Andrew Cal knows a thing or two about security. After more than a decade in the U.S. Army, and several years in the risk departments of major financial institutions, Andrew joined WestCap and became our Chief Information Security Officer (CISO).
Andrew, who still serves in the U.S. Army Reserve, not only keeps WestCap’s information and systems safe but also advises on investments and helps keep our portfolio companies bulletproof. We sat down with Andrew to hear more about his fascinating role and his outlook on the future of cybersecurity:
I have three different responsibilities, which always keeps it innovative and new. My first role is ensuring that WestCap itself is secured, and securing our investor information. Second is working with our portfolio companies to help them build out security programs and platforms. The last is serving as a subject matter expert for the investment team. As they’re looking to make investments, both inside and outside the security space, I advise them on how that company fits into our strategy and if it’s the right investment for our firm.
Artificial intelligence has been a hot topic, of course. At first, everyone wanted to talk about it; now, it’s a matter of how it’s actually being implemented. It’s interesting to see who is implementing it well and who is just implementing to say they did it. For example, Apple is quietly developing AI within their solutions: making Siri better, improving the design of apps and helping the Apple Store provide stronger suggestions. While others tout sophisticated AI capabilities, that doesn’t always translate into a better user experience.
As it relates to cybersecurity, attackers are using AI to create better phishing emails. Traditionally, in order to have a realistic email, someone would have to put in an incredible amount of time and effort. Now, almost all the emails can sound convincing, because ChatGPT can write them for you. We’re also seeing AI-generated code, which eliminates a barrier to entry for anyone to try to be a malicious actor. Bad actors can also use AI to scan the entire internet for one or two vulnerabilities and automatically kick off an attack to inject malware into devices. On the other hand, security solutions are using generative AI to better distinguish real from fake emails.
There is also more focus on application security. Threat actors are increasingly going after the actual code of the technology versus trying to go in via phishing emails. With traditional ransomware, the bang for their buck was starting to slow down. If they’re able to inject malware right into the codebase, they can better lock you out of everything and demand a larger ransom. Having the right tools, strategy and processes in place can help protect against these actors.
One area is data analytics. Right now, a lot of cybersecurity companies are sitting on data. The challenge is: How can we properly streamline and piece that data together to quickly take the correct action? That’s an area in which AI will be able to assist and look up information across many different areas for you. AI is getting better at distinguishing false positives from alerts that truly indicate a threat. Reducing those false positives elevates staff from doing repetitive, remedial work to deep dives that are more interesting. Right now, cybersecurity professionals have plenty of technology but not necessarily the operational strength to utilize all of it. If there’s a tool to help operationalize everything, it would be greatly beneficial.
When AI first came out, we saw an emergence of “AI-first” or “AI-centric” companies. They went too far into the AI without realizing what the problem set was. Now, we’re starting to see an understanding of the problem and adding in the AI. Getting to 3.0 would mean understanding the friction points in security use cases and combining those with AI.
First, I look at efficacy: Is the tool actually good at what it’s supposed to do? Second, I ask if it’s making my job or life easier or putting more work on me. Some tools might be great, but in order to get them working, I’d need a full-time employee to manage them. If there’s a tool that can do its job well but also reduce my work burden, that will have a higher overall benefit to the company than one that requires a lot of manual effort and tuning.
Dragos is a company that secures water plants or industrial oil or natural gas infrastructure. They’ve created a function which, if malware is discovered, will say whether to fix it immediately, during the next maintenance or never. This tells operators whether alerts actually impact operations. If they were to respond to every potential issue, we would almost never have gas at our pumps. Dragos receives over 10 billion alerts a day and uses a lot of AI to detect what is happening.
Bishop Fox has created a methodology for penetration testing that attempts to use automation and AI to hack your environment, with a human validating the findings. Their tool can take 10,000 potential vulnerabilities and bring them down to maybe 10 that you need to prioritize.
HUMAN Security, which has over 1 trillion hits a day, secures adtech from being infected by or being used to spread malware. The company’s tech can determine what is a bot or not. In a recent large-scale attack around IoT devices, they were able to pinpoint the signature of malicious actors, which the German government recently took down.
I’ve been in the CISO role for about six months, and I’m excited about learning from what I’ve done and pushing it forward. Over the last two years, I recognized that portfolio companies were spending a significant amount of time researching and sourcing cyber solutions and negotiating contracts with sales teams. I knew the trusted and vetted vendors in the space and negotiated contracts for the entire portfolio, resulting in an average of 76.5% in savings.
I’m constantly thinking about how we can continue to improve what we’re doing internally and with our portfolio, as well as how we make a bigger impact in the investment space. I’m excited to continue our success and keep innovating!
The above is provided as an illustrative example and designed to demonstrate the benefits to portfolio companies of partnering with us. The information is aimed at prospective portfolio companies and not intended to solicit investors, or an offer to purchase any securities. The experiences highlighted may not necessarily represent or be indicative of current, past or future results and experiences with portfolio companies.