
Jade Hill on Closing the Credibility Gap in AI-Led Trust

Enterprise Tech April 28, 2026

Trust is everywhere—and nowhere. Claimed in every pitch, but still buried under manual work, fragmented systems, and point-in-time audits. In an AI-saturated market, credibility is wearing thin.

Jade Hill, Sr. Director of Corporate Marketing at Drata, breaks down how to close that gap, shifting from reactive compliance to continuous, real-time trust. She unpacks the need for aligning product, narrative, and proof, and why the future lies in unified, always-on systems where AI supports the work, but proof earns the trust.

As Sr. Director of Corporate Marketing for Drata, how does your role intersect with product, sales, and leadership to ensure a consistent and credible narrative?

My job is to be the connective tissue between what we build, how we sell it, and how the market hears about us. That sounds simple in theory, but in practice, it means corporate marketing is upstream of almost every external signal Drata puts into the world: the brand, the messaging architecture, the analyst story, the executive narrative, the launch motions, and more. If those aren't tightly aligned with what product is shipping and what sales is hearing in the field, we end up with a brand that promises one thing and a product experience that delivers another. That gap is where credibility goes to die.

With the product team, my partnership is about translation. Engineers and PMs ship capability; product marketing messages functionality and differentiation, and my team helps shape the meaning around it. When we launched our agentic AI capabilities for third-party risk management and customer assurance at RSAC, the work wasn't just announcing features—it was reframing what those features represent in the broader shift from reactive compliance to continuous, autonomous trust. That story has to ladder back to what the product actually does today, not where the roadmap might land in two quarters.

With sales, the relationship runs the other direction: I need their pattern recognition on what's resonating with buyers, what objections keep surfacing, and where the narrative is doing real work in deals versus where it's just sitting on a slide. And with leadership, it's about discipline. A consistent narrative requires saying no to the dozen good adjacent stories so the one that matters most actually compounds. My role is to hold that line—to make sure the CEO's keynote, the board deck, the analyst briefing, and the homepage are all telling the same story in the same words, even when there's pressure to chase a shinier message. Consistency is one of the most underrated forms of brand investment. It's also one of the hardest to maintain when you're growing fast.

"Trust" is a key business priority, but often feels abstract. What are the real, day-to-day challenges organizations face when managing trust, risk, and compliance?

The honest answer is that trust feels abstract in the boardroom and painfully concrete in the trenches. The day-to-day reality for a security or GRC team is a stack of disconnected work: chasing evidence across dozens of systems, answering the same security questionnaire for the hundredth time with slightly different wording, manually reviewing vendor SOC 2 reports that nobody has time to actually read, and trying to convince an auditor that yes, the control was operating effectively for the entire period. None of that feels like "managing trust." It feels like grinding through an endless backlog of proof.

The deeper challenge is that trust isn't owned by any one function. Security cares about risk, GRC cares about controls, legal cares about contracts, sales cares about closing deals, and the buyer on the other side just wants confidence that working with you isn't going to result in a breach. Each of those groups has its own systems, its own data, and its own version of what "trust" means. When something goes wrong—a vendor breach, a failed audit, a delayed enterprise deal—the cost lands on whoever is closest to the fire, not on whoever made the upstream decision.

Adding to the complexity is the fact that the cadence is broken. Most organizations still treat trust as a point-in-time event: an annual audit, a quarterly vendor review, a one-time security questionnaire. But buyers, regulators, and AI systems are now operating continuously. The mismatch between how trust is produced (occasional, manual, reactive) and how it's consumed (constant, automated, real-time) is where every modern compliance program is breaking down. That's the gap Drata helps to close.

How is Drata trying to rethink this space differently from traditional compliance or GRC tools?

Traditional GRC tools were designed to help large enterprises document what they already do and to create a paper trail that satisfies an auditor once a year. Drata is built on a fundamentally different premise: that trust should be a living, continuous capability, not a periodic exercise. Our platform unifies governance, risk, compliance, and assurance into one system that monitors controls automatically, evaluates third-party risk on demand, and lets customers prove their security posture in real time. That unification matters because the way our customers actually experience trust is interconnected, whereas traditional tools are not.

The bigger reframe is what we mean by "trust management." Compliance is one signal of trust. Risk posture is another. Vendor security is another. Customer assurance is another. Most tools in this space optimize one of those and bolt on the rest. We're building the operating system underneath all of them. When a control fails, the risk view updates. When a vendor's evidence changes, the assessment refreshes. When a customer asks for proof, the Trust Center already has the answer.

The agentic layer is what makes this practical at enterprise scale. We're not asking GRC teams to do more work faster—we're using autonomous agents to do the work that humans shouldn't have been doing in the first place. Drafting questionnaire responses from approved knowledge. Evaluating vendor evidence against your own criteria. Surfacing the issues that actually warrant a human decision. The point isn't to replace the security professional; it's to give them back the strategic time that point-in-time tooling has been stealing for the last decade.

While "agentic trust management" is evolving fast, it's still in its infancy. How do you build a category narrative around something that the market is still trying to understand?

You build it in layers, and you stay patient. When you're naming and shaping a category that doesn't fully exist yet in the mind of your buyer, the temptation is to lead with the most futuristic version of the story—to plant a flag on what will be true in three years. But buyers don't buy three years from now; they buy today. So our narrative is structured to meet people where they are while also pulling them forward. The entry point is a problem they already feel with fragmented compliance, slow vendor reviews, and/or manual questionnaires. The destination is the new operating model: continuous, autonomous, transparent trust. The job of marketing is to make that bridge feel obvious and possible rather than simply aspirational.

We also lean hard on demonstration over declaration. It's easy to claim a new category; it's harder to show what it actually looks like for a customer. As we continue to grow, we're investing more heavily in showing that proof: customer stories with real numbers, product demos that show agents doing real work, and technical content that explains how the underlying platform actually functions.

The third piece is repetition with discipline. New categories aren't built from a single launch; they're built from saying the same thing, in slightly different ways, across every surface, for years. We use the same language on the homepage, in the analyst briefing, in the CEO's keynote at our annual customer conference, in the field marketing event, and in the customer email. That kind of message discipline is unglamorous, but it's how you go from "what does that mean?" to "of course that's what we should be doing." The market will eventually catch up to a coherent story; it will never catch up to a scattered one.

How do you avoid over-indexing on AI in your messaging while still leveraging it as a differentiator for trust management?

To be completely honest, this is something we're actively working through, not something we've solved. The trap right now is that "AI-powered" has become so saturated it's almost a liability. Every vendor in our space is claiming it, which means buyers have learned to discount the claim entirely. And at the same time, if you're not saying it overtly, your competitors use that against you in the deal as "proof" that AI isn't embedded into the platform.

To me, the differentiator isn't that AI simply exists within the product—it's the specificity of what the AI is for, and the proof that it works the way you say it does. A claim about "agentic trust management" only works when a buyer can see exactly which workflow an agent owns, what changes for the security leader, and what the human-in-the-loop architecture actually looks like. We're investing in being more specific in our messaging—leading with the operational reframe rather than the technology label—because specificity is what separates a credible AI story from a generic one.

The other thing I think about a lot is the gap between announcement and adoption. It's one thing to launch a capability; it's another to have customers using it at scale and telling their own version of the story. Closing that gap is the real work—not louder claims, but more proof. That means investing in the customer evidence, the technical depth, and the analyst validation that turn a positioning statement into something the market actually believes. In a category called *trust* management, you don't get to skip that step. The messaging has to align with the engineering, and then the proof has to align with both.

How do you think about timing in marketing—when to educate, when to push, and when to stay silent?

Timing is one of the most underrated levers in marketing, and it's the one I think about most often. The default mode for most B2B teams is to push constantly—every launch, every webinar, every piece of content treated with the same volume and urgency. Even more so now that AI makes it possible to launch more content faster than ever before. That approach trains the market to tune you out. More is not better; more is simply more.

I try to think about it more like a rhythm: education during long stretches when the market is forming its understanding and a larger push when there's a real moment that earns attention.

Education is the longest phase and requires the patient work of teaching—through analyst engagements, technical content, customer storytelling, executive POVs—to create the conditions for a successful push later. If buyers don't already have a frame for what you do and the problem your solution is solving for them, no campaign in the world is going to convert them.

Becoming that trusted advisor makes it easier to earn attention when those push moments occur. RSAC is a real moment for the cybersecurity market, so we showed up loudly with a meaningful product release. In addition to our new brand identity, we launched a new agentic capability that genuinely changes the buyer's workflow. The discipline is in saying no to the small moments so the big ones land harder.

In a market where nearly every company claims to enable trust with AI, what do you think most marketing teams are getting wrong, and what will it actually take to earn real credibility with buyers?

The biggest mistake I see is conflating volume with credibility. The instinct in a crowded market is to talk more, post more, claim more to make sure you're not getting drowned out. But buyers in security and compliance are not casual readers; they're skeptical professionals whose careers depend on choosing the right vendor. The more you claim, the more they discount it. Credibility in this space is built by saying less and proving more. Specific outcomes from real customers. Technical depth that demonstrates you understand the problem at the engineering level, not just the marketing level. Executive POVs that take a real position rather than hedging into platitudes about "trust matters." That's what cuts through.

The second thing teams get wrong is treating AI as the differentiator instead of the enabler. When everyone in your category claims to be AI-powered, the AI claim itself stops being a differentiator—it becomes table stakes. The actual differentiation is in what the AI is for, how it's governed, what specific workflow it owns end-to-end, and what the buyer can verifiably do with it that they couldn't do before. Marketing teams that lead with the technology end up sounding interchangeable. Marketing teams that lead with the operational reframe—what changes for the compliance manager, the GRC team, the CISO—earn the right to be heard.

But what it really takes to earn credibility is the unglamorous work of consistency over time. Showing up with the same story across every surface, even when you're tempted to chase a trend. Backing every claim with real proof. Investing in the customer relationships and analyst relationships that turn into third-party validation, because the market will always trust someone else's voice more than your own. And being honest about what's real today versus what's coming next. We have to remember that trust is a behavior—not a tagline. The teams that earn it are the ones who behave like it matters in every interaction.
