Chris Hristov, VP of Engineering & Security at ICC

In this week’s Sage Spotlight, Chris Hristov, VP of Engineering & Security at International Code Council (ICC), breaks down critical industry blind spots and the accelerating pace of modern threats. Chris shares how Sagetap helps him navigate technology trends and identify innovative vendors like Netacea, Massdriver, and Acuvity to close security gaps and manage complex software environments without reinventing the wheel.

Key Takeaways

• Focus on Global Engineering and Security: As VP at ICC, Chris directs global software development and AI innovation. This spans everything from e-commerce and internal applications to the governance, risk, and compliance (GRC) required for a modern technology organization.
• Two Critical Blind Spots: Chris warns that the industry is overlooking how AI has shrunk security exploit windows from days to mere hours. He also pushes back against unrealistic speed-to-market pressures, reframing fast delivery as a potential value loss that can damage a company’s reputation.
• Simplifying the Agentic SDLC: A major opportunity exists in streamlining agentic software development. Chris is seeking platforms that allow for the seamless implementation of agentic workflows across every step of the SDLC to reduce cognitive load and improve environmental visibility.
• Securing Intellectual Property with Netacea: To prevent corporate content from being scraped for unauthorized AI training, Chris leveraged Sagetap to find Netacea. In their partnership, Netacea’s behavior-based analysis identifies scrapers that traditional tools miss, minimal manual management required.
• AI Governance with Acuvity and Massdriver: Chris recently turned to Sagetap to identify and sign with Acuvity, a move designed to monitor and prevent shadow AI activity. He also highlighted Massdriver as a standout platform for its ability to abstract and simplify complex server management.

Full Transcript

Chris Hristov: I'm VP, head of engineering and also responsible for cybersecurity. 

I oversee all software development activities within the global organization at International Code Council. This includes AI innovation, e-commerce, internal applications, DevOps, SecOps, any digital transformation efforts, custom development initiatives, and of course the governance, risk, and compliance related to the technology department.

Meghan Lafferty: Tell me what is most pressing for you right now. We just wrapped up Q1.

Chris: Keeping up with technology advancements and technology trends. AI is picking up quite a bit. Making sure that we stay on top of it and we're secure and we have the right governance is one of the most pressing issues for us at the beginning of the year, as it was last year as well. 

We as an organization work with content, and content protection is a big piece. 

I would say the third thing pressing in 2026 is keeping up with cybersecurity. Attackers are using AI, and it's becoming even more difficult to prevent any attacks. They're exploiting anything that's possible out there, so staying on top of that is a concern.

Meghan: Is there anything that the industry is not talking about enough that you think should be discussed more?

Chris: I don't think the impact of AI is being discussed enough, and how that AI technology pressure creates a lot more challenges for the business to keep up with closing security loopholes. Back in the day, if a loophole is discovered, it takes time for people to find it, exploit it. Right now, with these tools, it's a matter of days, if not hours. And it blows out of proportion quickly, so tooling around prevention and early detection is what should be in the forefront there in a discussion. 

The other thing that I think hasn't been discussed enough is just the unrealistic expectations to deploy faster, get it out there, make it available just for the sake of being the first or be fast on the market. And that creates another kind of pressure point for the technology team that we need to watch for.

Meghan: Is there a way that you’ve found that works to push back against that?

Chris: Timeline discussion, reducing the scope, ensuring that they understand the impact and quantify that impact is a big piece. Once you put some numbers in front of leadership, they will realize the importance or the value. 

And sometimes you gotta reframe into not just, here is the win with that fast delivery, but here is also the impact if anything goes wrong. That value loss prevention becomes more important because it can cost the company reputation. And that is really hard to recover afterwards.

Meghan: Does that create any opportunities for vendors, or are there other big opportunities for vendors in this space right now?

Chris: Oh yeah, there are many. 

I think the observability is a top opportunity for vendors. AI-powered real-time monitoring tools that can shed a lot more visibility into what's happening with the environment, whether it's the cloud or on-prem data center environment, is key. So it does reduce the cognitive load or stress on the teams monitoring these systems. 

The focus on AI from composable AI platforms with strong governance is another big thing. Everyone is talking about how cool AI is and what are the agentic features that they can spit out in seconds, but how do you control governance, how do you prevent, especially these days, shadow IT is critical. It’s so difficult, close to impossible, to prevent shadow IT, so that is a great opportunity for companies to tap into. 

Other opportunities is to simplify, from my perspective, the agentic software development lifecycle. There are a multitude of models and tools. Anthropic, for example, has agentic workflows to implement within each step of the SDLC. But any tooling or platform that will allow easy implementation of agentic in all the steps I think will be a great opportunity to explore as well.

Meghan: Before you were on Sagetap, how did you identify the right vendors to evaluate and the right vendors to actually purchase?

Chris: That was a lot of research. A lot of Googling, a lot of searching, and of course talk to other partners in the industry. It was taking quite a bit to get to define and find the right vendor for our organization. 

I joined Sagetap to see what's out there and have the firsthand opportunity to talk to vendors — anonymously, as well. I can provide some feedback, maybe they can improve their service as well. 

Over time, also started looking around at what other Sages are doing: other initiatives that they created, how they tackle their projects and the challenges that they run into. I certainly don't want to reinvent the wheel. If someone else is doing it, why not improve from there or use the same service if they're happy? 

On Sagetap, we’ve found several vendors that we currently use in the organization. It certainly reduced the time we spent on researching. At the beginning, I was more of the one that reached out. But lately, I'm seeing more of the vendors reaching out to me, which helped me even further. 

One of the vendors I want to mention, Netacea, is that we were specifically looking to solve a problem and they reached out to us. So that drastically reduced the time to research and find the proper gap fit for our need.

Meghan: Well, let's talk more about Netacea because that's a recent purchase that you made. So I'd love to hear how that came to be.

Chris: I created an initiative that we're looking for a content protection service and preventing the training of AI LLMs on our content. And that's how Netacea reached out to us. 

They do offer a service that monitors the bots hitting our site and through AI analysis, identify their pattern, their behavior, which seemed to be different than others in the market. 

Cloudflare was doing something similar, a bit more on hard identifiers. We looked at Akamai Content Protector as well. But Netacea came out on top because, like I said, they're looking at the actual pattern, the behavior pattern, and be able to detect is that an actual human versus a bot hitting the system.

And then from that point, you can decide how do you handle the traffic. They offer white glove service so you don't have to really manage the intricacies of their service customization. They do that for you. This helps achieve our goal with minimal effort from our side. 

I just wanted to call out a couple more vendors. One of them that stood out was Massdriver. I really liked their offering in abstracting the server management through their platform. It seemed to be a great value for the tool that they offer. 

Another thing is Acuvity. As I mentioned earlier, the AI governance, including detecting and preventing shadow AI and shadow IT, is critical. They do exactly that, and we recently signed a contract with them as well to really monitor our AI activity across the organization.

Meghan: That's great to hear. So picture yourself before you joined Sagetap. Is there any advice that you would give somebody like you?

Chris: The addition of initiatives in the platform really helped narrow down in this is what we are focusing on. So think through that, be able to define it before you start talking to any of the vendors. On the calls, my advice would be to talk numbers so you have a full value picture at the end. 

It's all about time saving, connecting with people, connecting with vendors, and of course staying on top of the technology.