Founder in Focus: Will Jackson, C2 Risk
We sat down with Will Jackson, CEO of C2 Risk, a pioneer in risk mitigation technology.
Will Jackson is the CEO of C2 Risk, working to uncover and solve supply chain cyber risks.
Third-party data breaches are happening more frequently, from sports clubs like the Welsh Rugby Union and councils like Colchester City to cloud storage companies like Snowflake. The impact can be devastating, from hospital closures, to critical infrastructure being held to ransom, to personal data breaches affecting millions.
We love C2 Risk’s mission, and the vertical they work in, because cybercriminals increasingly target vulnerabilities deep within a company's vendor network. They’ve discovered supply chains are the backdoor into your data because most businesses rely on complex webs of vendors and suppliers. You don’t usually know who your supplier uses as their supplier and this creates blind spots that hackers capitalise on.
We always start by asking founders or operators “why this?”, “why now?” and “why you?”. Answers to these questions peel back the lid on what makes founders tick, why their solution will succeed and ultimately, why you should care.
We also discussed why traditional supply chain risk management is outdated, what the keys to his success are, and what kind of team they’re building at C2 Risk.
Why this?
Will Jackson: It's very difficult to identify risks in your own business, let alone your supply chains. Supply chains are often multi-layered, like an onion, and there's a flow of lots of information going through them. An added complexity is that supply chains are generally managed on a departmental level within the business. You have finance suppliers, HR suppliers and IT suppliers, as well as agencies who may be working with marketing or sales. This causes a lack of visibility across the full supply chain, posing a risk of data breaches. And that's only in the immediate third-party layer; think beyond that to the supplier's suppliers and so on.
Now, some of those suppliers won't pose a massive threat to businesses if there's a problem, but some will. So we try to look at the entire solar system of the supply chain, and it is often complex. It's also very difficult to actually assess how risky a supplier is to you, especially on a product and service level. Traditionally, that's done manually by people or external consultants, who are usually quite expensive and always time-consuming. So, we replaced manual effort with technology, and that's what sets us apart. There are very few others that do this, to this level of detail. In fact, I'm struggling to name many that go as deep into that onion as we do.
To give you an example, in 2022 the BBC were involved in a major information security breach. Now, it wasn't the BBC who were hacked or their HR and payroll supplier. The HR and payroll supplier used a data transfer company called MoveIt, and it was MoveIt that was hacked. The BBC probably wouldn't have had any visibility that their HR and payroll supplier used MoveIt. Thousands of other companies were affected by this cyber breach because MoveIt sat in a blind spot deep in the supply chain for so many.
Why now?
Will Jackson: You’ll see in the news that they’re reporting more and more information security breaches, cyber threats, cyber hacks or whatever term you want to call it. It's almost daily.
If you look beneath the headline layer, it's generally a third party that's been breached, but it's the organisation that is responsible for the data that's predominantly in the press. This is really common; in fact, 70-80% of issues relating to data incidents or cyber attacks happen in the supply chain.
Why you?
Will Jackson: I've always worked in technology and services, so this is no different. It's not my first rodeo replacing manual effort with technology! It's the same reason nobody has DVDs anymore. They just watch movies on Netflix.
I worked in the HR and payroll tech space for about 20 years and became quite fascinated with information security. The HR and payroll industry holds high volumes of very personal information and I felt very nervous about the risks of this. I was fascinated that this industry was dealing with information security risk in such an archaic way. You can understand why, though, as especially in the mid-market there's very little resource to conduct better levels of due diligence. The CISOs who are responsible for this are generally quite new to the board (or not on the board), and often not as established as other senior stakeholders, despite the increase in such risks.
This is also a huge risk for multinational companies that have large, complex supply chains typically managed by multiple stakeholders. So I saw an opportunity and jumped into it.
How is C2 Risk different?
Will Jackson: We primarily focus on information security within the supply chain and we go very deep into that vertical. What differentiates C2 is that, where other providers similar to us offer broader and shallower GRC (Governance, Risk and Compliance) solutions and services, we really delve deep into the supply chains: the R of GRC, if you will.
If you imagine a survey on steroids, packed full of automation and AI, overlaid with dashboards and analytics - that's what we do.
There are three components to our approach. We work with the client to first establish who is in their supply chain. We then conduct a very high-level Open Source Intelligence (OSINT) search, which we call ‘QuickRisk’. This looks at anything in the public domain relating to security, compliance and financial information. This helps us see where the ‘inherent risk’ is and, most importantly, creates a list of priorities for how to assess that supplier in more detail.
After this, we issue an assessment with a set of detailed questions mapped against an industry-specific framework (for example ISO 27001). Alongside this, we collect evidence, policies, procedures and certificates, which support the answers given by the supplier.
Finally, we initiate a comprehensive OSINT search, this time including far more data points than in QuickRisk, around 100-150 data points usually! We look at technical vulnerabilities like outdated software versions, misconfigurations, and potential points of exploitation. We also check for other threats like server and software fingerprints.
The technology compiles all of this information (the question answers, the evidence and the OSINT results) and highlights where the risks are.
Just knowing the issues in your supply chain isn't very helpful. So, against all of the risks highlighted, the C2 Risk solution will then suggest things to do to improve your risk. We call that the remediation.
Some of those remediation elements include dialogue with the supplier. For example, a missing policy or an outdated certificate. Alternatively, some items of remediation are not immediately addressed, like turning on MFA (Multi-Factor Authentication). The client can either accept those risks or work with procurement to add those remediations into the contract with the supplier.
The assessment results expose the risks clearly for the client, and along with the remediations, allow our clients to either accept the risk, action the remediation or not work with that supplier at all.
The report is a fully detailed, compliant and audit-rich asset. It's an amazing solution to complete due diligence with and give the client a fantastic ‘defensible position’ should a supplier experience a breach.
What’s the value to customers?
Will Jackson: Our customers have so many separate risk assessments to complete so we focused on this supplier friction. We can take any information from the supplier and ingest it into the platform. So if they've done an assessment before or they've got loads of policies and procedures in a big heap, they can push that through the platform. Suppliers like that as it reduces their effort and clients like it as it means assessments can be completed in half the time.
Our clients also like that every single thing related to the assessment lifecycle is within one solution, even the messages you send to each other via email. You can delegate areas of responsibility to different stakeholders, and it's fully auditable. Everyone likes a happy auditor!
But, I’d say the return on investment is the main attraction with new clients. A recent client we worked with was doing 500 assessments per year. Using our solution, we forecasted a reduced cost of 86%, a reduction of internal time by 82% and time to complete the assessment by 52%.
C2 Risk is especially beneficial to the mid-market because they often don't have large InfoSec teams (if at all!), and are often having to engage with external specialists and consultants. To cater for that, C2 offer a managed service, so we manage the assessment process on behalf of the client.
Tell us about your team.
Will Jackson: We made a lot of changes over the last year in readiness to scale the business. As a SaaS company with a well-established platform, we focussed on three main areas: sales and marketing, product and development, and operations. So we restructured the business exactly like that. We defined a simple vision, identified a clear ‘first principle’ and developed a go-to-market strategy. We continue to measure on a weekly, monthly and quarterly basis. Everyone knows the goal, and everyone is in the right place to achieve it.
What’s been your biggest challenge so far?
Will Jackson: I would say the biggest challenge has been trying to educate the market. I'm trying to say to prospects, you're doing this manually, that's so bad! And they're saying, well, yeah, but we've always done it this way. Some people we speak to think, oh, I didn't even know that this existed. We’re going on that journey with them and at the same time building trust because we are going to do something quite critical for them.
I love to talk about our customers but unfortunately, because this is such a sensitive area, not many high-profile companies want to be discussed. I'm in a business where we do amazing things for our customers but I'm not allowed to tell anyone. That's why none of our case studies mention who the customer is!
What are the keys to your success?
Will Jackson: Our amazing team and great marketing!
You can ring and ring and ring people, but if you're not known, you're instantly on the back foot. You could be selling timeshares in Lanzarote, who knows? The point is, it's about the brand. We're trying to be everywhere. Through our marketing, we're trying to leverage our network, create awareness and build trust. That takes a bit of time, especially if your budget is limited.
We've also changed the business name, which was a risky marketing strategy for a scaleup. We went from C2 Cyber to C2 Risk and divested the platform too as part of that process. We've also introduced a broader ‘store’ of programs. This has been a game changer for the market, and our clients. The solution doesn't necessarily have to assess suppliers either, it can essentially assess an ‘entity’.
What is the best piece of advice that you've ever been given?
Will Jackson: Try and do the right thing, and empower and trust those around you to do the same.
I know that's a bit ‘chocolate box’, but I always just think if you try to do the right thing with what you know at the time, then it isn't the wrong thing.
Which startup are you inspired by right now?
Will Jackson: The company called Cognism. The CEO, James Isilay, has really driven that company into the stratosphere and what James has done with the Cognism team has been fantastic.
What kind of person do you look for to work at C2 Risk?
Will Jackson: I find that the best people aren't necessarily the best people on paper. It's about attitude, passion, energy. It's about character and it's about culture.
I wasn't born a CEO. I got here because people gave me the opportunity to grow. I owe people the same opportunities. Like many people, I didn't enjoy school. I didn't leave the education system loaded up with qualifications. I got out to work as early as I could and fought to carve out my career.
Want to meet Will? Get in touch: hello@swiftscale.co