Matthew Mudry, CISO at Alera Group
"Sagetap just makes everything easy and super simple. Very short and sweet to identify potential solutions, and it doesn't take much time out of your regular day (you can do it at lunch). It also gets you thinking about areas that you may not be focused on currently."
November 3, 2025
In a two-part Sage Spotlight, Matthew Mudry, CISO at Alera Group, shares how he’s leveling up enterprise security through AI, visibility, and smarter prioritization. He walks through his strategic roadmap as a new CISO, explains how Sagetap has transformed his approach to vendor evaluation, and highlights four standout vendors he’s recently purchased.
Part 1 Video
Part 1 Key Takeaways
- Building the "First 100 Days" Roadmap: As Alera Group's new CISO, Matthew began by assessing security gaps, mapping a three-year roadmap, and scoring each domain to identify areas with the highest risk and potential impact.
- AI-Driven Visibility and Prevention: He calls out a blind spot in legacy detection tools: they only catch what they're configured to look for. By integrating AI, Matthew gains more proactive, preventative insight into data movement and policy gaps.
- Pain Points of Legacy Vendor Discovery: Before Sagetap, Matthew relied on Gartner, resellers, and peer recommendations — but found the process slow and biased toward large incumbents. He called it a “painful process” that didn’t always yield the best-fit solutions.
Part 2 Video
Part 2 Key Takeaways
- Better Vendor Matches and Faster POCs: Instead of relying on Google, Gartner, or resellers, Matthew uses Sagetap to quickly uncover vendors that are agile and aligned with his needs — with some POCs spinning up in days.
- Several Vendors Worth Recommending: He calls out Halcyon (ransomware prevention), Orion (AI-powered DLP), Nagomi (cyber program quantification), and Grip (SaaS visibility) as solutions he’s bought and trusts.
- Quick, Simple Process on Sagetap: Matthew appreciates that Sagetap is easy to use and eliminates wasted time and guesswork. The platform surfaces targeted options quickly, without the long sales cycles or irrelevant pitches of traditional methods.
Full Transcript
Matthew Mudry: I'm the Chief Information Security Officer for Alera Group. My current responsibilities are overseeing the entire security program, so that includes all the security operations, as well as the security risk and compliance arena within the organization.
Meghan Lafferty: What is most pressing for you in 2025? What are you working on right now?
Matthew: What's most pressing for me in 2025 is understanding the current security landscape for Alera Group. I came in about five months ago, April 2025. I immediately performed a gap assessment to uncover where I think there needs to be some improvement, where we need to add some depth and provide a little bit more visibility so that I make sure we have full coverage throughout the entire organization. As you get with the first hundred days of a CISO, to use a cliché term, I immediately performed a strategic roadmap and essentially mapped out what the next one, two, and three years look like for Alera.
I decide what projects to actually pursue using a bit of an archaic method. I sit down with my team every six months, if not sooner, we look at each security domain, and we poke holes in it. Do we really have the right technologies, processes, and do we really have the right expertise in that specific security domain? And then we'll rank them on a scale of one to five. One being we're not doing anything, two being we're doing something, three being we're doing enough to check the box to say, you know, we're secure in that area, four meaning we're doing a little bit more than enough, and five meaning we're walking on water, right? There's not a lot of fives, but what that spider chart does is give us a visual of where we need to focus our time for the upcoming months or years. We're always looking at the highest impact. We're also making sure that we're aligning with the business.
Something the industry is not talking about right now, a lot of legacy, or I'll say existing data loss prevention solutions or even detection solutions, they only focus on the rules that you've established within those programs or those applications, so if you're not looking for something or detecting on something or triggering off something, essentially you lose that visibility. This is where AI really adds another layer. You're essentially adding that piece that's missing, where you're starting to use AI to look for unwanted data moving from locations to locations, and you're also able to build rules based on those detections so you're not relying specifically on what was configured or what was set up initially. It allows you to be a little bit more proactive as well as preventative at the backend.
And I think one of the biggest opportunities for vendors right now is to take advantage of artificial intelligence and start finding ways of where they can plug that into the existing solutions to make them stronger, make them more manageable for small teams, and really just make them smarter so at the end of the day, my team, one from a security perspective, is not focusing on continually maintaining those systems, but artificial intelligence is helping us make some of those decisions or potentially even reacting for us. We can focus on areas that are better worth our time.
Meghan: Before using Sagetap, how did you use to identify the right vendors to evaluate and then eventually to go with?
Matthew: It was really a lot of conversations that happened with my trusted vendor value-added resellers, colleagues that are in the space as well. I've also used Gartner in the past.
The downfall of using somebody like Gartner or somebody, a colleague from a larger organization, is they're going to go with those tried and true and trusted vendors, which are generally large, right? So the challenge there is, if you needed something specific for your organization, they're not going to be able to give you that. It does become a painful process to go start to finish when you're outside of that Sage environment.
When you Google, you know, a vendor for, let's say, you know, data loss prevention, as I mentioned, you're generally going to hit, you know, the top five, top ten in a Google search, even in a ChatGPT search, whereas when you look at Sagetap, immediately when you fill out that profile, it identifies and aligns you with the right vendors it thinks you are a perfect match for.
I'd say that one of the best pieces of Sagetap is it opens my eyes, at least, to identifying other vendors that are smaller, more nimble, more willing to work and partner with the organization so that they can align exactly with what you're trying to solve for and over time, build their application the best way for you. You can identify one vendor because you can learn about it within a quick 30, 45-minute conversation, and then before you know it, you're performing a POC within your organization within days.
Meghan: Let's talk about all the vendors that you've met and been impressed with!
Matthew: There are four vendors for me that I have purchased.
One of them is Halcyon, which is a ransomware-specific solution, sits behind your EDR and complements it. So far, to date, as they tout, they've been 100% effective at preventing ransomware, but if they don't, they have the ability to, a way to insert themselves in the encryption process and help you, or really develop keys, so that you can decrypt if a ransomware encryption process did take place.
Another solution that was of interest for us was Orion. And what Orion does is it complements our existing data loss prevention solution. It gives us the ability to leverage its AI capabilities to detect and/or prevent or warn our end users about things that they, data that they're moving that is potentially unsafe and stop it. If there's a rule not set up to detect, then we're missing some of the pieces to the puzzle. Users can download things, rename them, send them back up or send them out to a specific cloud.
So the third product that Sagetap has brought my way is a product called Nagomi. As a CISO, one of my biggest challenges is reporting to the board how effective our cybersecurity program is. And really, the key word there is how do I quantify that to the board? So what Nagomi does is it gives me that ability to show them this is where we were at such and such date, and this is where we are now. It has a really innate ability to identify core security applications that may be missing from our endpoints, so where Nagomi was helping us was identify where those gaps exist. And then finally, Nagomi also gives us the ability to really quantify how we're protected against specific types of attacks or ransomware and give you pointers to and areas and how you can improve those. So another very powerful product.
Last but not least, Grip has been a product that I actually purchased at my last organization. And now I've just recently repurchased it within my new organization. And that really gives us the visibility across our entire landscape to understand what our end users are doing and using when it comes to cloud resources. Our end users are trying to be very entrepreneurial. They're also forgetting sometimes that they need to clear things with security and make sure that what they're doing is safe and what the, the data that they're inputting into those cloud solutions is secure. So what Grip does is allows us to see, hey, they're leveraging a specific solution that is known to have PII or other types of sensitive information being uploaded into it. And then from there, it allows us to go through the normal third-party vendor risk analysis and secure those applications or potentially stop them from being used, because maybe there's a duplicate within the environment.
Meghan: I love that you purchased Grip at your previous organization and then again at Alera Group. That is really awesome to hear.
Matthew: Nagomi is another product that I actually did purchase at my prior organization, so Grip and Nagomi were purchased prior and now recently purchased with my new organization.
Meghan: Alright, is there any advice that you would give to other tech leaders who are considering trying Sagetap?
Matthew: Sagetap just makes everything easy. Just makes everything super simple. Very short and sweet to identify potential solutions, and at the end of the day, doesn't take much time out of your regular day — you can do it at lunch, figure out if something's a match or not — but also gets you thinking about areas that you may not be focused on currently.


