FiscalNote extends assurance of trust with Expel

FiscalNote, a leading technology provider of global policy and market intelligence, was founded in 2013 with a mission to make regulatory, legislative, and market insights more accessible, more actionable, and more valuable. Using AI technology, data, and expert and peer insights, FiscalNote gathers, monitors, and refines this information for more than 5,000 clients worldwide—from governments to nonprofits to Fortune 100 corporations—who use it to define goals, maintain compliance, assess risk, and navigate policy.

For its first few years, FiscalNote was very much a startup, with fast growth and a “make it work now” culture. That fairly typical early-stage approach, combined with the fact that the company’s core product provided access to data that was largely in the public domain, initially reduced concern about security internally. But as the company’s business grew, so did the scope of potential threats. Stronger security defenses were required to maintain trust with customers and to scale with FiscalNote’s growth and increasing complexity.

To help further protect assets and enhance security policies, FiscalNote brought in Andy Keller as Sr. Director, Information Security (now VP, Cybersecurity & DevOps). Coming into the business, Keller saw his main challenge as managing the “unknown unknowns.”

“My background was largely in more regulated environments with clear threat models and an implicitly understood need for security controls and defenses,” Keller recalls. “During the startup phase, the company understandably moved very fast. Thanks to employee diligence and a relatively straightforward single product offering, basic security practices were enough to keep a lid on security risk for several years. However, evolving major changes to the organization were clearly going to add a lot more complexity.”

Attention to these issues increased even further once the company announced plans to go public in November 2021. “Part of my mandate was always to bring more security consciousness to the company, but this increased public attention on FiscalNote,” Keller says. “Any security incident could have negatively impacted our reputation at exactly the wrong time.”

Acquisitions also added to the company’s need to enhance its security program. FiscalNote has acquired more than a dozen companies since its founding. “Each company had its own cloud infrastructure, identity infrastructure, and SaaS apps,” Keller explains. “One of my jobs is to make sure we have tools and processes in place to smoothly, easily, and securely bring any acquired entities into our security program. It had to be a repeatable process.”

Keller had his action plan. As a team of one (to start), he had to carry out the new security approach on his own—and hope that the “unknown unknowns” were few. To accomplish his goals, Keller knew he needed a trusted partner, and quickly.

“I needed more headcount, but I also needed some kind of force multiplier that could be deployed relatively quickly,” Keller says. “Even given budget for headcount, the hiring wasn’t going to happen fast, and building an in-house team with 24x7x365 coverage wasn’t likely. So managed services naturally started to stand out—with innovative partners behind the solutions.”

As Keller searched for a trusted security partner, he explored Expel to understand what was possible. Expel’s innovation and experience in the security market, as well as the attitude and outlook of its leadership team, convinced Keller that Expel MDR was the right solution at the right time.

“I liked the company story,” says Keller. “The leadership wanted to disrupt the state of the market and they had clear ideas on how to create transparency in their investigations.” The difference for Keller was that Expel wouldn’t simply throw alerts over the fence for him to deal with; they would enrich the data by providing real context for rapid decision-making with 24x7x365 coverage.

When pitching Expel to FiscalNote, Keller sketched out what it would take to replicate Expel’s services in-house. “We’d need at least three full-time resources, likely making well into six figures each, annually, at a minimum,” he says. “We’d also need to procure a commercial SIEM tool and/or a security data lake. Expel’s cost would be less than half the cost of building the equivalent team in-house—and offer more consistent coverage with minimal management overhead. And of course, they already have the expertise—what are the chances we’d do better than them 24x7x365?”

Expel integrates natively with all the software and platforms FiscalNote already relies on. “Google Workspace, AWS [Amazon Web Services], GitHub, and Okta account for probably three-quarters of the risk landscape that we had,” says Keller. Expel also integrates with the wide range of other security solutions FiscalNote uses, including native AWS security services like GuardDuty and Organizations.

The integrations help streamline onboarding for employees of both the parent company and new acquisitions, while protecting the company from attacks. “Once new acquisitions accept our AWS Organizations invitation, they’re immediately plugged into Expel Workbench,” Keller explains. “At most, there’s one more click to enable AWS GuardDuty. With a few minutes of effort, Expel is monitoring critical application infrastructure activity.”

Expel’s easy integrations also help protect the company from data loss. “Expel consumes and enriches the findings across all the integrations they have in the platform,” Keller says. “With minimal tweaks, Expel tells us what we need to look at from a security perspective using the big picture—rather than us writing rules, reviewing alerts, configuring dozens of integrations, and chasing after countless false positives.”

Keller’s confidence in Expel went up several notches when the solution helped unearth a potential security breach involving unauthorized access in FiscalNote’s infrastructure environment. Expel alerted Keller to anomalous behavior within an identity access management tool—in this case, a chain of events resulting in the creation of an unauthorized user account.

“This was the kind of thing that I suspected might happen in our environment—and Expel’s proactive alerting saved us from a much more serious incident. We were able to rapidly revoke the unauthorized user accounts,” Keller says.

Benefits of partnering with Expel

• Enables rapid improvement of security company-wide
• Helps define new policies for proper data handling, user accounts, and incident response
• Streamlined processes save time and bring all security features into one platform
• Significant cost savings from further investment in resources and technology
• Strengthens confidence in the FiscalNote brand

By relying on expertise and product excellence from Expel, Keller built 24x7x365 security for the FiscalNote environment, and saved budget by not purchasing a commercial SIEM, which wouldn’t have offered the consistent and precise coverage provided by Expel.

“We saved a lot of time and frustration as well as configuration confusion,” Keller says. “Not only were there significant monetary savings, but also significant opportunity cost savings from our decision to work with Expel.”

With Expel taking on the heavy lifting for monitoring security threat alerts and help with remediation, Keller and his two security engineers can devote time and attention to big-picture security issues.

“The system we set up has really performed well at shaking out the unknowns,” says Keller, “like looking at how previous users of our systems might be misusing access. Security people are infamously skeptical. I’m suspicious of products that claim to provide only the information we need to know. I’m always wondering if they’re missing something. But Expel earned my trust pretty quickly.”

For Keller, the benefits of Expel MDR also relate to saved time. In today’s complex security landscape, having a multitude of task-specific tools generates a lot of noise. Expel refines these inputs into recommendations and actions, leading to quicker action and more decisiveness in FiscalNote’s security posture.

“Just getting the information isn’t enough,” says Keller. “Relevance is paramount. Security alerts need to be accurate, useful, and include enough context to help us make good decisions quickly. With Expel I can focus on what’s important, and use the time saved on other high-value projects.”