In the world of 2022, third-party cybersecurity risk is undoubtedly a huge problem.

In the 2013 breach of Target, for instance, the attackers gained their initial access by hacking a third-party vendor that had worked at the retailers’ locations. For a more current example, Microsoft said last fall it had observed attackers attempting to get into the systems of companies by breaching their managed service providers, who had administrative access.

But for many businesses, solving the problem of how to assess and manage third-party risk has proven a challenge of its own: Reading documents and completing surveys is a labor-intensive, slow and frustrating process — both for the companies that need to compile the information and for their third parties.

For the founders of San Francisco-based startup VISO Trust, this seemed like an ideal use of artificial intelligence (AI). And today, the company has announced raising $11 million in series A funding to expand its AI-powered security due diligence platform, which automates the process of compiling third-party cyber risk data using document heuristics, natural language processing and machine learning.

“We use advanced automation on our SaaS platform to deliver risk intelligence — giving folks everything they need to know, really without having to lift a finger,” said Paul Valente, CEO and cofounder of VISO Trust. “So no more surveys, no more reading documents — and they can really understand their complete risk posture and be enabled to do whatever they need to do to manage that.”

VISO Trust reports it currently has 15 enterprises as customers, and is aiming for “exponential” growth this year with the new funding in hand and a strong base of customer examples, Valente said. Customers so far include Cruise, Gusto, Instacart, Upwork, Commonwealth Financial, BainCapital and Illumio.

The startup employs 25 people currently and plans to more than double this year with the new funding in hand.

The series A funding was led by Bain Capital Ventures, with backing from Work-Bench, Sierra Ventures and Lytical Ventures. Crowdstrike CEO George Kurtz, Mandiant CEO Kevin Mandia and former Splunk CEO Doug Merritt also took part in the round. VISO Trust had previously raised $3 million in seed funding.

‘No-brainer’

Enrique Salem, partner at Bain Capital Ventures, is joining the board at VISO Trust, and told VentureBeat that the company is the first to truly apply AI/ML in this area of the market.

“I would say this is the biggest no-brainer company that everybody should use,” said Salem, formerly the CEO of Symantec. “They’ve got the core technology. It works. It’s reliable, it’s scalable. And we need to go and get everybody to know about VISO.”

Valente is formerly the CISO of LendingClub and information security leader at Restoration Hardware, and cofounded the company with CTO Russell Sherman, formerly of LendingClub and Dell SecureWorks. VISO Trust launched in 2020, and is providing its platform as a software-as-a-service offering.

The platform provides companies with a complete database of their third-party relationships, and in an automated way, it brings to the top any actions are needed as time goes on, Valente said.

Importantly, the platform continues to monitor the situation in a user’s third-party risk picture for them. Users are notified when there are changes in their risk, which they can quickly see in the platform, Valente said.

Ultimately, customers can “easily see where in the organization they’re bringing on the most risk — and continually be informed through the life of the relationship of any changes in risk posture and any action that they need to take,” he said.

Speeding up the process

Salem said that anytime he discusses the topic of third-party risk with somebody, he hears that “onboarding a new vendor frustrates my company to no end.”

“And by the way, the person who gets a black eye in that is unfortunately either the risk team or the CISO. And people are always like, ‘why are you so slow?'” Salem said.

Salem said he’s heard a number of pitches from people trying to simplify this process, but Valente and Sherman’s solution stood out by breaking the process down to a few key questions that “would allow you to say, what are you actually going to do with this vendor? What kind of data is going to be used by the vendor?”

“And by really synthesizing it down into the few things that matter, they can automate this process way beyond anything I’ve ever seen,” Salem said. “And so the reason we are really excited to be partnering with Paul and Russ is because, everybody needs this. It’s just a must-have — not just by big companies, but anybody. And two, they’ve made an innovative leap forward using AI and machine learning on how to get accurate results back to the risk team or the security team.”

To validate that, Salem said his team went to CISOs and asked them how they onboard vendors, and were taken through all of the many steps.

“And then we said, what if you had a tool like VISO — would you evaluate it? And we got 100% response saying yes,” he said.

“But then the more telling thing was that the folks who were using it, when they audited the results and validated the results, they said, ‘It’s incredible,'” Salem said. “And so we felt, given the frustration with existing solutions and the frustration by users, that the world really needs the innovation VISO is bringing to market.”