[00:00:00] Jadee Hanson: Gone are the days of, like, running around trying to get screenshots of, like, settings, and is this thing turned on or off? Like, I think that the world that we need to live in now is, like, continuous checking. And you let me know if, like, something’s off and absolutely provides, like, much more assurance in organizing and adopting that mindset and, like, those types of, like, continuous controls than we’ve ever had in the past.
[00:00:47] Karissa Breen: Joining me now is Jadee Hanson, chief information security officer at Vanta. And today we’re discussing if compliance is a minimum standard or a strategic enabler in cyber security governance. So, Jadee, thanks for joining me and welcome.
[00:01:00] Jadee Hanson: Thank you so much for having me.
[00:01:01] Karissa Breen: Okay, so, Jadee, I’m really curious, maybe to start with, when people hear the word compliance, where do you think their mind goes? And I ask this because there’s certain words in the industry like audit, governance, risk, compliance, people start to get a little bit nervous. So I’m keen to hear your thoughts and insights on that.
[00:01:19] Jadee Hanson: Yeah, I think for most people, when they think of the word compliance or they hear the word compliance, their mind typically goes to checklists, audits, potentially regulatory hurdles or even fines. It often feels like a blocker or something that is going to slow the business down. I think in reality, we do need to flip the script on this. Compliance is about more than, you know, going through an audit and going through a regulatory hurdle. It’s really about building trust with your customers, and that can really turn into a business enabler for you. In many cases, if you can prove compliance and trust, your company is just much more suited to win business, get that next big deal and get just this agreement with those customers that you want to attract and maintain.
[00:02:16] Karissa Breen: Yeah, okay, that’s interesting. So going back to trust, it’s one of those things that’s. How do you sort of establish that, would you say, given your experience? Because we’ve often, we do speak about this a lot in the industry, but what would be your approach to establish that or to know that businesses, perhaps that are listening, that are like, yep, I think I’ve got that. That level of trust.
[00:02:35] Jadee Hanson: Yeah. I think trust can be established in a number of different ways. I mean, at the end of the day, it’s around transparency, it’s around accountability, transparent on where you are as an organization, what things are in place, what things aren’t.
[00:02:51] Jadee Hanson: If you’re selling software, it’s not overpromising that you have features that you don’t actually have. And then I think on the accountability side, it’s doing what you said you were going to do that is certainly establishing trust with your buyers. And I think the last thing that I would mention that is just like such a huge component of establishing trust is the transparency. And so one thing that we do at Vanta is like, we’re very, very transparent on where we’re at, where we’re going, and when we have issues, we’re very transparent on. This is the issue, this is what we’re doing to fix it. I think all of those things combined really, really establish trust with like those, those folks that you’re trying to attract as customers.
[00:03:37] Karissa Breen: Okay, so there’s a few things in here that I want to go into a little bit more. So when you said the level of integrity doing what you said you’re going to do, one thing that’s interesting and we’ve seen this sort of happen a lot here in Australia is, and even recently this week, businesses out there saying, you know, we really care about your security, we really care about your data. And then like a breach happens or something happens. And then of course that erodes trust. Now I’m not saying that these businesses don’t take that seriously because again, security is not, it’s a complex thing. It’s, it’s not a, an easy thing to do as well. So do you think that customers nowadays, they are looking for more of that integrity in terms of people aren’t as loyal to businesses as they sort of used to be. If they can get a better deal, offer whatever elsewhere, we are seeing that people are willing to move. So how does that sort of sit with you then, going back to that integrity and accountability piece?
[00:04:30] Jadee Hanson: Yeah, I mean, I think that the fact that there are breaches and more and more breaches to me doesn’t necessarily tie directly to like folks not doing the right things. I think, you know, security is like very complicated, very space, very complicated area. The adversaries get better and better every year. And so I do think from a company standpoint, like the actions that a company is taking, all the things can be in place and there can still be a human error that causes some sort of issue to happen. And so, yes, I get it like the, you know, anytime that there’s a breach or an incident, it erodes trust. But I’ll go back to the transparency comment of making sure that when those things happen, I think the following actions from a company and how they show up with the right transparency and the right actions, like really changes the narrative.
[00:05:30] Karissa Breen: And when you say how they show up, do you mean how they show up through the breach, as in how they tell their customers, the way in which they tell their customers, when they tell their customers all those sort of things?
[00:05:39] Jadee Hanson: Yeah, absolutely.
[00:05:40] Karissa Breen: Yeah. So one thing that I look, it’s really, really hard to do this, but going back to transparency as well, what is it would you say again nowadays that people are looking for? And it’s not an easy one to answer because again, you can’t, you’re not going to make every single person happy. But as a rule of thumb or generally speaking, what is it would you say, Jadee, that people are sort of looking for, that they feel like, hey, this business is being honest and truthful and they. Because they’re providing that transparency.
[00:06:09] Jadee Hanson: Yeah, it’s a, it’s a good question. I think in security, you know, the, the table stakes are going back to the compliance piece and really this is like, do you have the standard compliance certifications in place or do you not? And if you don’t, where are you and when do you plan to get them and what are the things that are gaps from the current compliance standard? So starting with like ISO and SOC 2, all the way to maybe the hardest one, which is a US one, which is our FedRAMP authorization, all of, all of the transparency around that I think can be like incredibly helpful. The other thing that I would say that is an area where companies want to see more transparency is effectiveness of like the working controls within an organization. And so you know, one thing that we do is we have a trust center that you can go to vanta.trust.com, or maybe it’s trust.vanta.com, you can go to it and you can see all of the controls that are in place. And what we do is a real-time monitoring of every one of those controls and you see a little green checkbox of like when the control is in place and when it’s not. And so that I think is the future is like a continuous automated way to test for certain controls in place and a very like transparent way to provide like current state to prospects, buyers and customers alike.
[00:07:38] Karissa Breen: And would you also say, just to add to that, I mean from my experience working in the field historically, I mean I walked, I worked more in a GRC sort of role on the governance side more so. However, would you say that people feel really overwhelmed by compliance? Because like a lot of these things are quite complicated, complex, arduous. There’s a lot going on, people feel overwhelmed and it’s like another thing that they’ve got to do. So therefore they’re like, oh, that’s really hard and monotonous. So I’ll just sort of put that down towards the bottom of my list, if I’m being honest. So where do you think now and how do we sort of make this easier for people? And would you say that is a common reaction from customers that you’re speaking to? Is all these things really overwhelming, Jadee, and therefore it goes to the bottom of my list?
[00:08:24] Jadee Hanson: Yeah, I do think that in certain cases like compliance can move to the bottom of the list. But I think the one thing that I see which is really promising is buyers are demanding like baseline compliance to be in place. And I’ve heard people describe this by saying that every compliance control that we pass can be translated in some sort of way a customer is paying for it. And so when you think of that in the broad scale like it, it really matters. It matters in every sale that a company has. I think gone are the days of companies just buying software and engaging with companies without a level of understanding of security compliance. And so you may get by with putting it at the bottom of the list for a period of time, but that will be short-lived because any reputable company is going to expect that you have some of these baseline compliance things in place and they’re going to want to see transparently where you’re at for each of them.
[00:09:25] Karissa Breen: So baseline compliance, what’s your sort of definition in case people are not familiar?
[00:09:29] Jadee Hanson: Yeah, I think baseline compliance is like any sort of standard that you want to use to show that you’re meeting those specific security controls. So I think SOC 2 is a great place to start. I think the ISO 27001 is a great place to start. Anything like that, that kind of gets you moving towards a list of a security framework that has a list of very baseline controls that should be in place at every company.
[00:10:00] Karissa Breen: And then sort of to add to that. So when you get into more like sort of complex things and if you’re in a regulated versus non regulated industry, what are people sort of looking for on that front then? Just more of a guiding light to say, okay, this is where we’ve got to go in terms of the direction or what does that sort of look like?
[00:10:14] Jadee Hanson: Yeah, I think, you know, compliance is in large part like the minimum standard. I do think that it is like the floor, it shouldn’t be the ceiling, it’s a great like starting point for companies journey in security.
But we do have to get beyond that. I think, you know, in great security organizations you build a more mature, resilient program.
Achieving the minimum keeps businesses like legally operating. You have the certification that you can hand out to your customers, but it doesn’t really guarantee like the competitive advantage or even like the security resilience. And so like I think security teams like have to go above and beyond to really like solidify like stakeholder trust in what you’re doing and how you’re moving. So you know, things that we deal with at Vanta is yes, we have a SOC 2, yes, we have ISO 27001. But certain companies, certain things are more important to them versus others that maybe aren’t necessarily covered in the SOC 2 or are beyond the maturity of controls in the SOC 2. Things like having a bug bounty program in place or having a responsible disclosure process and way to address vulnerabilities like that, that’s all another level of maturity that really builds trust with customers.
[00:11:39] Karissa Breen: Yeah. So Jadee, you mentioned before resiliency programs. So that’s something that’s often coming up in my interviews. So do you have sort of your definition of it? And I asked this because everyone defines resiliency programs differently or they say like continuous business or they talk a lot about crisis management that feeds into resiliency programs. So I’m keen to sort of get your thoughts on that.
[00:11:59] Jadee Hanson: Yeah, I think this is a term that it’s defined very differently for very different types of industries and then people among the different or people also define it differently. And so for me I think of this like more tied to business continuity planning, disaster recovery planning and really like companies just want to know and feel good that organization has like strong ability to be available when they need them, have a strong ability to come back during, after a crisis and are going to be there when things get tough. And so to me, like, I think that there’s a lot of times where compliance programs actually like touch on this. Most of like the standard compliance frameworks like demand things within business continuity and disaster recovery and actually like test the fact that you go out and you do like resiliency testing and ensure that yes, you, you know, you go beyond just having like a policy on paper and teams actually have tested a failover and know that it will work and know that their system will be up and running if there’s any sort of emergency.
[00:13:11] Karissa Breen: So now Jadee, I sort of just want to move slightly, maybe about 2 millimeters and talking around compliance being an enabler. Now this is a really important question and it’s something that we often speak about in the industry, like security is an enabler or this could be an enabler. But how would you sort of change the conversation for people to understand that about compliance? Because then this is really, really important because often I just hear people throwing the terms out but not really defining it or not explaining a lot of their thinking behind it. So I’m keen to understand how this sits with you.
[00:13:40] Jadee Hanson: I actually love thinking about compliance as enablers. I think it is a foundation for scaling responsibly and when done right, it builds this customer confidence along the way and it accelerates deals, helps the company win. It also reduces risks in ways that directly support business growth. And so as a company grows and gets bigger deals and bigger customers, they expect certain things to be in place. And you’re sort of like reducing risk and meeting certain controls at the same time that customers are asking for those things to be in place.
So it’s not a surprise that companies like favor brands that focus on security and trust. I’ve heard people describe this by saying that every compliance control that we pass can be translated into like this, something that people pay for. I think tools like Vanta, they certainly like help enable this. And that’s why we think of the Vanta solution as like a trust management platform, really establishing trust and again like being that enabler.
[00:14:52] Karissa Breen: And would you say as well people’s sort of mindset is shifting more towards. Yeah, okay, I see what you mean. It is more of an enabler rather than like a sunken cost or all this investment or we’re buying things that is not tangible. Are people in the industry moving away from that, would you say?
[00:15:07] Jadee Hanson: It takes a strong leader to be able to like tie to business impact and bottom line. But I absolutely like think that companies are like much more thinking about like compliance and security programs as being like a foundational requirement to enable the business.
[00:15:31] Karissa Breen: Enterprise tech leaders know that compliance isn’t just about ticking boxes. It’s about risk, reputation and revenue. That’s why companies trust Vanta to streamline their security and compliance workflows at scale with deep integrations and automated evidence collection. Vanta takes the manual audit grunt work out of the frameworks like ISO 27001, SOC 2 and GDPR. Visit vanta.com/kbcast v a n t a.com/kbcast to learn more.
And I know you sort of mentioned it before, but maybe let’s open it up Just slightly around, you know, the definition of that minimum standard around compliance. Because again, depending on who you speak to or depending on who you ask for the different versions of it. But I’m keen to really understand your thoughts because again, you’ve made some really good points here today, and I think it’s quite easy and digestible for people to understand.
[00:16:27] Jadee Hanson: Yeah. So compliance, like, through the lens of like, the minimum standard. I think the minimum standard is just that. It’s like the floor, it’s not the ceiling. We often see companies, like, start to think about compliance when a vendor requires a SOC 2, and it’s a great, like, starting point for companies that want to start in SOC 2. Orey mentioned ISO 27001. Like, very great starting point. I think it’s just the thing, the macro thing that I would want to point people to is to remember that it is the starting point for building a more mature, resilient program.
And achieving the minimum keeps like, the business, like, legally operational, but it doesn’t, like, guarantee that competitive advantage and going kind of beyond the basics to establish that stakeholder trust.
One of the ways that I’ve heard people describe about compliance as like a minimum standard was like having a driver’s license.
You know, you can be on the road, the driver’s license allows you to be on the road, but it doesn’t say anything about how mature or skillful you are as a driver. For those that are listening who have new drivers in the house, like I do, this analogy, like, really hit home for me.
[00:17:40] Karissa Breen: And would you say, going back to your analogy, would you say most businesses today that you’re seeing is just being the driver on the road, or do you think people are getting a little bit more advanced in their driving capability?
[00:17:51] Jadee Hanson: I think most businesses, if I’m to generalize, are, are meeting the standard and not yet maturing beyond that. Again, like, it depends on, like, what compliance standard they’re after.
But going beyond the basics is really going to come from, like, further customer demands to do it. A company that, like, really puts security first in the organization and wants to see the company operating in a secure, mature way, as the company grows, I think it becomes more and more critical. As a company starts out, I do think that they’re probably like, just meeting the standard.
[00:18:29] Karissa Breen: And you also mentioned before, it doesn’t guarantee competitive advantage. So talk to me a little bit more about what do you mean by that?
[00:18:37] Jadee Hanson: Great companies really prioritize, like, trust. They prioritize trust and safety. And I think consumers as well as companies like gravitate towards those companies that prioritize trust and safety. And so two companies can look alike and they both have ISO 27001 certification. But if there’s one that’s like being really transparent, that’s being really accountable and really pushing the needle, I think consumers and companies will gravitate towards that company over the other in the sense of like, you know, people want to do business with a company that prioritize like trust and safety.
[00:19:20] Karissa Breen: Yeah, for sure. That’s interesting because now I’m starting to see, especially here in Australia, a lot of advertising, especially with banks. I mean I worked in a bank more than 10 years ago and we didn’t do a lot of that. But nowadays I’m starting to see that these banks saying like, you know, we really care about like phishing emails and scams and we’re really taking it seriously. So I’m, I am seeing a push in terms of marketing around that than maybe historically in security. So I would agree with you on that front.
[00:19:44] Jadee Hanson: Yeah, absolutely.
[00:19:45] Karissa Breen: So, okay, so there’s a couple of other things around we mentioned before about the drivers just sort of being on the road and you, and you like saying people are now going to start to go beyond or they haven’t really. So would you say if you were to look forward, we will start to see these fuels going beyond based on all the factors you mentioned before, especially around trust and companies having that competitive advantage, etc. So would you envision that this is something that when you come back and you speak to me a year later you say, yeah, Karissa, people are getting a little more advanced with their driving or how do you sort of see that unfolding?
[00:20:19] Jadee Hanson: I mean I absolutely think that this is the start. You know, if you think about like just like the security industry, it really, really hasn’t been. The data security industry really hasn’t been around for that long and you’ve seen just like a massive amount of uptick in people prioritizing this, companies like making sure that they have like strong mature security teams. And so I think this is like just the beginning and this is going to continue to grow and companies are going to continue to prioritize this.
[00:20:51] Karissa Breen: Okay, so now I want to move to. And you. Everyone would have heard this. It’s not just a tick box or it’s just a tick in the box for companies. And I think this is such a big thing to address because it’s something that we often hear in this space.
How would you sort of advise companies to look past the proverbial ticking of the box when it comes to compliance. And I think I really want to get your thoughts and understand your mindset around this because it’s something that I’ve, I’ve heard for literally years, but then people still default to it or they’re saying, oh, but that company just sort of did the tick in the box and then they moved on and they were not really compliant. And you’ve heard all of these sort of things. So I think this is a really big one to address and to hear your thoughts on.
[00:21:31] Jadee Hanson: Yeah, this one is really interesting. So I think looking beyond ticking the box, or looking beyond kind of, that point in time is really all around what Vanta is fantastic at, which is continuous compliance. So I think we need to shift the mindset from being reactive to proactive. Compliance needs to matter beyond just when you’re doing your audit or just when you’re preparing for your audit. So moving away from this like point in time ticking the box to a more continuous, always on security and compliance program will more actively demonstrate trust. It will protect against threats in a meaningful way and certainly protect against like reputational damage. So for us, like, again, like I mentioned, like, we display our controls externally, we have a continuous monitoring of the controls in place. And so these are checked whether it’s like daily or weekly or monthly cadence, but these are checked regularly. And then we transparently show what controls we are meeting. And that to me is like moving beyond ticking the box.
[00:22:46] Karissa Breen: So when I, back when I was doing like actual, I used to create dashboards around compliance, but it was all manual. So I used to have to pull all of the feeds, create like a, a Tableau dashboard. And then it had to be like maintained like daily. But all of that was super manual. Right? And then like every day, Jadee, someone would come up to my desk. Oh, like what’s happening on that front? So I’d have to refresh it, make sure something was working, or if one of the spreadsheets there was an error, then my whole thing wouldn’t work. So there’s a lot of frustration then around that. So going back to the continuous side of things, would you say now, leaders and boards, this is something they’re going to want to see? Because again, that demonstration demonstrates the trust. It also is sort of keeping people. There’s that pulse check, right? Because if you’re just doing it once a year or once every couple of months, or once when you know you got an audit or something on, you sort of remove from your finger on the pulse a little bit and that’s when issues can start to arise. Right, so is this going to be more of a focus now for executives and boards?
[00:23:45] Jadee Hanson: Yeah, 100%. I, I mean, I think for me, like I, I don’t want to learn about a compliance control failing, you know, minutes before my audit. And I should have had it in place for the last year. And so like that’s the game changing move with continuous compliance. It really shifts the ability for teams to just like have this like real time view of like their compliance posture and know exactly where they need to fix them sync. They don’t need to wait for the internal audit, they don’t need to wait for the external audit. They have like a real time view into what’s going on and what needs to be addressed.
[00:24:27] Karissa Breen: And would you say as well that sort of adds that extra layer of assurance because you know, sort of where you’re at because again, I mean if you’re doing this arbitrary once a year, you’re sort of crossing your fingers and hoping that, oh, I hope those things are all going well and like you said, it could come up to the minutes and some, something’s gone wrong and you don’t have time to, to fix it. So would you say that people are probably sleeping better at night because they got that assurance there and they sort of know where things are at at least?
[00:24:52] Jadee Hanson: I. Absolutely. I mean gone are the days of like running around trying to get screenshots of like settings and is this thing turned on or off? Like I think the, the world that we need to live in now is like continuous checking and you let me know if like something’s off and absolutely provides like much more assurance in organizing and adopting that mindset and like those types of like continuous controls than we’ve ever had in the past.
[00:25:24] Karissa Breen: And then would you also say as well that it’s, it’s giving people time that okay, there’s an issue, hey, we’ve got time to really think about this. It’s not like at the 11th hour we have to make crazy decisions. So would you say that overall the security posture is of a higher standard because that is that continuous compliance happening there that people can sort of say, hey, actually we’ve got an issue, we need to fix it and we have some time to fix it before, you know, the audit happens, for example, or something else happens. So you’re starting to see that as an overall trend as well?
[00:25:53] Jadee Hanson: 100%. Yeah. Anytime that you’re gonna have like more real time visibility and insights, like, your maturity goes up, your program is just much more healthy, your team has more time to address things that they need to address.
There’s just so many benefits from that continuous approach.
[00:26:11] Karissa Breen: And would you say, if you were to zoom out with the continuous approach, would you say this is going to be like the, the go to thing or it’s going to be like a standard that’s going to be implemented by governments? Because again, especially if you’re in a regulated industry, there’s not a lot if something goes wrong, like it really can go wrong. And we’ve seen that in cases here in Australia or they have to do a whole investigation, they get fined, they get all of these sort of things right, or they’re, they’re at risk potentially of losing, you know, some of their financial services licenses as well if certain things go so crazy or awry. So would you say that this is going to be something that we start to see now moving forward or.
[00:26:47] Jadee Hanson: Yeah, I think this is going to become a standard. I think security teams are going to demand to operate this way. They’re going to see the benefits and they’re just going to want to operate in this model. And I think buyers alike are going to demand some sort of like compliance, continuous compliance over current state, like, I’ll send you a report once a, once a year. In the US, we’ve already seen this start to take shape. Right now there is a federal compliance authorization that is largely based on NIST 853. And what the federal government is changing now is they’re moving to what they’re calling key security indicators. And they’re forcing those key security indicators to be things that you can, you can continuously monitor in an automated basis. And so I think we’re like starting to see this take shape. One, you know, from a standards perspective and security teams seeing the value and wanting to move this way.
[00:27:51] Karissa Breen: And what’s one thing, Jadee, that you think people, when you talk about continuous compliance, for example, what is it that you think people aren’t aware of or don’t quite understand that you have to keep explaining a little bit more.
[00:28:02] Jadee Hanson: I don’t think people understand the efficiency gains from doing it a different way. When you think about the old way, we used to do compliance, we had a number of different controls and folks had to run around in an organization and grab screenshots and get insight into exactly how a control is working. And they had to share those screenshots with auditors and follow up. And today we have so much that we can build into some sort of like automated check or test to give us the visibility and the evidence that we need. And I don’t think people understand what a game changer it is from an efficiency standpoint and how it allows just so much like time back within the security team. And so that’s, that’s really fun to like see teams adopt this approach and have just incredible success on efficiency.
[00:29:01] Karissa Breen: Do you think people are reluctant because it’s like they don’t know what they don’t know yet or you’ve always done it this way, there’s a lot of that thing, or hey, I’ve been doing this sort of function for 20 years now I’ve got to change to doing something else, which I’m not familiar with. Or where do you think people’s mindset is towards that?
[00:29:16] Jadee Hanson: It’s a great question. I, you know, I think in general, and I’m a compliance person, so I’ll be the first to say this. I think compliance people maybe aren’t like the most like innovative people and like willing to like jump in and try something completely new. And so I think there’s that a bit of that reluctance just in the industry in general. Other than that, I think any sort of change in doing something differently is scary. And so just not fully understanding what continuous compliance means is also something that probably holds people back.
[00:29:50] Karissa Breen: And Jadee, I know you sort of touched on it before, but I’m curious maybe to understand from yourself, like as we look forward, things are changing every day. I mean, I’m in media and I’m seeing like every day there’s something happening, something new coming out. But in the world of compliance or your world of compliance, where do you sort of see the industry going overall from here? You’ve spoken a little bit more about the US and maybe some of these things will start to spill over into Australia and Asia Pacific. But is there anything else you’d like to share with us today?
[00:30:16] Jadee Hanson: You know, when we think about the world of compliance over the next few years, there’s a couple things. I mean, continuous compliance, we talked at length about that. I think that absolutely is something that is taking shape. I expect more automation tools and platforms to offer continuous compliance, something that Vanta has been doing from day one.
The other thing that I think is going to evolve is our use of AI and AI to support compliance. I think it introduces, obviously there’s risks with AI, but I think that there’s a lot of like untapped opportunity. You know, in the Vanta platform, we’re using AI to map policies to controls and to allow companies to get a questionnaire and have it filled out right away.
We’re also I was leveraging a, a feature today when we went through our policy review and like outlining pieces of our policy that maybe are out of sync with the controls that we have in place. And so like really leveraging AI agents and AI insights to help us do our programs better, to help us identify like where we might have gaps, I think is going to be a huge game changer for us. The last thing I would call out in the world of compliance is I do believe that there is going to be regulation convergence. Today, we have so many different standards and there’s lots of overlap and I think over time we’re going to see more and more convergence. Even if it’s between Australia and the US and the EU.
What we want is like more universal standards. And so I’m hopeful and I expect that we’ll see more of that over time.
[00:32:06] Karissa Breen: And Jadee, lastly, do you have any sort of closing comments or final thoughts you’d like to leave our audience with today?
[00:32:11] Jadee Hanson: I think maybe just like an invitation to check out Vanta, check out some of the continuous compliance stuff that we’re doing, check out some of the AI stuff that we’re working on. A number of things obviously we run our Vanta platform internally within my GRC team and so a number of the things that we’re building we have like direct ability to influence and so just an invitation to check that out, give us your feedback. My team also writes a lot of internal articles that are always like done so well and so any resources and whatnot that you can get your hands on, I would love like your review. I hope they help you. If there’s any feedback that you have on any of them, I’m on LinkedIn. Hit me up, ask some questions.