Whistic CEO Nick Sorensen on the CyberBytes Podcast
Published: Sep 11, 2024
Duration: 00:16:00
[Music]

All right, and we're live. So welcome, Nick Sorensen, CEO of Whistic. Welcome to the podcast. How are you?

Good to be here. I'm doing great. How about yourself?

Good, yeah. We've had a busy week so far. I know you flew in yesterday, so a quick pit stop for you. Um, you guys have got a booth, right? Black...

Uh-huh.

How's that going so far?

Uh, it hasn't opened yet, so, but it's going great because it's all, it's looking great. Yes, we'll see today.

So said. Okay, cool, first day today. And what are the objectives for you guys this week at Black Hat?

Uh, we're doing a lot of awareness about what we do. Third-party risk management is a legacy space. A lot of people know what it has been historically for them, which is essentially this: I send you a questionnaire to understand your risk, you spend a month filling it out, and we do this dance back and forth. It's kind of an unsexy market. It's like, it's a "I've got to do it" sort of a thing. So we're helping to educate people on, there's a different way, there's a new way of thinking about that. Nice. Um, you don't have to be trapped in that.

Cool. I'm keen to, uh, explore that in this conversation. But before we start, so, um, the way I like to start the podcast is rewind it back a little bit. So are you able to give the audience just an idea of who you are, your background up until Whistic today?

Yeah, so I've done three different startups unrelated to cyber security, so kind of fell into this opportunity. Uh, first startup was actually outdoor gear and apparel, okay, company. Uh, funny enough, love the outdoors. Nice. So that's what attracted me to that. Uh, the next one was in patient financing, so a fintech sort of healthcare mashup that I was a part of, and now Whistic. So that's been my last, yeah, 15 or so years.

Love it. And why are you Whistic, then?

So I got introduced to my now partner, Juan Rodriguez. Okay. Um, fell in love with the problem that he was trying to solve, really respect him as a, as an engineer and as a creative innovator, uh, in the space, uh, and really aligned with what they were
doing. I felt the pain. Each of us on the founding team sort of felt the pain a different way. When my last startup was getting acquired, I went through, I didn't know it at the time, but I went through a third-party risk assessment as a part of the acquisition. Yeah. They flew out their chief information security officer. He rented a hotel room. Okay. We sat knee to knee in a hotel room for about two to three hours, and he just asked me 350 questions. I didn't realize it then, but he was running me through the Shared Assessments SIG questionnaire. Okay. And as we're doing this exercise, I just thought, this is the most inefficient, broken process, expensive, you know, flying this guy out. Like, what are we doing? Yeah. Um, and come to find out, full circle, now we're solving a pain point that helps address that, uh, problem. So.

Very cool. So how would you define, for the audience that don't know much about third-party risk management, how would you define that? And also I'd like to cover what you guys are doing slightly differently to innovate the industry.

Yeah, I mean, at a, at a super high level, we want to do business together. Yeah. If I'm going to purchase your software, I need to understand that you're not going to be the source of a data breach, sure, that my data is going to be safe with you. I also need to be able to meet my compliance and audit requirements of my customers, my regulators, my auditors. So I need to do my due diligence on you so that you're not a weakness in my attack surface. So that's essentially a high level of third-party risk management. And so you've got risks. I need to assess them, I need to understand if I'm comfortable with them, then we need to decide what to do with them. Sure. And so that process is a two-sided process. There's a lot of software that's been developed to essentially make it easy for me as the buyer to send you questionnaires. Okay. That's why you talk to any sales rep, you talk to any information security team on the vendor side, and they, they really hate responding to those
questionnaires. It's a waste of time. It's, it's this back and forth, but you can't really get ahead of things because everybody's asking you slightly different questions in a different way. Uh, so the legacy way of doing third-party risk management is largely a questionnaire-driven approach, uh, to things, and, and there's just a lot of inefficiency with that. Even if you're automating a lot of the manual steps, which we do, uh, we have found that there's still a lot of, you know, manual administrative effort, and most organizations are spending the vast majority of their resources and time on administrative tasks instead of risk mitigation. Right. And that's not where you want your information security or risk resources.

Right, makes sense. So I was having conversations this week and, um, like AI SOC and folks doing similar, trying to automate the, I don't want to say tedious, but the, the more, um, operational tasks so they can actually spend time, right, on the, the things that are really important to be solving, the problem solving. So it's interesting. And how long have you been building Whistic for, then?

So we were founded in 2015. Our first product market, 2016.

Cool, okay, it's been a while. Um, what have been the biggest challenges in that journey, would you say?

So we've essentially invented a different way to think about a legacy problem. Yeah. One of the biggest challenges is educating people on why they should leave that legacy, because they're entrenched. You know, "we've been doing it this way for years." Yeah. So an example of that: in 2017 we introduced a concept to the market that hadn't really been introduced before, which is the concept of a trust center, okay, uh, a software-based trust center. So instead of answering questionnaires over and over again as a third-party vendor, why don't you publish all of your answers to the standardized framework questionnaires, attach all of your documentation, your audits and certifications, and proactively push that information transparently to your buyers before they ever
send you a questionnaire? Okay. Let's turn the tables, right? Yeah. And for the first few years people are like, "That's stupid, no one's ever going to accept that." Fast forward seven years from now, that's kind of becoming the status quo. That's a part of the change that the industry is making. So, but it's taken a while for people to get on board with that. It's, and we're not the only ones that have enacted that. There's a lot more transparency. There's regulation pushing that. DORA is, is pushing more transparency in, in the EU towards disclosing security incidents and things. So it's not just Whistic creating that, but industry trends are going that direction now, which has been interesting. But that's been probably the hardest part, these challenges.

Yeah, interesting. And what was the vision for you guys when you first started, and has that deviated over the last six or so years?

To Juan's credit, who's original sort of visionary, uh, the, you go back in the Wayback Machine and look at the original website: "two-sided vendor security network." That's stayed the same, okay, throughout the beginning. Now the, the how of how we've done that is, has, is evolved, but that was always the vision. We have these legacy tools that are basically built for the buyer to send a questionnaire to the seller, to the vendor. Shouldn't there be capabilities on the vendor side to make that easier? Like, shouldn't we build with both sides in mind? And really, isn't this a two-sided network? Mhm. Um, and so that has been the vision from the beginning.

Very cool. And what stage are you guys at now? Are you VC-backed?

We are, yeah. So we raised a Series B a couple of years ago.

Oh cool, yeah, okay. Um, and size of the business, big, you guys?

We're just, uh, we're about 75 employees. We're in the hundreds of customers. Work with some, you know, some of the largest organizations in the world. Awesome. Financial services? Yeah, top three financial services organization, largest health insurer in the country, um, some of the larger tech brands that we all know, cool, are
on Whistic.

Brilliant. Is it just US-based or you wider?

Uh, we have customers, uh, global. Mainly US, North America based, but Australia, UK, EU, mhm, uh, as well, yeah.

Cool. And so you guys, you've kind of changed the narrative in the industry, what's, which is interesting. What, how do you see the industry maybe changing in the next one to two years or beyond that?

Yeah, so really interesting trend, uh, over the last 18 months. It's been AI, obviously, buzzword for every, you know, cyber startups talking about it now. In our space, though, very tangible benefits, if you can do it right, of, of AI. Not just a feature add-on, "hey, you can use gen AI to do this or AI model to do this." But if you think about, we manage this whole life cycle of third-party risk management, from vendor onboarding to risk triage to assessment and reassessment, and there's this, this huge workflow, and then you've got our network that's built on that, that's just two-sided exchange of information. Yeah. There's a lot of applications for how AI can accelerate that process. One example would be, you know, even though somebody has a trust center in what we call our trust catalog, a third-party vendor you're looking to purchase from has information in there, so your team needs to assess them before you can onboard them. It's there, you get it on demand, that's great. They've got their SOC 2, they've got all these questionnaires answered in there, they got policy documents. I still have to go read that stuff. Yeah. And that often takes 8 to 10 hours on average, is, is the average assessment time for somebody to go. That's, you know, we're eliminating 90 days of back and forth, but now you've got this 8-to-10-hour problem. So that's a really good application: say, let AI read that, surface the risk, summarize the data for, and now you can eliminate the 90-day back and forth and the 8-to-10-hour assessment process. So think about every step in that assessment workflow life cycle we're picking off, and we have roughly two-thirds of that already AI enabled. Great. We, we've
basically gone all in on that over the last 18 months. Awesome. So that's been the biggest shift. Um, you know, in addition to the foundation that we, we've laid to sort of change the narrative in the space, now being what we call AI-first, uh, third-party risk management is really where we see things going. Yeah. Just a lot of really interesting applications that are not buzzwords, uh, but are tangible benefits that our customers are very excited about. So that's where things are headed.

Yeah, that's very cool. And here at Black Hat this week, have you guys got any announcements upcoming, maybe the next few months, this week specifically, or end of this year?

So, check, yeah, we just announced, uh, our AI assessment co-pilot is generally available now. Awesome. Um, so that, uh, you know, in, in beta, um, with a lot of customers over the last few quarters, and that was recently announced. Essentially a suite of AI capabilities to automate the pieces of the process that we just talked about. We're really excited about that. A lot of customers are already leveraging that. But that's the big, yeah, uh, announcement and news for, for Black Hat.

And what's the feedback been on that from those customers that are utilizing it? Makes a lot of sense, right, to me, and it's, surely it's saving a lot of time for those folks as well, using it.

It was interesting. So again, we've been working on this for, for a while. So a year ago, Black Hat, we started talking about this with customers and, and starting betas and things, and you saw a lot of customers jumping both feet in right out of the gate, and you saw a lot of companies saying, "We don't know what to do with this AI and the risk." And, and we thought, okay, that, we anticipated that. How long is that going to last? We were surprised at how quickly a lot of those companies came back around and said, "Okay, we've decided that we're ready to go now." It's not to say that everybody's in that place. Some organizations are moving slower on adoption of AI and their risk, you know, appetite and tolerance for
that. Uh, it was good for us, though, to experience that early, you know, a year ago, because it forced us to be more transparent and to get our, um, security controls and things in place so that people could feel comfortable with what we're doing. So, um, once you get over that hurdle and you deliver the tangible value to people, though, it's kind of like, "Can you do the next thing for me as well?", which has been fun to see. We, we released an initial capability, an example of this, in Q1 this year, early this year, and people like, "We love that, and we can summarize a SOC 2 audit report. Can you do this next thing?" And, and we heard that over and over and over again. We had already been building that next thing for six months, and so it's cool to see the market sort of, we, we could see where that was going, and so now people are really excited for that thing. So there's a lot of appetite for, for this, just because there's so much wasted time and effort that people are going through.

Yeah, for sure. And H2 into next year, what's on the horizon for you guys? What, the goals, objectives?

Yeah, so I mentioned about two-thirds of that workflow is AI enhanced today. We'll complete that. Entire, you know, life cycle will be, very cool, um, AI enhanced over the next few quarters, which is exciting. Um, and then there's some additional, you know, we have this trust catalog, which is the repository where the trust centers reside. There's a lot of interesting things, data sources and things, that, now that we have those foundations and the AI enhancing that, um, that when we pull those, uh, additional data points in, will make it even more valuable. Right, cool. So think about it going deeper on risk. Now that we've covered all of the bases, we can now go, you know, deeper in a few of those specific areas. So that's what we'll do.

Yeah, very cool. Okay, nice. And, um, to, to wrap this up, pleasure to have you on, Nick. It's been very interesting to learn more about you guys. Um, you've been a three-time successful founder, right? If you had to give some advice
to someone in your shoes, rewind the years to when you're starting Whistic, um, they're looking to start their own startup, what piece of advice, maybe one thing or a couple of things, what would you say to those folks?

Two things that, um, that come to mind. One, find a great partner. Mhm, I've heard this a lot. Yeah, yeah. I, the first two organizations I was with, I had great partners, but I also saw the impact of, of individuals that weren't great partners, that potentially damaged the organization. Um, so that's...

What do you define as a great partner, in your opinion?

Um, I'll just describe my partner today, Juan: humble, hardworking, and you can trust them. Yeah. Um, so those are, those are attributes that, that I think are not easy to find, uh, in someone that wants to be an entrepreneur. But that's number one. Number two, I would say listen to the customer. We do a lot of customer feedback. We did that in the early days as well. Yeah. That doesn't mean you have to build exactly what the customer is asking you for, but you got to stay close to the, to the customer and build with them in mind.

Yeah, yeah, awesome. Well, Nick, it's been a pleasure to have you on. For those, if they want to get in contact with you guys, what's the best way to do that?

Whistic.com, whistic.com.

Cool, awesome. Well, great to have you on, Nick.

Yeah, thanks so much. Good to be here.

Thank you for listening to this very special Black Hat 2024 edition of CyberBytes, the podcast. If you did enjoy the episode, please like, subscribe and share with your colleagues and friends. If you're a candidate looking for a new role or a hiring manager looking for their next technical GTM hire, then please reach out directly or via our company email info asp search.com