Scaling compliance through automation

Vanta’s automation enabled Black Kite to conquer their GRC roadmap without hiring additional team members early on.

Proactively monitoring and managing risk

Black Kite uses Vanta Vendor Risk Management to identify and address third-party risks before they become problematic.

Real-time visibility into their security posture

Vanta’s hourly tests and Trust Center allow for real-time visibility into Black Kite’s controls and compliance posture, allowing them to address any issues immediately and demonstrate trust publicly.

“Vanta is very forward-looking, as to what they believe their customers’ needs are going to be—the addition of frameworks, different features—it keeps pace with our growth.”

Bob Maley
Chief Security Officer, Black Kite

The company

Cyber third-party risk management

Since their founding in 2016, Black Kite has been on a mission to introduce more proactive strategies to assess, manage, and mitigate third-party risk. Founded by leading ethical hackers, Black Kite was built with the observation that third parties were the easiest way to breach a company, and companies needed a way to automate their third-party risk management programs.

Traditional methods of assessing third-party risk, like security ratings and scorecards, are very reactive. Scores increase and decrease based on past events, like breaches, but don’t provide any indication of the potential for future risk. With Black Kite’s Ransomware Susceptibility Index, risk quantification capabilities, and more, their AI-powered platform for cyber risk detection and response helps any company secure their vendors and supply chain. 

The challenge

Scaling compliance for a team of one

Black Kite went through a pivotal phase of growth in 2020, with a differentiated product offering and the opportunity to sell to larger customers and accelerate their business. But to sell to larger customers who were more mature in third-party risk management, the company needed to obtain SOC 2 certification. 

As a former security leader at PayPal, Black Kite’s Chief Security Officer, Bob Maley, knew all about the complications of preparing for compliance audits. Bob participated in many onsite audits at PayPal and saw firsthand the manual and time-consuming processes required to collect and review artifacts.

Bob, a team of one at the time, needed a solution that would help Black Kite obtain SOC 2 without adding more members to the team—or distracting him from other security priorities that were essential to run the business. Additionally, he knew that as Black Kite grew, their GRC requirements would evolve, and achieving frameworks such as ISO 27001 and FedRAMP would soon become top company priorities. He began his search by looking for ways to reuse overlapping controls across multiple frameworks.

The solution

Frictionless audit prep—and low-touch auditor partnerships 

Vanta’s automation gave Bob the ability to automate SOC 2 prep and contribute to Black Kite’s growth, without committing additional resources to his team. And, though the first priority was SOC 2 Type II, Bob valued the ability to reuse artifacts across frameworks without duplicating efforts. 

This was key to Black Kite’s growth plans in the future as the company expanded to new markets and geographies, and ultimately paid off when Black Kite achieved ISO 27001 certification in 2024. 

Working with Vanta’s high-caliber auditors, who were familiar with the automated processes and Vanta platform, also saved valuable time and created a seamless experience for Bob and Black Kite. 


The impact

Beyond automated compliance: Securing a security company at scale

Today, Black Kite’s security team has expanded alongside additional programs to support the company’s accelerated growth. Black Kite is engaged in SOC 2 audit activities all year long, in addition to audit activities for new frameworks and certifications. The Vanta platform gives the team the ability to keep up with those daily to-dos without losing sight of other key security priorities.

Beyond automated compliance, Bob also finds value in Vanta as a platform to continuously monitor and report on aspects of Black Kite’s cybersecurity posture. As a cybersecurity company itself, the stakes for Black Kite are especially high. Access Reviews offer a simple way for Bob and Black Kite to proactively spot red flags independent of a point-in-time audit. 

“I only need to worry if there’s a failure. I didn’t have to go out and constantly audit myself,” Bob says of the value of continuous monitoring in Vanta. 

Black Kite also uses Trust Center to share important cybersecurity information with prospects proactively, reducing the amount of human hours required to complete security reviews when new deals are on the line. 

Bob estimates that the Vanta platform does the work of roughly 1-2 full-time employees—allowing Black Kite to scale its program without additional headcount expenses.


“Instead of us having to hire somebody new, we were able to automate a lot of that work with Vanta’s integrations.”

Bob Maley
Chief Security Officer, Black Kite

“There’s enough time and money savings that, when I renew Vanta every year, it’s a no-brainer.”

Bob Maley
Chief Security Officer, Black Kite