Process, which provides a mechanism for escalating issues and pulling in appropriate stakeholders when needed.

To continue to nurture Vanta’s culture of security (and have fun!), our Security team runs regular CTFs open to all Vanta’ns and a Security Champions Program. The team also maintains open channels for Vanta’ns to ask security-related questions, discuss security-related topics and articles, and more.

Governance, Risk, & Compliance (GRC) and Privacy

Lastly, our Governance, Risk, and Compliance (GRC) and Privacy team ensures compliance at Vanta—both in-house and in-product—and supports Vanta’s customers, prospective customers, and how we build our Product. Led by Matt Cooper, Director of Governance, Risk, and Compliance, the team is directly involved with building control frameworks, setting and updating our own policies and procedures, managing risk, and monitoring adherence to our security standards and privacy requirements. 

Internal Audit & Compliance

As customer zero of our own solution and platform, we keep a close eye on Vanta to ensure we continuously maintain the trust we’ve built with our customers, partners, and investors. We use the Vanta product ourselves to continuously monitor our own controls and manage the workflows that we’re responsible for—such as policy renewal, security and privacy training, and risk management. 

We drive ongoing compliance for our own SOC 2, ISO 27001, GDPR, CCPA, and other US State requirements as well as our commitments to our customers. This includes weekly product check-ins with our primary stakeholders and daily follow-ups for controls in need of attention. This year our team is driving the organization to be an early implementer of the ISO 42001 Artificial Intelligence Management System (AIMS), and we aim to certify in 2024. In addition, Vanta has been designated by the Cloud Security Alliance (CSA) as a Trusted Cloud Provider.

Risk Management 

In terms of risk management, our team continuously manages our risk register, ensuring that risk items are considered in each quarterly planning cycle. We work with engineering teams to integrate risk management at various levels of the company, including security- and privacy-by-design software development and other specific projects. In addition, we maintain a robust and thorough risk register that is shared with company leadership regularly and aligned with our overall strategic priorities.

Vendor Risk Management

Our vendor risk management program focuses on vendor evaluation and proving Vanta’s own security posture. To do so, we’re also customer zero of our own questionnaire automation solution and value the ways in which it draws answers from our security documentation and increases our efficiency with providing thorough and accurate responses about Vanta’s security practices. In addition, we ensure that our own service providers are reasonably and responsibly safeguarding the data we entrust them with.

Privacy Operations

Our privacy operations program ensures that we strictly adhere to privacy regulations, deliver on Data Protection Impact Assessment (DPIA) and Transfer Impact Assessment (TIA) requests from customers and partners, and respond to Subject Access Requests (SAR) under both GDPR and CCPA. To ensure we maintain our privacy commitments, we provide ongoing training for internal teams on privacy best practices and privacy by design. We also partner closely with Vanta’s Legal team on the review of customer and vendor security and privacy requirements. In addition, Vanta is enrolled in the EU-US Data Privacy Framework.

Governance, Risk, & Compliance SME Consulting 

Vanta’s team of Governance, Risk, and Compliance (GRC) subject matter experts (SMEs) provides security and compliance expertise to support Vanta’s customers and prospective customers and to inform how we build and grow our product. From partnering with Vanta’s customers on solutions and questions to designing programs that help expedite customer success and the achievement of attestation and certification, our GRC SME team is one-of-a-kind and beloved across Vanta and by our customers for their partnership and expertise. 

We’re deeply involved in supporting our community of security practitioners externally, sharing our expertise in webinars, podcasts, and other content on behalf of Vanta—and helping us all win together. Applying the learnings Vanta has gained as the original innovator in the trust management space, our team is also integrated into how we build and grow our product. We’re continuously looking for novel, effective ways to help our customers improve their governance, risk, and compliance workflows and to provide transparent, simple, and efficient ways of achieving, automating, and demonstrating trust. 

About Vanta’s ESP team

Given the depth and breadth of our team’s scope, we’re lucky to have a combination of Vanta’ns with diverse perspectives, experiences, and skillsets to tackle our shared mission. To highlight who we are and what makes us unique, we asked our team to share a bit more about themselves:

Allan Reyes, Staff Security Engineer

What is your favorite aspect about being at Vanta? As a security engineer, it’s so refreshing and inspiring how much our product engineering and platform teams care about security. We have a really healthy cross-functional relationship, and it makes it so much easier to ship fixes and improvements quickly and painlessly.

Kim Elias, Senior Compliance Specialist

What motivates you in your work at Vanta every day? I'm honored to work with exceptional people who truly strive for exceptional work. As a compliance professional, it seems like an easy "yes" to be focused on ensuring security and compliance are synonymous with trust—and selfishly, I think that's a better and more fun way to do compliance. The fact that our team and company aims to be the best at that is remarkable. The standard is high, not just in the quality of day-to-day work, but thinking critically and holistically, and constantly reiterating why we do what we do. This collective commitment makes Vanta an incredibly affirming place to work.

Jess Chang, Staff Technical Program Manager, Security

What makes our team unique? Not only do we have a talented and kind team, but we bring diverse backgrounds and skills that help us approach problems with perspective, creativity, and empathy. As security practitioners who use our own platform, it’s an even more fun challenge to provide continuous, constructive feedback and be part of the iterative process and Vanta’s product evolution.

Diego Gutierrez, IT Operations Engineer

What's your favorite way to recharge during a busy workday? Depending on the weather, I either take a bike ride or a walk to recharge. If I'm biking, it takes about 20-30 minutes to reach the piers, where I can enjoy the beautiful New York City skyline. If I'm walking, I just stroll around my neighborhood. This helps me relax and take a break from work. Once I'm back, I'm ready to dive back into my tasks.

Alicia Phan, Enterprise Engineering Manager 

What is your favorite aspect about being at Vanta? At the risk of sounding cheesy, it’s truly the people! I thoroughly enjoy getting to work every day with incredibly smart, talented, and kind people. Secondly, I think it’s so fun to be able to be in a world where I’m a customer and an employee of the product. It really helps you see things from multiple perspectives.

Nathan Hunstad, Director, Security

What motivates you in your work at Vanta? Knowing we have a large customer base that really depends on us to help them achieve their goals, whether it's attaining their first SOC 2 or using AI to help answer customer questionnaires quickly and accurately. When you are part of a security team at a security organization, you are securing far more than yourself.

Adam Duman, Information Security & Compliance Manager

What is your favorite aspect about being at Vanta? Security is an industry that is largely built on failure and the lessons we learn from making mistakes. I love that about it. Working for an organization that is open to new ideas and approaches even in that kind of an environment is really refreshing. The opportunity to just say “industry ‘best practice’ is broken and we can do something better. I have an idea…” is incredible and leads to some really novel solutions and also some really complicated but fun exploration of problems, solutions, and answers.

Jadee Hanson, CISO 

A note from Jadee: First of all, if you have read this far, thank you for your curiosity and interest in our Security team. 

“Our team mission at Vanta is to equip Vanta with the technology solutions they need while fostering an environment where decisions are made with security and privacy as guiding principles. As subject matter experts, we guide Vanta towards informed and secure practices internally and a deeper understanding of prospects and buyers externally.”

We believe that security is everyone’s responsibility and we play a lead role in shaping a security culture rooted in trust, transparency, and continuous improvement. Every team member, from leadership to new hires, understands the critical role they play in maintaining a secure environment. Through regular training, open communication, and proactive engagement, we ensure that security is not just a policy but a core value embedded in our daily operations. 

This approach not only reduces risk, but also enhances our operational efficiency and strengthens our reputation as a trusted partner. Our commitment is demonstrated through continuous feedback, clear policies, and visible leadership support—making security a shared responsibility and a point of pride across our organization.

Where is the ESP team based?

As mentioned in a previous post, Vanta’s ESP team embraces Vanta’s remote-first philosophy. To ensure we’re able to collaborate seamlessly with one another and across Vanta, we have a defined cadence of regular meetings—both as smaller teams and collectively—that help us stay connected. We also meet in person a few times throughout the year to spend time together doing fun things, planning what’s ahead, and continuing to grow together as a team.

You can read more about our security program on Vanta’s website. We also have resources for prospects and customers on our Trust Report.

Our Security team is growing. Join Vanta’s mission to secure the internet and protect consumer data—learn about our open roles!
