Don Gibson, CISO at Kinly

In this Sage Spotlight, Kinly CISO Don Gibson shares how he evaluates new security initiatives by aligning them with top risks, contract timelines, team capacity, and board priorities. As a security leader who’s used everything from peer chats to major trade shows to discover vendors, Don explains how Sagetap has changed the way he finds solutions — giving him the ability to opt in on his terms, connect directly with attentive product builders, and save time during proof-of-concept trials.

Key Takeaways

• Clear Prioritization Framework: Don prioritizes security initiatives primarily based on the risks they address, how they align with customer and board needs, and whether they’re realistically deliverable within existing team constraints.
• Focused Investment Strategy in 2025: With an increased emphasis on ROI, Don is reassessing vendor performance often and making sure every tool aligns with broader strategic goals.
• Limitations of Traditional Vendor Research: Trade shows and peer chats on WhatsApp provide some insight, but feedback can be inconsistent or based on isolated experiences.
• More Flexible, High-Signal Evaluation via Sagetap: Don appreciates that Sagetap lets him “dip in and dip out” on his own terms, connecting directly with attentive product teams and making for smoother POCs and stronger answers.
• Standout Solutions Discovered on Sagetap: Don highlighted Halcyon (anti-ransomware), Egress and IRONSCALES (email security), Praetorian (offensive security), and Imper.ai (deepfake detection) as highly impressive solutions on Sagetap.

Full Transcript

Don Gibson: I am the CISO at Kinly. Kinly are a global audiovisual provider. I look after the whole of security, so that's fiscal security, that's compliance, vulnerabilities, testing, et cetera, and also making sure that security is always part of our design process for our customers.

Meghan Lafferty: How do you make sure you're aware of the highest impact opportunities as early as you can? 

Don: The project list has to fit in very closely with my risk strategy, as in what are my greatest risks? How can I actually close them out? 

In the same breath, there's also the contract cycle, and then at the end of the day, it is what can the team deliver?

If our customers are turning around and saying, we need you to have X as a technology or a capability, that's something that I need to look at very closely, very clearly.

And then finally, what's actually truly important, because the board are the people that at the end of the day setting the strategy that you are feeding into.

So all those kind of different strands pull together.

What's pressing for me most in 2025 is appropriate use of resource. We're obviously having to make sure that we're getting the correct return on investment, the correct use of money, and the correct strategy. Is a tool coming to the end of the contract, do I need to re-review this? Are we really happy with their performance? 

The people that I use and the vendors that I use on a regular basis, I've trusted them. And they've been one of the first people I've called.

Before Sagetap, I'd go looking for vendors kind of the traditional way: Forrester or Gartner, going to trade shows such as InfoSec Europe, Black Hat, et cetera. 

A lot of CISOs, we have these little private WhatsApp groups or the like where we can openly talk and discuss. Generally, I would say, you'll get the truth from that, but there may be a bad experience, someone may have had a bad day, and that may not be a true reflection on them, but for them, that's what they think and that's what they'll say. 

The painful thing with conferences and the like: trying to make sure your name tag isn't getting sniped to get emails through that you just don't care about or will never read.

Yeah, there's a better way, and there is a better way!

Meghan:  There is! Well, let's go into that. Let's talk about why you use Sagetap and how it's made an impact on you and your organization.

Don: It gives me the option to dip in and dip out when I need. A lot of the companies in Sagetap, they're not the established ones. You won't see the kind of giant boothed companies that you would see in the big trade shows there. And for me, I really appreciate that because they're going to be far more attentive to my needs, which means we'll actually have their best people on. We've got the better answer out of the proof of concepts that we've run, which saved time for us. There's been no messing around. It's just been a good process.

Meghan:  Tell me about some of the vendors that you have found on Sagetap. What problem have they addressed, and why are you excited about them? 

Don: There are a few that I've talked to that have blown me away. 

One of them is a company called Halcyon. Their solution is so simple, but so clever. On the call, they detonated ransomware and then fixed it. It was like, wow, hello. So yeah, really, really impressive.

Egress was another company that we looked at, another one called IRONSCALES. Both of which in the email security, anti-phishing side of things,  and both of them were really, really good. 

One out there called Praetorian, which, I love the name.

Imper.ai is a deepfake one,  as part of the meeting, supplied me with a video of my CEO singing my praises. The look on my CEO's face was  priceless. 

Meghan:  When your review comes around, you're gonna have to show him that and say, well, don't you remember saying this about me? 

Don: There's plenty of others. I've talked to a number of different vendors about a number of different initiatives I've got.

Anyone who's looking or potentially thinking about using it,  try it. You may have some interesting conversations. It's a whole different world and way of interacting with vendors. It's done on your terms, and for me, that's really important.