Get to know the 2020 DataTribe Challenge Winner:
Q&A with SightGain founder Christian Sorensen
Q: Tell us about your background.
Founder and CEO, Christian Sorensen
I spent my formative years working on our family farm in Minnesota. Curious by nature, when I wasn’t doing chores, I was tearing things apart to figure out how they worked and then putting them back together. As a result, I built and rebuilt a lot of electrical and mechanical contraptions from an early age. My curiosity led me to the Air Force Academy where I studied Operations Research and Math. I was fortunate to receive a graduate scholarship to study Management Science and Economic Systems at Stanford University, and later earned my MBA from the University of Maryland. This education equipped me with the academic foundation needed to analyze complex systems and identify levers of change that provide the most impact. I practiced these skills first as an analyst and then as a cyber security officer in the Air Force.
After serving in a number of roles, the culmination of my Air Force career was serving in various positions at the NSA and Cyber Command before retiring from the Pentagon. There, I was given the opportunity to lead a number of historic service, coalition, and national cyber operations at a formative time. For me, these experiences crystallized not only what’s possible in cyber, but also what’s necessary for effective cyber defenses. SightGain was built with this know-how in its DNA.
Q: Tell us about your business/idea.
I founded SightGain with the vision of synthesizing insights from the world’s most advanced cyber teams to build a platform that can both analyze an organization’s readiness to stop a cyber-attack and then use the results to optimize cybersecurity spending for mission, threat, and budget. We’ve been in business since 2016 serving government customers and reinvesting those profits to build our platform.
SightGain uses intelligence about malicious cyber actions to validate if production cybersecurity systems are ready to face these threats. Whereas most assessment platforms evaluate cybersecurity technologies, only SightGain focuses on the critical interaction of people, processes, and technologies to build a comprehensive view of an organization’s cybersecurity readiness. Our approach provides new insights that are critical to helping organizations make risk-based decisions using actual results rather than simply compliance or other black box metrics of cybersecurity. The results enable customers to assess impact and quantify their risk exposure in business terms (e.g. data loss, downtime, and financial loss). At the strategic level, SightGain helps security and risk leadership identify the best investments to reduce risk.
Bottom line: We help organizations know if they are ready to stop a cyber-attack and clearly show them where to invest to make improvements.
Q: What was the original inspiration for your company/product?
We had an aha moment while conducting an automated penetration test for a large customer. They had the latest cybersecurity solutions, they were getting monitoring alerts, and their team was trained. They expected to do well, but everyone was stunned when they caught zero of the 125 tests of malicious tactics we attempted.
While extreme, we see similar results all the time. Despite spending millions of dollars on cybersecurity solutions, large organizations are missing more than 50 percent of malicious activity. Their expensive technology is not stopping attacks, their processes are not tuned nor automated, and their highly trained personnel are not effective at responding to malicious cyber actions. Cyber breaches are projected to cost organizations around the world $2 trillion by 2021. Executive leadership and boards still cannot get the insights they need to confidently understand their cybersecurity risk, so they keep throwing money at it with no discernable return on their investment.
Why is this happening? Put simply, organizations are not proactively evaluating the performance of their cybersecurity systems against the adversary threats they will likely face. It’s like a football team’s offense rehearsing their plays without ever playing against another team. They have no way to gauge how well they might perform in a game or where they might have weaknesses they need to be fixed. Do they need a better quarterback? A new offensive coordinator? A better playbook? Or just more practice against a real opponent?
We’ve built SightGain to solve this problem. SightGain can quickly identify the root cause of cybersecurity performance issues, help make rapid improvements, and recommend the best way to invest in cybersecurity or reallocate existing budgets.
Q: What’s your vision for the future … “What will the market you are pursuing look like in 5-10 years?”
Looking forward, we see solutions in the assessment and integrated risk markets integrated in an open and transparent way. Development, security, operations, and risk teams will use standardized data models to automatically gather and analyze a variety of security risk measures. They will be able to contextualize this information – not to chase vulnerabilities and compliance – to prioritize the most impactful risks to their mission first.
Further, and just as important, manufacturers, software developers, and service providers will be able to advertise their level of risk maturity. This may take the form of a private market for risk ratings, like corporate credit ratings from Moody’s or S&P; or, it may take the form of a regulatory mandate for critical industries, similar to the way restaurants are required to post health inspection scores.
Q: How does your business address pressing cyber and data challenges for the commercial sector?
Even after spending millions of dollars on the latest cybersecurity solutions, enterprise organizations are using cybersecurity metrics that create an illusion of safety. Just because an organization is compliant does not mean it is protected, just as trained analysts are not necessarily proficient, and operational systems may not be effective at stopping actual threats. Cybersecurity and executive leadership may assume they are protected, when in reality they do not know if they are ready to stop a cyber-attack, and while industry evidence strongly suggests they are not. SightGain provides a platform that enables leaders to know they are ready to face cyber threats to their most important assets.
Whereas other companies assess technology performance and patch management to assess risk, SightGain is the first company that uses automated Red Team technology to test, evaluate, and recommend improvements for cybersecurity across people, process, and technology. We test the customers’ systems using real tactics across the MITRE ATT&CK framework. From these tests, our customers not only make rapid improvements in their current solutions, processes, and personnel, but they are also able to prioritize future cybersecurity investments. We do this across three parts of the cybersecurity lifecycle:
Measure Readiness Posture: Identify security strengths and weaknesses in production.
- Use automated Red Team platforms to test the ability of people, processes, and technologies to prevent, detect, and respond to attacks against the organization’s specific environment.
- Map exposure in your environment against common threat frameworks such as MITRE, NIST, CMMC, etc.
- Pinpoint the gaps and overlaps in the cybersecurity technology infrastructure.
- Monitor readiness on an ongoing basis to close gaps and reduce risks.
Analyze Cyber Risk: Assess and quantify risk exposure using actual test results.
- Assess the likelihood of a breach using different malicious attack scenarios.
- Measure outcomes for the organization’s business against cyber threats (data loss, downtime, financial loss).
- Quantify the financial impact of a successful attack based on an organization’s security readiness posture.
- Ensure that cybersecurity programs do not compromise business resilience and growth goals.
Prioritize Cybersecurity Investments: Optimize your security readiness with the right investments.
- Analyze how specific security investments would impact the organization’s risk level.
- Identify and prioritize the best opportunities to improve risk reduction / ROI (e.g. training, upgrade talent, fill technology gaps, tune process configurations, streamline processes, etc.).
- Rationalize security investments with “head-to-head” comparison of competing technologies.
- Create customized training plans for each analyst to help them defeat attacks more quickly.
Q: What attracted you to the DataTribe Foundry? Why did you choose to participate in the DataTribe Challenge?
The DataTribe Foundry has a knack for identifying great cybersecurity ideas early, finding product-market fit, and then helping startups scale. They quickly grasped SightGain’s vision and the opportunity we have to change the cybersecurity and risk market.
Successfully building a startup business is not for the faint of heart. There are a few ways to succeed and a whole lot of ways to fail. We want to work with a venture partner that knows the market, has operational experience, and gets their hands dirty with us on the startup journey. This type of partnership truly makes it an “unfair fight” in the market, and we are excited to be a DataTribe Challenge finalist!
Q: What’s your long-term vision for your business?
SightGain will continue to bend the cybersecurity spending curve by adding security and risk information relevant to leadership decisions to the platform. This includes a mix of assessment technologies and business information that evaluates SecDevOps processes, 3rd party software, IT, OT, and mission essential business functions in a comprehensive and continuous manner. The results from these assessments and other operational activities will proactively and clearly inform an organization whether it is protected, capable, and resilient in the face of evolving malicious threats. Leadership will use the information to prioritize gaps for mission impact and field-test potential solutions before acquisitions take place.
Organizations will finally be confident retiring obsolete systems and will truly understand their risk in light of the cyber threats they face. Following this approach, the cybersecurity market will be more operationally effective, faster at mitigating gaps, and more discerning when evaluating new cybersecurity solutions.