Andy Keller, VP of InfoSec at FiscalNote

In this Sage Spotlight, Andy Keller, VP of Information Security at FiscalNote, explains how he’s evaluating security tools with a sharper focus on cost, AI and automation, and team capacity. Andy shares how Sagetap has helped him cut time spent on vendor research and discover solutions that immediately reduce operational burden — including a standout switch to SolCyber that combined two vendors into one and saved budget in the process.

Key Takeaways

• Doing More with Less in Security: Andy is navigating 2026 budget pressures by looking for tools that provide significant value, automate manual work, and eliminate inefficiencies. His priority is to find vendors that force multiply his lean team without creating extra overhead.
• ‍AI's Double-Edged Impact: While AI has become a buzzword in vendor marketing, Andy focuses on real-world use cases where AI makes life easier. He’s also tracking how AI is enabling more targeted and believable attacks, especially across voice, SMS, and social messaging apps.‍
• Shifting Vendor Criteria for a Lean Team: To choose what to focus on, Andy asks: what’s our biggest pain point, and what tool can help us fix it fast with minimal lift? He looks for solutions that “just work,” help his team focus, and avoid the noise of legacy security tools.‍
• Fast, Proactive Discovery on Sagetap: Andy used to rely on “painfully traditional methods," which put the burden on him to hunt down vendors. Now that good-fit vendors come to him on Sagetap, he’s discovered over two dozen potential partners and slashed the time from discovery to POC.
• Consolidating and Saving with SolCyber: Andy found SolCyber on Sagetap while exploring next-gen SOC vendors. SolCyber replaced both his managed SOC and endpoint protection tools, reducing costs and improving alert quality and efficiency.

Full Transcript

Andy Keller: I am the VP of Information Security for FiscalNote. We exist mostly in the information services world, and we focus on public policy and issues management. So, our customers come to us to get well-formatted, alertable, searchable information about all the information that governments are producing. We add insights to it, we have AI assistance on top of it, and we have some really good policy analysts that work for us to enrich all of that on behalf of our customers.

I run our enterprise security program top to bottom, so everything from our technical security controls, to phishing, to our governance, risk, and compliance, that all runs through me. We're a super lean team, so I have my hands in a lot of different activities as far as information security goes.

‍Meghan Lafferty: What is most pressing for you going into 2026?

Andy: What's most pressing for us is making sure that we are getting the best value possible out of our vendors.

I think we're probably not super unique in, this budgeting season and maybe even last, our company's asking us to do more with less, in maybe even the assumption that generative AI has made things a lot easier for everything, even though that's not always true, but that we should be achieving efficiencies, and so that is top of mind with any of our vendor evaluations, whether it's existing vendors or potential new partners.

There are security vendors popping up, new ones every day. A lot of them based on the promise of generative, if not agentic AI. What we're already starting to see, actually, is these vendors and platforms and tools trying to double down on being legitimate AI companies. The initial rush was let's slap that little AI sparkle icon onto everything and just market it all. We're doing AI now, we're an AI company now, and I think the consumers have seen through that by and large.

And what's going to survive, what's going to grow, are compelling solutions that use AI to make the lives of the users easier, to make things more automated. In general, security teams are not necessarily getting any larger, so being able to force multiply what is usually a pretty lean staff on the security team at most companies is going to be paramount.

Meghan: I would assume you would say that the industry is probably talking enough about AI, right? Is there anything, related to AI or otherwise, that you feel like the industry isn't talking about enough or we're not looking at?

Andy: I don't want to say we're not talking about it enough, but it's moving so fast that it's hard to talk about it enough, is the advances that AI has allowed the cyber criminal environment to make enormous leaps. They're moving very fast. And the new phishing we're seeing, the new and different channels of phishing with voicemails, voice messages, SMS, and even Discord and WhatsApp and Telegram.

The attacks are more and more targeted. They're using open-source intelligence. They're using public information about people to go and approach them on these other platforms where their guard is down, where they don't have corporate security tools filtering bad emails out or things like that, and with the ability to achieve believable deepfakes, those other channels are becoming way more attractive.

Meghan: So, as a really lean team, is there a certain way that you decide what projects to actually pursue and what's most important to focus on immediately?

Andy: We typically think of this as what is our biggest pain point right now, and if we're going to go out and spend money on a commercial solution, which ones are going to make the biggest difference the fastest and require, honestly, the least amount of work on our end. It needs to just work and it needs to be at a fair price and it needs to do work for us, not create more work for us.

Legacy security tools, a lot of them would come with a ton of flashing lights. And if you wanted to do anything with those flashing lights, now you're actually taking on more. And we're not in a position to be hiring more humans, so taking on more doesn't really work for us. And so we're looking for things that not only force multiply, but do it in a way that helps us focus more on things that really matter.

Meghan: Before Sagetap, how did you used to identify the right vendors to evaluate and then the right ones to go with?

Andy: We used painfully traditional methods. Some word of mouth from podcasts or from going to conferences, just Googling around, looking at Gartner. Of course, cold emails, cold calls were still happening. But, like most people, I think I just don't pick up the phone for those. I rarely open a cold email, so it was mostly me saying, I have a problem, let me go figure out what's out there. It took a lot of time and energy. It was difficult to find quality things quickly.

Meghan: So now that you use Sagetap, why do you use it, and what kind of impact has it made on either you personally or your organization?

Andy: I use Sagetap just to make the whole process of finding vendors easier. I've been using it for the past nine months. We've converted one of my Sagetap introductions into a purchase, and it makes it just a lot easier on my end to attract vendors to us. So it kind of reverses the old paradigm of me hunting down vendors, and I can easily align them to my initiatives if I haven't already heard from them, so that's really, really convenient.

If you go to a vendor site right now, there's a book-a-demo button. Sometimes you don't hear back for a few days. Sometimes, starting with a demo maybe isn't the best way to even go about it. A lot of times with my Sagetap calls, we talk about the fit. We talk about what I'm looking for and stuff like that before we ever do a demo. And then we get to the demo afterwards, so it cuts the time on POC down quite a bit.

I've discovered well over two dozen vendors to potentially, not only potentially replace legacy tools, but also net new functionality, gaps that we have in our security control environment, risky areas of our business operations that these tools address. So that's been great.

It's definitely saved some time per quarter. And the vendor fit is improved by default, especially if you're talking about vendors that come and request to show their stuff to me because of an initiative we have that I've set up. That makes the fit usually a whole lot better.

Meghan: I know one of the vendors that you recently discovered, and actually went with and purchased, was SolCyber. Can you tell me a little bit more about how you met them and how it's been working with them?

Andy: I set up an initiative to look for what I was calling kind of like a next-gen managed security operations center product. The company we were using we actually didn't dislike. But I wanted to see what was out there because of the introduction of AI, both generative and agentic, and ended up finding SolCyber.

They were able to replace our managed SOC alerting process. They tie in to all of our core technology and produce, I would call them managed alerts. So they get the firehose of the SIEM tool. They are able to adjudicate a lot of those, and then anything they need more information on, they surface up to me. They were also able to take over our endpoint protection licensing.

So, in going to SolCyber, we basically moved two vendors into one vendor, which is nice. They not only manage licenses for our endpoint protection, they also act as the SOC in reviewing a lot of those detections, and we ended up saving a significant amount of money moving to them from both of our legacy endpoint protection and managed SOC providers.

Meghan: Is there any advice you would give to other security leaders who are not on Sagetap, but maybe should consider joining the platform?

Andy: Seriously consider it. If you're looking for a good place to start, find your security roadmap. If you think it might benefit from a commercial tool of some sort, create your initiatives in Sagetap, and then just wait. It won't be too long before you have vendors contacting you who think they're a pretty good fit, and I think you'll find, in most cases, they are.

The one thing about Sagetap is it makes finding and talking to vendors a little more exciting than it normally is, right? There's maybe even a bit of a dopamine hit when you get a match. Because there's an implied mutual interest already. You're not just knocking on the door of the book-a-demo page. You're not coming in cold. They're not coming in cold. It's much more enjoyable to deal with that process.

And the other end of that is if you meet and it's not a great fit, there's really no pressure to continue the conversation. You don’t have to deal with the vendor chasing you for weeks. It helps just cut through a lot of the BS that normally is involved with going and finding new vendors.