RiskRecon

In his role as Chief Information Security Officer at Salt Lake City-based Zions Bank, Kelly White was a typical enterprise software customer — and he had a problem. Every time his team tried to onboard a new vendor, they had to embark on a slow and increasingly antiquated security assessment process built on questionnaires, documentation reviews, and on-site visits. Methods for vetting potential vendors had not kept pace with business data’s accelerating migration to third-party environments, or the increased business risks that accompanied it. 

Frustrated by his inability to find a method that would identify and monitor third-party cybersecurity risk for his enterprise, Kelly set out to build a product that could. He started spending nights and weekends working in his basement, coding a solution capable of automatically discovering and assessing any vendor’s security posture from the outside looking in. To scale up his basement creation and bring it to market, Kelly teamed up with Co-founder Eric Blatte, who brought a wealth of go-to-market leadership experience at several high-growth security startups. Together, they raised RiskRecon’s $3 million Seed Round in late 2015. 

The Security Problem With Third-Party Software

As SaaS and third-party software usage exploded among enterprises in the early-to-mid 2010s, so did their cyber risk exposure. Data assets moved en-masse to third-party environments, drawing heightened scrutiny from boards, management, and regulators. 

Everyone had the same problem Kelly had experienced at Zions Bank: enterprises’ methods for managing third-party risk lagged behind the increased need. A typical enterprise customer might send out a questionnaire with hundreds of questions to a new vendor, kicking off a lengthy research process complete with follow-up emails, conference calls, and on-site visits. The only objective or tech-based method of assessment available was penetration testing, which was extremely costly and, in any case, rarely allowed by vendors. 

During F-Prime’s research in the space, we found that third-party vendors caused almost half of all enterprise data breaches — and the rate of third-party breach events was growing at more than 30 percent each year, even while the vendor security assessment process remained subjective and highly manual. Such breach events were hitting the headlines at an increasing rate, impacting healthcare, mega retailers, financial service providers, and even national governments and militaries. 

Tech and Team Advantages

While cybersecurity was already crowded with startups in the mid-2010s, RiskRecon was one of the few startups with a former CISO at the helm. We suspected that Kelly’s experience in his customers’ shoes would be an incredible secret weapon in such a noisy market — and it was.

Informed by Kelly’s first-hand experience as an enterprise security leader, the product also stood out from the crowd. Instead of aggregating noisy threat intelligence data, the team used machine learning to generate a high-quality, risk-prioritized dataset for enterprises — a competitive differentiation that built enormous trust with its customers. When RiskRecon’s data indicated security weakness in a vendor, users learned to pay attention. 

Early on, the company sold its product to a handful of large financial services customers, and by maintaining close connections at those firms RiskRecon was able to rapidly incorporate customer feedback to the point where it was automating work on their behalf. As a result, the company gradually took a lead over better-funded competitors who merely delivered risk ratings and reports. 

The nature of the product also meant it was easy to sell — the team could quickly deliver self-assessments for a prospect’s cybersecurity posture and show up to demos with immediately actionable insights. It was a simple next step for RiskRecon to give prospects the same insights into the cybersecurity risk hygiene of their entire supply chain.

Aware of the outdated nature of third-party security assessment processes, F-Prime recognized the superiority of RiskRecon’s solution and the uniquely successful dynamic between its founders. When Kelly and Eric set out to raise a Series A, we committed early and partnered with Dell Technologies Capital to lead the $12M round. With some early success under their belt, Accel Partners led RiskRecon’s Series B only a year later, and F-Prime doubled-down.

“Building a startup with the early success of RiskRecon required a focus on rapidly building the right team and ensuring the team is heading in the right direction at breakneck speed, while serving existing customers and winning new ones,” Kelly told us. “It was wonderful to have F-Prime, who were a calm and steady hand by our side, for the best days and the worst days.”

“My Work Brother”

Kelly’s expertise as a security leader at an enterprise organization — RiskRecon’s exact customer profile — was one ingredient for the company’s success. A second ingredient was his co-founder Eric’s experience at several cybersecurity startups, including Imprivata (acquired by Thoma Bravo) and Trusteer (acquired by IBM Security). 

At RiskRecon, Eric reportedly referred to himself as “Chief Bottle Washer,” referencing the way a “chief cook and bottle washer” would take responsibility for the most important and menial tasks alike in a 19th-century naval kitchen. He was always responsible for sales and field marketing, and at various points covered everything from negotiating legal contracts and coordinating billing to winning renewals.  

The third ingredient was the unique relationship between the two founders.

“I came into RiskRecon knowing loads about cybersecurity and risk management, but I knew virtually nothing about business,” Kelly said. “Eric had far more business experience and wisdom, and he patiently helped build RiskRecon through every stage.”

Acquisition

In 2019, Mastercard approached RiskRecon with an acquisition offer that the team couldn’t refuse. While the company wasn’t for sale, the deal offered an opportunity to accelerate RiskRecon’s distribution to thousands of customers with the backing of a global brand. 

“Through a powerful combination of automation and data-driven advanced technology, RiskRecon offers an exciting opportunity to complement our existing strategy and technology to secure the cyberspace,” Mastercard President of Cyber and Intelligence Ajay Bhalla said at the time. 

“Mastercard has been one of those brands that has stood out as a true innovator, focusing on the real problems of real businesses,” Kelly added. “By becoming part of their team, we have an opportunity to scale our solution and help companies in new industries and geographies take steps to better manage their cybersecurity risk.”

Kelly remains CEO of RiskRecon within the Mastercard organization. Meanwhile, Eric stayed with MasterCard until 2021, when he joined F-Prime and Eight Roads Ventures as a Venture Partner. 

“I have seen the F-Prime team at work from the perspective of a founder and as a venture partner,” Eric told us. “They have a massive wealth of knowledge and supportive resources at their disposal. If they aren’t able to help portfolio companies with a problem, they almost certainly know someone who can — and they’re always happy to make the introduction.”

 

Subscribe to our newsletter to get the latest updates on our portfolio companies.