Paolo del Mundo, Director of Application Security at The Motley Fool
"We're able to meet with vendors and get the demo that I want without having to go through all the introductions and all the fluff. I don't have to repeat myself n times if I'm talking to n vendors. So it's saved me something like 30% of that entire process."
August 29, 2025
This Sage Spotlight features Paolo del Mundo, Director of Application Security at The Motley Fool. He shares how Sagetap streamlines vendor discovery and connects him with emerging partners like Oligo and Secureframe to strengthen application security by cutting false positives and managing third-party risk.
Key Takeaways
- Dual Focus on AI in Security: Paolo’s team is tackling both sides of AI — securing AI adoption in the development stack and applying AI to improve traditional security work.
- Streamlining Vendor Discovery with Sagetap: By describing his project once on Sagetap, Paolo gets tailored vendor matches and demos without repetitive introductions, helping him to evaluate vendors 30% faster.
- Sharper Application Visibility with Oligo: Oligo Security acts like a monitor on applications, showing which dependencies are actually in use and filtering out false positives so The Motley Fool can focus on real risks.
- AI-Driven Risk Management with Secureframe: Secureframe applies AI to scan thousands of third parties, flagging those with risky practices or sensitive data exposure so Paolo’s team knows where to dig deeper.
- Bridging Gaps in Vendor Support: VARs and consultants can't always provide the time or focus Paolo needs, so he turns to Sagetap for immediate, relevant vendor options aligned with his AppSec priorities.
Full Transcript
Paolo: I am the Director of Application Security at The Motley Fool. Didn't have an application security group, and I started it back in 2020.
From the perspective of security for AI, it truly is changing the security landscape. As our software development teams are adopting AI into the stack, how can we make sure that we're securing it appropriately? But it's also for AI for security, because we're doing a lot of traditional security work that can be improved by AI and AI technologies. Using both lenses, that's kind of what's changing my work in the past year, and hopefully for the better.
Not a lot of people are experts in securing AI, and so we see a lot of vendors who are providing that thought leadership and guidance.
I've been asked to sit in a business context meeting where for one or two hours we were just talking about the value to our business. That's not really helping me do my job, because I care about solving the technical aspects of my problem.
There's so many vendors in this space. That's why leveraging tools like Sagetap is very beneficial. I can simply tell Sagetap, This is what my project is. And Sagetap tells me, Oh, here are some vendors that would be interesting to you. Here's what other people have said about them. And we're able to meet with vendors and get the demo that I want. I don't have to repeat myself n times if I'm talking to n vendors. So it's probably saved me something like 30% of that entire process.
We have relationships with various consulting companies and VARs, but we don't always get their time. So Sagetap is filling that gap.
I really like Oligo's pitch. Traditional AppSec has been a battle of knowing what is going on. What I like about Oligo is it's like putting a monitor on your application. You can see which third parties or which dependencies are getting leveraged in your environment. So even if you had a third-party vulnerability, maybe it's not really something that you need to be concerned about because it never gets to that path. I think that's really cool that they're able to fix that false positive problem and help security teams to identify real issues.
The other one I can think of is this company called Secureframe. Secureframe is a third-party risk management vendor. Like most companies, we're seeing thousands of vendors in our portfolio, and knowing which vendors should be looked at with a more critical eye is really important because they might be doing something risky. And if it's concerning your sensitive data, then that's probably something that you want to have a second eye on, and so they are leveraging AI so that you can essentially identify these kinds of problems. At the end of the day, you're saving time in terms of all the busy work that you would probably have to do without it.
I think you'll find a lot of value in the first five minutes because you can simply describe what you're looking for and get a list of vendors that might interest you and probably solve the problem that you're looking to solve.