Vanta’s suite of interconnected web-based tools helps small to medium-sized startups become SOC2 compliant and improve their online security. Reaching SOC2 compliance makes it easier for Vanta’s customers to sell their own software.
UX / UI Designer
Feb - Mar 2019
In 3 weeks, we redesigned two Vanta tools and began to create a design system for the entire product before handing off to another team. Vanta is still in private beta but currently has zero voluntary churn and a recent NPS score of 67—extremely high for a B2B product.
Zack Meredith (Lead)
Josh Puckett (Mentor)
Sarah Jackson (Producer)
Nowadays, hacks and breaches of organizations have become the norm. These cyberattacks lead to crippling mitigation costs for impacted companies and expose sensitive consumer data.
Vanta’s SaaS model works to help secure the internet, increase trust in software companies, and keep consumer data safe.
Its easy-to-use suite of tools can take a customer with no security infrastructure to the level of SOC2 compliance. SOC2 is an audit of the controls a company uses to manage customer data securely. Not all Vanta customers are pursuing SOC2 compliance, but most are looking to fix major security problems within their organizations.
Users can also link the services they use (like GSuite, GitHub, and Slack) to Vanta so that it can scan them for security problems. Vanta’s platform shows each customer the problems it found and how to fix them. Even after these problems are fixed, Vanta keeps monitoring all of the linked services in case a new problem arises.
CHAPTER 01: RISK REGISTER
Vanta’s Risk Register is a guided way for its customers to complete a risk assessment in order to reach SOC2 compliance.
This tool guides users through a variety of questions that determine their company’s open security risks. Answers to these questions have the potential to trigger multiple scenarios. The Risk Register helps users think through these scenarios. It also helps users create one or more mitigation tasks to reduce the probability of that scenario occurring and its impact, if it does occur.
As an early-stage startup still in private beta, Vanta is able to develop close relationships with its customers and iterate based on their feedback.
OLD RISK REGISTER
Vanta’s users felt that the Risk Register had a confusing interface and lacked context.
Right off the bat, they were overwhelmed by a seemingly never-ending list of questions. Additionally, some users mistakenly thought that the Risk Register had a direct influence on their SOC2 audit. The Risk Register is an exercise to better prepare users for the audit.
As with any design process, we ran through several iterations of the Risk Register design before landing on our final solution, which is detailed below.
We initially believed our redesign addressed the Risk Register’s pain points:
Toolbar showed macro and micro progress
Toggle between Questions and Tasks
Filter for categories, assignees, and status
However, after presenting our designs to Vanta we realized that we had fallen short.
Vanta’s site has an existing global sidebar
Tab bar doesn’t give enough emphasis to Tasks—they can easily get lost if all questions are answered
Untapped potential to draw more focus to question process
Modal at the bottom of the page wasn’t enough to educate users on the Risk Register
Our next major round of iterations seemed to address Vanta’s previous concerns:
Button to give users more information on the Risk Register
Bottom toolbar to demonstrate question progress
Remove the ability to assign tasks to other users within the organization as it was too complicated for V0
Zoomed-in question view placed more emphasis on this part of process
Mitigation task creation occurs in modals within the Add Scenario page
Successfully adding a scenario shows a zoomed question view that lists scenarios below—adding another would result in that scenario creation flow reappearing
Presenting this round to Vanta surfaced a new set of problems:
Zoomed-in question view didn’t give users the ability to choose the question category (i.e. legal questions)
Presentation of the Risk Register data model was too confusing here
Tabs at the top overemphasized completed questions—viewing these was more of an edge case
Bottom toolbar didn’t need to be present on the home view of the Risk Register
“Pick up where I left off” button had potential to confuse users who weren't sure if it was picking up where they left off or where their coworkers did
No easy way to direct people to specific questions within the flow
While we made some progress, there was still more to be done. A few more rounds of iterations and feedback led to our final solution, presented in detail below.
RISK REGISTER — OVERALL INTERFACE
We restructured the overall Risk Register interface in order to make the process less overwhelming.
The page header includes information about the customer’s progress towards preparing for the SOC2 audit. Rather than a daunting list, questions are sorted into collapsible sections. As a default, completed questions aren’t shown, but can be seen by clicking the section toggle. This allows the sections to demonstrate category progress, but gives users the option to view or edit any past questions. The same goes for tasks.
RISK REGISTER — QUESTIONS
Vanta customers had complained that it was jarring to have a variety of question types succeed one another.
Questions about AWS CloudTrail shouldn’t immediately follow those about fire extinguishers in the office. The redesigned question flow features a simple, focused layout that allows the user to jump between categories as they wish.
Users can enter the focused view by clicking a question from one of the collapsible sections on the Risk Register homepage. Displaying one question at a time effectively chunks the overwhelming amount of questions required for the SOC2 audit.
Toggle Between Categories
The category navigation at the top allows users of varying backgrounds to toggle between sections as needed. Checkmark icons are in place to signify completed sections.
No Scenario Triggered
It’s immediately clear if the answer chosen triggers a scenario as a modal appears. If no scenario is triggered, a confirmation message appears below and the user can move on to the next question.
Mark Question as Complete
The fixed footer displays the customer’s progress within a specific section and allows them to mark a question complete. Adding this extra step in order to move within the flow lets users add multiple scenarios to questions. Users can always skip to another question by accessing it from the home screen.
RISK REGISTER — SCENARIOS
A scenario describes a problem that a particular answer to a question exposes, and asks the user to think about how likely it is to occur and how serious it would be.
Some answers to questions can kick off the creation of one or more scenarios. The overall data model of the Risk Register is fairly complicated, but utilizing a modal for scenario editing simplifies things.
In editing a scenario, users are asked to describe the risk it might cause. From multiple choice options, they must select the likelihood of it occurring and the severity of the situation. The slider from the previous design was replaced by radio buttons, as we didn’t want its empty state to influence users’ choices.
Add Multiple Scenarios
Users can scroll within the modal in order to describe one or more mitigation tasks that could alleviate the risk from the scenario. Once all tasks are added and a scenario is complete, users have the ability to add more scenarios (and accompanying tasks) before completing the question.
RISK REGISTER — TASKS
Tasks are a key part of the Risk Register as they map out concrete ways to reach SOC2 compliance.
A single task can be assigned to different scenarios as some actions can quell multiple security risks. To simplify the Risk Register data model, tasks are created directly within the scenario modals.
When tasks are created, they are added to the main Tasks list on the Risk Register homepage with a default “To do” label. From there, users can change the task’s status by marking it complete. If a task won’t be completed, users can mark it as such but have to provide a reason why.
Each Risk Register task completed is one step closer to reaching SOC2 compliance.
CHAPTER 02: SIGN UP & ONBOARDING
During onboarding, users create an account and link GSuite, infrastructure, and other additional services.
This allows Vanta to scan for potential security threats and educate customers on how to fix them. Vanta users gain no real value until they link their services. The key goal is to activate users by getting them to understand why and how to link these services.
Vanta’s current onboarding process is confusing and doesn’t effectively prompt the required user actions.
Because of this, Vanta’s CEO personally onboards new customers and walks them through the process over the phone. This clearly isn’t sustainable long term.
Customers need to link their GSuite accounts or every other page breaks. The connection to GSuite allows Vanta to read the customer’s employee and group lists through the GSuite Admin SDK, so that it can inspect the security settings of each account.
Organizations often have email addresses that don’t belong to a person, such as shared aliases and service accounts. A user should be able to mark such addresses so that Vanta doesn’t erroneously test them as people or make invalid assumptions about them. We decided to create a ‘Not a Person’ flow immediately after linking GSuite, for context and early elimination.
Not a Person
Users have the ability to scroll through a list of all employees, with suggested options flagged and preselected at the top of the list. Email accounts that are not associated with specific people at the company can be quickly and easily removed.
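As an added example of the kind of “suggested options” logic the Not a Person flow could use (illustrative code written for this page, not Vanta’s implementation), the block below takes a user list in the shape returned by the Admin SDK Directory API (primaryEmail, name, suspended), flags role mailboxes and service-account-style addresses for preselection, and then computes which accounts remain in scope for per-person checks. The directory entries are constructed sample data, and the alias list and naming pattern are assumptions.

```python
import re

# Constructed sample in the shape of Admin SDK Directory API user resources
# (primaryEmail, name.givenName / name.familyName, suspended). Not real tenant data.
DIRECTORY_USERS = [
    {"primaryEmail": "alice@example.com",
     "name": {"givenName": "Alice", "familyName": "Nguyen"}, "suspended": False},
    {"primaryEmail": "support@example.com",
     "name": {"givenName": "Support", "familyName": ""}, "suspended": False},
    {"primaryEmail": "noreply@example.com",
     "name": {"givenName": "noreply", "familyName": ""}, "suspended": False},
    {"primaryEmail": "ci-bot@example.com",
     "name": {"givenName": "CI", "familyName": "Bot"}, "suspended": False},
    {"primaryEmail": "bob@example.com",
     "name": {"givenName": "Bob", "familyName": "Ortiz"}, "suspended": True},
]

# RFC 2142 role mailboxes plus common shared aliases (assumed list, extend per tenant).
ROLE_LOCAL_PARTS = {
    "abuse", "noc", "security", "postmaster", "hostmaster", "webmaster",
    "info", "support", "sales", "marketing", "billing", "admin", "help",
    "noreply", "no-reply", "notifications", "alerts", "team", "hr", "legal",
}

# Local parts that look like automation accounts, e.g. "ci-bot" or "svc.deploy".
BOT_PATTERN = re.compile(r"(^|[._-])(bot|svc|service|automation|robot)([._-]|$)", re.I)


def suggest_not_a_person(users):
    """Return {email: [reasons]} for accounts to preselect as 'not a person'.

    These are suggestions only; the user confirms or corrects them in the flow.
    """
    suggestions = {}
    for user in users:
        email = user["primaryEmail"].lower()
        local_part = email.split("@", 1)[0]
        name = user.get("name") or {}
        reasons = []
        if local_part in ROLE_LOCAL_PARTS:
            reasons.append("role mailbox")
        if BOT_PATTERN.search(local_part):
            reasons.append("service-account naming")
        if not name.get("familyName"):
            reasons.append("no family name in directory")
        if reasons:
            suggestions[email] = reasons
    return suggestions


def accounts_to_check(users, confirmed_not_people):
    """Accounts that stay in scope for per-person checks (for example, whether
    2-step verification is enrolled). Suspended accounts are returned separately
    so a dormant human account is not silently dropped from the scan."""
    active, suspended = [], []
    for user in users:
        email = user["primaryEmail"].lower()
        if email in confirmed_not_people:
            continue
        (suspended if user.get("suspended") else active).append(email)
    return active, suspended


if __name__ == "__main__":
    suggested = suggest_not_a_person(DIRECTORY_USERS)
    for email, reasons in suggested.items():
        print(f"{email}: {', '.join(reasons)}")
    # In the real flow the user reviews the preselected list; here we accept it as-is.
    active, suspended = accounts_to_check(DIRECTORY_USERS, set(suggested))
    print("in scope:", active, "suspended:", suspended)
```

The point of keeping suspended accounts visible rather than dropping them with the aliases is that “not a person” is a statement about the address, not about its current state; a suspended employee account still belongs to a person and should be reviewed, not excluded by accident.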
Amazon Web Services or Heroku?
Users must then choose their infrastructure service (either AWS or Heroku) in order to continue through their onboarding process. Vanta customers were extremely confused by the complicated AWS flow, which required creating an IAM policy and role in their own account. We added selective illustrations in order to help users navigate through the tedious process.
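As an added example (not Vanta’s own policy or role, neither of which appears on the page), here is what the policy and role creation in a flow like that typically amounts to: a role in the customer’s account that a vendor account is allowed to assume, with an ExternalId condition in the trust policy, and a read-only permissions policy attached to it. The vendor account ID, external ID, role name and action list are assumed values. The audit_role function applies the two checks a security reviewer would want before creating such a role in their account.

```python
import json

# Assumed values: the vendor's AWS account ID and the per-customer external ID
# are not on the page and would be supplied by the vendor during onboarding.
VENDOR_ACCOUNT_ID = "111111111111"
EXTERNAL_ID = "a2c4e6-customer-demo"
ROLE_NAME = "VendorSecurityScanner"

# Illustrative read-only actions for the kinds of checks the page mentions
# (CloudTrail configured, IAM hygiene, public buckets); the real set is an assumption.
READ_ONLY_ACTIONS = [
    "cloudtrail:DescribeTrails", "cloudtrail:GetTrailStatus",
    "iam:GetAccountPasswordPolicy", "iam:GetAccountSummary",
    "iam:ListUsers", "iam:ListMFADevices", "iam:ListAccessKeys",
    "ec2:DescribeSecurityGroups", "s3:ListAllMyBuckets",
    "s3:GetBucketPolicy", "s3:GetBucketPublicAccessBlock",
]


def trust_policy(vendor_account_id, external_id):
    """Who may assume the role: only the vendor account, and only when it
    presents the ExternalId (the standard defence against the confused-deputy
    problem when a third party assumes roles in many customer accounts)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{vendor_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def permissions_policy(actions):
    """What the role may do once assumed."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": list(actions), "Resource": "*"}],
    }


READ_PREFIXES = ("Get", "List", "Describe")


def audit_role(trust, perms):
    """Return a list of findings; an empty list means the pair is acceptable
    for a read-only scanner role."""
    findings = []
    for st in trust["Statement"]:
        principal = st.get("Principal", {}).get("AWS")
        if principal == "*":
            findings.append("trust policy allows any AWS principal")
        cond = st.get("Condition", {}).get("StringEquals", {})
        if "sts:ExternalId" not in cond:
            findings.append("trust policy has no sts:ExternalId condition")
    for st in perms["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        for action in actions:
            _, _, name = action.partition(":")
            if "*" in name or not name.startswith(READ_PREFIXES):
                findings.append(f"non-read-only action granted: {action}")
    return findings


if __name__ == "__main__":
    trust = trust_policy(VENDOR_ACCOUNT_ID, EXTERNAL_ID)
    perms = permissions_policy(READ_ONLY_ACTIONS)
    assert audit_role(trust, perms) == []
    # These are the two documents the console or CLI flow asks for:
    #   aws iam create-role --role-name VendorSecurityScanner \
    #       --assume-role-policy-document file://trust.json
    #   aws iam put-role-policy --role-name VendorSecurityScanner \
    #       --policy-name ReadOnlyScan --policy-document file://perms.json
    with open("trust.json", "w") as f:
        json.dump(trust, f, indent=2)
    with open("perms.json", "w") as f:
        json.dump(perms, f, indent=2)
    print(json.dumps(trust, indent=2))
```

The prefix check is deliberately conservative: a few Get/List/Describe actions can still return secrets (for example reading a secret value), so a real review should also read the action list by hand, but the check reliably catches the two mistakes that make this flow dangerous, a wildcard principal and a write-capable policy.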
Users could then complete onboarding by adding additional services like GitHub or Slack.
In linking additional services, interstitials are used to explain how these benefit the customer. These interstitials can also contain demonstrative illustrations, as in the case of GitHub. Successful onboarding takes the user to the Activity View, which acts as a security issue dashboard.