#73- My (hypothetical) chat with Christina Cacioppo, co-founder & CEO of Vanta
"You can't raise your way into the right product"
A big thank you to Christina Cacioppo, the co-founder & CEO of Vanta, an automated security and compliance platform, for being on board with this! I took the creative liberty to turn a webinar by Christina into a hypothetical chat between the two of us. In the webinar, she shared four practical lessons from her journey to scale Vanta without having a ton of capital. In the last couple of years of funding early-stage companies, I’ve so much respect for founders who do simple things very well. Many parts of the 32-minute webinar resonated with how I would like to see early-stage company building in India - raising a seed round, growing your business to a level where you are in control of your destiny before deciding whether you want to build a cash flow business or an IPO-ready machine. This post is an effort to condense learnings in a fun format, as a mark of earning the respect of the same early-stage founders I’ve learned so much from.
Siddharth: Christina, thank you for taking the time and having this quite hypothetical chat with us!
Christina: The pleasure is all mine!
Siddharth: Can you give us a quick overview of Vanta?
Christina: Vanta is an automated security and compliance platform. Vanta makes it easier for businesses to trust and do business with one another by simplifying the process for earning security certifications like SOC 2, ISO 27001, GDPR and HIPAA. The cost of a compliance mistake or security breach is huge. And today the world is moving toward data protection. Vanta makes it easier for big and small companies to be compliant easily.
Siddharth: How did you come up with this idea? What is the Vanta origin story?
Christina: In 2016, I was a product manager at Dropbox Paper. Paper was born out of an acquisition of Hackpad in 2014. Paper was essentially a document collaboration and editing tool. We were mandated to operate like a startup ourselves with the target of scaling to the level of Dropbox itself. So like a startup we were moving fast and breaking things literally. At the time we were not generating revenues so we wanted to go to market faster and provide Paper to every Dropbox user.
But we soon realized that we had not built Paper for security and scale. We learned we had to get a SOC 2. You have to understand this compliance process can take over a year and take most of the team’s engineering resources. We were uninitiated at the time, but this was happening during the time of high-profile data breaches. In 2016-2017 we had Equifax and the US Presidential elections, and data compliance and security were being taken very seriously. Security could no longer be put off until scale or an attractive acquisition interest. You had to do it all from the beginning. And for Paper, it was a big process we had to go back and retrofit.
So in 2017, I co-founded Vanta with the idea that if you give small companies tools to start security early, it becomes easier to demonstrate security later with processes like SOC 2 compliance. And more importantly, we thought we could level the playing field where smaller startups could compete with the more established enterprises.
Siddharth: Very exciting - you experienced this as a product manager and went on to build a full-scale solution. How does Vanta look in numbers today?
Christina: By the end of 2020, we crossed $10mn in ARR and helped almost 1000 companies improve their security. We’re particularly proud of this milestone because we surpassed this without raising a Series A.
Siddharth: That is not the usual path most SaaS companies take. We keep hearing the $1mn ARR threshold to launch a Series A. And that is especially in an environment where the VC world was flush with liquidity. What was the thought process behind it?
Christina: Yes, most companies raise Series A at $1mn, and Series B at $10mn. We did not take the decision lightly. We wanted to wait for $10mn before we raised institutional money.
But, it wasn’t the original plan. We went through YC and were the winner of the 2018 batch. We raised a $3mn seed round like our other YC batchmates in 2018. The plan was cookie cutter - take Vanta from $150k in ARR with seed capital and take it to $1-2mn ARR and raise a Series A and Series B at $10mn just like the standard SaaS company trajectory.
But the shock came in 2018 when the YC Partner pulled me into their office and said we were badly off-track. 6 months after YC ended, most of our batchmates had already hit a million-dollar ARR and were driving up and down Sand Hill road. In contrast, we hadn’t. So I walked out of that room pretty freaked out with a feeling that whoops we’re at the back of the classroom.
Siddharth: How unsettling was that? Being told you’re off track and then taking this news to your team.
Christina: Before this infamous meeting, we spent the last couple of months hiring early team members and engineers which took some time. But this felt like a good thing to do. But this, unfortunately, meant we weren’t growing our customer base.
I walked out pretty resolute. I did not want financing and financing timelines to dictate Vanta’s business. I also did not want to walk into VCs’ offices and try to pitch Vanta without the full confidence that the idea deserved. We’d have been a $200k ARR YC-backed company in a new market, new category, and all that comes with trying to raise without validation.
Siddharth: You say this because you’ve been on both sides of the table.
Christina: Yes. I was fortunate enough to start my career as a VC with USV. This is not to discourage fundraising or denigrate VCs - we’ve since raised from great investors. But this is something I wanted Vanta to do on its own before going out and raising.
Siddharth: So what did you do differently? From your original plan, and your peers at YC.
Christina: Raising a Series A was off. We weren’t at that scale. So when my batchmates were building slides, I was talking to customers, selling the product myself, knowing which pitches to customers resonated and which ones did not, and building conviction around our existence. We wanted to be really sure that we’re building a new product in a new category and could bring opportunity and growth for startups.
We didn’t think about financing for a while. And 6 months later we did hit that magical $1mn ARR figure. We then revisited the question of fundraising - but realized something within us changed. We became clear about the problems money could and could not solve. We had more conviction in ourselves that we were building a meaningful and sustainable business.
Siddharth: As they say, constraints breed creativity.
Christina: Absolutely. Working within the constraints of our balance sheet brought a lot of benefits.
Firstly, we relied on a lot of word of mouth since we didn’t have huge marketing budgets - we had no marketing budget. So all of the growth came from organic word of mouth which was a good barometer of PMF. People would tell their friends “We’re SOC 2 compliant!”.
Secondly, it instilled discipline within the team about our bank balance. Every Monday everyone knew how much money we had and how much that fluctuated every week. Our off-the-cuff rule was to spend the money as if you had to stand in the middle of the room and explain to your coworkers where you’d spent it. We fostered the culture of prudence early on.
Lastly, it calibrated us to focus on the business with fewer distractions because we felt we were building an important and sustainable business. At the end of the day the question was did we like the business we were building, not whether some VC will like it.
Siddharth: This is not as easy as it sounds. What are your takeaways from building Vanta in that period?
Christina: I’ve learned that the market always wins. You have to build something people want. Of course, you will not start a business if you don’t have an intuition of what people want. But validating that people will buy your product even before you start coding is the next important thing. For me at Vanta, we must validate the idea before writing a single line of code. I say this as in the past, I made the mistake of writing a lot of code for a lot of products that people didn’t want.
Before writing code, we validated by speaking with a lot of founders and received two insights. Firstly, we spoke to a lot of small startup founders who were selling innovative products to enterprises. It was exciting, the founders had internal product champions who helped things move. Everything went on smoothly. But the deals are stuck at the 1-yard line due to security review. It wasn’t even clear what security review meant. But it did mean the deal got stuck.
Secondly, so many CTOs were losing sleep because they had so much anxiety. They wanted to do the right things in terms of security but nobody knew what was the right thing and where to start. Many knew what to do but didn’t know how to prioritize.
Siddharth: Earlier we thought about security as a check-in-the-box thing, but over time it has become arduous and takes away a lot of bandwidth.
Christina: Yes. People are filling out detailed questionnaires, trying to figure out what a security review means, and scurrying to buy tools. And we realized in early-stage startups, security falls into the high-anxiety, low-knowledge gap. Security is important but for startups, it is not the core. There are more important things to be figured out, and there is clearly more information required when it comes to security. Having these conversations helped us validate the idea that there was a lot of motivation to buy a product, to remove the ambiguity in the process, to beef up early-stage security and demonstrate the same to their clients. Startups wanted to tell their customers, “Hey! We know data is important, you are giving us sensitive information, and we’ll be good stewards of the data.”
From my Dropbox experience, I knew that SOC 2 was more of a CommonApp for security (one common application for all). So we figured out that if we make SOC 2 compliance easy and accessible there will be a lot of willing users. Yet, we didn’t enter build mode. We took SOC 2 reports and de-jargonized them to help our friends at Segment, who were undergoing compliance. What came out of the exercise was a spreadsheet of SOC 2 controls which we thought we could code, automate and all that. We created the report and asked Segment three questions - What did I give you? Would you use it? How much would you pay for it? If your customers can not answer these questions, you should go and change something - your prototype may be faulty.
We found we were on the right track. We could engineer-ify SOC 2, people understood it, and they were ready to pay for it.
Lesson #1: “You can’t raise your way into the right product.”
Siddharth: You were still a small company with limited resources. How did you manage the balance sheet while keeping one foot on growth?
Christina: When we started, we offered both monthly and annual pricing options just like every other SaaS company. We brought in a salesperson 6-9 months after starting to sell and the first thing he did was to completely stop monthly pricing options. It was scary as we didn’t know if people wanted to buy from us. But we asked ourselves, what are we selling? We’re selling security automation and it is not done monthly! You don’t handle security automation on a month-to-month basis, you do it on an ongoing basis. Customers didn’t blink an eye when we said we have only annual pricing options, just signed the DocuSign and wired the money.
Siddharth: How did annual charging help you?
Christina: Firstly, we understood where our customers were in their lifecycles. Security automation is a step-by-step continuous process. Early customers required hand-holding and we were able to provide better support. Since we removed the monthly option, we had fewer SKUs to sell, which streamlined sales and RevOps - we technically had only 1 SKU - the annual Vanta for SOC 2. And lastly, having annual revenues removed the fluctuation of monthly revenues and gave us more predictability in our revenues. A key learning was if you build something people really want, you can go ahead and ask them for upfront annual payments and they’ll pay it too - making your life and operations easier.
Lesson #2: “Did you build something people want?”
Siddharth: But it is difficult to imagine it would have been easy to scale to $10mn without a lot of capital. What went into scaling Vanta?
Christina: Hire the right people. The most important advice I have to give about recruiting is to do a lot of it. I was told that 50% of my time as a CEO should be spent recruiting. This felt totally unreasonable because you’re never a CEO in an early startup, you’re everything - so how can you spend half your time doing just one thing? I realized there is no silver bullet. You have to do it. You talk to a lot of people. These aren’t always conversations about roles you are looking to fill immediately - some are to build a pipeline to fill roles in the future. Over time you envision which roles will come up in the future and what their candidates will look like. Our longest recruiting process took about 3 years.
Siddharth: How difficult was recruiting?
Christina: It's painful. We fell into this trap of over-engineering roles. We used to (and still) believe we are a bunch of smart people coming together to solve a key problem and create an impact in the world. But we are a SaaS company at the end of the day. And there we were creating niche roles which were mashed-up bits and pieces of other roles. We were creating unicorn roles like Audit Operations Manager when it was a workhorse role like a Customer Success role. This caused heartburn.
Do you know what’s difficult to find? An Audit Operations Manager. Most people don’t know what that means - even we thought we did when we didn’t. It was just a mixture of 4 different roles. How to find someone for the role? Do you know what’s easy to find? A Customer Success Manager.
At the early stage when there isn’t a lot of capital or a buzz from a big financing round, it is really important to just stick to the basics - get what you really need. And job titles and responsibilities are not what makes your startup special. We’re actually looking to hire a bunch of people at the moment - you can check it out here. Simple, standard job titles are at any SaaS company and that helps attract candidates and helps them understand the broad contours of the job and responsibility.
Lesson #3: “Hire more workhorses. Spend less time looking for unicorns.”
Siddharth: Fantastic! So you built a product people wanted, took it to market, grew revenues, and had a great team before you went out to raise. What were your thoughts before raising?
Christina: Raising money has its advantages. But you have to understand which problems money can and can not solve. Many startups have to raise to address the following factors - changing market dynamics by competitor entry, identifying a fast-growing revenue stream and spending on marketing, rapidly building a team, etc.
But raising money is a time-consuming process. It takes 1-2 months, maybe more (definitely more) where the founder bandwidth is completely on the raise - storytelling, narrative building, data rooms, etc. And during this period the founders’ head is in an alternate reality where there are no problems, everything is perfect, every scenario is a blue sky, and every conversation is an opportunity to sell your vision. It is very different from day-to-day operations and I found it very hard, near impossible, to do both at the same time.
My input to founders is that if you plan to raise, be prepared to stay away from day to day for a month or two. And while there is no good time for a founder to stay away from running the company, there are good and bad times within to stay away. For Vanta, we were at a $10mn ARR before investors looked into our books so we built our own conviction and a real opportunity which we could sell to others.
Siddharth: When the VC world was flush with capital in 2020, you did not raise. And in 2022 when there is a dearth of deals, you raised a bumper $110mn Series B.
Christina: As an industry, we celebrate the big PR moments, and it is great for team morale. But that is just 1 day. And you’re building the business day in and out. Hence building conviction in product, market, customers, and the opportunity is really important before you decide to raise. Do it because you wanted to do it and the business required it, not because of a hype machine. We raised because we had deep conviction backed by numbers and the business was ready to take the capital.
This is not to say you shouldn’t raise. We are very grateful to our investors Sequoia, Craft Ventures and others who have been very helpful to us in our journey.
Lesson #4: “Understand which problems money can and can not solve.”
Siddharth: This has been a great conversation. Any closing thoughts?
Christina: Every startup is different and they’re all hard whether or not they work and they’re all really rewarding. I hope this conversation helps some founders learn from Vanta’s battle scars and do things differently or better.