Building a More Trustworthy Internet
In 1997 Christina Cacioppo, age 11, was managing a flourishing Beanie Baby business on eBay. It started when her mom came home one evening from Ohio State University, where she was a professor, and announced, “I used the world wide web today.” Cacioppo says she immediately imagined a string web on the wall, and she couldn’t figure out what her mom had used it for. But she was determined to figure it out.
She was, in fact, an especially driven kid, the kind who wanted to learn everything she could about a new idea, who leafed through encyclopedias and who took pleasure in figuring out complex concepts. At a foundational level, this came, she says, via “osmosis” from her parents, who were academic researchers, dedicating their careers to solving problems. So sitting at the computer, reading while waiting for the dial-up connection, it felt natural for Cacioppo to log on and explore the wide world online and outside Columbus, Ohio. Soon, she dove into Beanie Babies, then at the height of their popularity, and realized she could not only collect them, but help others collect them, and make a little money, too. “It’s cool to be interested in things. It’s way more fun than being jaded. You can go down rabbit holes and come up with new things. If you just push enough, you can learn all the things, right,” she says with a laugh, a bit tongue-in-cheek. Reflecting on how this perspective led her to start Vanta, the fastest-growing startup in the internet security space, she says, “It’s not like I was smarter than everyone, [or] I just did a thing and it worked. No. It was like, you go immerse and do the grunge work for a year-plus. Put in the work, and you get stuff out.”
“It’s cool to be interested in things. It’s way more fun than being jaded.”Christina Cacioppo
Today Vanta helps thousands of companies strengthen their security with compliance automation software. It is determined to create a new gold standard for security across the internet. And while Cacioppo took a roundabout path to becoming an internet security CEO, the challenge of securely transacting business online began dogging her in her first Beanie Baby hustle. “I didn’t have a credit card, and I was too afraid to steal my mom’s,” Cacioppo says. She did, however, have access to a Kroger. To keep her entrepreneurism secret, she managed payments through money orders bought at the nearby grocery store. “I was showing up on my bike with like $8.42 and sliding it across the counter,” Cacioppo says. It was her first time solving problems as an entrepreneur. And, driven by an innate confidence in her ability to figure things out, to make something good and useful, it was something she’d keep doing—no matter the obstacle.
Sequoia Capital partner Andrew Reed, who led its 2021 participation in Vanta’s Series A fundraising, describes Cacioppo as the kind of person who has “read every book” and who can effortlessly quote from them. Cacioppo has a self-aware sense of humor about all that she’s mastered, pointing out that she can still name all the original Beanie Babies—Legs the Frog, Splash the Whale—in what she laughingly refers to as a “not-good cocktail party trick.” But she is also quick to emphasize that the key to founding Vanta, as well as the other companies she started, is her ambition; that’s what pushes her to research, to learn, to synthesize and to keep going when things are difficult or discouraging.
Cacioppo has always been like this, willing to make her own way and figure things out. When she was a kid, she mastered stuffed animal arbitrage to earn spending money. The summer after her freshman year of college, she worked at a Rwandan human rights organization—she started the summer knowing no one but ultimately developed what she describes as a foundational sense of self-confidence. The next year, she interned at the United Nations in Bangkok, and she spent the summer following junior year interning at Google. And after her senior year, she covered technology and business at a newspaper in Uganda, writing about the transformative power of mobile phones. Cacioppo is a rare person who is curious about the wider world, confident enough to pursue big ideas about it and do the dogged research necessary to see those ideas through.
Cacioppo says she both wanted to get out of Ohio, even though she loves her family, and wanted to be in Stanford University. There, she figured she could build on the advanced placement computer science classes she’d enjoyed in high school, or follow up on any number of things she was into. She switched her major “a zillion times,” she says, from French to political science to international relations to creative writing to economics to computer science and so on. She says this taught her that the key to success was her ability to research: “I could really pick anything and, with sufficient work, pick it up.”
Pretty quickly, she started to feel like everyone at Stanford had been coding since they were 5. But there was something else, too. In the mid-2000s at Stanford, and in America broadly, the story of who became a founder was about one kind of person—a man who was a tech obsessive. The university’s list of alumni who’d founded tech companies was long, but almost exclusively male (and mostly white) at the time. So even though she’d started her first business as a kid, Cacioppo didn’t see herself as part of that culture. “As silly as it sounds, I used to think you need to be Mark Zuckerberg, and you need to have been coding since you were 6 years old,” she says. “You need to have gone into your room, and, in a Red Bull-fueled haze, made a thing that entranced thousands of people. And of course, you don’t. But that is where the lore is.”
After graduating with her master’s in 2009, Cacioppo started in 2010 at Union Square Ventures, a small venture capital firm in New York City. She also launched an informal business. She had a good, cool job and people would ask her how she got it, and if she knew of others. She started sending emails when she heard about openings at VCs and startups, then launched a newsletter, and later a website, charging people to list jobs. She remembers making about $30,000 in a year. “It was more successful … than all this other stuff I tried to do [later] that was much harder. There was probably some lesson in there for me,” she says with a laugh.
At Union Square, she met about 10 founders a week for 24 months, each a different kind of person, succeeding and working in different ways. She started to see that there wasn’t just one kind of founder. “I realized that I didn’t need the time machine. I didn’t need to go back to age 7. It wasn’t too late,” Cacioppo says. Inspired by this, she left to start on her path as a startup founder. It would not be a smooth one.
Get the best stories from the Sequoia community.
Cacioppo started to design a book website that she describes laughingly as “Goodreads, but better, but worse.” Then she and fellow Stanford alum Matt Spitz, operating as the startup Nebula Labs, experimented with an Android app called Hoot. She describes it as “Snapchat, but worse, and themed with owls.” But what was supposed to be a cute, fun month-long project snowballed into nine months of experimentation, until they realized they’d failed to solve a problem, or find a market. “I think both of us woke up, and we were like, ‘What are we doing with our lives? How does this happen?’” Cacioppo says. They decided to try to sell the app and Cacioppo started pitching Twitter, Dropbox and other potential buyers. At one such pitch that was clearly not landing a buyer, she says, “The person was like, ‘Would you like a job?’ I said, ‘Yes! Interviews please.’” Spitz joined Dropbox, and the two sold the app to a teenage entrepreneur in Tennessee for $20,000.
She could’ve gone with Spitz to Dropbox, but she says she didn’t want to give up on her dream of building something meaningful in the world just because her first ideas didn’t work out. So she started over, and built a coding education platform to help young people learn more quickly and easily than she had. Advertising her work on Craigslist, she tutored high school students in AP computer science classes. Halfway through the year, she left New York to move to San Francisco to be closer to peers, and kept tutoring, until she realized that even with referrals, there was not a big enough market. So she called Dropbox and asked for a job.
In 2014, she joined as a product manager on a 10-person team building Dropbox Paper, a collaborative document-editing product. The team was composed half of people who’d worked at Hackpad, a web-based collaborative text-editing startup that Dropbox acquired the year before, and half legacy Dropbox team members. She says the team felt like they were the “cool kids in the corner,” working on something special. Two years later, when Paper got rolled into the main Dropbox product, she says it felt like a good time to take what she’d learned—how to speak up, how to lead a team, how to create a successful project and launch it—and take another run at launching her own company.
At Dropbox, the emphasis on security had made an impression. It’s a place that’s renamed October as “Trustober,” a month dedicated to evangelizing security practices to employees. After she left, Cacioppo noticed a series of big news stories on the theme in 2016. First, the personal information of 57 million Uber customers and drivers was leaked. (Uber ultimately paid out a reported $148 million in 2018 to settle claims.) Then Hillary Clinton’s campaign chair John Podesta’s email was hacked via a typical phishing scam. Then, in 2017, Equifax reported the data of nearly 150 million users had been breached.
She couldn’t stop thinking about why these security breaches happened to people with a lot of resources and support. “There was this curiosity of thinking, these are smart, motivated people. How did they mess that up?” says Cacioppo. She had an insight: there must be something especially difficult about online security for so many people and institutions to be making so many mistakes. “So you can either take the more pessimistic stance and think, ‘Well, they’re just incompetent at their jobs.’ Or the more generous one of, ‘This must be harder in a way that I don’t understand. What is that?’ That puzzle was just interesting to me, and it informed what Vanta ended up becoming.”
“There was this curiosity of thinking, these are smart, motivated people. How did they mess that up? That puzzle was just interesting to me, and it informed what Vanta ended up becoming.”Christina Cacioppo
But Cacioppo was more than interested. She was confident she could research the issue, figure out what the problem was, and solve for it. That inclination to figure out how to help is something former coworker Devdatta Akhawe admires about Cacioppo. Now head of security at the web-based design tool Figma, Akhawe worked with Cacioppo at Dropbox in 2015. “Her drive, her empathy, her interest in solving real problems, her product mindset, all those things remind me of some of the best founders and founder-driven companies that I have seen or talked to,” he says.
So in 2017, Cacioppo and a former Dropbox colleague started investigating why people thought security was important but didn’t prioritize it. She interviewed startups and asked them about their best practices and how they handled security audits, which are evaluations of a system’s software, user practices and physical configuration, and how those things comply with regulatory requirements.
“We heard a lot of, ‘I get I should be doing things that I’m not [for my company’s security], and I kind of know what they are, but I’ve got to focus on building or selling my product, and if I don’t, I go out of business!” says Cacioppo. It wasn’t until she interviewed an engineer at Figma that Cacioppo encountered protocols that seemed substantial: laptop-management solutions, cloud infrastructure monitoring, quarterly pen tests, and more. When she asked why, she learned that Google mandated this rigor as a prerequisite for partnership. Cacioppo spotted a need for a tool that not only managed all of these protocols, but automated them. But she realized her idea wouldn’t just be useful to people who want to collaborate with Google. She could design a tool that helped all software companies with all kinds of compliance needs.
In her early founder missteps, Cacioppo learned the importance of finding a big market. Now she’d found a huge one—essentially every software company, anywhere in the world. She also had a unique insight that would shape her company’s approach: Traditional security software companies try to scare customers into buying packages with threats of what could happen if data is hacked, but she realized it would be more effective to focus on the idea that strong security leads to strong growth: “Do the right thing and grow your business. It’s much more forward-looking and optimistic—going-toward rather than running-from.” Cacioppo saw a path forward, knowing once she spotted a market she could work backward to design the product.
In 2017, generally, the prevailing wisdom said every software company was different and needed unique security practices, so security audits relied on manual processes performed by consultants. Cacioppo disagreed, and started compiling every protocol she could find: issues with systems operations, internal and external communications, data storage and transactions. She researched relentlessly and learned what it took to verify compliance with security mandates like HIPAA and GDPR and near-countless others. Sequoia partner Andrew Reed remembers, “Data privacy and security is one of the things that is important and getting harder over time, as opposed to getting better over time. … And she decided she wanted to solve that thing as opposed to the number of other areas that are getting easier and easier over time.” Cacioppo started writing code that would automate these processes, a task she likens to locking up a house before leaving, “except there are thousands of doors, and they change, and it’s actually legitimately hard to remember to lock them all.”
Cacioppo and her co-founder quietly built out Vanta for a year and a half before hiring anyone. She remembers it as a difficult time, but one she knew was worth pushing through. “When you’re in that place of, ‘Hey, I quit my job and I’m starting a startup, but I haven’t hired anyone and I haven’t built anything, but I’m going to go tell people I started a startup …’ That just feels awful,” she says. Spitz (her partner in the owl-themed Snapchat clone) says Cacioppo is one of the most capable, resilient people he’s met. “Going through crushing defeat after crushing defeat week to week with the same person teaches you a lot about what it’s like to work with them.”
By the time they launched a public-facing website, in 2019, Vanta already had grown its customer base by word of mouth. Ari Shahdadi, now Vanta’s head of people, partnerships and legal, discovered the product as a customer when he was CFO/COO at a startup called Enigma and in need of SOC 2 certification. “We bought Vanta, and then also got hooked up with an external security consultant, and got the whole thing done in 30 days,” Shahdadi says. “So we went from having spent a year puttering around, spending a lot of money, not getting anything done, to now this magical piece of software gets installed.” Today, Vanta is used by more than 3,000 organizations in 45 countries, and Cacioppo is working toward a future in which “Vanta Verified” is a shorthand for a secure company.
Today Cacioppo is still fueled by what she describes as a “hard-edged” ambition, the same one that led her to three international internships while still in college. And she’s still driven by her college-major-switching insight—that if she can understand things deeply, if she can keep learning, she can create optimal outcomes—for her business, for her colleagues and partners, for everyone she serves. “I think by the time I started Vanta, it was a little bit of a trope in startups where founders, particularly founder-CEOs, have to learn all this stuff and the job changes all the time … I think I just embodied that, and was like, ‘Okay, well game on. Here we go.’”