How AI is the Key Turning Point in TPRM with Paul Valente

Transcript

Paul Valente

As of probably 10 or so years ago, every developer is a DBA. There are tools that allow you to do that, right? Today, we’re at the point where AI is in a similar place—any software engineer can become an intelligent AI user.

Ron Eddings

What’s going on, Hacker Valley fam? Welcome back to the show. As you can see, we’re here at RSA 2024, and we have great guests because so many people are here. With me today, I have a great guest, a repeat guest from last year, Paul Valente, CEO and co-founder of VISO TRUST. Welcome back to the show.

Paul

Thank you. I’m delighted to be here.

Ron

Glad to have you back. It’s crazy that it’s been a year—it feels more like six months. How have you been?

Paul

I’ve been great. I’ve been great.

Ron

Good to hear. One thing we didn’t discuss last time was your background as a CISO. There’s a lot of confusion about what the CISO role is. On one hand, you hear the term CISO, and on the other, CISO. Tell me about your role as a CISO.

Paul

I always went by CISO, but I know there’s also CISO. There are quite a few pronunciations. I was a CISO at several companies, including Restoration Hardware, Lending Club, and ASAPP. I spent over 25 years in security, building security teams in highly regulated companies and publicly traded companies, and even spent a little time in the public sector as well.

Ron

If you had to define the CISO role in two to three sentences, how would you encapsulate it?

Paul

The CISO is the person responsible for security at the organization and represents the concept of security to the organization. I see CISOs like the CFO of security—they’re responsible for all things security. If there’s a breach, they’re the person you’ll go to, speak with, maybe yell at, fire, or give a hug to if they averted a breach.

Ron

I would absolutely agree with that from experience. Now that you’re a CEO, what drove you to that role from being a CISO?

Paul

Moving from a CISO to a CEO was a natural transition for me. I started as a technologist, moved quickly into disaster recovery and security, and found that my skills were most valued and needed in security. I repeatedly found myself in situations where I was building programs and it was only natural for me to become a CISO in order to deliver the most value to the organizations that I was at. So I didn’t spend a lot of time thinking about it. I wasn’t kind of like setting out with that as my target. It was a very natural transition for me as I grew with the programs that I built.

Ron

And when you were a CISO, I could have sworn you said that you were doing that for about six years.

Paul

So I was at six years leading the security program at Lending Club, but over 25 years building security programs and various CISO roles at several different companies. Restoration Hardware, Lending Club, ASAPP. I think in chronological order. Yeah. Before that, a company that later became Blackbaud as well. I built a security program there as well.

Ron

Amazing. When I first learned about the role, I thought that there would be a lot of hands-on security work because you’re the person that’s overseeing everything. And then I started to think, well, maybe it’s like being an architect because you’re looking from above. But from speaking to so many CISOs, I’ve heard that it’s more like being a business person, where you’re engaged and part of the executive team. You’re not necessarily speaking the language of security. You’re speaking the language of business. What would you say were the core pillars that you were focused on in your last CISO position?

Paul

So in my last CISO position, I definitely fulfilled all those things that you mentioned. I was not the kind of chief architect or chief technologist. I had a leader of security engineering that essentially carried that role for me or for us, for the team, who actually became my co-founder at VISO TRUST. Fantastic security expert and machine learning expert, Russell Sherman. He’s the CTO at VISO TRUST now. But I definitely represented to the business what security means regarding being strategic for our company, right? I think that was really the main responsibility. And then representing back to the technology organization, kind of the other side of that, right? What needs to be implemented to incorporate the strategy of the business into security technology, right?

Ron

Yeah. On the cyber startup, cyber vendor route, you typically see a product manager or someone from the product kind of elevating and then ultimately becoming a CEO or founding their own company. And then for CISOs, you typically see them being on advisory boards, maybe even a board of directors, but your journey is a little bit different. So why start a company rather than join another team or build another program?

Paul

Yeah, yeah. I think for myself, I perhaps speak for my co-founder a bit here too. I think really the inspiration of being able to contribute the solution for a particular problem to a very, very wide audience, right? We essentially discovered through the pain and suffering of trying to deal with TPRM and third-party risk at our company and really being very, very frustrated with that, also recognizing how universal of a problem it was, we became inspired to focus our efforts to solve that problem, not just for us, but for the community at large. And I think what that really means for us is when you can focus just on one problem, instead of focusing a little bit on a bunch of problems for a single organization, you can focus on one problem for an entire industry, which is exactly what we’ve chosen to do. And so far, we’ve found it to be very, very rewarding.

Ron

I feel like you’ve hit the jackpot because last year when we spoke, everything was about AI and it’s still the case. And you were already bringing in that technology, a lot of machine learning. And last year, I think you also said you were doing statistical analysis in the platform as well.

Paul

Yeah, sentiment analysis, inference, etc.

Ron

Exactly. And on the other hand, since AI is so popular and so hot right now, everybody’s adopting it. So third-party risk is a huge factor in that. So you’re in this very rare space. Would you say that you see the demand and people starting to open up their eyes that they need this type of solution?

Paul

Absolutely. And there’s a few different things at work here. So the first thing is every CISO at every company is getting pushed by their business stakeholders to understand AI, to find ways to control the risks regarding AI vendors and AI in general, as well as to find ways to take advantage of the opportunities. And yeah, we’re really in a perfect spot there.

Our third party risk management platform allows companies to assess third parties, of course, but also to assess them from an AI trust standpoint, right? So that you can adopt these solutions with the peace of mind that you need from an AI trust standpoint. Then there’s what you were alluding to before, which is, how do we address a miserably slow, labor-intensive, complex, painful problem like third-party risk with AI? It turns out that the technologies that we’ve been working on for so long, that you were talking about using natural language processing, machine learning, sentiment analysis, supervised machine learning, etc., really are the key turning point for TPRM, right? It’s a very, very information-intense process. And the intense information problems have been insurmountable in the past. Really, there’s information that we all need locked in what we call security artifacts, evidence of the security program that companies naturally produce as they build security programs and define things like policies and standards and create tools that output various reports or hire companies to do tests, right? All of those have outputs, right? But no TPRM team has had the expert resources en masse to address that and analyze those across thousands and thousands of third parties. And AI is really the key to doing so, which is what we’ve been able to deliver for our customers.

Ron

So break it down for us. Why do companies need third-party risk management?

Paul

Great question. And it’s really interesting because third-party risk management isn’t new. And at the same time, for many CISOs, it is. CISOs, I remember, I don’t know, maybe five years ago talking to a CISO about third-party risk and them saying, not my problem, right? But nobody says that today. Nobody’s saying that today.

In fact, for the past few years, it’s been in the top five, top three, if not the top thing for CISOs. At the same time, it hasn’t necessarily been the top thing that they’re actually doing something about. It’s a top concern, but there has been such a lack of valuable solutions. Questionnaires don’t move the needle on risk. They’re highly biased towards positive responses filled out by salespeople. We all know that the ratings vendors are just giving us security hygiene on public-facing websites. They don’t tell you whether a company encrypts your data at rest or what their security program is really like. With a lack of viable solutions, it’s been at the top of CISOs’ list of things to work on, but with them oftentimes not actually doing anything about it.

We’re finally at a point where not only is there no excuse to not do anything about it, but there’s a great solution using cutting-edge technology.

Ron

For sure. It’s crucial. I think everybody should be checking out third-party risk. It’s something that I’ve been more conscious and aware of, especially because I’m using AI tools and using tools like even things like ChatGPT, it makes you realize how much IP you truly have. Anything that you enter in any tool, but I think AI made us hyper-vigilant, like, oh, they might be using it to train. But, you know, I think that’s kind of the important part of advanced technology is to allow your vendors to learn how to better serve you.

And I think that comes from data. How is your platform and the way that you’re building, you know, encapsulate using previous lessons to make the product and your company better?

Paul

Yeah, yeah. So as a machine learning company and as a company that is focused on the automated interpretation of security-related language, I know that’s a mouthful, but essentially evidence and artifacts of the security program have information about security that needs to be interpreted, right? Needs to be interpreted in terms of what it means for controls and what it means in terms of risk. And building models to do that is what our company is focused on. And so what that means for us is that from every interaction that we have, our models are learning.

Now, obviously, we’re very concerned about the security of data, the security of our vendors, of our customers. And so we go to great lengths to ensure that that information is anonymized, that it’s used appropriately, that, for instance, vendors are in control of when data is reused that belongs to them. We’re able to do that in a way where we can create fantastic economies of scale to allow very, very accurate risk determinations very, very quickly. That essentially gives our customers the ability to take a process that was once confined to only their most critical relationships because they just can’t afford to hire the experts and to scale to thousands and thousands of third parties to instead shift this process left, assess any number of companies when they’re looking at perhaps purchasing a new solution, take that information into account and make better decisions upfront.

And then continuously manage, monitor, assess, and remediate their relationships at large across their entire vendor footprint. So really a very, very powerful paradigm shift that’s perfectly timed with this moment in history where CISOs, every CISO, is being held accountable for their entire third-party footprint.

Ron

I have to jump in for a second to share some details about our sponsor for this episode, VISO TRUST, the leading third-party risk SaaS platform built for modern enterprises. Take your security from bottleneck to business driver with the VISO TRUST risk intelligence insights, leveraging documents, assets, and networked information to deliver fast and accurate vendor risk assessments. Get higher coverage and accuracy at 100% with VISO’s lightning-fast approach. Assess any vendor regardless of maturity. You can finally banish the assessment backlog and map to over 30+ common frameworks. Not only that, you get actionable risk analysis in seconds. How long? 10 seconds instead of 10 hours. VISO TRUST is offering Hacker Valley listeners a discount on annual plans, and you can learn more by visiting visotrust.com forward slash Hacker Valley to get started today. Thank you, VISO TRUST, for sponsoring this episode.

I’m sure before building you tried to build it at places like Lending Club and other places that you were a CISO for. But you learned the hard lessons. It’s like, okay, if I want to solve this problem, I need to give this problem my full attention. When you were first starting out or even today, what is the most valuable piece of data that you can get from a vendor to be better prepared for something like third-party risk?

Paul

That’s a great question. I think if all I could collect is limited pieces of information from vendors, I would focus on a few basic things. Now, these aren’t going to be shocking to folks, but I would collect whatever third-party reports they have. This would include things like SOC reports, ISOs, and especially penetration tests. Of course, that would allow redacted and executive summaries, otherwise they’re not going to give them to you. You don’t need to exploit them.

And then other basic things like policies and standards, if they’re very, very early, job descriptions from their security personnel. And from studying these, you can get a high degree of valuable information. Now, there’s, of course, limitations to that. That can be very time-consuming, right? And if you’re dealing with a lot of vendors, that’s going to be a big problem for you. Or if your business is bringing on new ones really quickly, it’s going to be a big problem. But that’s the highest quality data for sure. Now, of course, you can’t ignore doing a quick web search and seeing whether they’ve had breach notifications come out recently, right? So you need to do that. But if you’re really small and you’re just dealing with a handful of vendors, these are the types of things that I would certainly recommend as the starting point.

Ron

What I find so fascinating about third-party risk management, especially having a solution, a platform that allows you to see the risk of adopting a technology is after seeing that risk, you might say, whoa, I actually don’t want this platform after all. Has that come up? Do you see that?

Paul

So absolutely. And it’s come up actually recently. We have a fantastic company, great, great customer of ours, Cruise Automation, which is part of GM. And they have been a very, very successful customer on our platform. One of the things they reported to us, which was a little bit surprising for me at first, but once I thought about it, made perfect sense, is that, you know, when they went through some contraction, they actually leveraged the VISO TRUST platform to determine which vendors they should keep. And determined that our platform was mission-critical in helping them make that distinction.

So that was a value prop that I hadn’t thought quite as much about, certainly in terms of when folks are early on in evaluating vendors. That’s something we hear every day, right? Shifting this process left, assessing all the candidates at RFP, RFI, seeing business owners making better decisions about third parties rather than the security team having to be the Department of No. We hear that all the time, which is really, really powerful and meant a lot for my co-founder and me, because back at Lending Club, that’s what would have changed our lives. Because we definitely were branded the Department of No and accused of killing innovation, which was not obviously our intention.

Ron

I think it’s really cool that one of your customers said, hey, we’re actually going to reduce some of our technologies, the amount of technologies that we have because of things like third-party risk. There’s a lot of platforms out there right now that will let you know if you have duplicate licenses, especially like in the SaaS space. But after you find out, OK, I have two graphing solutions, which one do I want to keep? I think looking at the risk that that technology brings to your organization is a good way to then make a decision on which technologies you want to keep around.

Paul

Absolutely. And I think essentially presenting that information in a way that is really easy for business owners to digest is really key to that. And that’s, we’ve got specific features on the VISO TRUST platform, like the executive summary, for instance, that are really geared specifically towards that.

Ron

Now that you’ve been running it, it sounds like there’s a lot of adoption. You mentioned that you have Cruise as a customer. What other organizations are taking a look at VISO TRUST and what do you think causes that initial point of attraction between CISO and VISO TRUST?

Paul

Yeah, today the platform is trusted by companies in every vertical, including some of the world’s largest banks. And it has become the heart of those companies’ TPRM programs. What is really exciting for me is hearing that we have allowed these teams to reinvent themselves to the business, move from being the department of no, the department of slow, to the model for innovation and automation to which other teams aspire, while controlling risk, while reducing things like risk exceptions by more than 75%. These are companies like Notion, Instacart, Commonwealth Financial Network, lots of companies in every vertical and in every geography across the globe as well.

Ron

Powerful. Love that. As I mentioned in the beginning of the podcast, there’s AI, third-party risks, how does space and cyber today? If you ask me, my background is in security automation, and I know that, especially when security automation was at its pinnacle around 2017, you go to security automation company one, and then two, they’re very different. Like there’s overlap, but there’s very unique attributes about the companies. And I would imagine the same for third-party risk. What is the differentiation for VISO TRUST from other platforms?

Paul

Yeah, so third-party risk has been around a while, right? It was historically mostly focused on in highly regulated industries. But today, it’s important for every CISO. And there’s probably 100 ways to put a security questionnaire online, right? And then there’s probably 20 or more solutions for getting a rating of a vendor with open source intelligence, right? And I think what’s really exciting about VISO TRUST is that we’re neither of those things.

And we’re the only company that allows you to assess companies using evidence and artifacts of the security program across a diverse set of public and private sources, using artificial intelligence to eliminate the work, eliminate the toil, and to give you faster results at scale that are more accurate. We use a human in the loop to ensure 100% true positive findings, 100% accuracy.

And we consistently deliver more than five times the true positive findings on third parties than ratings or questionnaires, which really allows companies to at scale take control of their third-party risk. And we’re really leading what we see as a category shift, moving from questionnaires and ratings that have these problems with scale and accuracy to AI-based evidence and artifact-based assessment.

Ron

I’m a huge AI fan and I know that you are as well. You brought up many different facets that VISO TRUST invests in when it comes to AI. For someone that is looking to do something like third-party risk or just explore AI and cybersecurity, what direction or advice would you have for someone that’s trying to learn more about the space?

Paul

Yeah, that’s a great question. I think the first is to get started. Go for it. There are a lot of resources out there to learn AI quickly using open source tools. At one point, databases were just for DBAs, right? As of probably 10 or so years ago, every developer you know is a DBA. There are tools that allow you to do that, right? And today, that’s where AI is. Any software engineer, anybody can become an intelligent AI user. So jump in, get started, do some tutorials and start playing with it.

Ron

I would highly recommend it. It’s the time. AI is taking over, but so is third-party risk. And I think that’s one area that whether you’re a CISO or a CEO, you have to pay a little bit of attention to, if not immense attention. I would encourage everybody to check out VISO TRUST. Paul, it’s been a pleasure and an honor to have you back on the show.