Cyber security is only as strong as its weakest link, and CISOs today have a big unknown looming in their environments – third parties. Whether they are an organization’s supply chain partners or its service providers, entities outside an organization’s firewall are holding sensitive data or accessing internal systems. Yet insight into third parties’ cyber security risk is limited, creating a large blind spot. Black Kite, our newest portfolio company, addresses this gap.
Earlier this week, we announced a $22M Series B investment in Black Kite, a Boston-based third-party cyber risk monitoring platform. Built by former white hat hackers, Black Kite continuously monitors third parties from a hacker’s point of view to identify vulnerabilities and assess an organization’s risk level. Further, it enables organizations to share their findings with third parties alongside step-by-step instructions to mitigate the risks.
Black Kite sits at the intersection of two key themes for Volition: 1) third party/supply chain risk management, including portfolio companies Assent Compliance and TraceLink, and 2) cyber security, including portfolio companies Ping Identity and Securonix. We believe cyber risk will become a crucial component of every Third-Party Risk Management (TPRM) program, and Black Kite has developed a market-leading cyber risk management product loved by customers. We are excited to partner with the Black Kite team to support the Company through its next phase of growth.
The challenge of third-party risk management
Managing third-party risk in general presents a unique challenge – organizations don’t have direct access to their third parties’ data. And without direct access to data, it is difficult to monitor and measure the risk they pose. Through portfolio companies Assent Compliance and TraceLink, we’ve experienced first-hand how software solutions can help bridge this intra-business data accessibility gap.
Within cyber security, managing third-party risk poses an extra layer of complexity. While the difficulties of data accessibility remain, there are additional challenges, including:
- Questionnaires alone are not enough to understand the cyber risk posed by third parties
- The security posture of third parties is not static. It needs to be continuously monitored
- Monitoring and rating third parties at scale requires deep technical and domain expertise
The ramifications of a third-party breach are far-reaching. In the worst of scenarios, the third-party breach leads to a breach of the first party via island hopping by the attackers. In the best of scenarios, there is operational damage as the supplier or third party cannot deliver its products and services. As a result, cyber risk management has become crucial not only for security teams but also for procurement and supply chain teams. Yet the market remains vastly underserved by effective solutions.
So, why did we invest?
We invested in Black Kite because we believe cyber risk will become a key component of every TPRM program, and Black Kite provides a market-leading solution. The company’s platform performs continuous scans and collects data from 400+ OSINT (Open-Source Intelligence) resources internet-wide without touching the target. Then, it scores each entity’s cyber risk using open-source models such as MITRE and FAIR to help rate and quantify a third party’s risk, enabling effective, continuous monitoring at scale.
Black Kite’s open rating methodology is a key value driver for customers. Its findings and ratings are easily understood by security teams because they’re based on standard frameworks such as MITRE instead of proprietary ‘black box’ models. Further, Black Kite goes beyond just scoring third parties: it provides step-by-step instructions on how to address the vulnerabilities, which can be shared with them. As a result, customer feedback has been stellar given the transparency, fidelity, and actionability of Black Kite’s cyber ratings. Black Kite aims to help mitigate third-party risk, not just rate it.
Most importantly, we are big believers in the people behind Black Kite. The Black Kite team is world class, led by Paul Paget, CEO, who has decades of experience leading successful cyber security businesses, alongside Candan Bouklas, CTO and co-founder, who has built the product from the ground up, leveraging his experience as a former white hat hacker. Their commitment to customers and innovation, coupled with their passion for helping organizations secure their environments, has impressed us since our first meeting with the team. We are truly excited to be partnering with the Black Kite team and look forward to the journey ahead.