Mick Gomm, Sr. Manager, Vulnerability & Posture Management at Cencora
"As we investigate POCs, that time frame comes around in our budget cycle, we always go to Sagetap to figure out what other vendors we should be looking at and add those to the list. Sagetap has cast a wide net in terms of vendors that they bring in."
August 11, 2025
In this Sage Spotlight, Mick Gomm, Cencora’s Sr. Manager of Vulnerability & Posture Management, discusses how Sagetap helps him identify and evaluate emerging solutions like IONIX and RangeForce. He also shares how the platform keeps both him and his organization ahead of a rapidly evolving cybersecurity landscape.
Key Takeaways
- Current Focus on Asset Coverage and Attack Surface Visibility: With Cencora’s global footprint growing through acquisitions, Mick is prioritizing complete asset coverage — understanding where assets are, what they run, and the vulnerabilities they face.
- Continuous Learning and Vendor Discovery with Sagetap: Mick uses Sagetap to stay informed on cybersecurity trends, explore peer initiatives, advance his professional growth, and guide vendor searches.
- Deeper External Asset Discovery with IONIX: In a current proof of concept, IONIX is delivering automatic domain mapping, detailed attack surface visualizations, and faster vulnerability remediation.
- Hands-On Security Training with RangeForce: Mick and his team recently discovered RangeForce and appreciate its interactive labs, threat-centric reporting, and red-vs-blue exercises that help uncover vulnerabilities and build a security-first mindset.
- Sagetap as a Go-To for Every POC Cycle: When budget cycles open, Mick turns to Sagetap to identify and prioritize vendors for POC evaluations, comparing current tools to new solutions that may offer stronger capabilities for securing Cencora’s data.
Full Transcript
Mick Gomm: I'm a senior manager in the information security team at Cencora. We do a lot of the supply chain logistics for big pharma companies. We have a growing footprint in scope for us that includes some international business units.
One of the most pressing things that we're trying to figure out right now at the moment with our acquisitions and a growing company is getting complete coverage of our assets. Being able to get a better picture of what assets you have, where they exist, what software and platforms are being used, and then essentially what your attack surface is in terms of vulnerabilities or threats that your company may be exposed to. Those are probably the biggest areas of opportunity for vendors.
Previously, at least people in IT and cybersecurity would just do quick searches. We'd go to Gartner and figure out what's the newest tool family, or we'd go to security partners and consulting firms and say, What should we be focused on? What vendors are in those spaces? But now, with the advent of AI and platforms like Sagetap, we're able to query for vendors that operate in different aspects of our industry. And I think Sagetap has cast a wide net in terms of vendors that they try and bring in.
There are a ton of different vendors out there that I've really loved over the years already. One of the vendors we just recently met with is called IONIX.
We were using a tool already. It did some initial surface-level analysis of our externally facing assets. But we had to essentially feed them kind of IP spaces and domains that they could crawl and analyze to provide us with an idea of what our attack surface looked like.
Just by knowing a company name, IONIX can go out and crawl the internet, find domains that are related to it, and it does deeper analysis on those domains, the assets that are attached to it, provides fantastic visualizations related to the attack surface and what the domain trees look like with subdomains, etc. And it's already helping us to find vulnerabilities and security risks and also provides us with a detailed analysis that helps us to action things quicker. So there's a lot of things for us to be excited about with IONIX, and we are currently in a POC phase with them right now.
Another vendor that we had a call with is called RangeForce. This is a vendor that provides technical training in actual hands-on lab environments. And I think this type of interactive technical training is exactly where we need to go.
It provides you with threat-centric reporting, after-action reports for when you go through exercises, and allows an organization to get in the mindset of being able to design things with security in mind and also be able to find security issues where they may exist in your infrastructure, so it's another vendor that we're pretty excited about, and we love the interactive aspects of RangeForce's platform.
As we investigate POCs in general, that time frame comes around in our budget cycle, we always go to Sagetap and try and figure out what other vendors should we be looking at and add those to the list.
Sagetap has allowed me personally to continue my growth and career. It's helped me, it's helped my organization to stay abreast of different things that are happening in the cybersecurity landscape.
You're able to look at what other companies are doing and what initiatives they may have that you should be looking at as well. That's helped me to guide my searches when I'm looking at vendors too.