New ThreatConnect President: ‘Nobody Else’ Unifying Threat Intelligence With ‘Risk-Based’ Approach

A veteran of major cybersecurity vendors including FireEye Mandiant, Chris Lehman tells CRN he’s joined ThreatConnect to accelerate its expansion with channel partners.

Cybersecurity industry veteran Chris Lehman has joined ThreatConnect as its new president as the company seeks to drive accelerated growth with channel partners for its unique security platform, the company told CRN.

In an interview, Lehman — whose nearly three-decade career has included channel executive roles at companies such as FireEye Mandiant — said that he took the role in part due to ThreatConnect’s distinctive approach to helping companies protect against intensifying cyber threats.

ThreatConnect offers a platform that combines aggregation of cyber threat intelligence with the risk quantification that organizations are increasingly seeking today, he said.

“What we're seeing is organizations are moving to more of a risk-based view of the world,” Lehman said. “There's no way you're ever going to be able to respond to every single threat.”

However, in the traditional threat intelligence platform market, “there's really nobody else that's providing the ability to look at things not just through a threat lens, but also through a risk and impact lens,” he said. “I think that's game-changing and very much in line with the direction that the industry is moving in.”

Lehman, whose full title is president of global field operations, joins ThreatConnect from most recently serving as CEO of SafeGuard Cyber, a provider of security for workplace communications, since 2022.

Earlier roles included as CRO at ExtraHop and, before that, senior vice president of worldwide sales and channel at the company.

Previously, Lehman was vice president of Americas sales and channel at FireEye Mandiant from 2014 to 2017.

Notably, ThreatConnect’s chairman of the board is cybersecurity luminary and former FireEye CEO Dave DeWalt, who is now founder and chief executive of cybersecurity-focused venture firm NightDragon. The CEO of ThreatConnect is industry veteran Balaji Yelamanchili, who was formerly a top executive at companies including Symantec, Oracle and EMC.

The hire also comes after ThreatConnect acquired Polarity, which offers capabilities that enable security analysts to perform real-time searches of threat and contextual data, in July.

At ThreatConnect, Lehman said a major priority will be on working with solution and service provider partners around driving greater value with customers through combining a risk-based approach with threat intelligence and prioritization.

For partners, ThreatConnect can help to “elevate your value in the eyes of your customer — by being able to talk about more strategic initiatives,” he said.

What follows is an edited portion of CRN’s interview with Lehman.

What prompted you to make this move?

There's a couple of themes that got me excited about ThreatConnect. No. 1, ThreatConnect is an industry leader in the threat intelligence space. We have very robust, scalable, extensible technology. We’ve got 250 customers who are very happy with the technology. So we’ve got a very firm foundation. There's also a couple of trends that I see that I think bode very well for ThreatConnect moving forward.

For a long time, a lot of organizations — even very large organizations — have still not been particularly security mature or sophisticated. They've been very focused on putting the basic infrastructure and telemetry in place. But my observation is that there's an acceleration going on in terms of the security maturity of organizations. The sweet spot for ThreatConnect has always been the higher-maturity organizations that are more sophisticated and looking to do more with threat intelligence.

Our vision for the future is becoming what we're referring to as a threat intelligence hub. It's the ability to aggregate and understand all of the threat intelligence that you have from all of your different threat feeds, your different telemetry sources. And then being able to aggregate, understand and visualize all of that. But then, the ability to take action on that is becoming more and more important. And what we're doing at ThreatConnect is really building out [that capability]. The acquisition of Polarity gave us the ability to understand all of the threat intelligence that's available to you, but then to take action on that with playbooks and workflow. The industry is looking to get more out of the tools that they have. They're looking for more sophisticated capabilities. And I think ThreatConnect is well positioned to [capitalize on] those trends.

What is your message going to be to channel partners about ThreatConnect?

Most channel partners are looking to elevate themselves in the eyes of the buyer. They don't just want to be somebody who's there selling another tool. A big part of that is helping the various parts of the security organization to start to think about things like time-to-remediation, efficacy, saving dollars. What ThreatConnect does is bring an ability to aggregate, understand and then take action on all the different tooling and threat sources that exist, and really enable those types of bigger-picture value propositions for CISOs, for heads of security engineering, for heads of the CTI or even the CIO. So the idea is to be able to go in and talk to the channel about how we can help them elevate their story — and help organizations get more out of the tooling that they have today. We think we're very well-positioned to help organizations realize that. So it's about going out to the channel, making sure that they understand, hey, this isn't just about selling another seat or selling a point solution. It's helping you elevate your value in the eyes of your customer — by being able to talk about more strategic initiatives.

What would you say are the biggest differentiators for ThreatConnect at this point?

What we're seeing is organizations are moving to more of a risk-based view of the world. There's no way you're ever going to be able to respond to every single threat. And one of the most-effective ways to help an organization prioritize is to not just look at the threat, but also look at the potential impact associated to that. When you look at the traditional [threat intelligence platform] market, there's really nobody else that's providing the ability to look at things not just through a threat lens, but also through a risk and impact lens. I think that's game-changing and very much in line with the direction that the industry is moving in. And then the other area is our recent acquisition of Polarity. What Polarity does is provide situational awareness and situational intelligence. So if you envision yourself being an incident responder and you’ve got a threat, and you see an indicator, you want to understand all of the data points that are associated to this particular indicator. What Polarity does is, in real time, you can do a federated search to see all of the information that is out there to provide contextual enrichment to your workflow and your decision-making process. We can actually do computer vision scanning of information that is not necessarily in a database, which is very much a game-changer in terms of visibility and awareness to help responders make much better and effective decisions in real time. Nobody else is doing that.

What is a major learning that you’re expecting to bring into this role from your previous experiences?

I’m a big believer that there are no silver bullets, but there's a couple of things that great go-to-market organizations and great security companies do well. No. 1, they've got a vision and a point of view for the marketplace that solves real world problems and adds value to their customers. And they can clearly articulate their differentiation, and they can prove that out. Our clear value proposition is in helping organizations understand all the intelligence that they have, help them prioritize threats through a risk-based lens and then take action on it.