The link between trust and revenue: How proving security wins deals and enables growth

In our 2022 State of Startup Security Report, we asked respondents how their company goes about proving its security. Some responses were quite surprising. “We simply tell the customer that their data is secure.” Another respondent wrote, “I don't (prove security), but since taking some online networking classes, I now know how important it is.”

Having a strong security program is essential, but so is being able to prove it. Whether it's investors, prospects, or regulatory entities, someone, at some point, will ask about your company’s security posture. 

Yes, they’re asking about your security protocols, but what they’re really asking is, “can I trust you?” Growth depends on being able to quickly say, “Yes, you can. Here’s why.” And that confident response, with an emphasis on “why,” is crucial throughout every stage of your company. 

Investors want a sure bet 

22% of our security report’s respondents said venture capitalists asked them to provide proof of a strong security program. The implications of this discovery extend beyond security. 

If founders and entrepreneurs want to find a worthwhile investor, they may have to do more than prove the validity of their product and business roadmap. Security and compliance now play a crucial role in startup strategy. 

If you think about it from an investor’s perspective, it makes a lot of sense. What better way to pressure test a company than to ask for evidence of a strong security program? Completing a compliance standard such as SOC 2, and then being able to produce the report and the evidence behind it, reveals an exceptional amount of organizational savvy. It also signals good faith and trustworthiness, key factors in any investment decision.

Closing deals, and retaining them, hinges on security

Whether your company is in the seed or expansion phase, closing deals and earning business is paramount. Proving your organization's security is a task that can appear at any stage in the deal cycle, but this often occurs at the least favorable moment—the “one-yard line.”

At this point, your company has invested a significant amount of time in developing the relationship. Your sales team kicked off a meeting, the prospect explored the opportunity being presented, and right before the deal closes, you're being asked to provide proof of security. This appears to be a common occurrence. 

Our security report found that 57% of respondents were asked by prospective customers to prove their security measures. And if your prospects don’t ask when it comes time to seal the deal, they’ll likely ask after they become customers: 51% of participants said that existing customers asked them to provide proof of security.

The key takeaway? Generating new revenue, and keeping it, depends on your ability to demonstrate security at any given time. 

Enterprise and international markets require trust 

Long-term success often depends on selling to new markets and scaling revenue. In the US, companies will likely pursue a SOC 2 report as an initial security investment. CCPA and HIPAA compliance may also become necessary components of demonstrating trust. But what about companies that want to go further?

Gaining access to enterprise prospects and international markets brings greater responsibility when it comes to security and compliance. For example, complying with the European Union’s GDPR regulation unlocks many possible revenue streams. Obtaining an ISO 27001 certification tells the world that your company runs an information security management system audited against an internationally recognized standard.

Many high-tier prospects won’t even consider your business unless you have a specific certification, or can provide proof that you’re pursuing them. In other cases, they may not require proof of security, but it will distinguish you among competitors vying for their business, and their trust. 

Prove security at every stage of growth with Vanta Trust Reports

Having the ability to show off your commitment to security and compliance is a powerful differentiator. Vanta Trust Reports is the fastest and most transparent way to build trust in your organization. 

Increase efficiency and accelerate sales

Proving security and compliance requires a lot of back-and-forth communication. Spreadsheets, emails, questionnaires, and documents can easily get lost in the fray, or worse, delay a sale. 

Vanta Trust Reports provides one living source of truth for all of your security materials. Answer questions, send up-to-date reports, and provide value to prospects in the early stages of your partnership. 

Not certified yet, but on your way?

Just because you haven’t finalized your SOC 2 report or ISO 27001 certification doesn’t mean you have to stall new business. Many companies will happily move forward on a deal if you can demonstrate the steps you’re taking. 

Capture all of your security and compliance progress with Vanta Trust Reports so you can confidently come to the table with evidence.

Provide proof of regulatory compliance standards

Not all compliance is regulatory compliance, and not all compliance produces a certificate. Regulatory frameworks such as CCPA, GDPR, and HIPAA don’t require a certifying audit and don’t hand out certifications. Nevertheless, they are laws that companies are obligated to comply with in certain circumstances, and you may still be asked to show evidence that you do.

Vanta Trust Reports provides your business with a tangible source of evidence so you can demonstrate transparency to any prospect, partner, or regulatory entity. 

Get started‍

Schedule a demo with our team to learn more about Trust Reports and how Vanta can help streamline your compliance goals.

Access review stages and functionality
Across all stages
  • Easily create and save a new access review at a point in time
  • View detailed audit evidence of historical access reviews
Setup access review procedures
  • Define a global access review procedure that stakeholders can follow, ensuring consistency and mitigation of human error in reviews
  • Set your access review frequency (monthly, quarterly, etc.) and working period/deadlines
Consolidate account access data from systems
  • Integrate systems using dozens of pre-built integrations, or “connectors”. System account and HRIS data is pulled into Vanta.
  • Upcoming integrations include Zoom and Intercom (account access), and Personio (HRIS)
  • Upload access files from non-integrated systems
  • View and select systems in-scope for the review
Review, approve, and deny user access
  • Select the appropriate systems reviewer and due date
  • Get automatic notifications and reminders to systems reviewer of deadlines
  • Automatic flagging of “risky” accounts whose owner has been terminated or has switched departments, based on HRIS data
  • Intuitive interface to see all accounts with access, account accept/deny buttons, and notes section
  • Track progress of individual systems access reviews and see accounts that need to be removed or have access modified
  • Bulk sort, filter, and alter accounts based on account roles and employee title
Assign remediation tasks to system owners
  • Built-in remediation workflow for reviewers to request access changes and for admin to view and manage requests
  • Optional task tracker integration to create tickets for any access changes and provide visibility to the status of tickets and remediation
Verify changes to access
  • Focused view of accounts flagged for access changes for easy tracking and management
  • Automated evidence of remediation completion displayed for integrated systems
  • Manual evidence of remediation can be uploaded for non-integrated systems
Report and re-evaluate results
  • Auditor can log into Vanta to see history of all completed access reviews
  • Internals can see status of reviews in progress and also historical review detail
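The flagging step in the list above is a reconciliation of each system’s account export against the HRIS roster and the department recorded at the previous review. The following is an added example of that reconciliation logic, not Vanta’s own code; the employee and account records, the field names, and the three flag reasons are constructed assumptions for illustration.

```python
"""Reconcile system account exports against an HRIS roster and flag
accounts that need reviewer attention: owner terminated, owner moved
departments since the last review, or no HRIS owner at all (orphaned).
Added example; data model and sample records are assumptions."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Employee:
    employee_id: str
    email: str
    department: str
    status: str                          # "active" or "terminated"
    termination_date: date | None = None


@dataclass(frozen=True)
class Account:
    system: str
    username: str                        # login identity in the target system
    employee_id: str | None              # owner as mapped by the connector; None if unmatched
    role: str


@dataclass(frozen=True)
class Flag:
    system: str
    username: str
    reason: str                          # "terminated", "department_change", "orphaned"
    detail: str


# Constructed sample data, not real employees or systems.
HRIS = [
    Employee("E100", "ana@example.com", "Engineering", "active"),
    Employee("E101", "ben@example.com", "Finance", "terminated", date(2023, 3, 15)),
    Employee("E102", "cai@example.com", "Sales", "active"),
]
# Department of each employee as captured at the previous review (assumed).
PREVIOUS_REVIEW_DEPARTMENTS = {"E100": "Engineering", "E101": "Finance", "E102": "Support"}
ACCOUNTS = [
    Account("github", "ana", "E100", "admin"),
    Account("github", "ben", "E101", "member"),
    Account("crm", "cai", "E102", "admin"),
    Account("crm", "svc-export", None, "api"),   # service account with no HRIS owner
]


def reconcile(hris, accounts, previous_departments, review_date):
    """Return one Flag per account that a reviewer must act on."""
    by_id = {e.employee_id: e for e in hris}
    flags = []
    for acct in accounts:
        emp = by_id.get(acct.employee_id) if acct.employee_id else None
        if emp is None:
            # No owner in the roster: nobody attests to this access, so it is reviewed explicitly.
            flags.append(Flag(acct.system, acct.username, "orphaned",
                              "no HRIS record for this account; confirm owner or remove"))
            continue
        if emp.status == "terminated":
            # Access outliving employment is the highest-priority finding in a review.
            age = ""
            if emp.termination_date:
                age = f" {(review_date - emp.termination_date).days} days ago"
            flags.append(Flag(acct.system, acct.username, "terminated",
                              f"owner {emp.employee_id} terminated{age}; remove access"))
            continue
        prev = previous_departments.get(emp.employee_id)
        if prev and prev != emp.department:
            # A role granted for the old job may no longer be least privilege for the new one.
            flags.append(Flag(acct.system, acct.username, "department_change",
                              f"owner moved {prev} -> {emp.department}; re-validate role '{acct.role}'"))
    return flags


def summarize(flags):
    """Count flags by reason, e.g. for the review dashboard."""
    counts: dict[str, int] = {}
    for f in flags:
        counts[f.reason] = counts.get(f.reason, 0) + 1
    return counts


if __name__ == "__main__":
    for f in reconcile(HRIS, ACCOUNTS, PREVIOUS_REVIEW_DEPARTMENTS, date(2023, 4, 1)):
        print(f"[{f.reason}] {f.system}/{f.username}: {f.detail}")
    print(summarize(reconcile(HRIS, ACCOUNTS, PREVIOUS_REVIEW_DEPARTMENTS, date(2023, 4, 1))))
```

Accounts with an active owner in an unchanged department produce no flag and are left to the ordinary accept/deny pass; the three flagged categories are the ones that, in practice, account for most stale access, so surfacing them first is what makes the review tractable.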

PCI Compliance Selection Guide

Determine Your PCI Compliance Level

If your organization processes, stores, or transmits cardholder data, you must comply with the Payment Card Industry Data Security Standard (PCI DSS), a global standard maintained by the PCI Security Standards Council, which was founded by the major card brands. Compliance is a contractual requirement, enforced through the card brands and acquiring banks, for any business that accepts card payments.

When establishing strategies for implementing and maintaining PCI compliance, your organization needs to understand what constitutes a Merchant or Service Provider, and whether a Self Assessment Questionnaire (SAQ) or Report on Compliance (ROC) is most applicable to your business.

Answer a few short questions and we’ll help identify your compliance level.


Does your business offer services to customers who are interested in your level of PCI compliance?

Yes
No

Identify your PCI SAQ or ROC level

The PCI Security Standards Council has established the below criteria for Merchant and Service Provider validation. Use these descriptions to help determine the SAQ or ROC that best applies to your organization.

Good news! Vanta supports all of the following compliance levels:

SAQ A

A SAQ A is required for Merchants that do not require the physical presence of a credit card (like an eCommerce, mail, or telephone purchase). This means that the Merchant’s business has fully outsourced all cardholder data processing to PCI DSS compliant third party Service Providers, with no electronic storage, processing, or transmission of any cardholder data on the Merchant’s system or premises.

Get PCI DSS certified

SAQ A-EP

A SAQ A-EP is similar to a SAQ A, but applies to eCommerce Merchants whose website doesn’t itself receive cardholder data yet controls how customers are redirected to a PCI DSS validated third-party payment processor, and so can affect the security of the payment transaction.

Learn more about eCommerce PCI

SAQ D
for service providers

A SAQ D includes over 200 requirements and covers the entirety of PCI DSS compliance. If you are a Service Provider, a SAQ D is the only SAQ you’re eligible to complete.

Use our PCI checklist

ROC
Level 1 for service providers

A Report on Compliance (ROC) is an annual assessment, performed by a Qualified Security Assessor (QSA), that documents your organization’s ability to protect cardholder data. If you’re a Merchant that processes over six million transactions annually or a Service Provider that processes more than 300,000 transactions annually, your organization is responsible for both a ROC and an Attestation of Compliance (AOC).

Automate your ROC and AOC

Download this checklist for easy reference

Questions?

Learn more about how Vanta can help. You can also find information on PCI compliance levels at the PCI Security Standards Council website or by contacting your payment processing partner.
