
What do people think of using something like Vanta (vanta.com) for achieving SOC?


We found Vanta very helpful for identifying and managing all of the to-do's (gap analysis). Our initial discussion with an auditor was very paperwork-focused, and Vanta helped us see the gap analysis as technical/process focused (with the paperwork following, describing what we were now actually doing). It would have been much more challenging to achieve SOC-2 compliance without Vanta.

From a cost perspective, Vanta + a Vanta-partnered auditor was less expensive than just an auditor (presumably because the information was organized so the auditor had to do less work to complete the audit).

The Vanta platform ends up being a place to put documents so the auditor can find them (which is more useful than you might think if you haven't done a SOC-2 audit). They offer several Vanta-developed continuous monitoring tools (e.g., endpoint configuration monitoring, AWS vulnerability monitoring), which are not as well developed as independent tools (e.g., Kandji, AWS Inspector) but are convenient for auditors documenting continuous compliance.

As I understand it, they are working towards being more of an integration center for independent tools, so Kandji/AWS Inspector information can flow into the Vanta system.


Having been spammed by them out of the blue, a couple of times already this year, my feeling is that like most businesses, I already know what changes I'd have to make to improve.

Paying someone to give me a list of problems isn't at all useful until we have nothing else to do. Appreciate there may be others out there without the same understanding of Infosec, but frankly that's a greater risk to companies without those resources.


This is a great point, getting a checklist of your problems to fix and a way to project manage certain pieces of the process isn’t solving the real problem. Also many of these tools don’t give you great insight into where you stand going into your audit or in between your annual audits.

A newer tool that I’ve heard great feedback on is Drata. They’re more focused on automation and continuous evidence collection.


The reason we went with a company similar to Vanta (StrikeGraph) wasn't infosec. It was that SOC2 is enormous and spans beyond infosec, its controls and requirements are arcane, and having experts that have done this before set you up for success in your $50k, year-long investment to get to a Type 2 audit is hugely valuable.


$50K is too high, unless you had a lot of actual process gaps to fill initially and are counting staff time in that. Also expertise isn't really that important - honestly the auditors are often (not always) minimally trained and often don't have much experience in cloud. Having someone on staff that truly understands what your unique system and processes are, and can articulate and document how it is (or is not) operating securely, is a better use of money. Spend the $50K on actual security (training, code reviews, red team exercises, learning about TTPs and allocating time in the dev and QA cycles for these considerations).

As others have said above, the compliance part will be a by-product and will essentially fall in place modulo some extra documentation effort (which can be heavily borrowed from templates).

Vanta and StrikeGraph etc. no doubt will make it more convenient to follow best practices and scaffold your continuous monitoring, but I see it as a nice to have, not a must have.


This is pretty much where I was coming from too, although better articulated. I do see value in the structure of responses, but if we have already done everything we need to then we should be able to respond to the audit formulaically.

Though seeing the other comments, Vanta + audit being cheaper than audit alone is an interesting quality and may change the initial defensive rejection I have for receiving cold contact mail on non-public addresses (which means they also buy harvested data).


Totally worth it. SOC2 cost us $40k in year one and about $30k/year ongoing.



