Infotrust co-founder Dane Meah has joined the many Australian channel partners spinning out internally developed intellectual property to pursue global ambitions, with the launch of MyCISO.
MyCISO is a software-as-a-service offering targeted to end customers and managed service providers to uplift their security across a range of controls aligned to a full security framework like ISO 27001. The platform looks to “SaaS-ify” security consultants, who have become more costly and less accessible.
“MyCISO enables an MSP, or what we call a provider, to deliver security as a service by performing a maturity assessment for themselves and to develop a security improvement plan afterwards,” Meah told CRN.
“The traditional model is really just sending a security consultant - sending in a man with a clipboard, asking a bunch of questions and sending in a report afterwards, which can cost anywhere from $20,000 to $30,000 to up to $50,000 to $100,000 to get a really detailed improvement plan and strategy for business.”
The concept for MyCISO dates back to 2014 and the CryptoLocker ransomware attacks, which at the time bypassed security controls at each egress point, with many businesses incurring data loss and suffering weeks of downtime.
Once reserved for large enterprises and highly regulated industries, security consultants emerged as a way to help businesses identify weak spots in their cybersecurity posture.
Meah said Infotrust developed an online self-assessment tool called Ransomware Readiness Assessment to break down the ransomware attack chain and assess weak spots in preventing a ransomware attack.
The tool eventually sparked the idea for MyCISO, with Infotrust launching a security consulting practice in 2017. The incoming consulting practice manager at the time was tasked with both building the practice and developing the MyCISO app.
Meah also realised MyCISO could work for MSPs. “We attended a conference in 2018 and 2019 and spoke with dozens of MSPs who were looking for a way to deliver security as a service, but finding hiring and retaining security talent was difficult and costly,” he said.
“It was here where I realised if we could build MyCISO right, MyCISO was a tool for MSPs too. A single pane of glass to manage their customers’ security uplift journey from.”
Infotrust engaged a third-party software developer to build MyCISO v1 following the success of a prototype.
“However, with competing priorities progress was slow, but we finally got to customer beta in May 2020,” Meah said.
The consulting practice manager and product lead resigned unexpectedly, with Meah taking over.
“I quickly realised the v1 product we built was the classic ‘built by consultants for consultants’. Problem was, an IT leader that didn’t come from the GRC/Security background simply couldn’t use this tool. We had built a very complicated tool that only security consultants would understand,” Meah said.
“It led me to hire a UX/CX-focused product owner, Phil McCann. With one failed build under my belt, but an unwavering optimism and can-do mindset, we spent nearly a year trying to re-engineer the software to create v2 with greater simplicity, but the foundations of what we had built were flawed. We made the painful decision to scrap the code-base and start again with only our learnings intact.”
This decision to start over also saw Meah step back from his role as InfoTrust CEO in July 2021 to focus 100 percent on MyCISO.
“We redesigned the entire product with one core principle: elegant simplicity. We kept our target market at the forefront of every design and feature consideration.”
The development team created four personas for its target markets, including ‘Charles the CIO’, ‘Terry the Technical IT manager’, ‘Sally the CISO’ and ‘Michael the MSP’. The team sought to find out what each wanted, what makes them tick and if a feature would make sense to them.
“At this point we also made an important realisation – software development was a highly specialised skill and managing a team of software developers was even more specialised, and we just didn’t have that skillset,” Meah said.
“So we made the painful but necessary decision to outsource software development to a firm with full stack capability, including a pseudo-CTO service from the company’s directors, who provided the oversight on development and tech decisions that we crucially needed.”
Outsourcing helped triple the MyCISO development team and speed up the timeline.
The team also looked to simplify complex security jargon into easy-to-understand language, taking inspiration from Twitter by imposing a 130-character limit.
Meah said the security reports from MyCISO had to meet a standard where a tenured security consultant could stand behind them.
“To do this we set the team to task creating Gap Assessment, Risk Assessment and Security Improvement Strategy reports. It was here where we started to do things never previously possible with a consulting engagement,” he said.
“We created complex algorithms which considered every data input to make security improvement recommendations. The output was a data-driven improvement strategy which prioritised mitigation of the greatest risks.”
Meah also realised during the development process that cyber security was not black and white but rather many shades of grey, where one security expert’s fact was heavily debated by the next security expert.
“We made a call to move away from security purism and focus on simplicity and common sense. This wasn’t always popular amongst the security purists, but with the core value of ‘elegant simplicity’ top of mind, we stayed true to our vision.”
MyCISO went into beta in April 2022 and soft-launched in June 2022.
“The feedback was incredible from day one - we have a 100 percent beta to customer conversion rate and as of 30 June, we have 24 paying customers and counting,” Meah said.
“With a great product with an exciting feature set and a packed product roadmap we're extremely excited to take MyCISO to customers and MSPs.”