Helping disrupt a broken infosec requirement for sales and procurement professionals has led over 45,000 companies to turn to Pleasant Grove, Utah-based Whistic.


Pleasant Grove, Utah-based Whistic announced this morning that it has closed a $35 million round of Series B funding to help it continue to drive the adoption of the Whistic Vendor Security Network.

This financing comes just shy of two years after Whistic closed a $12 million Series A funding, bringing the total monies raised by the company to over $51 million since its founding in 2015.

Whistic’s Series B funding was led by JMI Equity, a growth equity firm with over $6 billion in committed capital and an investment focus on leading software companies. Additional participation in the funding round included Forgepoint Capital (a new investor), and existing investors: Emergence Capital, Album VC (of Lehi, Utah), and FJ Labs.

Today’s announcement was made from the RSA Conference in San Francisco, California, the leading information security event in the world.


The Whistic Premise: Removing Friction from the Infosec World

For Whistic CEO, Nick Sorensen, the realization that there was a significant time-waster in the information security world occurred roughly seven years ago when a company he helped form was in the process of being acquired.

Nick Sorensen, Whistic CEO. Image provided by the company 07 June 2022.
“(The acquiring company) flew out their chief information security officer to Salt Lake City, rented a hotel room, and I sat for three hours getting interrogated by this person in person. Basically he ran through a spreadsheet’s worth of questions, and I thought, ‘This is the biggest waste of money and time.’ I found out later he was filling out one of these questionnaires. … So that was my first foray into this.”

Clearly the explosive proliferation of customer data around the world has contributed to a rising organizational risk that the related data stores can be breached and valuable consumer data stolen.

To address such risks most organizations now require prospective vendors and suppliers to, in essence, verify that they have implemented proper security measures to ensure data protection and integrity.

During my conversation with Sorensen last week, he explained that the way most companies achieve this is by having organizations fill out spreadsheets populated with hundreds of questions. In other words, it’s

“Here, I need you to answer these 350 questions.”

Many companies have now moved such spreadsheet-based questionnaires online, but the basic approach has been the repeated request of, “I need you to answer these questions.” And he said it happens again and again and again.

Sounds asinine to me.

It also sounds like a regularly repeated, time-consuming yet broken process crying out to be disrupted, to be fixed.

Cue Whistic.

Such friction typically occurs at two junctures

  1. When a salesperson is trying to sell products/services, or
  2. When a procurement professional wants to buy products/services.

In both instances, information security professionals regularly need to answer questions about infosec practices.

According to Sorensen, Whistic is focused on one thing: helping speed up the sales and purchasing processes by allowing organizations to answer infosec questions once and then share those answers again and again.

“In today’s environment as companies engage with vendors and service providers in their supply chain, they want to have confidence that that supply chain partner, that vendor they engage with, is not going to lead to a data breach.”

Whistic’s approach is to allow its partners, its customers, to become part of what it calls the Whistic Vendor Security Network.

“What does that mean?” Sorensen asked.

“We’re the best way to vet, publish, and share vendor security information.”

Sorensen described it as being somewhat similar to what LinkedIn did with resumes.

Specifically, pre-LinkedIn, an HR professional would not be aware that Maria Vasquez even existed, let alone be able to review her skill sets and experiences enough to understand that Maria was likely an ideal job candidate for an open position. But with LinkedIn, individuals know that they can, at a minimum, provide basic resume-like information on a secure, publicly available platform for anyone to see, including HR professionals.

In a similar fashion, by joining the Whistic Vendor Security Network, a company is able to

  1. Answer such questions once, then
  2. Build one or multiple Whistic profiles using the underlying answers, and then
  3. Share those profiles as needed.

Whistic Vendor Security Network Summarized

Whistic Security Profile introductory video downloaded from YouTube 07 June 2022.

As partially summarized in the video above, what Whistic does is allow its clients to craft profiles that speed-up the vendor risk assessment process.

Whistic profiles can be crafted to

  • Automatically collect/distribute non-disclosure agreements (NDAs),
  • Auto expire, and can be
  • Shared from inside Salesforce or
  • Share from within the Whistic platform, as well as being
  • Shared online, such as on a company website.

Whistic also allows enterprises to build multiple security profiles, based upon the specific requirements of a given organization.

According to the Whistic news release,

“Whistic has played a key role in driving industry change including the recent release of the Security First Initiative, which supports the Whistic Profile as the industry standard way to share security information. Founding members of the initiative include Okta, Airbnb, Zendesk, Asana, Atlassian, Snap, Notion, and TripActions. Additional early participants are Cloud Security Alliance, Drata, RiskRecon, RFPIO and Tevora.”

For example, Whistic profiles can be created to show adherence to standards established by a variety of industry organizations or designed to address laws/regulations, such as

  • The Cloud Security Alliance (CSA),
  • The Center for Internet Security (CIS),
  • HECVAT (the Higher Education Cloud Vendor Assessment Tool),
  • The Shared Assessments SIG for the A-RAN Alliance, as well as
  • GDPR compliance (for consumer privacy in the European Common Union), and
  • Compliance with the CCPA (the California Consumer Privacy Act).

To be clear, Whistic does not certify the profiles its customers create nor the validity of their answers.

Rather it merely provides a platform to enable organizations to remove friction from the vendor qualification process.

And so far, over 45,000 orgs have apparently agreed that the Whistic approach is the winning one.

You’ve successfully subscribed to Silicon Slopes Newsroom
Welcome back! You’ve successfully signed in.
Great! You’ve successfully signed up.
Your link has expired
Success! Check your email for magic link to sign-in.