
Jessica Stanford on What Comes After 'Trust but Verify'

Cybersecurity June 16, 2026

Your biggest cyber risk may not be inside your organization. It may be hiding somewhere deep within your vendor ecosystem.

Jessica Stanford, CMO of Black Kite, examines the shifting realities of modern cyber risk, where third-party exposure, continuous verification, and business impact are reshaping how organizations evaluate security. From the limitations of traditional assessments to the need for board-level risk visibility, she shares practical perspectives on building more resilient and informed risk management programs.

Jessica, you’ve led marketing across several cybersecurity companies. What major shifts have you seen in how cybersecurity buyers evaluate trust, risk, and platform value today?

When I got into cybersecurity, the guiding principle was "trust but verify." That's dead. The industry has moved to "never trust, always verify," and that shift touches every domain in security, including how organizations think about their vendors and suppliers.

In third-party risk specifically, the volume of suppliers and vendors that organizations rely on has grown exponentially. And with that growth in volume, the risk has grown proportionally. Attackers identified it too. Third-party attacks have risen steadily year over year because the supply chain is a high-yield attack surface that most organizations are still underequipped to defend.

On platform value: I remember when "shelfware" was a real phenomenon, tools that got purchased, deployed, and quietly forgotten. That's gone. There's no spare budget for a solution that isn't demonstrating ROI. Security teams are evaluating their vendor lists more frequently, and every tool has to justify its presence every renewal cycle. The solutions winning today are the ones that can show up at the board level and contribute to real business decisions, not just generate reports that live in a risk register. Buyers are evaluating outcomes, not features. That shift has been one of the most meaningful changes I've seen across my career.

What attracted you to Black Kite, and how has your role as CMO evolved alongside the growing importance of third-party cyber risk management?

I was drawn to the third-party risk space over a decade ago, when it was still in its infancy. The Target breach, which feels like ancient history now, was actually a formative moment for me. It made it so clear how critical supply chain security is, and I knew it was just the beginning. Attackers were going to keep exploiting it, and organizations were going to have to figure out how to secure it. I wanted to be part of building that.

Before landing in supply chain security, I held roles in privileged identity, endpoint, and DFIR. That breadth of experience has made me a better, more well-rounded leader because I understand the broader threat landscape our buyers are operating in, not just the third-party slice of it.

I chose Black Kite specifically because of its differentiation. Trust, transparency, and speed are product differentiators, but they also reflect how the company actually operates internally. We're transparent with each other, we move fast, and we extend real trust across the team. That alignment between product values and company culture matters to me.

As for how the role has evolved: the conversation has moved upstream. TPCRM used to live inside IT security. Today it's a boardroom and regulatory conversation, which means marketing has to operate across a much wider buying committee, from the analyst who runs the program to the CFO who wants financial risk quantification. My job is to make sure our narrative lands at every level of that conversation, without losing credibility at any of them.

Third-party risk is a boardroom conversation today. What are the biggest blind spots organizations still have when it comes to managing vendor and supplier risk?

The most persistent blind spot is the belief that point-in-time assessments driven by questionnaires are still sufficient. They aren't. The gap between what those assessments capture and what's actually happening in a vendor's environment is widening every year. We live with AI now. We've actually been working with it for many years. There is a significantly better way to automate assessments and, more importantly, to monitor vendors continuously. Gartner predicts that by 2028, half of all TPCRM programs will be focused on continuous monitoring. That trajectory is encouraging, but it also means half of the programs will still be operating on a model that's no longer adequate.

The second blind spot is Nth-party exposure. Organizations can do everything right with their direct vendors and still be completely blind to what those vendors depend on. The attacks that cause the most damage today are frequently two or three steps removed from the organization that absorbs the impact. That extended ecosystem is where real risk lives, and most programs aren't built to see it.

The third is financial context. Risk teams can identify a vendor with a deteriorating cyber posture. What they often cannot tell the CFO or the board is what that translates to in dollar-denominated exposure. Without that framing, risk findings compete poorly for budget and remediation priority. Closing the gap between technical findings and business impact is where a lot of otherwise well-run programs still lose momentum.

Many companies struggle with fragmented risk data and reactive security processes. How does Black Kite simplify and strengthen decision-making for security and risk teams?

The core problem Black Kite solves is that risk intelligence has historically been fragmented, manual, and built on a single dimension. Letter grades don't tell a security team which vendor is likely to be hit by ransomware next quarter, or which CVE in a vendor's stack is being actively exploited by a threat actor right now.

Black Kite gives teams continuous, automated monitoring across their full vendor and supplier ecosystem, so they're not relying on an annual questionnaire to understand risk posture. The Ransomware Susceptibility Index™ gives teams a predictive signal, not a rear-view-mirror assessment. FocusTags® connect global threat intelligence directly to the vendors in a customer's specific ecosystem, cutting through noise and surfacing what's actually relevant.

For decision-making at the executive level, Black Kite provides financial risk quantification grounded in FAIR, so a CISO can walk into a board meeting and say "this vendor concentration represents $40M in potential exposure," not just "this vendor's posture needs attention." That's the shift from reactive to proactive that security and risk teams have been trying to make for years.

Your background in product marketing has focused heavily on messaging and competitive positioning. How do you translate highly technical cybersecurity capabilities into narratives that resonate with both technical and business audiences?

Early-stage companies have to lead with capabilities. It's what they have. When you're building a category, and buyers don't yet fully understand what's possible, you have to show your work. There's real value in that phase. But as organizations mature and buyers become more sophisticated, the conversation has to evolve. Features become table stakes. What buyers are evaluating is outcomes.

The outcome we're selling isn't a cyber rating. It's the ability to make fast, confident business decisions based on reliable cyber intelligence. When that's the entry point, the capabilities earn their place as evidence for the outcome, not as the main event.

When building marketing teams in cybersecurity, what qualities do you value most in marketers operating in such a complex and fast-evolving industry?

Self-starters, first. We move too fast to micromanage, and frankly, that's not my leadership style, regardless. I look for people who can identify a problem or a project, develop a point of view, and move on it quickly without waiting to be told. In a space that evolves as fast as cybersecurity, the ability to operate with initiative isn't a nice-to-have. It's a requirement.

Honesty is equally important. This is an industry where it's easy to overstate what technology can do, and where buyers have very good detectors for inflated claims. The best marketers I've worked with develop genuine fluency in the problem space, push back when messaging goes too far, and are willing to say "that's not accurate" when it isn't.

I also look for curiosity about the buyer and a genuine interest in cybersecurity. I've stayed in this industry as long as I have because I identify with something larger than any individual company or product. We are the good guys fighting the bad guys. Finding people who share that orientation is one of the best ways to build a team that's aligned on a common goal. That shared sense of purpose is hard to manufacture and genuinely powerful when you have it.

Cybersecurity marketing has long relied on fear-driven messaging. Do you think the future belongs to brands that create urgency — or brands that create trust and confidence? Where does Black Kite fit into that evolution?

Honestly, this one hasn't changed for me. From the beginning of my career, the standard I was taught is that we don't use FUD, and we don't ambulance chase. Using a breach headline to generate pipeline or manufacturing anxiety to close deals has never been the right approach.

Black Kite is not in the business of selling fear. We're in the business of building trust and demonstrating transparency, and those aren't just values. They're core product differentiators, and they're why buyers are increasingly gravitating toward Black Kite. When organizations are making decisions about which vendor risk intelligence they'll rely on to protect their business and defend their programs to regulators, they need to trust the methodology, trust the data, and trust that what they're seeing reflects reality. That's the standard we're held to, and it's the right one.

Cybersecurity
Cyber Risk
Vendor Risk Management
Zero Trust
Cyber Resilience
Security Leadership