Founders in Focus: Tim Sadler of Tessian

Each month we're highlighting one of the founders of Okta Ventures’ portfolio companies. You’ll get to know more about them and learn how they work with Okta. This month we’re speaking with Tim Sadler, CEO and co-founder of Tessian.

What is Tessian and what is your mission?

Tessian is the world’s first Human Layer Security company. We use data science and machine learning to automatically stop data breaches and security threats caused by human error—with minimal disruption to employee workflow. Examples include data exfiltration, accidental data loss, business email compromise, and phishing attacks. We then help employees improve their security behavior over time through contextual, in-the-moment coaching. 

We’re on a mission to empower people to do their best work, without security getting in their way.

What were you doing prior to Tessian that led you to this moment?

I met my co-founders Edward Bishop and Tom Adams at college where we studied engineering together. After college, we each went to work for some of the world’s largest banks, but we all noticed a glaring problem: despite the millions of dollars and human hours enterprises spend on cybersecurity and data loss prevention (DLP), they are often breached and lose data—chiefly due to employee human error.

At the time, all of the money spent on security technology was focused on securing the machine layer of an organization. No attention was being paid to securing the human layer. So we quit our jobs, moved into an apartment together, and set out to build the world’s first Human Layer Security platform. 

What is Human Layer Security? What challenges does it solve? 

Human Layer Security is the 3rd paradigm of cybersecurity. First, we used firewalls to secure networks. Then we used Endpoint Detection and Response (EDR) to secure devices and endpoints. Now, we must use Human Layer Security to secure people.

Decades of digital transformation have given people superpowers at their fingertips. We can wire millions of dollars in a few clicks, and share our entire customer database in a single emailed file. Our people are now the gatekeepers to our most sensitive systems and data. But the big challenge is that people make 35,000 decisions every single day, and some of those decisions are the result of human error. We don’t always identify phishing emails correctly, and sometimes we attach the wrong file to an email. This is why, in 2021, an overwhelming 85% of data breaches involved human error. 

Organizations have tried to solve the “people problem” through security training and awareness in an attempt to train away human error. But we only need to look at the common causes of vehicle accidents to know that approach doesn’t work. No one expects new drivers to simply pass a driver’s test and then be safe forevermore. We rely on assistive technology like seatbelts, airbags, anti-lock brakes, blind spot detection sensors, etc. to keep us safe—because it’s inevitable that, at some point, human error will creep in. 

Like the assistive technology in our cars, Human Layer Security is assistive technology to secure human-digital interaction in the workplace. 

Tessian’s Human Layer Security (HLS) Platform does 3 key things:

  • Measures and visualizes Human Layer Risk Scores for every employee within an organization. This helps companies understand who their strongest and most vulnerable employees are.
  • Prevents, automatically, security threats caused by people, such as accidental data loss due to misdirected emails, data exfiltration, and email phishing.
  • Provides in-the-moment security coaching to employees when they make a mistake, break the rules, or succumb to a phishing attack, to help them improve their security behavior over time.

Why did Tessian want to work with Okta? What’s the benefit to mutual customers? 

We’re thrilled to be partnering with Okta on this next chapter of our growth. We see a unique and groundbreaking opportunity to connect behavioral intelligence and identity and access management by integrating Tessian’s Human Layer Security with Okta’s platform. 

Our partnership will be kicked off with the release of our first integration, which will allow organizations to pull Okta groups into our platform. Today, many enterprises utilize Okta Groups to manage their users’ access. With this integration, our customers will gain granular visibility into the potential risks within their groups, as well as the ability to create specific, risk-averse policies for these groups.

And this is just the beginning. We have an extensive roadmap of integrations and features that customers of both Tessian and Okta can leverage.

What trends do you expect to see in the email security and data protection space? 

We’re seeing a complete sea change in both the email security and DLP spaces. 

Organizations have historically had to rely on signature and rule-based detection methods in these systems where, through a rule set, you define what a security threat or data loss event looks like. 

On the email security side, this signature-based approach was effective against bulk email security threats like spam. However, today organizations are being targeted by sophisticated phishing attacks where the threats are targeted to their specific organization, employees, and context.

On the DLP side, signature-based approaches were effective for really basic use cases—like preventing social security numbers from being sent outside the organization via email. You can easily define what a social security number looks like through regular expressions, and easily define “allow and deny” lists. But increasingly stringent data protection policies like the GDPR, CCPA, and HIPAA mean that organizations have to secure a vast array of their customers’ data. As they often have no discernible patterns, this kind of data can be more easily defined through a rule-based policy. 

Instead of signatures and rules, we use machine learning and data science to automatically detect security and DLP threats based on an understanding of normal versus anomalous behavior. This approach means that organizations no longer need to:

  • annoy their employees with false positives
  • miss critical security and DLP threats
  • burden their security teams with a whack-a-mole approach of building and managing rules and exceptions 

The current sea change is moving toward solutions like Tessian.

Interested in joining Okta Ventures? Check out our FAQ here and feel free to reach out to our team or submit your business for review.