653 Threat Captain: Bridging the Gap Between Cybersecurity and Financial Risk

(0:02 - 0:46)
The podcast you are about to hear is a vendor profile episode for PitchIT, an annual startup competition and accelerator program organized by IT Nation, a ConnectWise community. This year, 26 companies from seven different countries have been selected to participate. Companies go through a 16-week business transformation course led by industry experts and ConnectWise leaders. 

After the 16 weeks, each company will be required to complete a virtual pitch. From that, judges will select three finalists to present their pitch live at IT Nation Connect in November. The first place winner receives $70,000.

(0:46 - 2:11)
Second place winner receives $30,000. Third place, a set of steak knives. This episode is presented by Thread, last year's PitchIT winner. 

Thread's mission is to help IT service providers deliver service magic. Visit them at itbusinesspodcast.com slash Thread. Hello friends, Uncle Marv here with another episode of the IT Business Podcast, the show for IT professionals, managed service providers, anyone that is in our space that provides support to business. 

We help you do that better, smarter, and faster. Today, we are having one of the vendor PitchIT profile podcast and these shows are being sponsored by Thread, last year's PitchIT winner. Take control over your service experience and say death to the ticket at getthread.com. So today, we are joined by Thread Captain, a cybersecurity leadership development company dedicated to bridging the gap between executive leadership and security teams, enhancing cybersecurity through strategic alignment and informed decision making.

(2:12 - 6:30)
And yes, that is a mouthful, but to help us understand it better, Adam Anderson, the co-founder of Thread Captain is joining us. Adam, how are you? I am having a delightful day. How are you doing? I am doing pretty good myself. 

So I guess the best question to start with is can you illiterate what I said in a much more concise and clear manner? Gosh, I hope so. Because I mean, that is a really good phrase for like a tattoo or something, but we should not be using it on podcasts. No, you are right. 

So that was a mouthful. And what we really are doing, what we have discovered over the last couple of weeks being on the PitchIT accelerator is to actually build a financial risk platform that helps people talk about financial impact of cybercrime. And that is what is actually bridging the gap between technology providers and the people who are buying those services, be it internal, where it is a CISO talking to a CFO, or if it is an MSP talking to an IT director or a controller and one of their customers. 

Okay. So that actually hones it in a lot. If you are talking specifically financial, what was it that made you kind of tweak that? Well, I love me and I think I do a great job when I am doing professional services, but people kept saying, hey, that cool tool that you are using, maybe can we just have that? And you stopped showing up. 

So it was a little humiliating. And also I get it. That is what this is all about, figuring out what the right niche inside of the niche is. 

And so by being able to graphically show financial impact to cybercrime, it turns out that the picture does equal a thousand words. And really, we just got so much excitement about that, we are like, all right, well, we should do what we are told and move forward with the company that makes sense. Okay. 

So in terms of helping people understand the gap, it sounds like this could be something that could be done both for us as MSPs and for our customers. So do you focus on both or is it a way to help us help our customers understand it? Yeah, it is primarily, you can use it in a lot of different ways, but you got to pick a horse and ride it, right? And so, yeah, you should totally use it internally, but it really is designed to have better conversations with your customer. We did some research and only about 17% of MSPs say that they sell cybersecurity really, really well. 

And the sub data inside of that is about 50% of them say that they struggle communicating the value of cybersecurity. We're really good about scaring the heck out of people. What we're not so good about is explaining what the long-term ROI is. 

So the missing piece of that puzzle was the financial data of likelihood and impact. Okay. Now, I know that for at least the last two, three, maybe more since COVID, we've been taught to some degree how to sell cybersecurity from all the security vendors out there. 

What makes ThreatCaptain unique in that respect? Well, I like to think of the fact that we're just snappy dressers, that we're really well-put. No, that's not it. What I think it actually is, is that the entire security industry sells based off of fear. 

And what we expect a client to do is to respond to that fear and to really respond to the heavy impact side of it. So, oh, if you get hacked, it's going to be like $20 million. And the client turns around and says, look, I'm only doing 6 million revenue. 

How in the world is this going to be $20 million? And so what happens is that as you sell based off of fear, you eventually desensitize the customer to the conversation. So what we do is we move from fear over to likelihood. Well, we talk about what we train MSPs to do and what we're asking them to do is to have that conversation of saying, hey, look, what do you believe the likelihood of your breach is? What does the data show based off of what security controls you have in place? And then let's talk about impact.

(6:30 - 7:00)
Because if you can't get the client to have that epiphany that, hey, the different security controls I have in place actually equates to what's the likelihood of me getting hacked, they're not ready to have the impact conversation. So think about what makes us unique like this. We put the likelihood conversation before the impact conversation and kind of get that whole flow of dialogue to a point where the customer is ready to have a conversation about cybersecurity.

(7:01 - 12:50)
All right. So it sounds like you're selling advice and consulting and not really a service. I don't hear, you know, sell this tool, use this tool to help you sell or anything like that. 

So what are the steps that we would actually have to go through? Yeah. So we had to make a decision. Are we going to help people with selling systems? Are we going to create a tool that meets them where they are today? So if I was to train sales, it would take a really long time and we wouldn't have that big of an impact. 

So we actually created a software platform. So it's a SaaS tool that runs simulations on cyber threat and impact and gives pretty reports for the MSP to go to their customer during a QBR or for prospecting and say, this is what the reality for your risk is from a financial point of view. Let's have a conversation about strategy. 

Okay. So does it take like where we have to upload existing policies and documents and stuff in order to get that? Yeah. So we tried to do that the first time, right? And there's so many nuances and so many different ways. 

It's really hard to replace that solution architect. We did try AI and gosh, darn it, it's not quite there yet to be a solution architect. So what we're doing instead is we're showing industry standards by taking data feeds from the MITRE ATT&CK framework, which shows the kill chain and all the different ways that breaches happen and which security controls prevent those breaches. 

And that's where we get our likelihood from. And then we take a data feed from the Verizon Data Impact Report, which actually shows self-reported financial costs. So by looking at the Verizon data and feeding in the MITRE data, I can then look at what security controls you have in place, what, you know, and I give you pass or fail. 

Do you have a policy? Do you not have a policy? I'm not going to read your policies with the tool. We're giving you the benefit of the doubt. And actually, the real point of all of this is to give you a window into how the cybersecurity insurance industry is looking at your customers. 

And so this is the same process and the same methodology that insurance looks at cyber risk. And we give the MSP a tool that does exact same thing. Okay. 

I want to go back to a little point you made earlier where we said the first time we tried this. So is this a reboot of something or? Yes. So three years ago, he really attempted to bring this kind of product to the insurance industry and they loved it. 

I thought it was great. And we went to the largest insurance provider in the country. We said, this is what we've got. 

I said, oh, my gosh, we were so excited to write you giant checks for this, but we just acquired a company to do this. And so that was our big shot. The company never really got off the ground. 

And then three years later, up to 2023, we looked at that tool and we noticed that there was a huge selling problem inside of the MSP market. And what they were lacking was the kind of transparency and data that the insurance companies had. So we said, well, should we just give this tool to the MSPs and make it multi-tenant, really craft the software around what the MSP needs to do cybersecurity conversations? And well, let's find out. 

So we went out and we tried to sell it. We tried to talk to MSPs, built some early adopters and advisory boards. And lo and behold, by this time, what is this, June, this summer, yeah, it's rocking and rolling our first generation products out there. 

Customers are using it and it's worked. I mean, you never know when you start a company, is this going to actually work? And yeah, it's been amazing. All right. 

So with the help of MSPs, you kind of got it tweaked and everything. I guess the next question is going to be, you know, not only how does it help us, but, you know, what are the types of, I guess, integrations involved? Like how would we use this within our stack? You know, can we jumpstart anything else off of it? That's right. So the most important thing in our process is looking for the actual integrations. 

So the real question isn't should we integrate, but by how much and with who? And so right now it's a standalone product where you go, it's SaaS enabled. And our steering committee right now is breaking the product. They're using it very; we've got about 15 MSPs that are on our steering committee. 

And every week we get a, I need this new integration. This needs to go there. So what you'll end up seeing is that this, that Threat Captain is going to end up being your data analytics engine that gives you alerts, gives you reports, and helps you understand the cyber risk and the cost of it, but then feeds into all of the different day-to-day operations. 

For example, what we don't want you to do is to use it as a CRM. What we want to do is be able to feed that information into your existing CRMs so that you'll be able to say, oh, there's a compliance change. I need to call this client back. 

This is what the impact is and have actionable intelligence around risk that you can then apply. And yeah, the, I will tell you that the number of software products to integrate with is probably going to be our most energetic development effort. All right. 

So now let's go back and see how far along we are. So this was the reboot. Mm-hmm.

(12:50 - 13:09)
Now, in terms of Threat Captain in this iteration, is this something you are one year into, two years into? Where are we at? We are six months into this. Six months in, okay. So that's right. 

We started it back in October. Oh gosh, no, we're about eight months into it. Eight months, yep.

(13:09 - 14:14)
Yeah. So we started October last year. So my co-founder, Brad Powell, and I actually founded another company called Hook Security, which sold cybersecurity through MSP. 

So it was a user, it still is a security awareness training company. And what we found is that every time we sold to an MSP and then we expected them to just turn around and sell it to all their customers, because why wouldn't they? There was a huge barrier, right? And that's really what convinced Brad and I to move on to really addressing this problem of that gap is that every time we sold Hook Security to an MSP, it was Brad's job to help the MSP be enabled to go and sell it. And there just weren't the tools out there to help facilitate that conversation of what was the value of the security. 

So we're about eight months away from that epiphany where we said, all right, we have a CEO in place, let's let that company run and we'll go start another one. All right. Well, let me ask this question that I did not prep you for.

(14:15 - 15:09)
Why not just build this inside of Hook Security so that as a product gets sold, this would be a component, it could be an add-on cost, but... Yeah. What we found is that if you take your eye off of the ball and off the mission, then you can really screw up a company. So for Hook, its primary reason for being is to help people detect when they're being manipulated through technology and equip the human brain to prevent that from happening. 

So all the science and everything they do is all around that. What ThreatCaptain is all about is how do we communicate the financial impact in a way that actually is accessible to people. And so it's a lot easier to go and spin off a new company that has a new mission that may not align with the original mothership.

(15:09 - 15:25)
Gotcha. Okay. That makes perfect sense there. 

And I guess, let me ask now in terms of joining the Pitch It Accelerator program, what's the hope and goal besides winning the money? Well, I think we don't want the money. I think we want the knives. I'll be honest.

(15:26 - 16:50)
You want the steak knives, huh? That's right. Third place steak knives. I'm like, come on. 

Everyone wants the money, but can you think about the PR walking around with those knives every year? That'd be pretty neat. No, actually, so we're pretty tied in with the MSP community from the last six years of working, building the channel with Hook. But it always felt like we didn't quite go all the way in like we could have. 

You have to be in the ecosystem a while before it allows you to be on the inside track. And what we're finding is that what Pitch It really is giving us is access to better information. I totally love making money. 

I think it's great. I think we should all drive for revenue and all that. But at the beginning of the company, when you're building your technology out, the number one thing you're lacking isn't necessarily funding. 

We can go raise money. What we're missing is that instant feedback from potential customers. I only have a window of opportunity to build my first generation product and have it be right. 

After I develop it and we have it out in the world, it gets so much harder to change that thing. So the thing that I'm really valuing out of Pitch It is access to MSPs and other vendors who are able to share their stories with us. So we make sure that we're building that best possible product right out of the gate.

(16:50 - 17:09)
All right. So that sounds admirable. And of course, I'm going to wish you well wishes in your journey on the road to Orlando at IT Nation Connect, where hopefully you'll be one of the final three, which would guarantee you an opportunity at that set of steak knives.

(17:11 - 17:42)
All right, folks. Adam Anderson, co-founder of Threat Captain. You heard what they're doing there. 

Sounds great. Basically helping you guys to, well, us, including myself in that, to help our customers understand the financial risk of cybersecurity a little bit more. So Adam, thank you very much for your time here. 

And again, good luck. And we'll see you on the road. Thanks so much. 

All right, folks, that's it. We'll see you soon. Holla.