
Meet the Vanta Security Team
As Vanta continues to grow and deliver new capabilities to our leading trust management platform, we’re excited to share more about our own Security, Enterprise Engineering, and Privacy, Risk, & Compliance teams — from the teams themselves.
In the coming months, we’ll introduce you to the teams that keep Vanta secure and compliant, and share tips and best practices for building and running security and compliance programs that meet the needs of your organization. Today, you’ll hear from Rob Picard, who leads the team, and Jess Chang, Staff Technical Program Manager on the Vanta Security team.
What does the Security team do at Vanta?
Security is at the heart of what we do—helping our customers improve their security and compliance posture starts with our own. Our team’s mission is to ensure that Vanta is a trusted and trustworthy steward of sensitive data.
Vanta’s Security team provides essential security operational services, partners in the software development process, sets policies and standards regarding enterprise-wide security requirements, writes and provides tooling, and offers advisory services to enable Vanta’s business to thrive while effectively managing risk.
That’s a long way of saying that we partner across the company to help keep Vanta trustworthy by ensuring we build software that’s secure by design, protect our customers and staff, and follow our own best practices when it comes to security.
How does the team work?
Every quarter as part of our planning process, the Security team updates our top five priorities and shares these across the company. Not only do these help inform prioritization of our own team’s resources and planning, but they also inform the work of our partner teams.
At Vanta, we set the tone internally that the Security team is here to help with any question a Vanta’n might have—and we mean it! We have clear ways for Vanta staff to reach out to our Security team, including:
- Internal Slack channel for general security questions, including ways to reach the on-call security engineer for more urgent needs and direct help
- Team email address, which allows for more private, direct conversations with the full Security team
- Ways to page the on-call security engineer 24/7/365
These channels to reach the team are shared upon onboarding with regular reminders to the company.
How is the team structured?
As part of the Engineering organization at Vanta, our Security team includes a small but mighty crew of generalists and security experts who wear a variety of hats—which is a key part of our team’s strategy at this stage in our development. We focus on five core areas:
Security Operations
Our security operations program is composed of three primary functions:
- Intrusion detection in the cloud, on endpoints, and in SaaS applications
- Threat hunting to improve our familiarity with our tools, keep up-to-date with broader trends in the industry, and improve our automated detection capabilities
- Incident response to quickly and effectively triage and remediate security incidents as they arise
Security Engineering
Our security engineering programs focus on product security, cloud security, vulnerability management, and penetration testing. We use a suite of security tools for static analysis, dynamic analysis, and attack surface and supply chain monitoring. In addition, we track and manage our vulnerabilities with a clear internal workflow that allows for visibility across different stages of the program. We also partner with Doyensec for regular penetration testing.
We want to be a key partner to all engineering teams at Vanta. We are regularly consulted for design documents, pull requests, architectural changes, and general product security questions.
Enterprise Security
Our enterprise security programs focus on securing how we work. We detect and triage phishing attacks, evaluate the security of prospective vendors using Vanta’s Vendor Risk Management product, manage corporate devices, and run our identity and access management (IAM) program.
We use Okta as our central identity provider and manage an internal ticketing system where employees can request time-bound elevated access with relevant justifications and approvals.
Behavioral Security
Our behavioral security programs focus on using behavioral science principles to make positive security and privacy behaviors as easy as possible to adopt—not only for our own staff, but also for Vanta’s 5,000+ customers.
Internally, we focus on product consulting to ensure Vanta promotes best security practices with each product interaction, and partner across the business on threat modeling to keep everyone’s mental model of the challenges we face as accurate as possible.
We also build and produce Vanta’s own library of security and privacy education videos to help our customers build a scalable and sustainable security culture—and one that’s accessible, fun, and memorable as well.
Security Governance
Our security governance program works closely with our internal Privacy, Risk, & Compliance team and our Legal team. Together, we establish policies and controls, monitor compliance with those controls, and prove our compliance to third-party auditors.
Our program is continuously monitored in Vanta, so we can trust that our governance framework is being followed rigorously. We formally maintain an internal library of security and privacy policies and procedures in Vanta with a defined review process to ensure we do what we say.
Where is the Security team based?
Vanta’s Security team embraces Vanta’s remote-first philosophy. As a fully remote team, we have a defined cadence of regular meetings that allow us to seamlessly collaborate with each other and partner teams. We also meet in person at least once a year, which helps us continue to build our team, spark creativity, and spend time together doing fun things.
Where can prospects and customers learn more about Vanta’s security program?
You can read more about our security program on Vanta’s website. We also have resources for prospects and customers on our Trust Report.
What excites you the most about Vanta’s product and mission?
Many things! Most importantly, while we’re here to help keep Vanta and our customers safe, we’re also internal customers of our own instance of Vanta.
This means we’re able to provide direct, tangible product feedback on Vanta itself toward our mission of securing the internet and protecting consumer data. This close relationship also gives us a chance to partner with our Product team by testing and providing feedback on early features in development—which also helps improve our workflows.
Overall, we love partnering with our employees and customers, and look forward to continuing to help Vanta on our mission forward!
Any fun facts about the Vanta Security team?
- 100% of Security team members are parents.
- No two members of the team live within driving distance of one another unless you’re up for a long road trip—we’re fully distributed!
- We’re big fans of Ilma, Vanta’s mascot! Llamas have always played a special role in Vanta’s brand. Our team especially loves that Ilma is a guard animal who protects livestock from harm and threats, yet is also warm, approachable, and intelligent.
Join Vanta’s mission to secure the internet and protect consumer data—learn about our open roles!




