Matthew Mudry, CISO at Alera Group

In a two-part Sage Spotlight, Matthew Mudry, CISO at Alera Group, shares how he’s leveling up enterprise security through AI, visibility, and smarter prioritization. He walks through his strategic roadmap as a new CISO, explains how Sagetap has transformed his approach to vendor evaluation, and highlights four standout vendors he’s recently purchased.

Part 1 Video

Part 1 Key Takeaways

• Building the "First 100 Days" Roadmap: As Alera Group's new CISO, Matthew began by assessing security gaps, mapping a three-year roadmap, and scoring each domain to identify areas with the highest risk and potential impact.
• AI-Driven Visibility and Prevention: He calls out a blind spot in legacy detection tools: they only catch what they're configured to look for. By integrating AI, Matthew gains more proactive, preventative insight into data movement and policy gaps.
• Pain Points of Legacy Vendor Discovery: Before Sagetap, Matthew relied on Gartner, resellers, and peer recommendations — but found the process slow and biased toward large incumbents. He called it a “painful process” that didn’t always yield the best-fit solutions.

Part 2 Video Coming 11/4!

Full Transcript

Matthew Mudry: I'm the Chief Information Security Officer for Alera Group. My current responsibilities are overseeing the entire security program, so that includes all the security operations, as well as the security risk and compliance arena within the organization.

Meghan Lafferty: What is most pressing for you in 2025? What are you working on right now?

Matthew: What's most pressing for me in 2025 is understanding the current security landscape for Alera Group. I came in about five months ago, April 2025. I immediately performed a gap assessment to uncover where I think there needs to be some improvement, where we need to add some depth and provide a little bit more visibility so that I make sure we have full coverage throughout the entire organization. As you get with the first hundred days of a CISO, to use a cliché term, I immediately performed a strategic roadmap and essentially mapped out what the next one, two, and three years look like for Alera.

I decide what projects to actually pursue using a bit of an archaic method. I sit down with my team every six months, if not sooner, we look at each security domain, and we poke holes in it. Do we really have the right technologies, processes, and do we really have the right expertise in that specific security domain? And then we'll rank them on a scale of one to five. One being we're not doing anything, two being we're doing something, three being we're doing enough to check the box to say, you know, we're secure in that area, four meaning we're doing a little bit more than enough, and five meaning we're walking on water, right? There's not a lot of fives, but what that spider chart does is give us a visual of where we need to focus our time for the upcoming months or years. We're always looking at the highest impact. We're also making sure that we're aligning with the business.

Something the industry is not talking about right now, a lot of legacy, or I'll say existing data loss prevention solutions or even detection solutions, they only focus on the rules that you've established within those programs or those applications, so if you're not looking for something or detecting on something or triggering off something, essentially you lose that visibility. This is where AI really adds another layer. You're essentially adding that piece that's missing, where you're starting to use AI to look for unwanted data moving from locations to locations, and you're also able to build rules based on those detections so you're not relying specifically on what was configured or what was set up initially. It allows you to be a little bit more proactive as well as preventative at the backend.

And I think one of the biggest opportunities for vendors right now is to take advantage of artificial intelligence and start finding ways of where they can plug that into the existing solutions to make them stronger, make them more manageable for small teams, and really just make them smarter so at the end of the day, my team, one from a security perspective, is not focusing on continually maintaining those systems, but artificial intelligence is helping us make some of those decisions or potentially even reacting for us. We can focus on areas that are better worth our time.

Meghan: Before using Sagetap, how did you used to identify the right vendors to evaluate and then eventually to go with?

Matthew: It was really a lot of conversations that happened with my trusted vendor value-added resellers, colleagues that are in the space as well. I've also used Gartner in the past.

The downfall of using somebody like Gartner or somebody, a colleague from a larger organization, is they're going to go with those tried and true and trusted vendors, which are generally large, right? So the challenge there is, if you needed something specific for your organization, they're not going to be able to give you that. It does become a painful process to go start to finish when you're outside of that Sage environment.

(Part 2 transcript coming 11/4!)